Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1482544
MD5:371d606aa2fcd2945d84a13e598da55f
SHA1:0f8f19169f79b3933d225a2702dc51f906de4dcd
SHA256:59c6d955b28461cd8d1f8f8c9a97d4f7a2e741dd62c69e67f0b71ecb3f7f040a
Tags:exe
Infos:

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Yara detected RedLine Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 7172 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 371D606AA2FCD2945D84A13E598DA55F)
    • RegAsm.exe (PID: 7248 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": "20.52.165.210:39030", "Bot Id": "LiveTraffic", "Message": "error", "Authorization Header": "143feb5082f9936e624c1e27545e7d19"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000004.00000002.1437733005.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: file.exe PID: 7172 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
Process Memory Space: RegAsm.exe PID: 7248 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Source | Rule | Description | Author | Strings
2.2.file.exe.efcbc0.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
4.2.RegAsm.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
2.2.file.exe.efcbc0.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
2.2.file.exe.e60000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

No Sigma rule has matched
No Snort rule has matched
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
2024-07-26T01:04:03.743125+0200 | 2043231 | 49699 | 39030 | TCP | A Network Trojan was detected
2024-07-26T01:04:07.269284+0200 | 2043231 | 49699 | 39030 | TCP | A Network Trojan was detected
2024-07-26T01:04:07.452766+0200 | 2043231 | 49699 | 39030 | TCP | A Network Trojan was detected
2024-07-26T01:04:07.817243+0200 | 2043231 | 49699 | 39030 | TCP | A Network Trojan was detected
2024-07-26T01:04:05.757590+0200 | 2043231 | 49699 | 39030 | TCP | A Network Trojan was detected
2024-07-26T01:04:06.758090+0200 | 2043231 | 49699 | 39030 | TCP | A Network Trojan was detected
2024-07-26T01:04:02.303746+0200 | 2046056 | 39030 | 49699 | TCP | A Network Trojan was detected
2024-07-26T01:04:05.540772+0200 | 2043231 | 49699 | 39030 | TCP | A Network Trojan was detected
2024-07-26T01:04:02.815760+0200 | 2043231 | 49699 | 39030 | TCP | A Network Trojan was detected
2024-07-26T01:04:08.604793+0200 | 2043231 | 49699 | 39030 | TCP | A Network Trojan was detected
2024-07-26T01:04:05.251203+0200 | 2043231 | 49699 | 39030 | TCP | A Network Trojan was detected
2024-07-26T01:04:12.488988+0200 | 2022930 | 443 | 49700 | TCP | A Network Trojan was detected
2024-07-26T01:04:08.193450+0200 | 2043231 | 49699 | 39030 | TCP | A Network Trojan was detected
2024-07-26T01:04:03.750483+0200 | 2043231 | 49699 | 39030 | TCP | A Network Trojan was detected
2024-07-26T01:04:52.569722+0200 | 2022930 | 443 | 49704 | TCP | A Network Trojan was detected
2024-07-26T01:04:06.947262+0200 | 2043231 | 49699 | 39030 | TCP | A Network Trojan was detected
2024-07-26T01:04:05.003544+0200 | 2043231 | 49699 | 39030 | TCP | A Network Trojan was detected
2024-07-26T01:04:03.351517+0200 | 2043231 | 49699 | 39030 | TCP | A Network Trojan was detected
2024-07-26T01:04:04.508584+0200 | 2043231 | 49699 | 39030 | TCP | A Network Trojan was detected
2024-07-26T01:03:56.769434+0200 | 2043234 | 39030 | 49699 | TCP | A Network Trojan was detected
2024-07-26T01:04:01.792419+0200 | 2043231 | 49699 | 39030 | TCP | A Network Trojan was detected
2024-07-26T01:04:08.009821+0200 | 2043231 | 49699 | 39030 | TCP | A Network Trojan was detected
2024-07-26T01:03:56.744640+0200 | 2043234 | 39030 | 49699 | TCP | A Network Trojan was detected
2024-07-26T01:04:03.096465+0200 | 2043231 | 49699 | 39030 | TCP | A Network Trojan was detected
2024-07-26T01:04:04.728532+0200 | 2043231 | 49699 | 39030 | TCP | A Network Trojan was detected
2024-07-26T01:03:56.368564+0200 | 2046045 | 49699 | 39030 | TCP | A Network Trojan was detected
2024-07-26T01:04:08.377618+0200 | 2043231 | 49699 | 39030 | TCP | A Network Trojan was detected
2024-07-26T01:04:02.297384+0200 | 2043231 | 49699 | 39030 | TCP | A Network Trojan was detected
2024-07-26T01:04:07.635145+0200 | 2043231 | 49699 | 39030 | TCP | A Network Trojan was detected

AV Detection

Source: file.exe | Avira: detected
Source: 00000004.00000002.1439565659.00000000030E1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "20.52.165.210:39030", "Bot Id": "LiveTraffic", "Message": "error", "Authorization Header": "143feb5082f9936e624c1e27545e7d19"}
Source: Submited Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\gp2fk5c\output.pdb. source: file.exe
Source: Binary string: C:\gp2fk5c\output.pdb source: file.exe
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00ED4596 FindFirstFileExW, 2_2_00ED4596
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00ED4980 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_00ED4980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 0638C35Fh, 4_2_0638BC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then inc dword ptr [ebp-20h], 4_2_063829F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 0638A423h, 4_2_0638A40B

Networking

Source: Malware configuration extractor | URLs: 20.52.165.210:39030
Source: global traffic | TCP traffic: 192.168.2.7:49699 -> 20.52.165.210:39030
Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: unknown | TCP traffic detected without corresponding DNS query: 20.52.165.210
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                        Source: RegAsm.exe, 00000004.00000002.1439565659.00000000030E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                        Source: RegAsm.exe, 00000004.00000002.1439565659.00000000030E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                        Source: RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                        Source: C:\Users\user\Desktop\file.exe Code function: String function: 00E8E229 appears 82 times
                        Source: C:\Users\user\Desktop\file.exe Code function: String function: 00EB86B5 appears 31 times
                        Source: C:\Users\user\Desktop\file.exe Code function: String function: 00E8E1F6 appears 125 times
                        Source: C:\Users\user\Desktop\file.exe Code function: String function: 00E8ED90 appears 66 times
                        Source: C:\Users\user\Desktop\file.exe Code function: String function: 00ECAE73 appears 33 times
                        Source: file.exe, 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenamePrefrontal.exe8 vs file.exe
                        Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/1
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\SystemCache
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: NULL
                        Source: C:\Users\user\Desktop\file.exe Command line argument: FreeConsole 2_2_00E63CAB
                        Source: C:\Users\user\Desktop\file.exe Command line argument: kernel32.dll 2_2_00E63CAB
                        Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: RegAsm.exe, 00000004.00000002.1439565659.00000000034D7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1439565659.00000000034C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                        Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                        Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                        Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwrite.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: textshaping.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: textinputframework.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: coreuicomponents.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: coremessaging.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: secur32.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windowscodecs.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32
                        Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                        Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                        Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                        Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                        Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                        Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Source: Binary string: C:\gp2fk5c\output.pdb. source: file.exe
                        Source: Binary string: C:\gp2fk5c\output.pdb source: file.exe
                        Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                        Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                        Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                        Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                        Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                        Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00E8E1C4 push ecx; ret 2_2_00E8E1D7
                        Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00E8EDE0 push ecx; ret 2_2_00E8EDF3
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0639562F push eax; ret 4_2_06395643
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0639DEB0 push es; ret 4_2_0639DEC0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_06399C79 push es; ret 4_2_06399C7C
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_06399CD9 push es; retf 4_2_06399CDC
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0639229F push es; ret 4_2_063922A0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0639E8BA push es; retn 0004h 4_2_0639E8C0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2EC0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 30E0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 1060
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 3398
                        Source: C:\Users\user\Desktop\file.exe API coverage: 5.9 %
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7500 Thread sleep time: -10145709240540247s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7268 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00ED4596 FindFirstFileExW, 2_2_00ED4596
                        Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00ED4980 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_00ED4980
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_06387908 LdrInitializeThunk, 4_2_06387908
                        Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00EB8348 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00EB8348
                        Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00EC6108 mov ecx, dword ptr fs:[00000030h] 2_2_00EC6108
                        Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00ECC90D mov eax, dword ptr fs:[00000030h] 2_2_00ECC90D
                        Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00ECC6DE mov eax, dword ptr fs:[00000030h] 2_2_00ECC6DE
                        Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00ECC7BF mov eax, dword ptr fs:[00000030h] 2_2_00ECC7BF
                        Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00ECC764 mov eax, dword ptr fs:[00000030h] 2_2_00ECC764
                        Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00ECC721 mov eax, dword ptr fs:[00000030h] 2_2_00ECC721
                        Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00ECC8C9 mov eax, dword ptr fs:[00000030h] 2_2_00ECC8C9
                        Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00ECC885 mov eax, dword ptr fs:[00000030h] 2_2_00ECC885
                        Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00ECC93E mov eax, dword ptr fs:[00000030h] 2_2_00ECC93E
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00EB8348 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00EB8348
                        Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00E8E824 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00E8E824
                        Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00E8EB85 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00E8EB85
                        Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00E8ED15 SetUnhandledExceptionFilter, 2_2_00E8ED15
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                        Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00BF018D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 2_2_00BF018D
                        Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                        Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                        Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
                        Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000
                        Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44E000
                        Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: FA3008
                        Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                        Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00E8E615 cpuid 2_2_00E8E615
                        Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 2_2_00ECA871
                        Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoEx,FormatMessageA, 2_2_00E709A7
                        Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 2_2_00ECAA02
                        Source: C:\Users\user\Desktop\file.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 2_2_00ED8C84
                        Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 2_2_00ED8E7F
                        Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 2_2_00ED8F8F
                        Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 2_2_00ED8F26
                        Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_00ED90B5
                        Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 2_2_00ED902A
                        Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoEx, 2_2_00E8D179
                        Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 2_2_00ECB32D
                        Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 2_2_00ED9308
                        Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_00ED9431
                        Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 2_2_00ED9537
                        Source: C:\Users\user\Desktop\file.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_00ED9606
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00E8EDF4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_00E8EDF4
                        Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00ED3BB7 GetTimeZoneInformation, 2_2_00ED3BB7
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                        Stealing of Sensitive Information

                        Source: Yara match File source: dump.pcap, type: PCAP
                        Source: Yara match File source: 2.2.file.exe.efcbc0.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 2.2.file.exe.efcbc0.1.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 2.2.file.exe.e60000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
                        Source: Yara match File source: 00000004.00000002.1437733005.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: file.exe PID: 7172, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7248, type: MEMORYSTR
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                        Source: Yara match File source: 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7248, type: MEMORYSTR

                        Remote Access Functionality

                        Source: Yara match File source: dump.pcap, type: PCAP
                        Source: Yara match File source: 2.2.file.exe.efcbc0.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 2.2.file.exe.efcbc0.1.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 2.2.file.exe.e60000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
                        Source: Yara match File source: 00000004.00000002.1437733005.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: file.exe PID: 7172, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7248, type: MEMORYSTR
                        | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                        |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
                        | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 411 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
                        | Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 231 Security Software Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
                        | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 241 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
                        | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 411 Process Injection | NTDS | 241 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
                        | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
                        | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                        | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 134 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |

Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | HEUR/AGEN.1316902 |
file.exe | 100% | Joe Sandbox ML | |
                        No Antivirus matches
                        No Antivirus matches
                        No Antivirus matches
                        No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
20.52.165.210:39030 | true | Avira URL Cloud: safe | unknown
                        • URL Reputation: safe
                        unknown
                        http://tempuri.org/Entity/Id10ResponseRegAsm.exe, 00000004.00000002.1439565659.00000000030E1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/RenewRegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://tempuri.org/Entity/Id11ResponseDRegAsm.exe, 00000004.00000002.1439565659.00000000033AC000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://tempuri.org/Entity/Id8ResponseRegAsm.exe, 00000004.00000002.1439565659.00000000030E1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyRegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0RegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDRegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTRegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2006/02/addressingidentityRegAsm.exe, 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://tempuri.org/Entity/Id17ResponseDRegAsm.exe, 00000004.00000002.1439565659.00000000033AC000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/soap/envelope/RegAsm.exe, 00000004.00000002.1439565659.00000000030E1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs
                        IP | Domain | Country | ASN | ASN Name | Malicious
                        20.52.165.210 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1482544
                        Start date and time:2024-07-26 01:02:55 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 5m 41s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:11
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:file.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@3/1@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 99%
                        • Number of executed functions: 139
                        • Number of non-executed functions: 180
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
                        • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                        • Not all processes were analyzed, report is missing behavior information
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                        • VT rate limit hit for: file.exe
                        Time | Type | Description
                        19:04:05 | API Interceptor | 21x Sleep call for process: RegAsm.exe modified
                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):3094
                                Entropy (8bit):5.33145931749415
                                Encrypted:false
                                SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
                                MD5:3FD5C0634443FB2EF2796B9636159CB6
                                SHA1:366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
                                SHA-256:58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
                                SHA-512:8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
                                Malicious:false
                                Reputation:high, very likely benign file
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.283234984449825
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:file.exe
                                File size:967'168 bytes
                                MD5:371d606aa2fcd2945d84a13e598da55f
                                SHA1:0f8f19169f79b3933d225a2702dc51f906de4dcd
                                SHA256:59c6d955b28461cd8d1f8f8c9a97d4f7a2e741dd62c69e67f0b71ecb3f7f040a
                                SHA512:01c5b0afd03518406fa452cbb79d452865c6daf0140f32ad4b78e51a0b786f6c19bba46a4d017dcdcc37d6edf828f0c87249964440e2abbfb42a437e1cfd91a4
                                SSDEEP:24576:TwGArtsJR9XoZ6vuES4K316MxyeV+xQQjTP6hW:TxJR9XoZ6vPMUeVjeb
                                TLSH:FD25CF2139C08036C77220320A68E3BA9BFEF8311F1556DF57E85A7E6F389C15B2565B
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........xl...?...?...?W..>...?W..>...?W..>...?F..>...?W..>...?...?...?F..>...?F..>...?w..>...?w..?...?w..>...?Rich...?........PE..L..
                                Icon Hash:00928e8e8686b000
                                Entrypoint:0x42e1ba
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                Time Stamp:0x669EB393 [Mon Jul 22 19:31:31 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:6
                                OS Version Minor:0
                                File Version Major:6
                                File Version Minor:0
                                Subsystem Version Major:6
                                Subsystem Version Minor:0
                                Import Hash:af0f88358390a4f58963b26bacea4505
                                Instruction
                                call 00007F19E4F9D6E7h
                                jmp 00007F19E4F9C888h
                                mov ecx, dword ptr [ebp-0Ch]
                                mov dword ptr fs:[00000000h], ecx
                                pop ecx
                                pop edi
                                pop edi
                                pop esi
                                pop ebx
                                mov esp, ebp
                                pop ebp
                                push ecx
                                ret
                                mov ecx, dword ptr [ebp-10h]
                                xor ecx, ebp
                                call 00007F19E4F9C293h
                                jmp 00007F19E4F9CA42h
                                mov ecx, dword ptr [ebp-14h]
                                xor ecx, ebp
                                call 00007F19E4F9C284h
                                jmp 00007F19E4F9CA33h
                                push eax
                                push dword ptr fs:[00000000h]
                                lea eax, dword ptr [esp+0Ch]
                                sub esp, dword ptr [esp+0Ch]
                                push ebx
                                push esi
                                push edi
                                mov dword ptr [eax], ebp
                                mov ebp, eax
                                mov eax, dword ptr [0049C100h]
                                xor eax, ebp
                                push eax
                                push dword ptr [ebp-04h]
                                mov dword ptr [ebp-04h], FFFFFFFFh
                                lea eax, dword ptr [ebp-0Ch]
                                mov dword ptr fs:[00000000h], eax
                                ret
                                push eax
                                push dword ptr fs:[00000000h]
                                lea eax, dword ptr [esp+0Ch]
                                sub esp, dword ptr [esp+0Ch]
                                push ebx
                                push esi
                                push edi
                                mov dword ptr [eax], ebp
                                mov ebp, eax
                                mov eax, dword ptr [0049C100h]
                                xor eax, ebp
                                push eax
                                mov dword ptr [ebp-10h], eax
                                push dword ptr [ebp-04h]
                                mov dword ptr [ebp-04h], FFFFFFFFh
                                lea eax, dword ptr [ebp-0Ch]
                                mov dword ptr fs:[00000000h], eax
                                ret
                                push eax
                                push dword ptr fs:[00000000h]
                                lea eax, dword ptr [esp+0Ch]
                                sub esp, dword ptr [esp+0Ch]
                                push ebx
                                push esi
                                push edi
                                mov dword ptr [eax], ebp
                                mov ebp, eax
                                mov eax, dword ptr [0049C100h]
                                xor eax, ebp
                                push eax
                                mov dword ptr [ebp-10h], esp
                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9aa90 | 0x3c | .rdata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xeb000 | 0x1e0 | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xec000 | 0x50dc | .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x931b0 | 0x54 | .rdata
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x932c0 | 0x18 | .rdata
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x930f0 | 0x40 | .rdata
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x89000 | 0x218 | .rdata
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x1000 | 0x870f6 | 0x87200 | 81c7594450573996ac37f6ee2bcd9e28 | False | 0.42069336840888066 | data | 6.670524803941736 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .rdata | 0x89000 | 0x1276c | 0x12800 | 213c7947ba358e8550c48ab5fdb49b88 | False | 0.3732712204391892 | data | 4.728875099210412 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .data | 0x9c000 | 0x4e7f8 | 0x4d000 | 5e9f02d14cdcd007910f52e422aaf1ce | False | 0.9744730367288961 | data | 7.981335027566462 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .rsrc | 0xeb000 | 0x1e0 | 0x200 | 4a10ea50c40631a3a0cd442b72e37be8 | False | 0.53125 | data | 4.7176788329467545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc | 0xec000 | 0x50dc | 0x5200 | 8893855a45bd0375fa52415c7691b2db | False | 0.7245141006097561 | data | 6.621373951024678 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                RT_MANIFEST | 0xeb060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
                                DLL | Import
                                USER32.dll | OffsetRect
                                KERNEL32.dll | GetCPInfo, CreateFileW, WaitForSingleObject, GetModuleHandleA, SwitchToFiber, CreateThread, GetProcAddress, VirtualAllocEx, RaiseException, RtlCaptureStackBackTrace, GetCurrentThreadId, IsProcessorFeaturePresent, GetLastError, FreeLibraryWhenCallbackReturns, CreateThreadpoolWork, SubmitThreadpoolWork, CloseThreadpoolWork, GetModuleHandleExW, WakeConditionVariable, WakeAllConditionVariable, SleepConditionVariableSRW, InitOnceComplete, InitOnceBeginInitialize, FormatMessageA, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, CloseHandle, WaitForSingleObjectEx, Sleep, SwitchToThread, GetExitCodeThread, GetNativeSystemInfo, QueryPerformanceCounter, QueryPerformanceFrequency, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LocalFree, GetLocaleInfoEx, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, SetFileInformationByHandle, GetTempPathW, InitOnceExecuteOnce, CreateEventExW, CreateSemaphoreExW, FlushProcessWriteBuffers, GetCurrentProcessorNumber, GetSystemTimeAsFileTime, GetTickCount64, CreateThreadpoolTimer, SetThreadpoolTimer, WaitForThreadpoolTimerCallbacks, CloseThreadpoolTimer, CreateThreadpoolWait, SetThreadpoolWait, CloseThreadpoolWait, GetModuleHandleW, GetFileInformationByHandleEx, CreateSymbolicLinkW, GetStringTypeW, CompareStringEx, WriteConsoleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsDebuggerPresent, GetStartupInfoW, GetCurrentProcessId, InitializeSListHead, HeapSize, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, ExitProcess, GetModuleFileNameW, GetStdHandle, WriteFile, SetConsoleCtrlHandler, HeapAlloc, HeapFree, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, GetCurrentThread, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, GetTimeZoneInformation, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetProcessHeap, OutputDebugStringW, SetStdHandle
                                Language of compilation system | Country where language is spoken
                                English | United States
                                Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                                2024-07-26T01:04:03.743125+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49699 | 39030 | 192.168.2.7 | 20.52.165.210
                                2024-07-26T01:04:07.269284+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49699 | 39030 | 192.168.2.7 | 20.52.165.210
                                2024-07-26T01:04:07.452766+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49699 | 39030 | 192.168.2.7 | 20.52.165.210
                                2024-07-26T01:04:07.817243+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49699 | 39030 | 192.168.2.7 | 20.52.165.210
                                2024-07-26T01:04:05.757590+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49699 | 39030 | 192.168.2.7 | 20.52.165.210
                                2024-07-26T01:04:06.758090+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49699 | 39030 | 192.168.2.7 | 20.52.165.210
                                2024-07-26T01:04:02.303746+0200 | TCP | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 39030 | 49699 | 20.52.165.210 | 192.168.2.7
                                2024-07-26T01:04:05.540772+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49699 | 39030 | 192.168.2.7 | 20.52.165.210
                                2024-07-26T01:04:02.815760+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49699 | 39030 | 192.168.2.7 | 20.52.165.210
                                2024-07-26T01:04:08.604793+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49699 | 39030 | 192.168.2.7 | 20.52.165.210
                                2024-07-26T01:04:05.251203+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49699 | 39030 | 192.168.2.7 | 20.52.165.210
                                2024-07-26T01:04:12.488988+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49700 | 20.12.23.50 | 192.168.2.7
                                2024-07-26T01:04:08.193450+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49699 | 39030 | 192.168.2.7 | 20.52.165.210
                                2024-07-26T01:04:03.750483+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49699 | 39030 | 192.168.2.7 | 20.52.165.210
                                2024-07-26T01:04:52.569722+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49704 | 20.12.23.50 | 192.168.2.7
                                2024-07-26T01:04:06.947262+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49699 | 39030 | 192.168.2.7 | 20.52.165.210
                                2024-07-26T01:04:05.003544+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49699 | 39030 | 192.168.2.7 | 20.52.165.210
                                2024-07-26T01:04:03.351517+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49699 | 39030 | 192.168.2.7 | 20.52.165.210
                                2024-07-26T01:04:04.508584+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49699 | 39030 | 192.168.2.7 | 20.52.165.210
                                2024-07-26T01:03:56.769434+0200 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 39030 | 49699 | 20.52.165.210 | 192.168.2.7
                                2024-07-26T01:04:01.792419+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49699 | 39030 | 192.168.2.7 | 20.52.165.210
                                2024-07-26T01:04:08.009821+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49699 | 39030 | 192.168.2.7 | 20.52.165.210
                                2024-07-26T01:03:56.744640+0200 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 39030 | 49699 | 20.52.165.210 | 192.168.2.7
                                2024-07-26T01:04:03.096465+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49699 | 39030 | 192.168.2.7 | 20.52.165.210
                                2024-07-26T01:04:04.728532+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49699 | 39030 | 192.168.2.7 | 20.52.165.210
                                2024-07-26T01:03:56.368564+0200 | TCP | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49699 | 39030 | 192.168.2.7 | 20.52.165.210
                                2024-07-26T01:04:08.377618+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49699 | 39030 | 192.168.2.7 | 20.52.165.210
                                2024-07-26T01:04:02.297384+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49699 | 39030 | 192.168.2.7 | 20.52.165.210
                                2024-07-26T01:04:07.635145+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49699 | 39030 | 192.168.2.7 | 20.52.165.210
                                Jul 26, 2024 01:04:03.637892008 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.679066896 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.743124962 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.750411034 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.750427961 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.750438929 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.750442982 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.750483036 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.750529051 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.750637054 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.750689983 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.752526999 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.752592087 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.752742052 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.752752066 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.752756119 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.752844095 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.754976988 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.754987001 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.755001068 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.755011082 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.755021095 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.755045891 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.755076885 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.756575108 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.756586075 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.756656885 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.756818056 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.756867886 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.759176970 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.759187937 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.759196997 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.759207010 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.759249926 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.759291887 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.761181116 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.761246920 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.761282921 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.761365891 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.761614084 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.761670113 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.763545990 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.763556004 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.763567924 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.763580084 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.763590097 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.763597012 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.763618946 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.763638973 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.763777018 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.763787985 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.763792038 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.763802052 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.763812065 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.763820887 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.763834953 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.763839960 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.764417887 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.765866041 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.765979052 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.765988111 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.766000032 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.766010046 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.766021013 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.766030073 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.766093016 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.766303062 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.766449928 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.766459942 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.766505957 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.766525030 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.766535997 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.766555071 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.766563892 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.766567945 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.766571999 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.766582966 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.766596079 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.766624928 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.766885042 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.766938925 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.767724037 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.767808914 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.767822981 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.767832994 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.767843008 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.767857075 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.767915964 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.767940998 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.767950058 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.767961979 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.767970085 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.768209934 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.768346071 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.768356085 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.768364906 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.768379927 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.768501043 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.768510103 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.768518925 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.768528938 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.768538952 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.768551111 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.769392967 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.769855976 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.769865990 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.769874096 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.770128012 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.770256042 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.770266056 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.770275116 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.770288944 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.770301104 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.770311117 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.770320892 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.770329952 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.770437956 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.771389008 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.771399021 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.771460056 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.771537066 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.771548033 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.771780968 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.771842003 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.773236036 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.773247004 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.773256063 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.773262978 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.773267031 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.773269892 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.773407936 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.773417950 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.773426056 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.773437977 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.773449898 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.773459911 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.773519039 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.773529053 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.773598909 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.773607969 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.773619890 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.773791075 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.773801088 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.773809910 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.773914099 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.773924112 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.773935080 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.773945093 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.773957968 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.773967028 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.775067091 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.775078058 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.775087118 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.775156021 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.775163889 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.775173903 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.775183916 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.775221109 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.775229931 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.775238037 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.775248051 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.775329113 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.775338888 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.775348902 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.775362015 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.775373936 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.775383949 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.775394917 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.775403976 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.776300907 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.776335001 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.776458025 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.776468039 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.776479006 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.776504040 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.776514053 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.776524067 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.776740074 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.776979923 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.777034044 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.778073072 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778199911 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778208971 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778225899 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778234959 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778296947 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778306007 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778314114 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778326988 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778336048 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778345108 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778476954 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778486013 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778496027 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778506041 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778527021 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778536081 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778544903 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778553963 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778563976 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778573036 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778582096 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778682947 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778692961 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778702974 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778713942 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778723001 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778732061 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778736115 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778744936 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778753996 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778765917 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778774977 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.778785944 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.779025078 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.779887915 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.779896975 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.779906988 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.779917002 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.779936075 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.779944897 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.779954910 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.779966116 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.779975891 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.779984951 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.779994965 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.780016899 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.780021906 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.780025005 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.780034065 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.780045033 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.780055046 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.780065060 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.780404091 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.780625105 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.780683041 CEST4969939030192.168.2.720.52.165.210
                                Jul 26, 2024 01:04:03.783916950 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.783927917 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.784040928 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.784049988 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.784059048 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.784122944 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.784132957 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.784145117 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.784153938 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.784162998 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.784229040 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.784239054 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.784250021 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.784264088 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.784272909 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.784343958 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.784353971 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.784372091 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.784382105 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.784393072 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.784682989 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.784693956 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.785098076 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.785108089 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.785118103 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.785126925 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.785193920 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.785203934 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.785213947 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.785223961 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.785234928 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.785245895 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.785265923 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.785275936 CEST390304969920.52.165.210192.168.2.7
                                Jul 26, 2024 01:04:03.785286903 CEST390304969920.52.165.210192.168.2.7


                                Target ID: 2
                                Start time: 19:03:52
                                Start date: 25/07/2024
                                Path: C:\Users\user\Desktop\file.exe
                                Wow64 process (32bit): true
                                Commandline: "C:\Users\user\Desktop\file.exe"
                                Imagebase: 0xe60000
                                File size: 967'168 bytes
                                MD5 hash: 371D606AA2FCD2945D84A13E598DA55F
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security
                                Reputation: low
                                Has exited: true

                                Target ID: 4
                                Start time: 19:03:52
                                Start date: 25/07/2024
                                Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                Wow64 process (32bit): true
                                Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                Imagebase: 0xd60000
                                File size: 65'440 bytes
                                MD5 hash: 0D5DF43AF2916F47D00C1573797C1A13
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.1437733005.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1439565659.0000000003175000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation: high
                                Has exited: true


                                  Execution Graph

                                  Execution Coverage: 0.5%
                                  Dynamic/Decrypted Code Coverage: 2.8%
                                  Signature Coverage: 7.9%
                                  Total number of Nodes: 216
                                  Total number of Limit Nodes: 10

                                  Control-flow Graph

                                  APIs
                                  • CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00BF00FF,00BF00EF), ref: 00BF02FC
                                  • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00BF030F
                                  • Wow64GetThreadContext.KERNEL32(00000110,00000000), ref: 00BF032D
                                  • ReadProcessMemory.KERNELBASE(00000114,?,00BF0143,00000004,00000000), ref: 00BF0351
                                  • VirtualAllocEx.KERNELBASE(00000114,?,?,00003000,00000040), ref: 00BF037C
                                  • WriteProcessMemory.KERNELBASE(00000114,00000000,?,?,00000000,?), ref: 00BF03D4
                                  • WriteProcessMemory.KERNELBASE(00000114,00400000,?,?,00000000,?,00000028), ref: 00BF041F
                                  • WriteProcessMemory.KERNELBASE(00000114,-00000008,?,00000004,00000000), ref: 00BF045D
                                  • Wow64SetThreadContext.KERNEL32(00000110,00E40000), ref: 00BF0499
                                  • ResumeThread.KERNELBASE(00000110), ref: 00BF04A8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289097178.0000000000BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_bf0000_file.jbxd
                                  Similarity
                                  • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
                                  • API String ID: 2687962208-1257834847
                                  • Opcode ID: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
                                  • Instruction ID: c9c4a05d190fdf394d130f3ace8b08b5078c322451d39b00107f3baae28d6fb4
                                  • Opcode Fuzzy Hash: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
                                  • Instruction Fuzzy Hash: 52B1F67260024AAFDB60CF68CC80BDA73A5FF88714F158164EA0CAB352D770FA418B94

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 199 ecc90d-ecc925 GetPEB 200 ecc936-ecc938 199->200 201 ecc927-ecc92b call ecafd3 199->201 203 ecc939-ecc93d 200->203 204 ecc930-ecc934 201->204 204->200 204->203
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ,;
                                  • API String ID: 0-2433392739
                                  • Opcode ID: d9d4e2dfcbfd14504dd5c583896d366168cbc076de7f7db6caaae018fb7c7fb6
                                  • Instruction ID: 974177b534bf81b74b5fa06e9255347b7a0aa0dadff57628e7a5ea3917873004
                                  • Opcode Fuzzy Hash: d9d4e2dfcbfd14504dd5c583896d366168cbc076de7f7db6caaae018fb7c7fb6
                                  • Instruction Fuzzy Hash: 57E04F72911168EBC715DB8C8A04E8AB2ECE784B14B15415AF505E3200C271DE02C7D0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 227 ec6108 call ecc90d 229 ec610d-ec6110 227->229 230 ec6127-ec6129 229->230 231 ec6112-ec6122 GetPEB 229->231 231->230 232 ec6124-ec6126 231->232
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1de4bcb73b141b582b0cb571b4a911e1f54f3f8ffa2eb27b21d741e3114bb213
                                  • Instruction ID: 10ea4666c059237762465b36278900b36c755d215784b5896e8d3494ad6375f7
                                  • Opcode Fuzzy Hash: 1de4bcb73b141b582b0cb571b4a911e1f54f3f8ffa2eb27b21d741e3114bb213
                                  • Instruction Fuzzy Hash: 62C0127800298046CE2989109771FA63394A391B8AF98348CC40A1AA42C52B9C83DA00

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 23 ecada8-ecadb4 24 ecae46-ecae49 23->24 25 ecae4f 24->25 26 ecadb9-ecadca 24->26 27 ecae51-ecae55 25->27 28 ecadcc-ecadcf 26->28 29 ecadd7-ecadf0 LoadLibraryExW 26->29 30 ecae6f-ecae71 28->30 31 ecadd5 28->31 32 ecae56-ecae66 29->32 33 ecadf2-ecadfb GetLastError 29->33 30->27 35 ecae43 31->35 32->30 34 ecae68-ecae69 FreeLibrary 32->34 36 ecadfd-ecae0f call eca0d8 33->36 37 ecae34-ecae41 33->37 34->30 35->24 36->37 40 ecae11-ecae23 call eca0d8 36->40 37->35 40->37 43 ecae25-ecae32 LoadLibraryExW 40->43 43->32 43->37
                                  APIs
                                  • FreeLibrary.KERNEL32(00000000), ref: 00ECAE69
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FreeLibrary
                                  • String ID: ,;$api-ms-$ext-ms-
                                  • API String ID: 3664257935-359346959
                                  • Opcode ID: 9dae17f61cb3af3deaf20acfb3591ebfd16a58082b9246c4a3bd826643c47c1e
                                  • Instruction ID: 53572b6f9dff9096321979b971efa24f8eab687dfec44284e182b27d6570a570
                                  • Opcode Fuzzy Hash: 9dae17f61cb3af3deaf20acfb3591ebfd16a58082b9246c4a3bd826643c47c1e
                                  • Instruction Fuzzy Hash: 81215B31A0221DAFCB219B21AD84F9E3758AB1176CF191138FD02B7380E732ED46C6D2

                                  Control-flow Graph

                                  APIs
                                  • ___security_init_cookie.LIBCMT ref: 00E8DFDD
                                    • Part of subcall function 00E8EE41: ___get_entropy.LIBCMT ref: 00E8EE5B
                                  • ___scrt_release_startup_lock.LIBCMT ref: 00E8E079
                                  • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 00E8E08D
                                  • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 00E8E0B3
                                  • ___scrt_uninitialize_crt.LIBCMT ref: 00E8E0F6
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___scrt_is_nonwritable_in_current_image$___get_entropy___scrt_release_startup_lock___scrt_uninitialize_crt___security_init_cookie
                                  • String ID:
                                  • API String ID: 2539496024-0
                                  • Opcode ID: 4bee7ad38710058a1edeb4697331562c4b7ad88371ab2fbd6c3e52b0c82211f8
                                  • Instruction ID: dd06e339e1bc124da2a8caf7fdf95679f019fdf7824e6faabf67c5b737bcc05f
                                  • Opcode Fuzzy Hash: 4bee7ad38710058a1edeb4697331562c4b7ad88371ab2fbd6c3e52b0c82211f8
                                  • Instruction Fuzzy Hash: 5931F431689355AADB247B74AC07BAE77E19F52768F24342DF48E7B3E3CA6248018350

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000002,,;,00EC6085,00E9C3E7,00E9C3E7,?,00000002,AB1BDD2F,00E9C3E7,00000002), ref: 00EC609C
                                  • TerminateProcess.KERNEL32(00000000), ref: 00EC60A3
                                  • ExitProcess.KERNEL32 ref: 00EC60B5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CurrentExitTerminate
                                  • String ID: ,;
                                  • API String ID: 1703294689-2433392739
                                  • Opcode ID: 42d5974a99e456d5950dc6893f5dbca10e75cb650633f7a7c854f1791c9a252b
                                  • Instruction ID: 55dee2cff46369925a850cf49d12684caf27c8785f83b308baaaeff10f78e43e
                                  • Opcode Fuzzy Hash: 42d5974a99e456d5950dc6893f5dbca10e75cb650633f7a7c854f1791c9a252b
                                  • Instruction Fuzzy Hash: 5DD09E31001149BFCF112F62DD4ED8A3FA9EF413567069058B90979073DF369D57DA80

                                  Control-flow Graph

                                  APIs
                                  • VirtualAllocEx.KERNELBASE(000000FF,00000000,000004AC,00001000,j@h,?,0000000006:1@0000000005:@), ref: 00E63B50
                                    • Part of subcall function 00E63A4A: _Deallocate.LIBCONCRT ref: 00E63AF7
                                    • Part of subcall function 00E63663: OffsetRect.USER32(00000000,00000000,00000000), ref: 00E63734
                                    • Part of subcall function 00E64C6D: _Deallocate.LIBCONCRT ref: 00E64C7C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Deallocate$AllocOffsetRectVirtual
                                  • String ID: 0000000006:1@0000000005:@$j@h
                                  • API String ID: 1123492211-1644150196
                                  • Opcode ID: 2776a9165ab9f2e6d5719948eb0e7f80dcfd549a89d0171ab3b0481ae629b5f2
                                  • Instruction ID: 48e92cd33be25be22d2ae827a0dcff78c8b3c32fc35b485c09bd995e32b269ed
                                  • Opcode Fuzzy Hash: 2776a9165ab9f2e6d5719948eb0e7f80dcfd549a89d0171ab3b0481ae629b5f2
                                  • Instruction Fuzzy Hash: F701D471A402086ADB04FB75FC43FAF77B4AB85B50F205129F116B61C2DE749A058369

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 135 e66e45-e66e4a 136 e69e27-e69e63 call e69a7a call e90044 call e69ab7 call e90044 135->136 137 e66e50-e66e52 call e63bd5 135->137 140 e66e55-e66e57 137->140 140->136
                                  APIs
                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00E69E50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::invalid_argument::invalid_argument
                                  • String ID: h@n$hPm
                                  • API String ID: 2141394445-800802255
                                  • Opcode ID: 86c04abeab33db3bdd53c2031b16f2467d01881d264f55d15933f22255b368a1
                                  • Instruction ID: ddf421c517229857ef2a769139a2da70f8ff15102e26586a74a3c7cbfc864ab2
                                  • Opcode Fuzzy Hash: 86c04abeab33db3bdd53c2031b16f2467d01881d264f55d15933f22255b368a1
                                  • Instruction Fuzzy Hash: 47E09B7490020C7BCF04FBF4E446DDD77FDAE04340F405464BA15B7552EB71AA09C691

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 148 ecae73-ecae9b 149 ecae9d-ecae9f 148->149 150 ecaea1-ecaea3 148->150 151 ecaef2-ecaef5 149->151 152 ecaea9-ecaeb0 call ecada8 150->152 153 ecaea5-ecaea7 150->153 155 ecaeb5-ecaeb9 152->155 153->151 156 ecaed8-ecaeef 155->156 157 ecaebb-ecaec9 GetProcAddress 155->157 159 ecaef1 156->159 157->156 158 ecaecb-ecaed6 call ec7874 157->158 158->159 159->151
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ,;
                                  • API String ID: 0-2433392739
                                  • Opcode ID: 42a7c6133a38f60e8b2c3bf0a652704424dc7920f31e5bcdd8332887c5050b52
                                  • Instruction ID: c3434d7fc353aa193ae334075180d452410058d5b4f9c49c3b9ce93c59749f9b
                                  • Opcode Fuzzy Hash: 42a7c6133a38f60e8b2c3bf0a652704424dc7920f31e5bcdd8332887c5050b52
                                  • Instruction Fuzzy Hash: 7B01493364022D5F9B118E6AED40E9A33D6EBC03283285138F900EB044DA32CC9397C1

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 162 e63bd5-e63bf0 CreateThread WaitForSingleObject
                                  APIs
                                  • CreateThread.KERNELBASE(00000000,00000000,Function_00003B0D,00000000,00000000,00000000), ref: 00E63BE1
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00E63BEA
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateObjectSingleThreadWait
                                  • String ID:
                                  • API String ID: 1891408510-0
                                  • Opcode ID: 688e1fdc54a6706c67146b39289377a126635a389f784b1630330b6b1cd0e80f
                                  • Instruction ID: 42d627adcedb5908104d0084df61da4194acf693df5a0ef5c40a1c8d67c93fe6
                                  • Opcode Fuzzy Hash: 688e1fdc54a6706c67146b39289377a126635a389f784b1630330b6b1cd0e80f
                                  • Instruction Fuzzy Hash: 82C092F09442487EFE1057B27D4CC773A9CEB003313500B107D21F51E5CA648C088630

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 171 e67ce3-e67d03 call e8e25f call e67e6d 176 e67d05-e67d16 171->176 177 e67d18-e67d21 call e67e9b 171->177 181 e67d3a-e67d3f call e8e1c4 176->181 180 e67d26-e67d35 call e69018 177->180 180->181
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: H_prolog3_catch
                                  • String ID:
                                  • API String ID: 3886170330-0
                                  • Opcode ID: bfd5e69eb9bde9674e12df5085a3900dda26cbf765e4576b65f1b1a301207202
                                  • Instruction ID: d8e427a203da3a0aee8232e42883934e101948105e50b575db2ccf88c7c16934
                                  • Opcode Fuzzy Hash: bfd5e69eb9bde9674e12df5085a3900dda26cbf765e4576b65f1b1a301207202
                                  • Instruction Fuzzy Hash: 2AF0F074A442058BDB14EB84D802BADB3B1EF85318F209648B9157B3D2CB722E01CB90
                                  APIs
                                  • DName::DName.LIBVCRUNTIME ref: 00E95A3D
                                  • operator+.LIBVCRUNTIME ref: 00E95A57
                                  • DName::operator+.LIBCMT ref: 00E95B85
                                  • DName::operator+.LIBCMT ref: 00E95BA2
                                    • Part of subcall function 00E96DBB: DName::DName.LIBVCRUNTIME ref: 00E96DFE
                                  • DName::operator+.LIBCMT ref: 00E95C56
                                  • DName::operator+.LIBCMT ref: 00E95C65
                                    • Part of subcall function 00E9B53B: DName::operator+.LIBCMT ref: 00E9B57F
                                    • Part of subcall function 00E9B53B: DName::operator+.LIBCMT ref: 00E9B58B
                                    • Part of subcall function 00E9B53B: DName::operator+.LIBCMT ref: 00E9B606
                                    • Part of subcall function 00E9B53B: DName::operator+=.LIBCMT ref: 00E9B649
                                  • DName::operator+.LIBCMT ref: 00E95BF1
                                    • Part of subcall function 00E957AD: DName::operator=.LIBVCRUNTIME ref: 00E957CE
                                    • Part of subcall function 00E95755: shared_ptr.LIBCMT ref: 00E95771
                                    • Part of subcall function 00E974B7: shared_ptr.LIBCMT ref: 00E9755D
                                  • DName::operator+.LIBCMT ref: 00E961CF
                                  • DName::operator+.LIBCMT ref: 00E961EB
                                  • DName::operator+.LIBCMT ref: 00E9648A
                                    • Part of subcall function 00E95644: DName::operator+.LIBCMT ref: 00E95665
                                  • API ID: Name::operator+$NameName::shared_ptr$Name::operator+=Name::operator=operator+
                                  • String ID: /
                                  • API String ID: 848932493-2043925204
                                  APIs
                                  • __EH_prolog3_catch_GS.LIBCMT ref: 00E63CB2
                                  • GetModuleHandleA.KERNEL32(kernel32.dll,FreeConsole,00000030), ref: 00E63CC5
                                  • GetProcAddress.KERNEL32(00000000), ref: 00E63CCC
                                  • SwitchToFiber.KERNEL32(00000000), ref: 00E63DFA
                                  • API ID: AddressFiberH_prolog3_catch_HandleModuleProcSwitch
                                  • String ID: FreeConsole$kernel32.dll
                                  • API String ID: 4208805470-2564406000
                                  APIs
                                  • API ID: __floor_pentium4
                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                  • API String ID: 4168288129-2761157908
                                  APIs
                                  • GetLocaleInfoW.KERNEL32(?,2000000B,00ED974F,00000002,00000000,?,?,?,00ED974F,?,00000000), ref: 00ED94CA
                                  • GetLocaleInfoW.KERNEL32(?,20001004,00ED974F,00000002,00000000,?,?,?,00ED974F,?,00000000), ref: 00ED94F3
                                  • GetACP.KERNEL32(?,?,00ED974F,?,00000000), ref: 00ED9508
                                  • API ID: InfoLocale
                                  • String ID: ACP$OCP
                                  • API String ID: 2299586839-711371036
                                  APIs
                                    • Part of subcall function 00ECC3E7: GetLastError.KERNEL32(?,00000008,00ECA5D6), ref: 00ECC3EB
                                    • Part of subcall function 00ECC3E7: SetLastError.KERNEL32(00000000,00E9C3B4,00000016,00EA86AB), ref: 00ECC48D
                                  • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00ED9712
                                  • IsValidCodePage.KERNEL32(00000000), ref: 00ED975B
                                  • IsValidLocale.KERNEL32(?,00000001), ref: 00ED976A
                                  • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00ED97B2
                                  • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00ED97D1
                                  • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                  • String ID:
                                  • API String ID: 415426439-0
                                  APIs
                                    • Part of subcall function 00ECC3E7: GetLastError.KERNEL32(?,00000008,00ECA5D6), ref: 00ECC3EB
                                    • Part of subcall function 00ECC3E7: SetLastError.KERNEL32(00000000,00E9C3B4,00000016,00EA86AB), ref: 00ECC48D
                                  • GetACP.KERNEL32(?,?,?,?,?,?,00EC8CB2,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00ED8D45
                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00EC8CB2,?,?,?,00000055,?,-00000050,?,?), ref: 00ED8D70
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00ED8ED3
                                  • API ID: ErrorLast$CodeInfoLocalePageValid
                                  • String ID: utf8
                                  • API String ID: 607553120-905460609
                                  APIs
                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00E69E75), ref: 00EB8440
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00E69E75), ref: 00EB844A
                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00E69E75), ref: 00EB8457
                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                  • String ID: ,;
                                  • API String ID: 3906539128-2433392739
                                  APIs
                                  • API ID: _strrchr
                                  • String ID:
                                  • API String ID: 3213747228-0
                                  APIs
                                  • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,00000000,?,00000000), ref: 00ED4A1B
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00ED4A96
                                  • FindClose.KERNEL32(00000000), ref: 00ED4AB8
                                  • FindClose.KERNEL32(00000000), ref: 00ED4ADB
                                  • API ID: Find$CloseFile$FirstNext
                                  • String ID:
                                  • API String ID: 1164774033-0
                                  APIs
                                  • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00E8EB91
                                  • IsDebuggerPresent.KERNEL32 ref: 00E8EC5D
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E8EC76
                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 00E8EC80
                                  • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                  • String ID:
                                  • API String ID: 254469556-0
                                  APIs
                                  • GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,?,00000002), ref: 00E709BB
                                  • FormatMessageA.KERNEL32(00001300,00000000,?,?,?,00000000,00000000), ref: 00E709E2
                                  • API ID: FormatInfoLocaleMessage
                                  • String ID: !x-sys-default-locale
                                  • API String ID: 4235545615-2729719199
                                  APIs
                                    • Part of subcall function 00ECC3E7: GetLastError.KERNEL32(?,00000008,00ECA5D6), ref: 00ECC3EB
                                    • Part of subcall function 00ECC3E7: SetLastError.KERNEL32(00000000,00E9C3B4,00000016,00EA86AB), ref: 00ECC48D
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00ED9109
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00ED9153
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00ED9219
                                  • API ID: InfoLocale$ErrorLast
                                  • String ID:
                                  • API String ID: 661929714-0
                                  • API ID:
                                  • String ID: 0$3~
                                  • API String ID: 0-2959131182
                                  • Opcode ID: cfdadf50e70be986a1c0ec1d5cca69f7c2533ab837ecbc1abb012f0f7174d7bf
                                  • Instruction ID: 619b79259af93b718f7ab31cf437c550dc1fbeaa9c94836d4abb02126145dc92
                                  • Opcode Fuzzy Hash: cfdadf50e70be986a1c0ec1d5cca69f7c2533ab837ecbc1abb012f0f7174d7bf
                                  • Instruction Fuzzy Hash: F5B1BE74A0060ACBCB24DFE8C580ABFB7F1AF5E708B506529D456BB2A1D730BD46CB51
                                  APIs
                                  • API ID: __floor_pentium4
                                  • String ID:
                                  • API String ID: 4168288129-0
                                  • Opcode ID: 8c49c1d23cbd5706bd2d47d7f4ceff623f3dca042ac1061cd6994a29346d8a69
                                  • Instruction ID: 6071ce50fface722048743cdc52de05d8e1cfffb62d52538e3243892b387547a
                                  • Opcode Fuzzy Hash: 8c49c1d23cbd5706bd2d47d7f4ceff623f3dca042ac1061cd6994a29346d8a69
                                  • Instruction Fuzzy Hash: C0B20671E086298FDB658E28DD407EAB3B5EB88305F1551EBD84DF7240E774AE828F41
                                  APIs
                                  • GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00ED3FFC,00000000,00000000,00000000), ref: 00ED3EBB
                                  • API ID: InformationTimeZone
                                  • String ID:
                                  • API String ID: 565725191-0
                                  • Opcode ID: 27681d0f7fc4ee9b94d784496c13014c98ab900b97a6ca51f861733aacafe9cf
                                  • Instruction ID: 90e584b78470fb02fe800cdf439fd7ec3871d44d3888f9f5e6b768281e5363e6
                                  • Opcode Fuzzy Hash: 27681d0f7fc4ee9b94d784496c13014c98ab900b97a6ca51f861733aacafe9cf
                                  • Instruction Fuzzy Hash: 29C11772900215AFDB20AB74DC02AAEBBB9EF54714F155067F905BB381E7308F42DB92
                                  APIs
                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000000), ref: 00ED281F
                                  • API ID: ExceptionRaise
                                  • String ID:
                                  • API String ID: 3997070919-0
                                  • Opcode ID: c8e8a19fe47bb05aa1949dc621bc464a3987facf7f08d27d4de95f3da2a27d1f
                                  • Instruction ID: 4089dda3007208539054b6acfba25a675ef81c79110b409856e0cdfbe800ce22
                                  • Opcode Fuzzy Hash: c8e8a19fe47bb05aa1949dc621bc464a3987facf7f08d27d4de95f3da2a27d1f
                                  • Instruction Fuzzy Hash: 4AB15C35610609CFD729CF28C486BA47BA0FF54368F25965EE999DF3A1C335E982CB40
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 13c45efd899e6ed197a7540ffdaa32a01d1700d7c1b21f540196201cc2b1b1a4
                                  • Instruction ID: 12ecd18517ea55941198c7247c49219d13084d376490bde34a4df697fbdd6ae9
                                  • Opcode Fuzzy Hash: 13c45efd899e6ed197a7540ffdaa32a01d1700d7c1b21f540196201cc2b1b1a4
                                  • Instruction Fuzzy Hash: 1A51D5B5800219AFDB24DF79CC89EAAB7B9EF55304F14519EF419E3341EA319E418F50
                                  APIs
                                  • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00E8E62B
                                  • API ID: FeaturePresentProcessor
                                  • String ID:
                                  • API String ID: 2325560087-0
                                  • Opcode ID: 4e744ade1fa6207366bc6e2ecbcbd4c0664cda6de7e38c69430ee46a4dc3cd3f
                                  • Instruction ID: 4bad45c009bd09363ca330ee3e4d60b4ebd78f719a11a37b8e6632f118cb7564
                                  • Opcode Fuzzy Hash: 4e744ade1fa6207366bc6e2ecbcbd4c0664cda6de7e38c69430ee46a4dc3cd3f
                                  • Instruction Fuzzy Hash: C4517BB1A01609CFEB14CF69D9856AABBF0FB58314F24846AD40AFB360E3759D54CF50
                                  Strings
                                  • API ID:
                                  • String ID: 0
                                  • API String ID: 0-4108050209
                                  • Opcode ID: 827a9dbfabecf59146038d524b3f14e915ebf41d8d74085bc7c5925a0d782934
                                  • Instruction ID: 5adf6c0308738cb015191003e01e6f0247a5d2a73cf84fb1790f3e54b798a16b
                                  • Opcode Fuzzy Hash: 827a9dbfabecf59146038d524b3f14e915ebf41d8d74085bc7c5925a0d782934
                                  • Instruction Fuzzy Hash: 38E1AB306006098FCB29DF68C584AEFB7F1BF49318F246A59D496BB2A1D730BD46CB51
                                  Strings
                                  • API ID:
                                  • String ID: 0
                                  • API String ID: 0-4108050209
                                  • Opcode ID: 0e60c0d52c8aa95d6cb06afbc2e4bc9242640096d2ecf2e5dbaca85b3f498501
                                  • Instruction ID: 74ec32487f920f29e4acc1cdac8b9e92de3a3fde871a66ba3c832d5be477e121
                                  • Opcode Fuzzy Hash: 0e60c0d52c8aa95d6cb06afbc2e4bc9242640096d2ecf2e5dbaca85b3f498501
                                  • Instruction Fuzzy Hash: EBE1AA706006058FCB34DF68C580AEFB7F1BF49318B20A65AD59AAB6A1DA30BD45CF51
                                  Strings
                                  • API ID:
                                  • String ID: 0
                                  • API String ID: 0-4108050209
                                  • Opcode ID: 64160fb95f788b2b7931f87a88844d1fca87516769aa039cb96376f12bf73a6d
                                  • Instruction ID: 238373bb04f085e57ec19791b83fb4d956b246873af442598bfddcfcaa802262
                                  • Opcode Fuzzy Hash: 64160fb95f788b2b7931f87a88844d1fca87516769aa039cb96376f12bf73a6d
                                  • Instruction Fuzzy Hash: A1E1A0346006058FCB24CFA8C5906AAF7F1FF4E328B24A669D856AF2A1D730FD45CB55
                                  Strings
                                  • API ID:
                                  • String ID: 0
                                  • API String ID: 0-4108050209
                                  • Opcode ID: 942379e915d5846babe12d54e524b58edd2bfad3067372d62d037f32ff284459
                                  • Instruction ID: 1fe7707ac1da71d76f4a6f4db657d3da765b52193778e4bd7ab8a793926794ac
                                  • Opcode Fuzzy Hash: 942379e915d5846babe12d54e524b58edd2bfad3067372d62d037f32ff284459
                                  • Instruction Fuzzy Hash: 06C1BB30A006468FDB38CF68C494ABABBE1BF4A318F246619D456BF791D730BD45CB91
                                  Strings
                                  • API ID:
                                  • String ID: 0
                                  • API String ID: 0-4108050209
                                  • Opcode ID: d7eb193059697556c3b111904806ec8549da74b15c507735dd9d4aa05bfc4849
                                  • Instruction ID: 3da72e665d3a4e584d7f2657796cd7c1fee89ef22acafbd47d60adde8338ccd2
                                  • Opcode Fuzzy Hash: d7eb193059697556c3b111904806ec8549da74b15c507735dd9d4aa05bfc4849
                                  • Instruction Fuzzy Hash: 47C1BF309007468FDB28CF28C4946BAB7E1AF4A318F286A5AE456BF391C735BD45CB51
                                  Strings
                                  • API ID:
                                  • String ID: 0
                                  • API String ID: 0-4108050209
                                  • Opcode ID: b9de5c734af1c8e023451e20de14f37a17fa9bfa9e1225aea5917c1c1360b91b
                                  • Instruction ID: f9c5c83becaac81d568014719cda0b0752ba5450ebf41f9a8b0246cdcb7fb272
                                  • Opcode Fuzzy Hash: b9de5c734af1c8e023451e20de14f37a17fa9bfa9e1225aea5917c1c1360b91b
                                  • Instruction Fuzzy Hash: C6C19D74A006468FCB24CF68C4906AAB7E1EB4A318F14A669E456AF392C731BD45CB51
                                  APIs
                                    • Part of subcall function 00ECC3E7: GetLastError.KERNEL32(?,00000008,00ECA5D6), ref: 00ECC3EB
                                    • Part of subcall function 00ECC3E7: SetLastError.KERNEL32(00000000,00E9C3B4,00000016,00EA86AB), ref: 00ECC48D
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00ED935C
                                  • API ID: ErrorLast$InfoLocale
                                  • String ID:
                                  • API String ID: 3736152602-0
                                  • Opcode ID: ba2b027c481c34db2274ac6525f93a0bf7842619f68e39d9b8dfd09cd4665e7f
                                  • Instruction ID: 300bf7b346022fde53abb1b113796df93859f3b9a631243ae2018b8015604fad
                                  • Opcode Fuzzy Hash: ba2b027c481c34db2274ac6525f93a0bf7842619f68e39d9b8dfd09cd4665e7f
                                  • Instruction Fuzzy Hash: C4219531615206ABDF28AA29DC41EBA73E8EF45314F14607FF905E7282EB75DD42CB50
                                  Strings
                                  • API ID:
                                  • String ID: 0
                                  • API String ID: 0-4108050209
                                  • Opcode ID: 20ecdcab19567c61a947f3d85b95b2cb3a4bc0890747946d434360c792b28091
                                  • Instruction ID: 42c6d8140e5d6889a33c40438dcea5db08da111635c43b8057709bbc4895dbb4
                                  • Opcode Fuzzy Hash: 20ecdcab19567c61a947f3d85b95b2cb3a4bc0890747946d434360c792b28091
                                  • Instruction Fuzzy Hash: 08B19270A006099ACF28DFE8D5816BEB7F1AF4E708F14662ED456BB250D730BD468B51
                                  Strings
                                  • API ID:
                                  • String ID: 0
                                  • API String ID: 0-4108050209
                                  • Opcode ID: 37d543b69acd0855b4310a935a0ed71140109df722067a70341d30782f22cfa5
                                  • Instruction ID: 232ba62ceb436a08206618b7263dcc939187f493e95457ebce4c4413fbc0f300
                                  • Opcode Fuzzy Hash: 37d543b69acd0855b4310a935a0ed71140109df722067a70341d30782f22cfa5
                                  • Instruction Fuzzy Hash: 90B1A170A006099ACB28DFE8C590AFFB7F1AF8E318F146629D456BB250D734B946CB51
                                  Strings
                                  • API ID:
                                  • String ID: 0
                                  • API String ID: 0-4108050209
                                  • API ID:
                                  • String ID: 0
                                  • API String ID: 0-4108050209
                                  • API ID:
                                  • String ID: 0
                                  • API String ID: 0-4108050209
                                  APIs
                                    • Part of subcall function 00ECC3E7: GetLastError.KERNEL32(?,00000008,00ECA5D6), ref: 00ECC3EB
                                    • Part of subcall function 00ECC3E7: SetLastError.KERNEL32(00000000,00E9C3B4,00000016,00EA86AB), ref: 00ECC48D
                                  • EnumSystemLocalesW.KERNEL32(00ED90B5,00000001,00000000,?,-00000050,?,00ED96E6,00000000,?,?,?,00000055,?), ref: 00ED9001
                                  • API ID: ErrorLast$EnumLocalesSystem
                                  • String ID:
                                  • API String ID: 2417226690-0
                                  APIs
                                    • Part of subcall function 00ECC3E7: GetLastError.KERNEL32(?,00000008,00ECA5D6), ref: 00ECC3EB
                                    • Part of subcall function 00ECC3E7: SetLastError.KERNEL32(00000000,00E9C3B4,00000016,00EA86AB), ref: 00ECC48D
                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00ED92D1,00000000,00000000,?), ref: 00ED9563
                                  • API ID: ErrorLast$InfoLocale
                                  • String ID:
                                  • API String ID: 3736152602-0
                                  APIs
                                    • Part of subcall function 00ECC3E7: GetLastError.KERNEL32(?,00000008,00ECA5D6), ref: 00ECC3EB
                                    • Part of subcall function 00ECC3E7: SetLastError.KERNEL32(00000000,00E9C3B4,00000016,00EA86AB), ref: 00ECC48D
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00ED8ED3
                                  • API ID: ErrorLast$InfoLocale
                                  • String ID: utf8
                                  • API String ID: 3736152602-905460609
                                  APIs
                                    • Part of subcall function 00ECC3E7: GetLastError.KERNEL32(?,00000008,00ECA5D6), ref: 00ECC3EB
                                    • Part of subcall function 00ECC3E7: SetLastError.KERNEL32(00000000,00E9C3B4,00000016,00EA86AB), ref: 00ECC48D
                                  • EnumSystemLocalesW.KERNEL32(00ED9308,00000001,?,?,-00000050,?,00ED96AA,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00ED9074
                                  • API ID: ErrorLast$EnumLocalesSystem
                                  • String ID:
                                  • API String ID: 2417226690-0
                                  APIs
                                    • Part of subcall function 00EB866D: EnterCriticalSection.KERNEL32(-00F4986B,,;,00EC5B24,00000000,00EFA018), ref: 00EB867C
                                  • EnumSystemLocalesW.KERNEL32(00ECA85E,00000001,00EFA378,0000000C,00ECB19E,00000000), ref: 00ECA8A9
                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                  • String ID:
                                  • API String ID: 1272433827-0
                                  APIs
                                  • GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002,?,?,00E8AC15,00000000,?,00000004,00E89604,?,00000004,00E89C0B,00000000,00000000), ref: 00E8D192
                                  • API ID: InfoLocale
                                  • String ID:
                                  • API String ID: 2299586839-0
                                  APIs
                                    • Part of subcall function 00ECC3E7: GetLastError.KERNEL32(?,00000008,00ECA5D6), ref: 00ECC3EB
                                    • Part of subcall function 00ECC3E7: SetLastError.KERNEL32(00000000,00E9C3B4,00000016,00EA86AB), ref: 00ECC48D
                                  • EnumSystemLocalesW.KERNEL32(00ED8E7F,00000001,?,?,?,00ED9708,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00ED8F5D
                                  • API ID: ErrorLast$EnumLocalesSystem
                                  • String ID:
                                  • API String ID: 2417226690-0
                                  APIs
                                  • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00EC9AA2,?,20001004,00000000,00000002,?,?,00EC8E1A), ref: 00ECB361
                                  • API ID: InfoLocale
                                  • String ID:
                                  • API String ID: 2299586839-0
                                  APIs
                                  • EnumSystemLocalesW.KERNEL32(Function_0006A85E,00000001), ref: 00ECAA1C
                                  • API ID: EnumLocalesSystem
                                  • String ID:
                                  • API String ID: 2099609381-0
                                  APIs
                                  • SetUnhandledExceptionFilter.KERNEL32(Function_0002ED24,00E8DFD0), ref: 00E8ED1A
                                  • API ID: ExceptionFilterUnhandled
                                  • String ID:
                                  • API String ID: 3192549508-0
                                  • API ID: AllocHeap
                                  • String ID:
                                  • API String ID: 4292702814-0
                                  • Opcode ID: 866ba0119c5be56c6693968b5ed7c6ec201eed0ec42d353a87a038e0e5e98aea
                                  • Instruction ID: 395a936c37bb0794602246c76919367154ae7377ab5eff8f3d3655fa0e7be02e
                                  • Opcode Fuzzy Hash: 866ba0119c5be56c6693968b5ed7c6ec201eed0ec42d353a87a038e0e5e98aea
                                  • Instruction Fuzzy Hash: 0E329EB4A0020A9FCF18CF58CAA1BBEB7B5EF45308F24516DDD45A7345D632AE46CB80
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
                                  • String ID:
                                  • API String ID: 3471368781-0
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E80828
                                  • ctype.LIBCPMT ref: 00E8086F
                                    • Part of subcall function 00E7FEA1: __Getctype.LIBCPMT ref: 00E7FEB0
                                    • Part of subcall function 00E7AEBC: __EH_prolog3.LIBCMT ref: 00E7AEC3
                                    • Part of subcall function 00E7AEBC: std::_Lockit::_Lockit.LIBCPMT ref: 00E7AECD
                                    • Part of subcall function 00E7AEBC: int.LIBCPMT ref: 00E7AEE4
                                    • Part of subcall function 00E7AFE8: __EH_prolog3.LIBCMT ref: 00E7AFEF
                                    • Part of subcall function 00E7AFE8: std::_Lockit::_Lockit.LIBCPMT ref: 00E7AFF9
                                    • Part of subcall function 00E7AFE8: int.LIBCPMT ref: 00E7B010
                                    • Part of subcall function 00E7B1A7: __EH_prolog3.LIBCMT ref: 00E7B1AE
                                    • Part of subcall function 00E7B1A7: std::_Lockit::_Lockit.LIBCPMT ref: 00E7B1B8
                                    • Part of subcall function 00E7B1A7: int.LIBCPMT ref: 00E7B1CF
                                    • Part of subcall function 00E7B1A7: std::_Lockit::~_Lockit.LIBCPMT ref: 00E7B229
                                    • Part of subcall function 00E7B112: __EH_prolog3.LIBCMT ref: 00E7B119
                                    • Part of subcall function 00E7B112: std::_Lockit::_Lockit.LIBCPMT ref: 00E7B123
                                    • Part of subcall function 00E7B112: int.LIBCPMT ref: 00E7B13A
                                    • Part of subcall function 00E6ECE1: __EH_prolog3.LIBCMT ref: 00E6ECE8
                                    • Part of subcall function 00E6ECE1: std::_Lockit::_Lockit.LIBCPMT ref: 00E6ECF2
                                    • Part of subcall function 00E6ECE1: std::_Lockit::~_Lockit.LIBCPMT ref: 00E6ED99
                                  • int.LIBCPMT ref: 00E80A25
                                  • int.LIBCPMT ref: 00E80A7F
                                  • int.LIBCPMT ref: 00E80AC2
                                  • int.LIBCPMT ref: 00E80B05
                                  • int.LIBCPMT ref: 00E80B71
                                  • int.LIBCPMT ref: 00E80BF6
                                  • numpunct.LIBCPMT ref: 00E80C1D
                                    • Part of subcall function 00E7BF46: __EH_prolog3.LIBCMT ref: 00E7BF4D
                                    • Part of subcall function 00E7B6E4: __EH_prolog3.LIBCMT ref: 00E7B6EB
                                    • Part of subcall function 00E7B6E4: std::_Lockit::_Lockit.LIBCPMT ref: 00E7B6F5
                                    • Part of subcall function 00E7B6E4: int.LIBCPMT ref: 00E7B70C
                                    • Part of subcall function 00E7B6E4: std::_Lockit::~_Lockit.LIBCPMT ref: 00E7B766
                                    • Part of subcall function 00E7B80E: __EH_prolog3.LIBCMT ref: 00E7B815
                                    • Part of subcall function 00E7B80E: std::_Lockit::_Lockit.LIBCPMT ref: 00E7B81F
                                    • Part of subcall function 00E7B80E: int.LIBCPMT ref: 00E7B836
                                    • Part of subcall function 00E7B80E: std::_Lockit::~_Lockit.LIBCPMT ref: 00E7B890
                                    • Part of subcall function 00E6ECE1: Concurrency::cancel_current_task.LIBCPMT ref: 00E6EDA4
                                    • Part of subcall function 00E7AA14: __EH_prolog3.LIBCMT ref: 00E7AA1B
                                    • Part of subcall function 00E7AA14: std::_Lockit::_Lockit.LIBCPMT ref: 00E7AA25
                                    • Part of subcall function 00E7AA14: int.LIBCPMT ref: 00E7AA3C
                                    • Part of subcall function 00E7AA14: std::_Lockit::~_Lockit.LIBCPMT ref: 00E7AA96
                                  • int.LIBCPMT ref: 00E80C46
                                  • int.LIBCPMT ref: 00E80844
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • int.LIBCPMT ref: 00E808AE
                                  • int.LIBCPMT ref: 00E808F4
                                  • int.LIBCPMT ref: 00E80937
                                  • int.LIBCPMT ref: 00E809BD
                                  • __Getcoll.LIBCPMT ref: 00E809E3
                                  • int.LIBCPMT ref: 00E80CAE
                                  • codecvt.LIBCPMT ref: 00E80CCE
                                  Yara matches
                                  Similarity
                                  • API ID: Lockitstd::_$H_prolog3$Lockit::_$Lockit::~_$Concurrency::cancel_current_taskGetcollGetctypecodecvtctypenumpunct
                                  • String ID:
                                  • API String ID: 778957219-0
                                  • Opcode ID: 369c751aa2f6ba7205fc1c63e6ddc6e2dcc70f949bef8cc7a4a089d937aadfb1
                                  • Instruction ID: 888759ded16d41198490d3b43a33f4fc2cc05366c66ddfd34fe8875a7933318f
                                  • Opcode Fuzzy Hash: 369c751aa2f6ba7205fc1c63e6ddc6e2dcc70f949bef8cc7a4a089d937aadfb1
                                  • Instruction Fuzzy Hash: 08E10271A40609AFDB15BF648C42ABFBAF5EF81394F14A169F85C77382EB308D049791
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E80D04
                                  • ctype.LIBCPMT ref: 00E80D4B
                                    • Part of subcall function 00E7FEDA: __Getctype.LIBCPMT ref: 00E7FEE9
                                    • Part of subcall function 00E7AF51: __EH_prolog3.LIBCMT ref: 00E7AF58
                                    • Part of subcall function 00E7AF51: std::_Lockit::_Lockit.LIBCPMT ref: 00E7AF62
                                    • Part of subcall function 00E7AF51: int.LIBCPMT ref: 00E7AF79
                                    • Part of subcall function 00E7B07D: __EH_prolog3.LIBCMT ref: 00E7B084
                                    • Part of subcall function 00E7B07D: std::_Lockit::_Lockit.LIBCPMT ref: 00E7B08E
                                    • Part of subcall function 00E7B07D: int.LIBCPMT ref: 00E7B0A5
                                    • Part of subcall function 00E7B2D1: __EH_prolog3.LIBCMT ref: 00E7B2D8
                                    • Part of subcall function 00E7B2D1: std::_Lockit::_Lockit.LIBCPMT ref: 00E7B2E2
                                    • Part of subcall function 00E7B2D1: int.LIBCPMT ref: 00E7B2F9
                                    • Part of subcall function 00E7B2D1: std::_Lockit::~_Lockit.LIBCPMT ref: 00E7B353
                                    • Part of subcall function 00E7B23C: __EH_prolog3.LIBCMT ref: 00E7B243
                                    • Part of subcall function 00E7B23C: std::_Lockit::_Lockit.LIBCPMT ref: 00E7B24D
                                    • Part of subcall function 00E7B23C: int.LIBCPMT ref: 00E7B264
                                    • Part of subcall function 00E7B23C: std::_Lockit::~_Lockit.LIBCPMT ref: 00E7B2BE
                                    • Part of subcall function 00E6ECE1: __EH_prolog3.LIBCMT ref: 00E6ECE8
                                    • Part of subcall function 00E6ECE1: std::_Lockit::_Lockit.LIBCPMT ref: 00E6ECF2
                                    • Part of subcall function 00E6ECE1: std::_Lockit::~_Lockit.LIBCPMT ref: 00E6ED99
                                  • int.LIBCPMT ref: 00E80F01
                                  • int.LIBCPMT ref: 00E80F5B
                                  • int.LIBCPMT ref: 00E80F9E
                                  • int.LIBCPMT ref: 00E80FE1
                                  • int.LIBCPMT ref: 00E8104D
                                  • int.LIBCPMT ref: 00E810D2
                                  • numpunct.LIBCPMT ref: 00E810F9
                                    • Part of subcall function 00E7BF79: __EH_prolog3.LIBCMT ref: 00E7BF80
                                    • Part of subcall function 00E7B779: __EH_prolog3.LIBCMT ref: 00E7B780
                                    • Part of subcall function 00E7B779: std::_Lockit::_Lockit.LIBCPMT ref: 00E7B78A
                                    • Part of subcall function 00E7B779: int.LIBCPMT ref: 00E7B7A1
                                    • Part of subcall function 00E7B779: std::_Lockit::~_Lockit.LIBCPMT ref: 00E7B7FB
                                    • Part of subcall function 00E7B8A3: __EH_prolog3.LIBCMT ref: 00E7B8AA
                                    • Part of subcall function 00E7B8A3: std::_Lockit::_Lockit.LIBCPMT ref: 00E7B8B4
                                    • Part of subcall function 00E7B8A3: int.LIBCPMT ref: 00E7B8CB
                                    • Part of subcall function 00E7B8A3: std::_Lockit::~_Lockit.LIBCPMT ref: 00E7B925
                                    • Part of subcall function 00E6ECE1: Concurrency::cancel_current_task.LIBCPMT ref: 00E6EDA4
                                    • Part of subcall function 00E7AAA9: __EH_prolog3.LIBCMT ref: 00E7AAB0
                                    • Part of subcall function 00E7AAA9: std::_Lockit::_Lockit.LIBCPMT ref: 00E7AABA
                                    • Part of subcall function 00E7AAA9: int.LIBCPMT ref: 00E7AAD1
                                    • Part of subcall function 00E7AAA9: std::_Lockit::~_Lockit.LIBCPMT ref: 00E7AB2B
                                  • int.LIBCPMT ref: 00E81122
                                  • int.LIBCPMT ref: 00E80D20
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • int.LIBCPMT ref: 00E80D8A
                                  • int.LIBCPMT ref: 00E80DD0
                                  • int.LIBCPMT ref: 00E80E13
                                  • int.LIBCPMT ref: 00E80E99
                                  • __Getcoll.LIBCPMT ref: 00E80EBF
                                  • int.LIBCPMT ref: 00E8118A
                                  • codecvt.LIBCPMT ref: 00E811AA
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Lockitstd::_$H_prolog3$Lockit::_$Lockit::~_$Concurrency::cancel_current_taskGetcollGetctypecodecvtctypenumpunct
                                  • String ID:
                                  • API String ID: 778957219-0
                                  • Opcode ID: c0d7c65b6d95859307b9272d9e4fc87f61621e27e80bc2da77b66f239c7fd9da
                                  • Instruction ID: a81f42554af5a8e4f39060363c52cd4bd0cb8af7b204c02ba41c93def1e5a094
                                  • Opcode Fuzzy Hash: c0d7c65b6d95859307b9272d9e4fc87f61621e27e80bc2da77b66f239c7fd9da
                                  • Instruction Fuzzy Hash: 6EE1F1B1A012459BDB21BFA49C42ABFBAF9EF40390F14A46DF95C77391EB308D049791
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Name::operator+$NameName::$Decorator::getReturnTypeoperator+
                                  • String ID:
                                  • API String ID: 2932655852-0
                                  • Opcode ID: 1243d46b0c4d3f4628ea0c5dfe622300baca5f6a182794b44638b08a03e3ae20
                                  • Instruction ID: 702206d9ce9147212785d44a643fcceae7265fc079873144034edf3af95dac8d
                                  • Opcode Fuzzy Hash: 1243d46b0c4d3f4628ea0c5dfe622300baca5f6a182794b44638b08a03e3ae20
                                  • Instruction Fuzzy Hash: 64C195B6904208AFCF09EFA8C9969EE77F4EB16304F54105EF516B72A1EF709944CB50
                                  APIs
                                  • DName::operator+.LIBCMT ref: 00E99E3A
                                  • DName::operator+.LIBCMT ref: 00E99F7D
                                    • Part of subcall function 00E95755: shared_ptr.LIBCMT ref: 00E95771
                                  • DName::operator+.LIBCMT ref: 00E99F28
                                  • DName::operator+.LIBCMT ref: 00E99FC9
                                  • DName::operator+.LIBCMT ref: 00E99FD8
                                  • DName::operator+.LIBCMT ref: 00E9A104
                                  • DName::operator=.LIBVCRUNTIME ref: 00E9A144
                                  • DName::DName.LIBVCRUNTIME ref: 00E9A14E
                                  • DName::operator+.LIBCMT ref: 00E9A16B
                                  • DName::operator+.LIBCMT ref: 00E9A177
                                    • Part of subcall function 00E9B68F: Replicator::operator[].LIBCMT ref: 00E9B6CC
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]shared_ptr
                                  • String ID:
                                  • API String ID: 1043660730-0
                                  • Opcode ID: 2a5add142521c7aecfcb61a805b8bbae755a444379fcf6de4093999051211428
                                  • Instruction ID: d94778cd84c3eda01fbf090227e597dbd02f0cf3c317103aeef2c6b870e3e1d2
                                  • Opcode Fuzzy Hash: 2a5add142521c7aecfcb61a805b8bbae755a444379fcf6de4093999051211428
                                  • Instruction Fuzzy Hash: 8BC1B0B1A042089FDF25DFA8CC45BEAB7F8AF16304F54546DE545B7282EB709A44CF90
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: shared_ptr$operator+$Name::operator+Name::operator=
                                  • String ID:
                                  • API String ID: 1464150960-0
                                  • Opcode ID: 4da82fe8c236a7eaf578892a12cc51d4d624c52fe1a60d8098d2681426e67704
                                  • Instruction ID: 83bb8f2acbdecf64447f90f201b54c8f345bfea9a21d7ef8f46f8354981f9cac
                                  • Opcode Fuzzy Hash: 4da82fe8c236a7eaf578892a12cc51d4d624c52fe1a60d8098d2681426e67704
                                  • Instruction Fuzzy Hash: F0E18DB2D2820A9BCF04DFD5C499AFEBBB4AB04304F20A15AE951B7251D7745B09CF91
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E8AC50
                                    • Part of subcall function 00E898D6: __EH_prolog3_GS.LIBCMT ref: 00E898DD
                                    • Part of subcall function 00E898D6: __Getcoll.LIBCPMT ref: 00E89941
                                    • Part of subcall function 00E898D6: std::_Locinfo::~_Locinfo.LIBCPMT ref: 00E8995D
                                  • __Getcoll.LIBCPMT ref: 00E8AC9F
                                    • Part of subcall function 00E89427: __EH_prolog3.LIBCMT ref: 00E8942E
                                    • Part of subcall function 00E89427: std::_Lockit::_Lockit.LIBCPMT ref: 00E89438
                                    • Part of subcall function 00E89427: int.LIBCPMT ref: 00E8944F
                                    • Part of subcall function 00E89427: std::_Lockit::~_Lockit.LIBCPMT ref: 00E894A9
                                    • Part of subcall function 00E6ECE1: __EH_prolog3.LIBCMT ref: 00E6ECE8
                                    • Part of subcall function 00E6ECE1: std::_Lockit::_Lockit.LIBCPMT ref: 00E6ECF2
                                    • Part of subcall function 00E6ECE1: std::_Lockit::~_Lockit.LIBCPMT ref: 00E6ED99
                                  • int.LIBCPMT ref: 00E8AC79
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • int.LIBCPMT ref: 00E8ACDD
                                  • int.LIBCPMT ref: 00E8AD33
                                  • int.LIBCPMT ref: 00E8AD78
                                  • int.LIBCPMT ref: 00E8ADBB
                                  • int.LIBCPMT ref: 00E8AE27
                                  • int.LIBCPMT ref: 00E8AEA8
                                  • numpunct.LIBCPMT ref: 00E8AECF
                                  • int.LIBCPMT ref: 00E8AEF7
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$H_prolog3Lockit::_Lockit::~_$Getcoll$H_prolog3_LocinfoLocinfo::~_numpunct
                                  • String ID:
                                  • API String ID: 4001742795-0
                                  • Opcode ID: 4922720b185664dfa283b5b0f0ab99c604efe40aaa9650d2401479ea71fc27f0
                                  • Instruction ID: 46842a55826bd012fb4e904a06db5bef7a2a0b9a632c71ce33aff52bbc3caa93
                                  • Opcode Fuzzy Hash: 4922720b185664dfa283b5b0f0ab99c604efe40aaa9650d2401479ea71fc27f0
                                  • Instruction Fuzzy Hash: 67911AB1D013155EE721BF649C0667FBAE5EF80354F18A42AF85DB72C2EB70890097A2
                                  APIs
                                  • Replicator::operator[].LIBCMT ref: 00E9B6CC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Replicator::operator[]
                                  • String ID: @$generic-type-$template-parameter-
                                  • API String ID: 3676697650-1320211309
                                  • Opcode ID: c7af009857d5160c1dd10270f48dbf1d48fb14aa930fa7bc1bba14e2f4987f93
                                  • Instruction ID: c8cebf5eae1a820656697d87088026f0810a921a535778c7e3a2b97070c4d125
                                  • Opcode Fuzzy Hash: c7af009857d5160c1dd10270f48dbf1d48fb14aa930fa7bc1bba14e2f4987f93
                                  • Instruction Fuzzy Hash: 7961B171E04208AFDF15DF98ED46AEEBBF8AF19304F545429E901B7291DB749904CB90
                                  APIs
                                  • DName::operator+.LIBCMT ref: 00E9A9AC
                                  • UnDecorator::getSignedDimension.LIBCMT ref: 00E9A9B7
                                  • UnDecorator::getSignedDimension.LIBCMT ref: 00E9AAA3
                                  • UnDecorator::getSignedDimension.LIBCMT ref: 00E9AAC0
                                  • UnDecorator::getSignedDimension.LIBCMT ref: 00E9AADD
                                  • DName::operator+.LIBCMT ref: 00E9AAF2
                                  • UnDecorator::getSignedDimension.LIBCMT ref: 00E9AB0C
                                  • swprintf.LIBCMT ref: 00E9AB86
                                  • DName::operator+.LIBCMT ref: 00E9ABE1
                                    • Part of subcall function 00E9688F: DName::DName.LIBVCRUNTIME ref: 00E968ED
                                  • DName::DName.LIBVCRUNTIME ref: 00E9AC58
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Decorator::getDimensionSigned$Name::operator+$NameName::$swprintf
                                  • String ID:
                                  • API String ID: 3689813335-0
                                  • Opcode ID: 3f22d791999fb5c2bc6b78b3cb447ace088bb1b0d10771fbeaeba544bc4b1576
                                  • Instruction ID: 7009b440e6f901600331edda7ba877d1caada1353f529a0c07c3d10e0f69b61e
                                  • Opcode Fuzzy Hash: 3f22d791999fb5c2bc6b78b3cb447ace088bb1b0d10771fbeaeba544bc4b1576
                                  • Instruction Fuzzy Hash: 1E91C972D042099ADF19EFB8D94A9FE77F8AF05304F18353AF112B6191DA749A04C7D2
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __aulldiv
                                  • String ID: :$f$f$f$p$p$p
                                  • API String ID: 3732870572-1434680307
                                  • Opcode ID: a3b2db390ca256f8c6e5597bfbc9c1fc43178198aed8796d26ff8cb913277da8
                                  • Instruction ID: 93f871ebec136f2265b6a2c1548b3bf718e1a70ab284921ed1afed77e85684c4
                                  • Opcode Fuzzy Hash: a3b2db390ca256f8c6e5597bfbc9c1fc43178198aed8796d26ff8cb913277da8
                                  • Instruction Fuzzy Hash: AF02AE39909119DADF249F64D4846EFBBB3FFC0B18FA56119D8957BA80E7308E848F50
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E84251
                                    • Part of subcall function 00E7AC68: __EH_prolog3.LIBCMT ref: 00E7AC6F
                                    • Part of subcall function 00E7AC68: std::_Lockit::_Lockit.LIBCPMT ref: 00E7AC79
                                    • Part of subcall function 00E7AC68: int.LIBCPMT ref: 00E7AC90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: H_prolog3$LockitLockit::_std::_
                                  • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                  • API String ID: 2181796688-2891247106
                                  • Opcode ID: 8c93fb47252cf9a5f0e65ba8c09859a25cf04137314f158d741b188984636bb2
                                  • Instruction ID: 9bdd236850b760c8a271390c0bc4d20ffdf1361566ee1149d1e80318f4df7927
                                  • Opcode Fuzzy Hash: 8c93fb47252cf9a5f0e65ba8c09859a25cf04137314f158d741b188984636bb2
                                  • Instruction Fuzzy Hash: A9C16EF650010AABDB19EFA8D955DFF7BE8EF09304F145119FA0EB6291E630DA10DB60
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E84641
                                    • Part of subcall function 00E7ACFD: __EH_prolog3.LIBCMT ref: 00E7AD04
                                    • Part of subcall function 00E7ACFD: std::_Lockit::_Lockit.LIBCPMT ref: 00E7AD0E
                                    • Part of subcall function 00E7ACFD: int.LIBCPMT ref: 00E7AD25
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: H_prolog3$LockitLockit::_std::_
                                  • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                  • API String ID: 2181796688-2891247106
                                  • Opcode ID: f029d60cc04bf60b07d61b2b7ed110ab4353c002f9c33f30a6b47b1d559c241e
                                  • Instruction ID: 55662b0ab529eb5d4cd84679c0826b23673df9618e13ec86d85a30c9571a8858
                                  • Opcode Fuzzy Hash: f029d60cc04bf60b07d61b2b7ed110ab4353c002f9c33f30a6b47b1d559c241e
                                  • Instruction Fuzzy Hash: 35C190B254010BABCB19EF68C955DFF7BE8EF49304F04511AFA4EB6291D6319A10CB60
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E8B914
                                    • Part of subcall function 00E65030: std::_Lockit::_Lockit.LIBCPMT ref: 00E6503C
                                    • Part of subcall function 00E65030: int.LIBCPMT ref: 00E6504F
                                    • Part of subcall function 00E65030: std::_Lockit::~_Lockit.LIBCPMT ref: 00E65098
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  Similarity
                                  • API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_
                                  • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  Similarity
                                  • API ID: MaklocchrMaklocstr$H_prolog3_
                                  • String ID: 6-$false$true
                                  APIs
                                  • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00E70C4F
                                  • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00E70C5D
                                  • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00E70C6E
                                  • GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00E70C7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  Similarity
                                  • API ID: AddressProc$HandleModule
                                  • String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
                                  APIs
                                  • type_info::operator==.LIBVCRUNTIME ref: 00E93E71
                                  • ___TypeMatch.LIBVCRUNTIME ref: 00E93F7F
                                  • _UnwindNestedFrames.LIBCMT ref: 00E940D1
                                  • CallUnexpected.LIBVCRUNTIME ref: 00E940EC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  Similarity
                                  • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                  • String ID: csm$csm$csm
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  Similarity
                                  • API ID: Maklocstr$GetvalsH_prolog3_
                                  • String ID: 6-$false$true
                                  APIs
                                  • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,00EE26D8,00000000,00000000,?,00000000,?,?,?,?,00000000,?), ref: 00EE24AE
                                  • __alloca_probe_16.LIBCMT ref: 00EE2569
                                  • __alloca_probe_16.LIBCMT ref: 00EE25F8
                                  • __freea.LIBCMT ref: 00EE2643
                                  • __freea.LIBCMT ref: 00EE2649
                                  • __freea.LIBCMT ref: 00EE267F
                                  • __freea.LIBCMT ref: 00EE2685
                                  • __freea.LIBCMT ref: 00EE2695
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  Similarity
                                  • API ID: __freea$__alloca_probe_16$Info
                                  • String ID:
                                  APIs
                                  • GetCPInfo.KERNEL32(?,?,?,?,?), ref: 00E8D785
                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00E8D811
                                  • __alloca_probe_16.LIBCMT ref: 00E8D83B
                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E8D87C
                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00E8D898
                                  • __alloca_probe_16.LIBCMT ref: 00E8D8BE
                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E8D8FB
                                  • CompareStringEx.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00E8D918
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  Similarity
                                  • API ID: ByteCharMultiWide$__alloca_probe_16$CompareInfoString
                                  • String ID:
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00E70AA8
                                  • __alloca_probe_16.LIBCMT ref: 00E70AD4
                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00E70B13
                                  • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E70B30
                                  • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00E70B6F
                                  • __alloca_probe_16.LIBCMT ref: 00E70B8C
                                  • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E70BCE
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00E70BF1
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  Similarity
                                  • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                  • String ID:
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  Similarity
                                  • API ID: __freea$__alloca_probe_16
                                  • String ID: 6H$a/p$am/pm
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E6EF34
                                  • int.LIBCPMT ref: 00E6EF4F
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • int.LIBCPMT ref: 00E6EFA5
                                  • int.LIBCPMT ref: 00E6EFEA
                                  • int.LIBCPMT ref: 00E6F02D
                                  • int.LIBCPMT ref: 00E6F09E
                                  • _Yarn.LIBCPMT ref: 00E6F11C
                                    • Part of subcall function 00E61DD4: __Getctype.LIBCPMT ref: 00E61DEF
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  Similarity
                                  • API ID: Lockitstd::_$GetctypeH_prolog3Lockit::_Lockit::~_Yarn
                                  • String ID:
                                  APIs
                                  • DName::operator+.LIBCMT ref: 00E96CAC
                                  • DName::operator+.LIBCMT ref: 00E96CFF
                                    • Part of subcall function 00E95755: shared_ptr.LIBCMT ref: 00E95771
                                    • Part of subcall function 00E95644: DName::operator+.LIBCMT ref: 00E95665
                                  • DName::operator+.LIBCMT ref: 00E96CF0
                                  • DName::operator+.LIBCMT ref: 00E96D50
                                  • DName::operator+.LIBCMT ref: 00E96D5D
                                  • DName::operator+.LIBCMT ref: 00E96DA4
                                  • DName::operator+.LIBCMT ref: 00E96DB1
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  Similarity
                                  • API ID: Name::operator+$shared_ptr
                                  • String ID:
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E6E37A
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E6E384
                                  • int.LIBCPMT ref: 00E6E39B
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • numpunct.LIBCPMT ref: 00E6E3BE
                                  • std::_Facet_Register.LIBCPMT ref: 00E6E3D5
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E6E3F5
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E6E402
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
                                  • String ID:
                                  • API String ID: 3064348918-0
                                  • Opcode ID: 8c39cb8dc81e17f5900e1fa161024a2dbd7982fdaf937047cc2c94d783ecfb22
                                  • Instruction ID: 925b89e578acddb5a473ebd0d25728b5633bfb76afb37011afd3551fcaf453f5
                                  • Opcode Fuzzy Hash: 8c39cb8dc81e17f5900e1fa161024a2dbd7982fdaf937047cc2c94d783ecfb22
                                  • Instruction Fuzzy Hash: D6116A36980624ABCB14AFA4E8456BEB7F4EF847A0F101009F805B73D2CF709D0187D1
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E6A03E
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E6A048
                                  • int.LIBCPMT ref: 00E6A05F
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • codecvt.LIBCPMT ref: 00E6A082
                                  • std::_Facet_Register.LIBCPMT ref: 00E6A099
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E6A0B9
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E6A0C6
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                                  • String ID:
                                  • API String ID: 2133458128-0
                                  • Opcode ID: 52783e0c604c7a7cf5652f2f0ad33ed9f4f88da06acc1caaa469e9057ee2c9a1
                                  • Instruction ID: 914c456dd1776a43cbb8cc6146169cb9db56c3a9ca68c5efd156000d9a45fca9
                                  • Opcode Fuzzy Hash: 52783e0c604c7a7cf5652f2f0ad33ed9f4f88da06acc1caaa469e9057ee2c9a1
                                  • Instruction Fuzzy Hash: 6F117B71E402199BCF05EB54E8466AE77F5AF80390F185019F805BB392CF709E01CBD2
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E7AAB0
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E7AABA
                                  • int.LIBCPMT ref: 00E7AAD1
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • codecvt.LIBCPMT ref: 00E7AAF4
                                  • std::_Facet_Register.LIBCPMT ref: 00E7AB0B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E7AB2B
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E7AB38
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                                  • String ID:
                                  • API String ID: 2133458128-0
                                  • Opcode ID: c5b11469dfc3569f79ef2bc870bdab3f08457790a7ded393579ab047ca8bb4d0
                                  • Instruction ID: bc7105328ebb5cd82cb1f9d6ca7e7463fe4ba616642a10585f31f32283fe4d27
                                  • Opcode Fuzzy Hash: c5b11469dfc3569f79ef2bc870bdab3f08457790a7ded393579ab047ca8bb4d0
                                  • Instruction Fuzzy Hash: 6701F53594021A9BCF05EBA0E8466BE77F6AF85751F286109F815BB3D2CF709E01C781
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E7AA1B
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E7AA25
                                  • int.LIBCPMT ref: 00E7AA3C
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • codecvt.LIBCPMT ref: 00E7AA5F
                                  • std::_Facet_Register.LIBCPMT ref: 00E7AA76
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E7AA96
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E7AAA3
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                                  • String ID:
                                  • API String ID: 2133458128-0
                                  • Opcode ID: 75082d848ebae6cf21f755ea1abff08cfa852a4963e3271321603dcb6d8327e4
                                  • Instruction ID: 7fc72f33fc94239346f4e094e166eb7b5de80a5a781052f027028bf334fa390b
                                  • Opcode Fuzzy Hash: 75082d848ebae6cf21f755ea1abff08cfa852a4963e3271321603dcb6d8327e4
                                  • Instruction Fuzzy Hash: 7401D635D401198BCB09EB60D9866AE77F5AF84354F289018F4197B393DF709E02C791
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E890B0
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E890BA
                                  • int.LIBCPMT ref: 00E890D1
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • messages.LIBCPMT ref: 00E890F4
                                  • std::_Facet_Register.LIBCPMT ref: 00E8910B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E8912B
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E89138
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermessages
                                  • String ID:
                                  • API String ID: 958335874-0
                                  • Opcode ID: a2e87b744338cdca08dadf9c81ecd27b17c07ee87e710692fb99fd0b93fa308e
                                  • Instruction ID: c7db9daac08046b85052c4ee3ef59d373c9812ac29593b37914ee7844db2b856
                                  • Opcode Fuzzy Hash: a2e87b744338cdca08dadf9c81ecd27b17c07ee87e710692fb99fd0b93fa308e
                                  • Instruction Fuzzy Hash: EA010435D4411A9BCB05FBA0D8896FE77F4AF84350F195049E809BB2A2CF7489028B80
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E7B1AE
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E7B1B8
                                  • int.LIBCPMT ref: 00E7B1CF
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • moneypunct.LIBCPMT ref: 00E7B1F2
                                  • std::_Facet_Register.LIBCPMT ref: 00E7B209
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E7B229
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E7B236
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                  • String ID:
                                  • API String ID: 3376033448-0
                                  • Opcode ID: 20536b2a1743cb796eae852ba7a1d393c5f151e833d6c0d14450ec99c4e2ef4e
                                  • Instruction ID: 4192e0b43750b7a226e020acb4218ac798b66dbf2e338280f4248236f0c029d1
                                  • Opcode Fuzzy Hash: 20536b2a1743cb796eae852ba7a1d393c5f151e833d6c0d14450ec99c4e2ef4e
                                  • Instruction Fuzzy Hash: 4601D63594151A8BCB09EF64E9896BE77F5AF84350F145149F415BB3D2DF709E028780
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E89304
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E8930E
                                  • int.LIBCPMT ref: 00E89325
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • moneypunct.LIBCPMT ref: 00E89348
                                  • std::_Facet_Register.LIBCPMT ref: 00E8935F
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E8937F
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E8938C
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                  • String ID:
                                  • API String ID: 3376033448-0
                                  • Opcode ID: 1f3c2968399e5eed249e9d95beef70fac834f2e440c6d3a751a2aa016c2c273d
                                  • Instruction ID: f4356e7c1ef479eb6226843a4b309f9761e7730e2e2ed7fe012466df57851ac1
                                  • Opcode Fuzzy Hash: 1f3c2968399e5eed249e9d95beef70fac834f2e440c6d3a751a2aa016c2c273d
                                  • Instruction Fuzzy Hash: 2901C435E401199BCB05FB64D8866BE77B5AF84360F285009F8097B3E3CF709D018B90
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E7B2D8
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E7B2E2
                                  • int.LIBCPMT ref: 00E7B2F9
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • moneypunct.LIBCPMT ref: 00E7B31C
                                  • std::_Facet_Register.LIBCPMT ref: 00E7B333
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E7B353
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E7B360
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                  • String ID:
                                  • API String ID: 3376033448-0
                                  • Opcode ID: 759a203c2bd0873d6c049f88799f278bdd2d1e5d72e7a6143816398bf356ba82
                                  • Instruction ID: 8be8a9e08bbae0771df4bce4bc8b169a338dc104a32e840734e8c9be1be82503
                                  • Opcode Fuzzy Hash: 759a203c2bd0873d6c049f88799f278bdd2d1e5d72e7a6143816398bf356ba82
                                  • Instruction Fuzzy Hash: 790126369006199BCB05EBA0D8466BE77F8BF44750F185009F4057B3D2DFB09D41C780
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E8926F
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E89279
                                  • int.LIBCPMT ref: 00E89290
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • moneypunct.LIBCPMT ref: 00E892B3
                                  • std::_Facet_Register.LIBCPMT ref: 00E892CA
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E892EA
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E892F7
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                  • String ID:
                                  • API String ID: 3376033448-0
                                  • Opcode ID: 55ca69e8835c1035465d4d27acded65d90f0ce75f9daaa320fa318dd2a66b650
                                  • Instruction ID: c6b94bf0a64f62ec3171a6bc3d3229d129ee02264052f421afd40588ed82b1ad
                                  • Opcode Fuzzy Hash: 55ca69e8835c1035465d4d27acded65d90f0ce75f9daaa320fa318dd2a66b650
                                  • Instruction Fuzzy Hash: EB01C435E405199BCF05FBA4E8866BE77B5AF84350F185049E8097B3A3CF7099058B80
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E7B243
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E7B24D
                                  • int.LIBCPMT ref: 00E7B264
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • moneypunct.LIBCPMT ref: 00E7B287
                                  • std::_Facet_Register.LIBCPMT ref: 00E7B29E
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E7B2BE
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E7B2CB
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                  • String ID:
                                  • API String ID: 3376033448-0
                                  • Opcode ID: c4b021938cddc196fb6dd135c761c9c77716f9d55771f1218a86977ce59dd0a2
                                  • Instruction ID: e73d469682efd774eb3ecabf3b8173b83df89bada8fed179f7007b8e935837a1
                                  • Opcode Fuzzy Hash: c4b021938cddc196fb6dd135c761c9c77716f9d55771f1218a86977ce59dd0a2
                                  • Instruction Fuzzy Hash: 3A0126369415198BCB05EBA0D8896BE77F8BF84350F145048F8057B3E2CF709D018780
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E7B5C1
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E7B5CB
                                  • int.LIBCPMT ref: 00E7B5E2
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • numpunct.LIBCPMT ref: 00E7B605
                                  • std::_Facet_Register.LIBCPMT ref: 00E7B61C
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E7B63C
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E7B649
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
                                  • String ID:
                                  • API String ID: 3064348918-0
                                  • Opcode ID: b502e9b17dd590d5e67a75148be9d145ed2572ea2bd3b68f6151ae128c413f37
                                  • Instruction ID: d21edb23b190bc25b2b133f9ec8ff5eed3a441ecea87a65a1131fcd8fec8a62b
                                  • Opcode Fuzzy Hash: b502e9b17dd590d5e67a75148be9d145ed2572ea2bd3b68f6151ae128c413f37
                                  • Instruction Fuzzy Hash: 3201D2359446199BCF05EFA4E8866BEB7B5AF84750F245049F816BB3D2DF709E018BC0
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E7B656
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E7B660
                                  • int.LIBCPMT ref: 00E7B677
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • numpunct.LIBCPMT ref: 00E7B69A
                                  • std::_Facet_Register.LIBCPMT ref: 00E7B6B1
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E7B6D1
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E7B6DE
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
                                  • String ID:
                                  • API String ID: 3064348918-0
                                  APIs
                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,AB1BDD2F,?,?,00000000,00EE7EF1,000000FF,,;,00EC60B1,00000002,,;,00EC6085,00E9C3E7), ref: 00EC615F
                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00EC6171
                                  • FreeLibrary.KERNEL32(00000000,?,?,00000000,00EE7EF1,000000FF,,;,00EC60B1,00000002,,;,00EC6085,00E9C3E7), ref: 00EC6193
                                  Strings
                                  Similarity
                                  • API ID: AddressFreeHandleLibraryModuleProc
                                  • String ID: ,;$CorExitProcess$mscoree.dll
                                  • API String ID: 4061214504-1534709971
                                  APIs
                                  • DName::operator+.LIBCMT ref: 00E9B57F
                                  • DName::operator+.LIBCMT ref: 00E9B58B
                                    • Part of subcall function 00E95755: shared_ptr.LIBCMT ref: 00E95771
                                  • DName::operator+=.LIBCMT ref: 00E9B649
                                    • Part of subcall function 00E99DCF: DName::operator+.LIBCMT ref: 00E99E3A
                                    • Part of subcall function 00E99DCF: DName::operator+.LIBCMT ref: 00E9A104
                                    • Part of subcall function 00E95644: DName::operator+.LIBCMT ref: 00E95665
                                  • DName::operator+.LIBCMT ref: 00E9B606
                                    • Part of subcall function 00E957AD: DName::operator=.LIBVCRUNTIME ref: 00E957CE
                                  • DName::DName.LIBVCRUNTIME ref: 00E9B66D
                                  • DName::operator+.LIBCMT ref: 00E9B679
                                  Similarity
                                  • API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
                                  • String ID:
                                  • API String ID: 2795783184-0
                                  APIs
                                    • Part of subcall function 00E9B68F: Replicator::operator[].LIBCMT ref: 00E9B6CC
                                  • DName::operator=.LIBVCRUNTIME ref: 00E9A239
                                    • Part of subcall function 00E99DCF: DName::operator+.LIBCMT ref: 00E99E3A
                                    • Part of subcall function 00E99DCF: DName::operator+.LIBCMT ref: 00E9A104
                                  • DName::operator+.LIBCMT ref: 00E9A1F3
                                  • DName::operator+.LIBCMT ref: 00E9A1FF
                                  • DName::DName.LIBVCRUNTIME ref: 00E9A243
                                  • DName::operator+.LIBCMT ref: 00E9A260
                                  • DName::operator+.LIBCMT ref: 00E9A26C
                                  Similarity
                                  • API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]
                                  • String ID:
                                  • API String ID: 955152517-0
                                  APIs
                                  • GetLastError.KERNEL32(?,?,00E939DB,00E8FF85,00E68DC2,AB1BDD2F,?,?,?,?,00EE4DCA,000000FF), ref: 00E939F2
                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E93A00
                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E93A19
                                  • SetLastError.KERNEL32(00000000,?,00E939DB,00E8FF85,00E68DC2,AB1BDD2F,?,?,?,?,00EE4DCA,000000FF), ref: 00E93A6B
                                  Similarity
                                  • API ID: ErrorLastValue___vcrt_
                                  • String ID:
                                  • API String ID: 3852720340-0
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E6E2E5
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E6E2EF
                                  • int.LIBCPMT ref: 00E6E306
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • std::_Facet_Register.LIBCPMT ref: 00E6E340
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E6E360
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E6E36D
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                  • String ID:
                                  • API String ID: 55977855-0
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E6E250
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E6E25A
                                  • int.LIBCPMT ref: 00E6E271
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • std::_Facet_Register.LIBCPMT ref: 00E6E2AB
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E6E2CB
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E6E2D8
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                  • String ID:
                                  • API String ID: 55977855-0
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E7ABDA
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E7ABE4
                                  • int.LIBCPMT ref: 00E7ABFB
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • std::_Facet_Register.LIBCPMT ref: 00E7AC35
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E7AC55
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E7AC62
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                  • String ID:
                                  • API String ID: 55977855-0
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E7AB45
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E7AB4F
                                  • int.LIBCPMT ref: 00E7AB66
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • std::_Facet_Register.LIBCPMT ref: 00E7ABA0
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E7ABC0
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E7ABCD
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                  • String ID:
                                  • API String ID: 55977855-0
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E8901B
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E89025
                                  • int.LIBCPMT ref: 00E8903C
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • std::_Facet_Register.LIBCPMT ref: 00E89076
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E89096
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E890A3
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                  • String ID:
                                  • API String ID: 55977855-0
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E891DA
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E891E4
                                  • int.LIBCPMT ref: 00E891FB
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • std::_Facet_Register.LIBCPMT ref: 00E89235
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E89255
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E89262
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                  • String ID:
                                  • API String ID: 55977855-0
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E89145
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E8914F
                                  • int.LIBCPMT ref: 00E89166
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • std::_Facet_Register.LIBCPMT ref: 00E891A0
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E891C0
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E891CD
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                  • String ID:
                                  • API String ID: 55977855-0
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E7B402
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E7B40C
                                  • int.LIBCPMT ref: 00E7B423
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • std::_Facet_Register.LIBCPMT ref: 00E7B45D
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E7B47D
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E7B48A
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                  • String ID:
                                  • API String ID: 55977855-0
                                  • Opcode ID: 22be00735876898477ca624ccb94c77a8b966d7a0604c11d27b919e79535e81a
                                  • Instruction ID: 215c9304249e4c0ea25058bb932b6e77659280c7b78b598a250fd2c791eea52d
                                  • Opcode Fuzzy Hash: 22be00735876898477ca624ccb94c77a8b966d7a0604c11d27b919e79535e81a
                                  • Instruction Fuzzy Hash: 1A0100369401198BCB05AB60E8467BE77F5AF84750F285008E815BB3D2EF709A028B80
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E89399
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E893A3
                                  • int.LIBCPMT ref: 00E893BA
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • std::_Facet_Register.LIBCPMT ref: 00E893F4
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E89414
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E89421
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                  • String ID:
                                  • API String ID: 55977855-0
                                  • Opcode ID: ed66c12f574eec69049e7900cafb8f4c2702f6be25b4ecb867e2c762a7f53329
                                  • Instruction ID: 48729aed7e184e098a380a217ca8534153881ea3b31b6ed02aa5d8593b1fa3ed
                                  • Opcode Fuzzy Hash: ed66c12f574eec69049e7900cafb8f4c2702f6be25b4ecb867e2c762a7f53329
                                  • Instruction Fuzzy Hash: 2401C435E401298BCB05FBA0E8956BE77B5BF44354F285049F81ABB3A3CF709A428781
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E7B36D
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E7B377
                                  • int.LIBCPMT ref: 00E7B38E
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • std::_Facet_Register.LIBCPMT ref: 00E7B3C8
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E7B3E8
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E7B3F5
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                  • String ID:
                                  • API String ID: 55977855-0
                                  • Opcode ID: d9748b475d4a9088b0c1cd2e44ffefe00b4bc209fa2a1d931f3479129a908184
                                  • Instruction ID: 949dfa2208a62486544ad189591330f57949768caf7e4ce03ff070864dd7775b
                                  • Opcode Fuzzy Hash: d9748b475d4a9088b0c1cd2e44ffefe00b4bc209fa2a1d931f3479129a908184
                                  • Instruction Fuzzy Hash: 180122329002199BCB05FFA4D88A6FE77B5AF80360F256109F815BB3D2CFB09E418780
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E7B497
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E7B4A1
                                  • int.LIBCPMT ref: 00E7B4B8
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • std::_Facet_Register.LIBCPMT ref: 00E7B4F2
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E7B512
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E7B51F
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                  • String ID:
                                  • API String ID: 55977855-0
                                  • Opcode ID: 6ee95ab9d86e5427b114e6c780b3f597250ef69c425b8bd6a7b7e4de00088f9b
                                  • Instruction ID: b6e6d3cb2ab4b2d911c872b63bc765cb4a0b4d6a2e620c6fcb54d50dd03ba653
                                  • Opcode Fuzzy Hash: 6ee95ab9d86e5427b114e6c780b3f597250ef69c425b8bd6a7b7e4de00088f9b
                                  • Instruction Fuzzy Hash: 0801D6359406199BCF05EFA0E8856BE77F5AF84760F146149F916BB3D2DF709E018B80
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E8942E
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E89438
                                  • int.LIBCPMT ref: 00E8944F
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • std::_Facet_Register.LIBCPMT ref: 00E89489
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E894A9
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E894B6
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                  • String ID:
                                  • API String ID: 55977855-0
                                  • Opcode ID: 4e866c6a11df8eb4ed6248d341747730857443268ab04d0ea3c54d1bd5d6a474
                                  • Instruction ID: 668f4a7fe834f7a34b1f9282a795cd3ac68fc86e645b6152d2d16ce3c7b5014e
                                  • Opcode Fuzzy Hash: 4e866c6a11df8eb4ed6248d341747730857443268ab04d0ea3c54d1bd5d6a474
                                  • Instruction Fuzzy Hash: A701F935D405198BCB05FBA0D9856BE77F5AF84364F185009F419BB393CF749D428781
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E7B52C
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E7B536
                                  • int.LIBCPMT ref: 00E7B54D
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • std::_Facet_Register.LIBCPMT ref: 00E7B587
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E7B5A7
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E7B5B4
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                  • String ID:
                                  • API String ID: 55977855-0
                                  • Opcode ID: 6cf780cf5f2691499d8372896289675e21a01d1d7b8a141226c371a7fee1e591
                                  • Instruction ID: 0522d6c8cdaef40dcc52f22455d6faf928d0f069fc9c5f4c9f0b68ffcedee6d4
                                  • Opcode Fuzzy Hash: 6cf780cf5f2691499d8372896289675e21a01d1d7b8a141226c371a7fee1e591
                                  • Instruction Fuzzy Hash: 1801D6359402199FCB05EBA4D8456BE7BB5AF85764F245449F4057B3D2CF709E018780
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E7B6EB
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E7B6F5
                                  • int.LIBCPMT ref: 00E7B70C
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • std::_Facet_Register.LIBCPMT ref: 00E7B746
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E7B766
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E7B773
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                  • String ID:
                                  • API String ID: 55977855-0
                                  • Opcode ID: 4b656a9d7528f31181ef28328a55bc88fbf399eb1b074180cfc77e90592b95d4
                                  • Instruction ID: 44b72af5c1aa33b23e0d128c49ed3ae7321c2ff7eb97837782729aa026dc2f8b
                                  • Opcode Fuzzy Hash: 4b656a9d7528f31181ef28328a55bc88fbf399eb1b074180cfc77e90592b95d4
                                  • Instruction Fuzzy Hash: 190104359401198BCF09AF64E8857BE77F8AF81354F145109E815BB3D2CF709A018B80
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E7B780
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E7B78A
                                  • int.LIBCPMT ref: 00E7B7A1
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • std::_Facet_Register.LIBCPMT ref: 00E7B7DB
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E7B7FB
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E7B808
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                  • String ID:
                                  • API String ID: 55977855-0
                                  • Opcode ID: 9e59a1421c3427faa1674750de9f080e98014033f3649b6c33abb6e0dae3af02
                                  • Instruction ID: 702e0f8c61e2fa919e56694d2f3a7305dd6516376928aa8189bd87e14ee8fb5c
                                  • Opcode Fuzzy Hash: 9e59a1421c3427faa1674750de9f080e98014033f3649b6c33abb6e0dae3af02
                                  • Instruction Fuzzy Hash: 5C0126369406198BCB09EBA0E8856FE77F4AF84360F245109F4157B3D2CF709E01C780
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E7B8AA
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E7B8B4
                                  • int.LIBCPMT ref: 00E7B8CB
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • std::_Facet_Register.LIBCPMT ref: 00E7B905
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E7B925
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E7B932
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                  • String ID:
                                  • API String ID: 55977855-0
                                  • Opcode ID: f0bd6f4190cce6f5661d457e613dd978d5e390f4251c35a3fc214d1ea55fbf14
                                  • Instruction ID: 3aa17e722d9b5a91f0edcdad3d9aead6a261bb02cfd581873e63448898652e1e
                                  • Opcode Fuzzy Hash: f0bd6f4190cce6f5661d457e613dd978d5e390f4251c35a3fc214d1ea55fbf14
                                  • Instruction Fuzzy Hash: B401043594051A8BCB05ABA0D8456FEB7F4AF84354F245008E915BB2D2CF709D01CB81
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E7B815
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E7B81F
                                  • int.LIBCPMT ref: 00E7B836
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • std::_Facet_Register.LIBCPMT ref: 00E7B870
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E7B890
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E7B89D
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                  • String ID:
                                  • API String ID: 55977855-0
                                  • Opcode ID: 7533eaedbbfbddc4141f9a5561446f42ad9aa12d2d3ced47cf9c95fdbdb49176
                                  • Instruction ID: fcc44ec3cfe276bd97db5f47afbb9e2661aa7b63d9882e2304cc551591236bbe
                                  • Opcode Fuzzy Hash: 7533eaedbbfbddc4141f9a5561446f42ad9aa12d2d3ced47cf9c95fdbdb49176
                                  • Instruction Fuzzy Hash: DB01D6359401199BCF09EFA0D8957BE77B5AF44354F145508F419BB392CF709E02C791
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E7AD04
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E7AD0E
                                  • int.LIBCPMT ref: 00E7AD25
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • ctype.LIBCPMT ref: 00E7AD48
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E7AD7F
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3ctype
                                  • String ID:
                                  • API String ID: 3358926169-0
                                  • Opcode ID: 13ed5936b34c77b9a07d73b1ea81f93368543d56001e76c05a752fba470eca3b
                                  • Instruction ID: 0a80dc8a235424f8b386a27aab183c427f8d0d9ab3722faa3a370f0eabf29be9
                                  • Opcode Fuzzy Hash: 13ed5936b34c77b9a07d73b1ea81f93368543d56001e76c05a752fba470eca3b
                                  • Instruction Fuzzy Hash: F3F02B319406155BCB15FB60D8867BE33756F80399F646018FA157F2C2DF3089018781
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E7AC6F
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E7AC79
                                  • int.LIBCPMT ref: 00E7AC90
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • ctype.LIBCPMT ref: 00E7ACB3
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E7ACEA
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3ctype
                                  • String ID:
                                  • API String ID: 3358926169-0
                                  • Opcode ID: 7ae82605d3d759057e0dae83ed2cf70d13889025f8960a09894ef1ce99d283db
                                  • Instruction ID: e967c8afe52bf78d7f7eb5e40c5f3b5455ec752d2d7379630aee2e3006002a02
                                  • Opcode Fuzzy Hash: 7ae82605d3d759057e0dae83ed2cf70d13889025f8960a09894ef1ce99d283db
                                  • Instruction Fuzzy Hash: 5CF0E0319445165BCB06FBA0D9577BE77B46F80394F246518F4157B2D2DF748D028741
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E7AD99
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E7ADA3
                                  • int.LIBCPMT ref: 00E7ADBA
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • messages.LIBCPMT ref: 00E7ADDD
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E7AE14
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3messages
                                  • String ID:
                                  • API String ID: 50917705-0
                                  • Opcode ID: bb95e50100697a4815cff376d34602dbfe64468be1b7f6d16231c4f95b2a7f52
                                  • Instruction ID: 39215d017c0cb303be0667de9d2707f959d1e9b3a04ddd784545b81d9e94380d
                                  • Opcode Fuzzy Hash: bb95e50100697a4815cff376d34602dbfe64468be1b7f6d16231c4f95b2a7f52
                                  • Instruction Fuzzy Hash: 40F02B3194061547CB09FBA0C8966BE73B4AF40394F146414F5157B2C1DF309E418781
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E7AE2E
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E7AE38
                                  • int.LIBCPMT ref: 00E7AE4F
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • messages.LIBCPMT ref: 00E7AE72
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E7AEA9
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3messages
                                  • String ID:
                                  • API String ID: 50917705-0
                                  • Opcode ID: c6b36c8469cba44903b2a81e04c2b63499e871322247344fa4d1089e14bfa48a
                                  • Instruction ID: 01c02fa5691c1dc5f404b07af9bbe377d6535165daca5508f1196a20e9ebcf55
                                  • Opcode Fuzzy Hash: c6b36c8469cba44903b2a81e04c2b63499e871322247344fa4d1089e14bfa48a
                                  • Instruction Fuzzy Hash: 12F02B3194051A97CF05FF60D8566BE33B5AF41394F18A518F4157B1C2DF3099018742
                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,00F49D52,00000104), ref: 00EC7A6E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileModuleName
                                  • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                  • API String ID: 514040917-4022980321
                                  • Opcode ID: 44874b660b8d706c560c0548d072674ac4b910097e116d8d661072dd0c21536a
                                  • Instruction ID: 0be7e97bb0617dac18e1f154d18128b20176676d2fc5eb6baf8b5d9282c3204f
                                  • Opcode Fuzzy Hash: 44874b660b8d706c560c0548d072674ac4b910097e116d8d661072dd0c21536a
                                  • Instruction Fuzzy Hash: 91216B32B0830527E63166225D46F9B379D8B91758B04383AFD88B6252F693CE13C6A1
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Mpunct$GetvalsH_prolog3
                                  • String ID: $+xv
                                  • API String ID: 2204710431-1686923651
                                  • Opcode ID: 0167b52e4f5c04789d1d48c08a6f812168833b79eaf9ae8474b5c4eaf6bf7499
                                  • Instruction ID: 92eed51e99b7100375d548136c92e4ba4e98d46cc447f6c5b8b76299b502a1a8
                                  • Opcode Fuzzy Hash: 0167b52e4f5c04789d1d48c08a6f812168833b79eaf9ae8474b5c4eaf6bf7499
                                  • Instruction Fuzzy Hash: 7F21B2B1904B526FD725EF74889077BBEF8AB08300F04556AE59DD7A42E370E601CB90
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E6ECE8
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E6ECF2
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E6ED99
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E6EDA4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Lockitstd::_$Concurrency::cancel_current_taskH_prolog3Lockit::_Lockit::~_
                                  • String ID: 6-
                                  • API String ID: 4244582100-3458737923
                                  • Opcode ID: bc6e663e4f0b653679b2053dc23430a9efc2329d1c7d1eb3db3639733f69e79b
                                  • Instruction ID: c335ef2dc67a7141236413da0b81eb44c4d515b475c2899539dabc66466a5e7c
                                  • Opcode Fuzzy Hash: bc6e663e4f0b653679b2053dc23430a9efc2329d1c7d1eb3db3639733f69e79b
                                  • Instruction Fuzzy Hash: 27214F34A4061AAFCB04EF25D891AADB7B5FF48360F109559E916AB3E1CB30ED50CF90
                                  APIs
                                  • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00ECAF25), ref: 00ECAF7B
                                  • GetLastError.KERNEL32(?,00ECAF25), ref: 00ECAF85
                                  • LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00ECAFC3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoad$ErrorLast
                                  • String ID: api-ms-$ext-ms-
                                  • API String ID: 3177248105-537541572
                                  • Opcode ID: 3f9c4fefbd752038e7c1ed02979df1f83c5313bfb0ca101b92dfd0835d2b374b
                                  • Instruction ID: 21f065f86f6a18dfc720f97544e7a81c48534dce4571e5464c8742c1f2453053
                                  • Opcode Fuzzy Hash: 3f9c4fefbd752038e7c1ed02979df1f83c5313bfb0ca101b92dfd0835d2b374b
                                  • Instruction Fuzzy Hash: B7F05E7174428DBAEF201A63DE0AF593B94AB00B9CF195038F90CB81E1E672D9169546
                                  APIs
                                  • __alloca_probe_16.LIBCMT ref: 00ED1EC7
                                  • __alloca_probe_16.LIBCMT ref: 00ED1F88
                                  • __freea.LIBCMT ref: 00ED1FEF
                                    • Part of subcall function 00ECC99A: HeapAlloc.KERNEL32(00000000,00E69E75,?,,;,00E8F1E6,?,?,?,?,,;,00E612CC,00E69E75,?,?,?,?), ref: 00ECC9CC
                                  • __freea.LIBCMT ref: 00ED2004
                                  • __freea.LIBCMT ref: 00ED2014
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __freea$__alloca_probe_16$AllocHeap
                                  • String ID:
                                  • API String ID: 1096550386-0
                                  • Opcode ID: b2a55f42b9650f99abfae62abad467040424f3993a6e67efa3e2a4b1a0f8cce5
                                  • Instruction ID: 82713dac6820e115e86aa59ba754ddfad9565411ca04690934310e25971d01fc
                                  • Opcode Fuzzy Hash: b2a55f42b9650f99abfae62abad467040424f3993a6e67efa3e2a4b1a0f8cce5
                                  • Instruction Fuzzy Hash: 5951D372600206BFEB219FA0CD41EBB77AAEF54354B15156AFD08F6251EB71CC12D760
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: operator+shared_ptr$NameName::
                                  • String ID:
                                  • API String ID: 2894330373-0
                                  • Opcode ID: f0e1bd4323d2e95bf9f02af93cd1ad38c4d1fd68b617b5139d5224d11782ecde
                                  • Instruction ID: d10583f87328b651b41a5c1deea61b96a5bc585fd71122eb47a14fe3506dc7b3
                                  • Opcode Fuzzy Hash: f0e1bd4323d2e95bf9f02af93cd1ad38c4d1fd68b617b5139d5224d11782ecde
                                  • Instruction Fuzzy Hash: A861AE75804109AFCF28DFACD8459EE7BF5FB46308F14956EE819BB222D3718601DB40
                                  APIs
                                  • GetCurrentThreadId.KERNEL32 ref: 00E6BE8B
                                  • AcquireSRWLockExclusive.KERNEL32(?), ref: 00E6BEAA
                                  • AcquireSRWLockExclusive.KERNEL32(?,?), ref: 00E6BED8
                                  • TryAcquireSRWLockExclusive.KERNEL32(?,?), ref: 00E6BF33
                                  • TryAcquireSRWLockExclusive.KERNEL32(?,?), ref: 00E6BF4A
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AcquireExclusiveLock$CurrentThread
                                  • String ID:
                                  • API String ID: 66001078-0
                                  • Opcode ID: 3ed21c30811a592b3cbd23251e184785581110595dc2ff221be0df500badb220
                                  • Instruction ID: f2d078acfe5ba8d2cb2a7650bb11ce697b517e1e4917784163cc639822a5f060
                                  • Opcode Fuzzy Hash: 3ed21c30811a592b3cbd23251e184785581110595dc2ff221be0df500badb220
                                  • Instruction Fuzzy Hash: AE417D3168060ADFCB20DF65EC809AAB3F9FF04394B505929E41AE7561D730E9C9CF50
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E6503C
                                  • int.LIBCPMT ref: 00E6504F
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • std::_Facet_Register.LIBCPMT ref: 00E65082
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E65098
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E650A3
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                  • String ID:
                                  • API String ID: 2081738530-0
                                  • Opcode ID: 8a58996b7b4f30c5e799e75dcdb686b0cc9df3c6db1740e4a6a1cc5a14683581
                                  • Instruction ID: 7b315f1cce9dfc2da92f32557800d39669009670444e0cab31fe56a892b36d5c
                                  • Opcode Fuzzy Hash: 8a58996b7b4f30c5e799e75dcdb686b0cc9df3c6db1740e4a6a1cc5a14683581
                                  • Instruction Fuzzy Hash: 3B01F777A80914ABCB15AB64F8459DE7BB8DF817A4F145149F802BB292EB30DE0187D0
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E6B8F2
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E6B8FD
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E6B96B
                                    • Part of subcall function 00E6BA7E: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00E6BA96
                                  • std::locale::_Setgloballocale.LIBCPMT ref: 00E6B918
                                  • _Yarn.LIBCPMT ref: 00E6B92E
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                  • String ID:
                                  • API String ID: 1088826258-0
                                  • Opcode ID: fab73d614160284f85e8a241a1b7cf242a2c4b39fdf6864de2b3a0ae58700e85
                                  • Instruction ID: 981ac571c9cd0f20be76fa880042c255ab163ff3d379a4cd67326a6c4126d6a3
                                  • Opcode Fuzzy Hash: fab73d614160284f85e8a241a1b7cf242a2c4b39fdf6864de2b3a0ae58700e85
                                  • Instruction Fuzzy Hash: 4801D479A412659BCB09EB20E8855BE7BB5FFC5380B145009E901B7392CF345E42CBC1
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E7AF58
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E7AF62
                                  • int.LIBCPMT ref: 00E7AF79
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E7AFD3
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                  • String ID:
                                  • API String ID: 1383202999-0
                                  • Opcode ID: 4b85078b8b78b115545ff08c51ca5f12fd968c8b37f3dc992177110cc4d0f33d
                                  • Instruction ID: 2fe32988404b500d1c078a271c2b8528182a959ec1116e06b6a9b8356661395a
                                  • Opcode Fuzzy Hash: 4b85078b8b78b115545ff08c51ca5f12fd968c8b37f3dc992177110cc4d0f33d
                                  • Instruction Fuzzy Hash: 58F02B35A406199BCB1AFBA0D8577BE7375AF40394F186414F5197F2C2EF309E018742
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E7AEC3
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E7AECD
                                  • int.LIBCPMT ref: 00E7AEE4
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E7AF3E
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                  • String ID:
                                  • API String ID: 1383202999-0
                                  • Opcode ID: 9c1d350cea6984eac30361870d4e7638333a5fc3621c23e35a086ec1ef7eb708
                                  • Instruction ID: d39c05d5f924c96545366fffe938768b71f1e5abdf4ba4ad532bb5f667ef307b
                                  • Opcode Fuzzy Hash: 9c1d350cea6984eac30361870d4e7638333a5fc3621c23e35a086ec1ef7eb708
                                  • Instruction Fuzzy Hash: 8AF02431A4061957CF09FBA0D8927BE72B4AF80794F28A018F8197B2D2DF309A018781
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E7AFEF
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E7AFF9
                                  • int.LIBCPMT ref: 00E7B010
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E7B06A
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                  • String ID:
                                  • API String ID: 1383202999-0
                                  • Opcode ID: b041c25ddd354c5b615287a85b525c13f8ff937fc9a32ab95b143f0f437cc4f0
                                  • Instruction ID: f902e560de0da34afc077588184bfbede20a3b9f0541bdfac1c6437c56f59e37
                                  • Opcode Fuzzy Hash: b041c25ddd354c5b615287a85b525c13f8ff937fc9a32ab95b143f0f437cc4f0
                                  • Instruction Fuzzy Hash: 9CF0B43194061AD7CF15FB60D8967BF76B5AF40798F246408F9297B2D2DF309A058781
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E7B084
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E7B08E
                                  • int.LIBCPMT ref: 00E7B0A5
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E7B0FF
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                  • String ID:
                                  • API String ID: 1383202999-0
                                  • Opcode ID: dffd53cd7a7a58dbf5c8a5328377d05182298e7383044da5799d71abb51c7222
                                  • Instruction ID: 0f71dbbe0fdb3f408bf5a93a2278b95c2842b10e31ef682216e9827393786bcb
                                  • Opcode Fuzzy Hash: dffd53cd7a7a58dbf5c8a5328377d05182298e7383044da5799d71abb51c7222
                                  • Instruction Fuzzy Hash: C0F090319406199BCB15FBA0E8967BE73B5AF41794F546408F9297B2D2DF709E018780
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E7B119
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E7B123
                                  • int.LIBCPMT ref: 00E7B13A
                                    • Part of subcall function 00E61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00E61C7C
                                    • Part of subcall function 00E61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00E61C96
                                  • moneypunct.LIBCPMT ref: 00E7B15D
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E7B194
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3moneypunct
                                  • String ID:
                                  • API String ID: 3160146232-0
                                  • Opcode ID: db4379d50d9e0b0a43ac3191338e6c6b49c6969be90c06b28f22d432a2471c12
                                  • Instruction ID: 5389308c249563234bbc27482ff68d8497e4e50d50f9eaee43818a82e041fa5d
                                  • Opcode Fuzzy Hash: db4379d50d9e0b0a43ac3191338e6c6b49c6969be90c06b28f22d432a2471c12
                                  • Instruction Fuzzy Hash: D1F08231A4161A9BCB05FFA0C9A67BE7775AF40785F546004F50A7B282DF749A018791
                                  APIs
                                  • Replicator::operator[].LIBCMT ref: 00E96963
                                  • DName::operator=.LIBVCRUNTIME ref: 00E969F8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Name::operator=Replicator::operator[]
                                  • String ID: .j$.j
                                  • API String ID: 3211817929-272043564
                                  • Opcode ID: 68887d207334452e6d5fddafe408f052a73194af89b43ee14261ee4b0626a488
                                  • Instruction ID: 930753a8af4ac4f068e775a8efe6b76e33d25ab18abaeff3e98d5831e38a464c
                                  • Opcode Fuzzy Hash: 68887d207334452e6d5fddafe408f052a73194af89b43ee14261ee4b0626a488
                                  • Instruction Fuzzy Hash: AF3145726003089FDF11EFA8C882BBE77E9AB82719F54242FE452A71C2DBB09C45C750
                                  APIs
                                  • ___TypeMatch.LIBVCRUNTIME ref: 00E94870
                                  • type_info::operator==.LIBVCRUNTIME ref: 00E948D2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MatchTypetype_info::operator==
                                  • String ID: R@$R@
                                  • API String ID: 445925684-1339891605
                                  • Opcode ID: 83ced6a893d83f3b77d281eb41169e307691c03169a6e3fcef4c47b32ca1bd00
                                  • Instruction ID: 01714cad54ded3584877b25a6c23985cff5ef89e5f27dcb49307c73604b3b58f
                                  • Opcode Fuzzy Hash: 83ced6a893d83f3b77d281eb41169e307691c03169a6e3fcef4c47b32ca1bd00
                                  • Instruction Fuzzy Hash: AA312AB5E00259AB8F14DF9DD8819AEBBF5EF49314B149469E814F7341D230ED029B90
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Mpunct$H_prolog3
                                  • String ID: $+xv
                                  • API String ID: 4281374311-1686923651
                                  • Opcode ID: 18492e4b231d480dc5ae438d767f7a31a169ef8cea2c1b98da794d8c11716306
                                  • Instruction ID: 71aad8096535f2438be1593b704a1c94ddf94cc2706529c410f3d3c5f547972b
                                  • Opcode Fuzzy Hash: 18492e4b231d480dc5ae438d767f7a31a169ef8cea2c1b98da794d8c11716306
                                  • Instruction Fuzzy Hash: BC2192B1904A526FD725EF74888077BBEF8BB08700F08666AE49DD7A42D770E601CB91
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E7FCA6
                                    • Part of subcall function 00E77C2B: _Maklocstr.LIBCPMT ref: 00E77C4B
                                    • Part of subcall function 00E77C2B: _Maklocstr.LIBCPMT ref: 00E77C68
                                    • Part of subcall function 00E77C2B: _Maklocstr.LIBCPMT ref: 00E77C85
                                  • _Mpunct.LIBCPMT ref: 00E7FD33
                                  • _Mpunct.LIBCPMT ref: 00E7FD4D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Maklocstr$Mpunct$H_prolog3
                                  • String ID: $+xv
                                  • API String ID: 4259326447-1686923651
                                  • Opcode ID: af3f800482b2a69d80cd6323170d40907391c7c12e6206c491321c539b631d8b
                                  • Instruction ID: b852ffe523ac17d8e9113d0f54dfc1b1ca7f3414d5dfdd39afeb0f189da4997b
                                  • Opcode Fuzzy Hash: af3f800482b2a69d80cd6323170d40907391c7c12e6206c491321c539b631d8b
                                  • Instruction Fuzzy Hash: 4621B0B1904A526FDB25EF74988077BBEF8BB0C300F04595AE59DD7A42E330EA01CB90
                                  APIs
                                  • __is_exception_typeof.LIBVCRUNTIME ref: 00E8FF72
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __is_exception_typeof
                                  • String ID: MOC$RCC$csm
                                  • API String ID: 3140442014-2671469338
                                  • Opcode ID: 7a133def654c3f26824ec6c5f15ea01c6f76681e7f3f84147a0a92843e6c5151
                                  • Instruction ID: 3deba9759dc6117f4c964c3c234032bf0cd67c71b2d1ac9229112281cf90e228
                                  • Opcode Fuzzy Hash: 7a133def654c3f26824ec6c5f15ea01c6f76681e7f3f84147a0a92843e6c5151
                                  • Instruction Fuzzy Hash: 3F119331604304DFCB15AF64D402B99B7E8FF81316F1510AAFA4DAB165D7B4EE40CB91
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Maklocstr
                                  • String ID: 6-
                                  • API String ID: 2987148671-3458737923
                                  • Opcode ID: 06c077c2d901f1b436a43087f663b4e15195dd5c6024d3631a1a829cfb3f6298
                                  • Instruction ID: 35bed02bf9fbf4d8280db6e77907c75db41f64dafdd40f740ff0378e3188273f
                                  • Opcode Fuzzy Hash: 06c077c2d901f1b436a43087f663b4e15195dd5c6024d3631a1a829cfb3f6298
                                  • Instruction Fuzzy Hash: 9E118FB16087847BE720DBA58881F12BBECEB08714F04991AF288DBA40D274FD5087A4
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: H_prolog3_
                                  • String ID: 6-$false$true
                                  • API String ID: 2427045233-1111579777
                                  • Opcode ID: c3d68d6ad353e05c286dd76f073d32a50cb630252db84b940d51d8b2b96e05c4
                                  • Instruction ID: cd7472a4696366a4002b9695da9fea29f60420f416158e9f08d295de623e54a1
                                  • Opcode Fuzzy Hash: c3d68d6ad353e05c286dd76f073d32a50cb630252db84b940d51d8b2b96e05c4
                                  • Instruction Fuzzy Hash: D111E975A417449EC720FFB4D801B89B7F4AF05340F04A52AF1A6E7391EB70E504CB50
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E61B7A
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00E61BB2
                                    • Part of subcall function 00E6B9E9: _Yarn.LIBCPMT ref: 00E6BA08
                                    • Part of subcall function 00E6B9E9: _Yarn.LIBCPMT ref: 00E6BA2C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                  • String ID: bad locale name$_
                                  • API String ID: 1908188788-959849644
                                  • Opcode ID: 6f8a2ee82e587c2574423a0bc91bcc6ac458145baf3a54d0a7113ed94457712a
                                  • Instruction ID: f021ffc24593c792582ba4c2ef7af184145060c85b98b630009c5b7b17f9a428
                                  • Opcode Fuzzy Hash: 6f8a2ee82e587c2574423a0bc91bcc6ac458145baf3a54d0a7113ed94457712a
                                  • Instruction Fuzzy Hash: 7EF03A71545B409E83319F7AA481447FBE4BE28350394DE2FE1DED3A12D730E444CB6A
                                  APIs
                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00E69E90
                                    • Part of subcall function 00E69B2B: std::exception::exception.LIBCONCRT ref: 00E69B38
                                    • Part of subcall function 00E90044: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,,;,00E69E83,?,00EF6D8C,?), ref: 00E900A4
                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00E69EB0
                                    • Part of subcall function 00E69B65: std::exception::exception.LIBCONCRT ref: 00E69B72
                                  • std::regex_error::regex_error.LIBCPMT ref: 00E69ED0
                                    • Part of subcall function 00E69BA8: std::exception::exception.LIBCONCRT ref: 00E69BC0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::exception::exception$std::invalid_argument::invalid_argument$ExceptionRaisestd::regex_error::regex_error
                                  • String ID: ,;
                                  • API String ID: 2470674941-2433392739
                                  • Opcode ID: bacf27d3cb81ebeee656b3fa2a38525d2418c313d34a18bd075b54a870a4ac4b
                                  • Instruction ID: 75364853c47810fc7622e8620013f819e7405454619f98650df6922d24243f1c
                                  • Opcode Fuzzy Hash: bacf27d3cb81ebeee656b3fa2a38525d2418c313d34a18bd075b54a870a4ac4b
                                  • Instruction Fuzzy Hash: C6F0D035C4020C7BCF04FAE4E846DED77BC9E04740F805820BB24B2552EB75A61986D5
                                  APIs
                                  • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00E9BEEE,?,?,00000000,?,?,?,00E9C0CC,00000002,FlsGetValue,00EEC674,FlsGetValue), ref: 00E9BFFE
                                  • GetLastError.KERNEL32(?,00E9BEEE,?,?,00000000,?,?,?,00E9C0CC,00000002,FlsGetValue,00EEC674,FlsGetValue,?,?,00E93A05), ref: 00E9C008
                                  • LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00E9C030
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoad$ErrorLast
                                  • String ID: api-ms-
                                  • API String ID: 3177248105-2084034818
                                  • Opcode ID: a29b26e55553940c62922b8608fbace6fc9dfb404bc3683767b82a3c5f6d35fa
                                  • Instruction ID: e6a65d63458bd46fffa84bc035e2e9df86ed34c37472a87384a5a02fca76d8a3
                                  • Opcode Fuzzy Hash: a29b26e55553940c62922b8608fbace6fc9dfb404bc3683767b82a3c5f6d35fa
                                  • Instruction Fuzzy Hash: 0EE0483068164DFBEF202F62DC4BB593B94BB11B95F205060FD0DB81E1D762D91A9544
                                  APIs
                                  Similarity
                                  • API ID: _strcspn$H_prolog3_ctype
                                  • String ID:
                                  • API String ID: 838279627-0
                                  • Opcode ID: c89d4fac29e53ae6925a17ae03ca48d72b1240a31e4eabaf211eb5133ac0e6d8
                                  • Instruction ID: 08d95c5e06e448243b828da4ebd8a024a053ba3b13b9e9821c35ed3a51c1b34f
                                  • Opcode Fuzzy Hash: c89d4fac29e53ae6925a17ae03ca48d72b1240a31e4eabaf211eb5133ac0e6d8
                                  • Instruction Fuzzy Hash: 55D15971D006199FDF15DFA4C880AEEBBF9EF48318F14911AE919BB251D730AE45CBA0
                                  APIs
                                  Similarity
                                  • API ID: _strcspn$H_prolog3_ctype
                                  • String ID:
                                  • API String ID: 838279627-0
                                  • Opcode ID: 72301d71c64bb093b73d5d3f3780a4b254527693677bd0cbee8317244b7ddc78
                                  • Instruction ID: f14a9bce90170cd0b140bdc96a775b65b693d101663d46c557dcadfcf5cf20ed
                                  • Opcode Fuzzy Hash: 72301d71c64bb093b73d5d3f3780a4b254527693677bd0cbee8317244b7ddc78
                                  • Instruction Fuzzy Hash: 3AD15A75D006099FDF15EFA4C880AEEBBB9FF08318F149019E919BB251D730AE45CBA0
                                  APIs
                                  Similarity
                                  • API ID: _strcspn$H_prolog3_ctype
                                  • String ID:
                                  • API String ID: 838279627-0
                                  • Opcode ID: 66bc2ffb853bd291f597202520cc849dabcc0fc6e22c408f68e43a7ea04c28c4
                                  • Instruction ID: d700b894b9b069dc47a56bbf266d20802026309d27938d2482c12ca7f5bd43cb
                                  • Opcode Fuzzy Hash: 66bc2ffb853bd291f597202520cc849dabcc0fc6e22c408f68e43a7ea04c28c4
                                  • Instruction Fuzzy Hash: 80D15771D402099FDF15DFA4D880AFEBBB9EF08394F24512AE859BB251D730AD45CBA0
                                  APIs
                                  • GetConsoleOutputCP.KERNEL32(AB1BDD2F,00000000,00000000,00000000), ref: 00ECE821
                                    • Part of subcall function 00ED32C6: WideCharToMultiByte.KERNEL32(00EBA335,00000000,00000000,00000000,00000000,00000000,000000FF,0000FDE9,00000000,00000000,00000000,?,00ED195B,00000000,00000000,00EBA335), ref: 00ED3372
                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00ECEA7C
                                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00ECEAC4
                                  • GetLastError.KERNEL32 ref: 00ECEB67
                                  Similarity
                                  • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                  • String ID:
                                  • API String ID: 2112829910-0
                                  • Opcode ID: 5093a08400fee38c9cd958111aee6eb3e3d630b13a2876bb46e570f415257e9b
                                  • Instruction ID: 8db0770cb6834117a8a2a54ed163a56ee1db8bb7d2f6573a6e747783936dc473
                                  • Opcode Fuzzy Hash: 5093a08400fee38c9cd958111aee6eb3e3d630b13a2876bb46e570f415257e9b
                                  • Instruction Fuzzy Hash: 8CD165B5D002489FCB15CFA8D980AADBBF9FF48304F28556AE816FB351D631A942CB50
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E97E13
                                  • UnDecorator::getSymbolName.LIBCMT ref: 00E97EA5
                                  • DName::operator+.LIBCMT ref: 00E97FA9
                                  • DName::DName.LIBVCRUNTIME ref: 00E9804C
                                    • Part of subcall function 00E95755: shared_ptr.LIBCMT ref: 00E95771
                                    • Part of subcall function 00E959EF: DName::DName.LIBVCRUNTIME ref: 00E95A3D
                                  Similarity
                                  • API ID: Name$Name::$Decorator::getH_prolog3Name::operator+Symbolshared_ptr
                                  • String ID:
                                  • API String ID: 1134295639-0
                                  • Opcode ID: 4fa01f3fcf119e7111324cc27971a985da4391ba6d864cefbaa76adeeb25c8a7
                                  • Instruction ID: 9aad5354daaabbae895d1d58ee21ea98b6b43a81b75e467b42c67c72289839c8
                                  • Opcode Fuzzy Hash: 4fa01f3fcf119e7111324cc27971a985da4391ba6d864cefbaa76adeeb25c8a7
                                  • Instruction Fuzzy Hash: FF716F75E182198FDF01DF94D881AEEBBF4BB0A314F14606EE941BB251D7749D48CBA0
                                  APIs
                                  • DName::operator+.LIBCMT ref: 00E985E0
                                    • Part of subcall function 00E953A4: __aulldvrm.LIBCMT ref: 00E953D5
                                  • DName::operator+.LIBCMT ref: 00E98541
                                  • DName::operator=.LIBVCRUNTIME ref: 00E98625
                                  • DName::DName.LIBVCRUNTIME ref: 00E98657
                                  Similarity
                                  • API ID: Name::operator+$NameName::Name::operator=__aulldvrm
                                  • String ID:
                                  • API String ID: 2973644308-0
                                  • Opcode ID: a034e5e3322a40d55f8bd5ed67c354ac53fcfda26af91434f1e2b71645384bf0
                                  • Instruction ID: 1e5177cc55e67e7f9dee0eeb526ff5e75a68524e3b47937eba9cc42a44af0d6f
                                  • Opcode Fuzzy Hash: a034e5e3322a40d55f8bd5ed67c354ac53fcfda26af91434f1e2b71645384bf0
                                  • Instruction Fuzzy Hash: 6061AEB5904219DFCF05DF58C941AEEBBF0FB56304F10916AE8117B362DBB09A40CB90
                                  APIs
                                  Similarity
                                  • API ID: AdjustPointer
                                  • String ID:
                                  • API String ID: 1740715915-0
                                  • Opcode ID: 491b66c0d93c10986bfc90066e229f56479b901797752f28370f9f546e45143d
                                  • Instruction ID: c58a767846dfb2ccd7996332343820d2400b64cc060825b53f8f02770ac2c6a3
                                  • Opcode Fuzzy Hash: 491b66c0d93c10986bfc90066e229f56479b901797752f28370f9f546e45143d
                                  • Instruction Fuzzy Hash: FA51C372A00A46AFDF289F64D841BAAF7E4EF00714F14552DED0676291E731EE80C7A0
                                  APIs
                                  • DName::operator+.LIBCMT ref: 00E9820F
                                    • Part of subcall function 00E95719: DName::operator+=.LIBCMT ref: 00E9572F
                                  Similarity
                                  • API ID: Name::operator+Name::operator+=
                                  • String ID:
                                  • API String ID: 382699925-0
                                  • Opcode ID: 78ed14223d232ca92d5bc05c32d88bece92513417c32bd4a4c509911187d7cb3
                                  • Instruction ID: 70e173227ff3c33b3e62328acdd4d10f98bc774a99332102fe60d3392bd94790
                                  • Opcode Fuzzy Hash: 78ed14223d232ca92d5bc05c32d88bece92513417c32bd4a4c509911187d7cb3
                                  • Instruction Fuzzy Hash: FF416DB5D0420EDACF04DFA8D6869FEBBF4EB46744F10605AE905B7260DB709A85CB90
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00E706D5
                                    • Part of subcall function 00E6B8EB: __EH_prolog3.LIBCMT ref: 00E6B8F2
                                    • Part of subcall function 00E6B8EB: std::_Lockit::_Lockit.LIBCPMT ref: 00E6B8FD
                                    • Part of subcall function 00E6B8EB: std::locale::_Setgloballocale.LIBCPMT ref: 00E6B918
                                    • Part of subcall function 00E6B8EB: _Yarn.LIBCPMT ref: 00E6B92E
                                    • Part of subcall function 00E6B8EB: std::_Lockit::~_Lockit.LIBCPMT ref: 00E6B96B
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E706F9
                                  • std::locale::_Setgloballocale.LIBCPMT ref: 00E70748
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E707A8
                                  Similarity
                                  • API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_Setgloballocalestd::locale::_$Yarn
                                  • String ID:
                                  • API String ID: 2301162320-0
                                  • Opcode ID: 0207ff9139c3c87d2d1e048ab2cc92bf1f2da5eb494bd7f83ce076e6935c4e32
                                  • Instruction ID: e83ec2c3f1be281cd387a980ea7299136fb8d9eda8974394b91464e7d45cc832
                                  • Opcode Fuzzy Hash: 0207ff9139c3c87d2d1e048ab2cc92bf1f2da5eb494bd7f83ce076e6935c4e32
                                  • Instruction Fuzzy Hash: 4F2151756002149FDB08FF68D8C196E77E5AF48354715A06AE90AEB392DB30ED458B90
                                  APIs
                                    • Part of subcall function 00ED32C6: WideCharToMultiByte.KERNEL32(00EBA335,00000000,00000000,00000000,00000000,00000000,000000FF,0000FDE9,00000000,00000000,00000000,?,00ED195B,00000000,00000000,00EBA335), ref: 00ED3372
                                  • GetLastError.KERNEL32 ref: 00ED41E2
                                  • __dosmaperr.LIBCMT ref: 00ED41E9
                                  • GetLastError.KERNEL32(?,?,?,?), ref: 00ED4223
                                  • __dosmaperr.LIBCMT ref: 00ED422A
                                  Similarity
                                  • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                  • String ID:
                                  • API String ID: 1913693674-0
                                  • Opcode ID: 292a184ef6075b78ed43d9e4345d40a050d968516614c66917f32f776940d13d
                                  • Instruction ID: 87784dbefc0a3167eca3aa8ce5ab83e743a33fa07fb31afa154ed96921103922
                                  • Opcode Fuzzy Hash: 292a184ef6075b78ed43d9e4345d40a050d968516614c66917f32f776940d13d
                                  • Instruction Fuzzy Hash: 3321C5B1604215AF9B20AF65DC81C6BB7E9FF70368710A51AF869B73A1D730ED428750
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7fd5b37b7a90f1ee30fe12c397ef843760443ab620a801b2a7f041b7545b7094
                                  • Instruction ID: 8dad8a9e352b9a765750e976a5187bb98ae88bc73bc9996e6a356b822cb0a9f8
                                  • Opcode Fuzzy Hash: 7fd5b37b7a90f1ee30fe12c397ef843760443ab620a801b2a7f041b7545b7094
                                  • Instruction Fuzzy Hash: 6221D471600205AF9B20AF61CEC1EAB77E8EF043A8710A51EFA14B7151E772DD52D7A0
                                  APIs
                                  • GetEnvironmentStringsW.KERNEL32 ref: 00ED5EDC
                                    • Part of subcall function 00ED32C6: WideCharToMultiByte.KERNEL32(00EBA335,00000000,00000000,00000000,00000000,00000000,000000FF,0000FDE9,00000000,00000000,00000000,?,00ED195B,00000000,00000000,00EBA335), ref: 00ED3372
                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00ED5F14
                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00ED5F34
                                  Similarity
                                  • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                  • String ID:
                                  • API String ID: 158306478-0
                                  • Opcode ID: 7bf0d26f83ffa33eda66bef61c99c98a5c1ee7d794ca10f690bf6933dcd56e34
                                  • Instruction ID: e639ac2aae2d64dccfdb7b224b940727a9e2947ff4ed28853c34dafc8b71412d
                                  • Opcode Fuzzy Hash: 7bf0d26f83ffa33eda66bef61c99c98a5c1ee7d794ca10f690bf6933dcd56e34
                                  • Instruction Fuzzy Hash: F711E1F3A0590A7FA71127725DCDCBF2ADDCE843A8715202AF402B9201EA259E0381B2
                                  APIs
                                  • CreateThread.KERNEL32(00000000,?,00E9C5EB,00000000,00000004,00000000), ref: 00E9C8E5
                                  • GetLastError.KERNEL32 ref: 00E9C8F1
                                  • __dosmaperr.LIBCMT ref: 00E9C8F8
                                  Similarity
                                  • API ID: CreateErrorLastThread__dosmaperr
                                  • String ID:
                                  • API String ID: 2744730728-0
                                  • Opcode ID: 3f53dbe3574ba18653d10591a53e9cc9566b57692813251726780c17436f5517
                                  • Instruction ID: a4a48357d14930c67d40bbf598cc0a27f43e06871adb06f29ad643bb3f9af97e
                                  • Opcode Fuzzy Hash: 3f53dbe3574ba18653d10591a53e9cc9566b57692813251726780c17436f5517
                                  • Instruction Fuzzy Hash: 4501C4B2401208BFCF20ABA5DC49BEE7AA9EF81375F305215F624B61E1DB708A41D760
                                  APIs
                                  • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?), ref: 00ED101E
                                  • GetLastError.KERNEL32(?,?,?,?), ref: 00ED102B
                                  • SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 00ED1051
                                  • SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 00ED1077
                                  Similarity
                                  • API ID: FilePointer$ErrorLast
                                  • String ID:
                                  • API String ID: 142388799-0
                                  • Opcode ID: eefa55dafb6c9aab533197c17c298933284e4a4166e5b68b605034dd962cd76b
                                  • Instruction ID: 57290daa275903009398c3324f6385a26d9f4d02c2b5439275d95de261bcd851
                                  • Opcode Fuzzy Hash: eefa55dafb6c9aab533197c17c298933284e4a4166e5b68b605034dd962cd76b
                                  • Instruction Fuzzy Hash: 5C117971905169BFCF24AF95DD489DF3FB9EF00364F104586F824AA2A1C771CA81DBA0
                                  APIs
                                  • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 00EE1F95
                                  • GetLastError.KERNEL32 ref: 00EE1FA1
                                    • Part of subcall function 00EE204A: CloseHandle.KERNEL32(FFFFFFFE,00EE2094,?,00EDDB8F,00000000,00000001,00000000,00000000,?,00ECEBBB,00000000,00000000,00000000,00000000,00000000), ref: 00EE205A
                                  • ___initconout.LIBCMT ref: 00EE1FB1
                                    • Part of subcall function 00EE200C: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00EE203B,00EDDB7C,00000000,?,00ECEBBB,00000000,00000000,00000000,00000000), ref: 00EE201F
                                  • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 00EE1FC5
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                  • String ID:
                                  • API String ID: 2744216297-0
                                  • Opcode ID: 9d16caad743f1ff07973509336c5156db0f7d0ff5fdcc27e8bccd4502047734f
                                  • Instruction ID: 7acae238e9ff4920807e3ba4fe993fd862527806e91dc41fbe656f8b6410ee15
                                  • Opcode Fuzzy Hash: 9d16caad743f1ff07973509336c5156db0f7d0ff5fdcc27e8bccd4502047734f
                                  • Instruction Fuzzy Hash: C8F0823A100549AFCB222F97EC09D467FF6EFC9750B214419FA8AA2171DB329854DF50
                                  APIs
                                  • WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,00EDDB8F,00000000,00000001,00000000,00000000,?,00ECEBBB,00000000,00000000,00000000), ref: 00EE2078
                                  • GetLastError.KERNEL32(?,00EDDB8F,00000000,00000001,00000000,00000000,?,00ECEBBB,00000000,00000000,00000000,00000000,00000000,?,00ECF18A,?), ref: 00EE2084
                                    • Part of subcall function 00EE204A: CloseHandle.KERNEL32(FFFFFFFE,00EE2094,?,00EDDB8F,00000000,00000001,00000000,00000000,?,00ECEBBB,00000000,00000000,00000000,00000000,00000000), ref: 00EE205A
                                  • ___initconout.LIBCMT ref: 00EE2094
                                    • Part of subcall function 00EE200C: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00EE203B,00EDDB7C,00000000,?,00ECEBBB,00000000,00000000,00000000,00000000), ref: 00EE201F
                                  • WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,00EDDB8F,00000000,00000001,00000000,00000000,?,00ECEBBB,00000000,00000000,00000000,00000000), ref: 00EE20A9
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                  • String ID:
                                  • API String ID: 2744216297-0
                                  • Opcode ID: 3bd8f28a41d369070a6f69dafff5250a0606ed7116b300ea100e32e401d9b2ed
                                  • Instruction ID: c644c11de9f435f6b241642fbe1b9af2cbd8f703e875693952225f422205deb6
                                  • Opcode Fuzzy Hash: 3bd8f28a41d369070a6f69dafff5250a0606ed7116b300ea100e32e401d9b2ed
                                  • Instruction Fuzzy Hash: 4EF0373640116DBFCF221F93DC199997F66FF453A0F155414FE09A5171D6328820DB91
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __aulldiv
                                  • String ID: +$-
                                  • API String ID: 3732870572-2137968064
                                  • Opcode ID: 39a310d45cb71cb3a467e140423cede7b76dcada602dc74fde997beada53b2a3
                                  • Instruction ID: d46fb266ebf1025dcc7fff65a7d0c346b80615dd57790177620a5cf792814e1e
                                  • Opcode Fuzzy Hash: 39a310d45cb71cb3a467e140423cede7b76dcada602dc74fde997beada53b2a3
                                  • Instruction Fuzzy Hash: 21A1D030A09259AFCF24CE7888506EF7FA1EF85329F14A599E8F5FB791D230D9019B50
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: H_prolog3___cftoe
                                  • String ID: !%x
                                  • API String ID: 855520168-1893981228
                                  • Opcode ID: 80be2058fd0465b1670452b26524ab1acb3b2607d8f16338d8634091fc8a9689
                                  • Instruction ID: 3d75b66a72e6388a6d11c5ce8a0fc19f075803b2bb4053d6da325496e7afae40
                                  • Opcode Fuzzy Hash: 80be2058fd0465b1670452b26524ab1acb3b2607d8f16338d8634091fc8a9689
                                  • Instruction Fuzzy Hash: F9718971D04108AFDF18EFA8E885AEEB7F5EF48304F24502AF499B7250EB35A941CB50
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: H_prolog3___cftoe
                                  • String ID: !%x
                                  • API String ID: 855520168-1893981228
                                  • Opcode ID: 48d49a548d0019dc3aa379a14da4185db969513502f1464a2fa75ef28087ee60
                                  • Instruction ID: 1c23bd30b134043a1d14cb545a58343bdc9b224107bbaafcae329140dbe76ce6
                                  • Opcode Fuzzy Hash: 48d49a548d0019dc3aa379a14da4185db969513502f1464a2fa75ef28087ee60
                                  • Instruction Fuzzy Hash: 46717A71D04108AFDF18EFA8E881AEDB7F5EF48304F245069F459B7251EB34AA41CB50
                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 00E862B8
                                  • swprintf.LIBCMT ref: 00E86330
                                    • Part of subcall function 00E7ACFD: __EH_prolog3.LIBCMT ref: 00E7AD04
                                    • Part of subcall function 00E7ACFD: std::_Lockit::_Lockit.LIBCPMT ref: 00E7AD0E
                                    • Part of subcall function 00E7ACFD: int.LIBCPMT ref: 00E7AD25
                                    • Part of subcall function 00E76589: _wmemset.LIBCMT ref: 00E765B2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: H_prolog3H_prolog3_LockitLockit::__wmemsetstd::_swprintf
                                  • String ID: %.0Lf
                                  • API String ID: 2528782737-1402515088
                                  • Opcode ID: 7d657a1a2eacd31283239c1cddf7e876081b02a5eac27f7424459f1dfd0aa3ad
                                  • Instruction ID: 9042f940d40709f710ec673c5c978281e3f4154a9d604d2af44eda4627811703
                                  • Opcode Fuzzy Hash: 7d657a1a2eacd31283239c1cddf7e876081b02a5eac27f7424459f1dfd0aa3ad
                                  • Instruction Fuzzy Hash: F0619B71D00218AFCF05EFE4D884AEDBBB9FF48300F10455AE51ABB2A1EB349915CB90
                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 00E85F8B
                                  • swprintf.LIBCMT ref: 00E86003
                                    • Part of subcall function 00E7AC68: __EH_prolog3.LIBCMT ref: 00E7AC6F
                                    • Part of subcall function 00E7AC68: std::_Lockit::_Lockit.LIBCPMT ref: 00E7AC79
                                    • Part of subcall function 00E7AC68: int.LIBCPMT ref: 00E7AC90
                                    • Part of subcall function 00E76502: _wmemset.LIBCMT ref: 00E7652B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: H_prolog3H_prolog3_LockitLockit::__wmemsetstd::_swprintf
                                  • String ID: %.0Lf
                                  • API String ID: 2528782737-1402515088
                                  • Opcode ID: f6301807a9b98a4839914339ac92a5ed60c69ceb66e47e4c07435c53ccc3b32e
                                  • Instruction ID: cb7bc15823ca47240e8c64223ddbf1240537a5130998c944fbd481b7a7d9be3d
                                  • Opcode Fuzzy Hash: f6301807a9b98a4839914339ac92a5ed60c69ceb66e47e4c07435c53ccc3b32e
                                  • Instruction Fuzzy Hash: CC61AE71D00208AFCF05EFE4D884AEDBBB9FF48300F209559E51ABB2A5DB349905CB90
                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 00E8C589
                                  • swprintf.LIBCMT ref: 00E8C601
                                    • Part of subcall function 00E65030: std::_Lockit::_Lockit.LIBCPMT ref: 00E6503C
                                    • Part of subcall function 00E65030: int.LIBCPMT ref: 00E6504F
                                    • Part of subcall function 00E65030: std::_Lockit::~_Lockit.LIBCPMT ref: 00E65098
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Lockitstd::_$H_prolog3_Lockit::_Lockit::~_swprintf
                                  • String ID: %.0Lf
                                  • API String ID: 2921955253-1402515088
                                  • Opcode ID: 7182b7c45d167a18cef05bb77d7eccec8dac79b5c0ab45858282c60ef152e7dd
                                  • Instruction ID: cdd3f180f5bc32b5b3401f8efae8f6cb940c064b292e6a3caf66a3f25e6e8e88
                                  • Opcode Fuzzy Hash: 7182b7c45d167a18cef05bb77d7eccec8dac79b5c0ab45858282c60ef152e7dd
                                  • Instruction Fuzzy Hash: C3617B71D00248AFCF09EFE4D885AEDBBB5FF48340F20555AE50ABB291EB359915CB50
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __aulldiv
                                  • String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
                                  • API String ID: 3732870572-1956417402
                                  • Opcode ID: 087b702ad431eef1ee8e61e07410808b9120d01865ddbb8e9bd0b5d91d1976f0
                                  • Instruction ID: 03e684acfdc417760ec64c5695cee5e0c2b91699715c822b11103fcfdefe2e1d
                                  • Opcode Fuzzy Hash: 087b702ad431eef1ee8e61e07410808b9120d01865ddbb8e9bd0b5d91d1976f0
                                  • Instruction Fuzzy Hash: C151F670B082885FEF25AE6D88517BEBBF79F46314F24605AE59DF7381C37089428B61
                                  APIs
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00E935AF
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00E93663
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CurrentImageNonwritable___except_validate_context_record
                                  • String ID: csm
                                  • API String ID: 3480331319-1018135373
                                  • Opcode ID: 3d6de56def97fbe08c7d6d7e7a443f7818ad9043175ba355058cc8af599e611d
                                  • Instruction ID: 06839159e2b673ea37ae0558a08216928a6cd48544124ca0565a43ce2c19cd5a
                                  • Opcode Fuzzy Hash: 3d6de56def97fbe08c7d6d7e7a443f7818ad9043175ba355058cc8af599e611d
                                  • Instruction Fuzzy Hash: 4B41B174A00218EFCF10DF6AC885AAEBBF4AF45318F149155E814BB393D731AA15CF90
                                  APIs
                                  • EncodePointer.KERNEL32(00000000,?), ref: 00E9411C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: EncodePointer
                                  • String ID: MOC$RCC
                                  • API String ID: 2118026453-2084237596
                                  • Opcode ID: a417fb10cc7301bf69121d2eaa2f3390b398dd0486948fd373551e296728c59d
                                  • Instruction ID: d48562221dff832f6234b6540ac1cd578ad47246fd8cc0157ad41f9500507324
                                  • Opcode Fuzzy Hash: a417fb10cc7301bf69121d2eaa2f3390b398dd0486948fd373551e296728c59d
                                  • Instruction Fuzzy Hash: 4C414AB1900209AFCF16DF94DC81EAEBBB5FF48308F149059F91477265D3359951DB50
                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 00E8618A
                                    • Part of subcall function 00E7ACFD: __EH_prolog3.LIBCMT ref: 00E7AD04
                                    • Part of subcall function 00E7ACFD: std::_Lockit::_Lockit.LIBCPMT ref: 00E7AD0E
                                    • Part of subcall function 00E7ACFD: int.LIBCPMT ref: 00E7AD25
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: H_prolog3H_prolog3_LockitLockit::_std::_
                                  • String ID: 0123456789-$0123456789-
                                  • API String ID: 79917597-2494171821
                                  • Opcode ID: b66e68dda8bf21db09c895b78ea7056da573d023951f1171a54d360f7b53b9fd
                                  • Instruction ID: 078335364522503c25c1f7888a3b03f18de94ccb2781e712fb7770e06df29eff
                                  • Opcode Fuzzy Hash: b66e68dda8bf21db09c895b78ea7056da573d023951f1171a54d360f7b53b9fd
                                  • Instruction Fuzzy Hash: A0415831900118DFCF15EFE4D9819EEBBB5BF08314F1010AAE919BB261DB30AD56CB51
                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 00E8C45D
                                    • Part of subcall function 00E65030: std::_Lockit::_Lockit.LIBCPMT ref: 00E6503C
                                    • Part of subcall function 00E65030: int.LIBCPMT ref: 00E6504F
                                    • Part of subcall function 00E65030: std::_Lockit::~_Lockit.LIBCPMT ref: 00E65098
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Lockitstd::_$H_prolog3_Lockit::_Lockit::~_
                                  • String ID: 0123456789-$0123456789-
                                  • API String ID: 1106374426-2494171821
                                  • Opcode ID: cb68f2e8f3e3e779b34ae9d8f9e11f89d7dbb788fc5e63383e0461d02580f6a1
                                  • Instruction ID: 85c3bc28b271859af4d4596a3a29a19e77324209396b729715e39730faae0f10
                                  • Opcode Fuzzy Hash: cb68f2e8f3e3e779b34ae9d8f9e11f89d7dbb788fc5e63383e0461d02580f6a1
                                  • Instruction Fuzzy Hash: 92418D71D00109AFCF19EFA4E8919EEBBB5AF09314F20506AF429BB251DB309E45CB60
                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 00E85E5D
                                    • Part of subcall function 00E7AC68: __EH_prolog3.LIBCMT ref: 00E7AC6F
                                    • Part of subcall function 00E7AC68: std::_Lockit::_Lockit.LIBCPMT ref: 00E7AC79
                                    • Part of subcall function 00E7AC68: int.LIBCPMT ref: 00E7AC90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: H_prolog3H_prolog3_LockitLockit::_std::_
                                  • String ID: %.0Lf$0123456789-
                                  • API String ID: 79917597-3094241602
                                  • Opcode ID: ff74456bbf2cb18a9c37cf7e037be879bf6abf871f8d597282d3bbab46098d5b
                                  • Instruction ID: 0f1720ca067f6ddaefec969ba3ccd7a62acdd1a2460bcee948600b08c3c77499
                                  • Opcode Fuzzy Hash: ff74456bbf2cb18a9c37cf7e037be879bf6abf871f8d597282d3bbab46098d5b
                                  • Instruction Fuzzy Hash: D1416732A00659DFCF16EFA8D8809EEBBB5BF08314F14105AE919BB251DB309A55CB90
                                  APIs
                                  • __alloca_probe_16.LIBCMT ref: 00E68F0B
                                  • RaiseException.KERNEL32(?,?,?,?,?), ref: 00E68F30
                                    • Part of subcall function 00E90044: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,,;,00E69E83,?,00EF6D8C,?), ref: 00E900A4
                                    • Part of subcall function 00E9C3A4: IsProcessorFeaturePresent.KERNEL32(00000017,00EA86AB,?,?,?,?,?,?,00000000,?,?,,;,00E69B03,00E69E75,?,?), ref: 00E9C3C0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
                                  • String ID: csm
                                  • API String ID: 1924019822-1018135373
                                  • Opcode ID: 9a500ea24bbc044f9c66df3495eaf6b80353322b6b880f6a5dae04e5b07b266f
                                  • Instruction ID: eb38f7b1c1fe5a6e7c392817642926309ea96fc49a8260ef140430986b244cfd
                                  • Opcode Fuzzy Hash: 9a500ea24bbc044f9c66df3495eaf6b80353322b6b880f6a5dae04e5b07b266f
                                  • Instruction Fuzzy Hash: E531AD31A0021C9FCF24DF98EA44AAEB7F9FF08758F14551AE959BB201CB30AD40CB80
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: NameName::
                                  • String ID: A
                                  • API String ID: 1333004437-3554254475
                                  • Opcode ID: 4e0688cf0980e86d7bbade9c682488cd76f2794513665b9d9cde9416e7b631b1
                                  • Instruction ID: cac0665a844c7fe4b520cc96d232d54e85d47c8571cfa429befb8f72e54c0684
                                  • Opcode Fuzzy Hash: 4e0688cf0980e86d7bbade9c682488cd76f2794513665b9d9cde9416e7b631b1
                                  • Instruction Fuzzy Hash: 5A21CD75900208AFCF01DFE4D942AED7BB1FB56344F20A45AE815FB261CBB09A41DB81
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: h@n$hPm
                                  • API String ID: 0-800802255
                                  • Opcode ID: 231d540d5d175973f5c229f8d280f5d7cd5e90752bd32de325be91ffc0224efd
                                  • Instruction ID: 0b950b993257bcdbc6c13ff284307b8445fc53f86dc389267195ac0909df21f7
                                  • Opcode Fuzzy Hash: 231d540d5d175973f5c229f8d280f5d7cd5e90752bd32de325be91ffc0224efd
                                  • Instruction Fuzzy Hash: E101D434A41208AFCB04FBB4E856DED73FCAF04304F50A558B52967592EB32A909CB90
                                  APIs
                                  • EncodePointer.KERNEL32(?,?,00E6BABE,00E6BB39,?,00E6B91D,00000000,00000000,00000000,00000004,00E6A1D3,00000001,00000000,00E6A0DB), ref: 00E6C95A
                                  • IsProcessorFeaturePresent.KERNEL32(00000017,00EA86AB,?,?,?,?,?,?,00000000,?,?,,;,00E69B03,00E69E75,?,?), ref: 00E9C3C0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: EncodeFeaturePointerPresentProcessor
                                  • String ID: ,;
                                  • API String ID: 4030241255-2433392739
                                  • Opcode ID: 5497db0698b7d66b21f464744a03a79e6a9ac7154cfa785ee8129d914930611f
                                  • Instruction ID: c6e9ebec25883960810f6a201807a3e187374b6dacd6479458fbbf103724c7b1
                                  • Opcode Fuzzy Hash: 5497db0698b7d66b21f464744a03a79e6a9ac7154cfa785ee8129d914930611f
                                  • Instruction Fuzzy Hash: 60F0F97114430CAFEF047B25FD0AF263AD49B80718F346079BA0D751E2DFB1445AD111
                                  APIs
                                  • ___swprintf_l.LIBCMT ref: 00E950F0
                                    • Part of subcall function 00E9BC97: _vsnprintf.LEGACY_STDIO_DEFINITIONS ref: 00E9BCA7
                                  • swprintf.LIBCMT ref: 00E95113
                                    • Part of subcall function 00E70959: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E7096B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___swprintf_l__vswprintf_c_l_vsnprintfswprintf
                                  • String ID: %lf
                                  • API String ID: 3672277462-2891890143
                                  • Opcode ID: bb71c48c16b62232d7b5a86bd0a30082a7871c89ff37d7d7ca97428689cc6e6b
                                  • Instruction ID: 3a59b7e7ad45dbfa3c1ded45ea8babee78aeaa119b6bd0aac61e9423bbe5be57
                                  • Opcode Fuzzy Hash: bb71c48c16b62232d7b5a86bd0a30082a7871c89ff37d7d7ca97428689cc6e6b
                                  • Instruction Fuzzy Hash: 38F0F6A5100008BAEB05AB95DC46FBF7FACDF85350F114098F64427142DB755E0193B2
                                  APIs
                                  • ___swprintf_l.LIBCMT ref: 00E9514C
                                    • Part of subcall function 00E9BC97: _vsnprintf.LEGACY_STDIO_DEFINITIONS ref: 00E9BCA7
                                  • swprintf.LIBCMT ref: 00E9516F
                                    • Part of subcall function 00E70959: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E7096B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___swprintf_l__vswprintf_c_l_vsnprintfswprintf
                                  • String ID: %lf
                                  • API String ID: 3672277462-2891890143
                                  • Opcode ID: 6b300374b18e9ecdc4ff931424561a59a08fce0c267d863281cac8dc66416593
                                  • Instruction ID: f46c3320807ef5c4cee91c9b7c8418da3139e56a2b085c86e4e530f2f6cd47d5
                                  • Opcode Fuzzy Hash: 6b300374b18e9ecdc4ff931424561a59a08fce0c267d863281cac8dc66416593
                                  • Instruction Fuzzy Hash: C0F024A5100008BAEB04AB59DC46FBF7FACCF85390F018099FA482B182DB759E0193B2
                                  APIs
                                  • IsProcessorFeaturePresent.KERNEL32(00000017,00E62B26), ref: 00E69023
                                  • IsProcessorFeaturePresent.KERNEL32(00000017,00EA86AB,?,?,?,?,?,?,00000000,?,?,,;,00E69B03,00E69E75,?,?), ref: 00E9C3C0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FeaturePresentProcessor
                                  • String ID: ,;
                                  • API String ID: 2325560087-2433392739
                                  • Opcode ID: a5da73baebb8306ba419904e4578018bf554c3267fd0ef1562c02cd96c36f1bf
                                  • Instruction ID: 43d087bc506e9b446ac46cb610eaa04a2d3775c8b45e8e96f7a04aae9f7fda14
                                  • Opcode Fuzzy Hash: a5da73baebb8306ba419904e4578018bf554c3267fd0ef1562c02cd96c36f1bf
                                  • Instruction Fuzzy Hash: 88F0897128434D6AFE143671AD0FF6625D85F84B19F687079BB057C1D3EE9188529121
                                  APIs
                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00E69E50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::invalid_argument::invalid_argument
                                  • String ID: h@n$hPm
                                  • API String ID: 2141394445-800802255
                                  • Opcode ID: c06269ce712e4648eaa2cabad0239e59aab7bd19cb46203293b4a617cfafaf21
                                  • Instruction ID: 8b6b6f2b4272b09c20f121c184f83be725bf7aa741b0122d7783ba844d820b7a
                                  • Opcode Fuzzy Hash: c06269ce712e4648eaa2cabad0239e59aab7bd19cb46203293b4a617cfafaf21
                                  • Instruction Fuzzy Hash: 45E0657490020C7BCF04FBB4E446D9D77FD9E04340F805464BA15A6452EB71AA09C691
                                  APIs
                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00E69E50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::invalid_argument::invalid_argument
                                  • String ID: h@n$hPm
                                  • API String ID: 2141394445-800802255
                                  • Opcode ID: 0b4230697551685edb2ee3e667edf5c8d9bebf48b683a447080ad5d0a7be803c
                                  • Instruction ID: e7b8a3c88d7dffbae1a1a66bd6f83d2d874fbf82de49c694f332088b137f6438
                                  • Opcode Fuzzy Hash: 0b4230697551685edb2ee3e667edf5c8d9bebf48b683a447080ad5d0a7be803c
                                  • Instruction Fuzzy Hash: 70E09238A0020CBBCF04FBF4E846EAC77FCAE04300F806464BA15B6492EB71EA05C790
                                  APIs
                                    • Part of subcall function 00E90044: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,,;,00E69E83,?,00EF6D8C,?), ref: 00E900A4
                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00E69E50
                                    • Part of subcall function 00E69AB7: std::exception::exception.LIBCONCRT ref: 00E69AC4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1289160403.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000002.00000002.1289143437.0000000000E60000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289219622.0000000000EE9000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000EFC000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F2F000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289343167.0000000000F3E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.1289632701.0000000000F4B000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExceptionRaisestd::exception::exceptionstd::invalid_argument::invalid_argument
                                  • String ID: h@n$hPm
                                  • API String ID: 2656338737-800802255
                                  • Opcode ID: ace0a68b9197b48e50d5fbc3f5cd033924776ea097fcff7a44bff42180592c5e
                                  • Instruction ID: b092070de6966cf186b1eb5c3e476122f538fbad57fffbbe4fd7fef4dfc40a23
                                  • Opcode Fuzzy Hash: ace0a68b9197b48e50d5fbc3f5cd033924776ea097fcff7a44bff42180592c5e
                                  • Instruction Fuzzy Hash: 3FE0B669C4020C7B8A04F6F4E846A9D77AD5914640F805460AA25B2592EBB5AA088695

                                  Execution Graph

                                  Execution Coverage:16.2%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:114
                                  Total number of Limit Nodes:6

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (q$(q$(q$0oEp$DqEp$LjEp
                                  • API String ID: 0-2627632715
                                  • Opcode ID: e530dd5586dbfa594c3dc3402e6750420540186de386f910b7a5f8587803235b
                                  • Instruction ID: 95f485c73664adc3acf2091c9d89cf5cb9140ebacbc6d618c4eac9df711f848d
                                  • Opcode Fuzzy Hash: e530dd5586dbfa594c3dc3402e6750420540186de386f910b7a5f8587803235b
                                  • Instruction Fuzzy Hash: 64622935A002149FDB54DF68D894A9EBBF6FF88310B148469E906DB361DB35EC46CFA0

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445881867.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6380000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $q$$q
                                  • API String ID: 0-3126353813
                                  • Opcode ID: 98443e9ff16826eb425d95da7fbb2c4acad4d4cd9ff494fc124799c668fe7100
                                  • Instruction ID: 880b53d174280950d7b0b0297d5c6e0f37a9e6c3b7deb3c4fbdbbecad4817b2c
                                  • Opcode Fuzzy Hash: 98443e9ff16826eb425d95da7fbb2c4acad4d4cd9ff494fc124799c668fe7100
                                  • Instruction Fuzzy Hash: 4961C375D002189FDB54DFA9C880ADDBBB2FF49300F649069E515BB360DB34A946CF94
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445881867.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6380000_RegAsm.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 742808321c414876ad812c1fc14dd78a880f0a15a5dea9f7dbc4ac0e2ac822e6
                                  • Instruction ID: 132dedde5c501b73997be16c5a5c502980992b0cdf88b3ad8a53887011163e0b
                                  • Opcode Fuzzy Hash: 742808321c414876ad812c1fc14dd78a880f0a15a5dea9f7dbc4ac0e2ac822e6
                                  • Instruction Fuzzy Hash: 6B21C075E012189FDB08EFA9E484AEDBBB6FB89310F20906AE515B7360DB345845CF94
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445881867.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6380000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9af73fbd6dfca4c3f41aa6a8d4e96abeecfa976ae1f77420ee47f1bf13bc445b
                                  • Instruction ID: f59bd8b5e6ea907880475aae95573ac665f75dc927de6adc816a7a74004194b1
                                  • Opcode Fuzzy Hash: 9af73fbd6dfca4c3f41aa6a8d4e96abeecfa976ae1f77420ee47f1bf13bc445b
                                  • Instruction Fuzzy Hash: 4D227D74D00229CFDBA5DF69C850BDDB7B2AF49300F1091EAD54AA7250EB74AE85CF90
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2d9b700437ef220676a822d301eb5b3f4eafe49ff94aba4a2b2b49c1037beb5d
                                  • Instruction ID: 500dbe0002158819175877150f9f7fa28f31e108af0b9fcc4ca620a351b68ddd
                                  • Opcode Fuzzy Hash: 2d9b700437ef220676a822d301eb5b3f4eafe49ff94aba4a2b2b49c1037beb5d
                                  • Instruction Fuzzy Hash: 7BD18E35A006059FCB45CF79D884AAEBBF6FF89300B158569E805A7361DB30EC56CFA1

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 02F6D136
                                  • GetCurrentThread.KERNEL32 ref: 02F6D173
                                  • GetCurrentProcess.KERNEL32 ref: 02F6D1B0
                                  • GetCurrentThreadId.KERNEL32 ref: 02F6D209
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1439361876.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_2f60000_RegAsm.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: 8a43e7fb40d0a61eb95c36e147b60ea81bd76056a99b42ad161efd45bf517a0a
                                  • Instruction ID: 3cabb6434ad5a66f44da8be1c04b712460f02695d1e7bb491b8d4ad032f1d742
                                  • Opcode Fuzzy Hash: 8a43e7fb40d0a61eb95c36e147b60ea81bd76056a99b42ad161efd45bf517a0a
                                  • Instruction Fuzzy Hash: DE5156B0E003498FEB14DFA9D948BAEBBF1FB48314F20845AE119A72A0DB745945CF65

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 02F6D136
                                  • GetCurrentThread.KERNEL32 ref: 02F6D173
                                  • GetCurrentProcess.KERNEL32 ref: 02F6D1B0
                                  • GetCurrentThreadId.KERNEL32 ref: 02F6D209
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1439361876.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_2f60000_RegAsm.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: a1d210c3269c8ad2488aea1efbde791aadc31b9ae236ad987edfc766396966e1
                                  • Instruction ID: 47bb3a904a1e76644c383dc5cfa3b6de4ba512ad3491f9ca24746cf6415fddab
                                  • Opcode Fuzzy Hash: a1d210c3269c8ad2488aea1efbde791aadc31b9ae236ad987edfc766396966e1
                                  • Instruction Fuzzy Hash: 1F5157B0E003498FEB14DFAAD548BAEBBF1FB48314F208459E119A73A0DB746945CF65

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: tSAq$tSAq
                                  • API String ID: 0-3261842419
                                  • Opcode ID: a8bf26491a54873ea5de6045971327d32c2bc376744b306698747aef008a4cf1
                                  • Instruction ID: d5a2eb631937cf5047f50cbd48b38a476ef12635906144bcbb22edad3d477e64
                                  • Opcode Fuzzy Hash: a8bf26491a54873ea5de6045971327d32c2bc376744b306698747aef008a4cf1
                                  • Instruction Fuzzy Hash: A102BB30A007058FDB65DF68C844B9ABBF2BF89300F159599D549AB352DB31ED89CFA0

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: tSAq$tSAq
                                  • API String ID: 0-3261842419
                                  • Opcode ID: bb660b6d14b024f1dc6275e3ec5d8a4c20ca1217b30b1491fabc7070af3fb383
                                  • Instruction ID: f0ecdddf4056608031a9ec6914db8c2a919e43ff96c1932671fdd71f781d9a2f
                                  • Opcode Fuzzy Hash: bb660b6d14b024f1dc6275e3ec5d8a4c20ca1217b30b1491fabc7070af3fb383
                                  • Instruction Fuzzy Hash: A9E17770A007198FDB65DF68C444B99BBF2FF49300F159699D849AB352DB30E989CFA0

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (q$(q
                                  • API String ID: 0-2485164810
                                  • Opcode ID: 8ea70cf9e7c29723a817cfc4dcc0513ac90f235b1044e6ace477d891b25170c1
                                  • Instruction ID: 307a4876a6922a623c6c8a0dabe8bc0a57553f0250fdbb69d275f0f8e70c5a76
                                  • Opcode Fuzzy Hash: 8ea70cf9e7c29723a817cfc4dcc0513ac90f235b1044e6ace477d891b25170c1
                                  • Instruction Fuzzy Hash: C2818F34B002159FDB549F38D854A6E7BF6AFC9640B188069E906DB3A1DF35DC05CBA1

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (q$(q
                                  • API String ID: 0-2485164810
                                  • Opcode ID: 2c8f2f52f53f4ac04363f4a022ba56004f82b7f347f84c5d336e3c74943b9bc3
                                  • Instruction ID: 5c76e1a785161442d590209d51712149eb8d98563c6fcfecd99d0e52fcfdb389
                                  • Opcode Fuzzy Hash: 2c8f2f52f53f4ac04363f4a022ba56004f82b7f347f84c5d336e3c74943b9bc3
                                  • Instruction Fuzzy Hash: 1151F370B002159FEB549B79985062EBBE7FFC8300B14C469D906DB381DE35EC4A8BE5

                                  Control-flow Graph

                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000), ref: 02F6B086
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1439361876.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_2f60000_RegAsm.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: ad6334079e093b36e62ba6149ea1c22f969eced70360f6cc3c396c2c171d0c32
                                  • Instruction ID: a0bd9b205bd91dd06c63f4abd0755e7d13a645f06e6fd606b88f852e8f8a8abb
                                  • Opcode Fuzzy Hash: ad6334079e093b36e62ba6149ea1c22f969eced70360f6cc3c396c2c171d0c32
                                  • Instruction Fuzzy Hash: 137147B1A00B058FD724DF6AD44576ABBF2FF88244F00892DD186E7A50DB75E849CB91

                                  Control-flow Graph

                                  APIs
                                  • KiUserExceptionDispatcher.NTDLL ref: 06387880
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445881867.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6380000_RegAsm.jbxd
                                  Similarity
                                  • API ID: DispatcherExceptionUser
                                  • String ID:
                                  • API String ID: 6842923-0
                                  • Opcode ID: 4ea51c2b8f30533e847adf53e113c3e90c5a50181c6b5065575aa658f663ebeb
                                  • Instruction ID: 44dad398ad81efa39d34511585e4f19b76a480e96ab6a4de58c7971b6d5fc8b8
                                  • Opcode Fuzzy Hash: 4ea51c2b8f30533e847adf53e113c3e90c5a50181c6b5065575aa658f663ebeb
                                  • Instruction Fuzzy Hash: BA51B574E00208DFDB48EFA9D4546EDBBB6FB88300F20912AE416AB354DB785D46CF80

                                  Control-flow Graph

                                  APIs
                                  • KiUserExceptionDispatcher.NTDLL ref: 06387880
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445881867.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6380000_RegAsm.jbxd
                                  Similarity
                                  • API ID: DispatcherExceptionUser
                                  • String ID:
                                  • API String ID: 6842923-0
                                  • Opcode ID: 4680290c3b9912f05e80a4287a674e883943078658b55ab1b4f6f1c639d758cc
                                  • Instruction ID: 38099e29911eebd691bb48ff9ec214e168fff6d40010bc56b7450e92601093af
                                  • Opcode Fuzzy Hash: 4680290c3b9912f05e80a4287a674e883943078658b55ab1b4f6f1c639d758cc
                                  • Instruction Fuzzy Hash: D6418074E002089FDB58EFA5D554AEDBBB2FB88300F20916AE416AB354DB785D46CF80
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 02F659F1
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1439361876.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_2f60000_RegAsm.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: d501053fd6f470aed404ed844e61cb2f504668c993e24b25b9f35b555167c4d5
                                  • Instruction ID: 6259201ae2ee487dc73da8141e59467ebe6409e913f853e390383c4e397425e8
                                  • Opcode Fuzzy Hash: d501053fd6f470aed404ed844e61cb2f504668c993e24b25b9f35b555167c4d5
                                  • Instruction Fuzzy Hash: 0B41E071D00719CBEB24CFA9C888B9DBBB5FF48314F60806AD508BB250DB75694ACF90
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 02F659F1
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1439361876.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_2f60000_RegAsm.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: 0551e3578fb84bace08d4afbdd6e6d618b6621a26419851ca30dd37803f4a379
                                  • Instruction ID: 833fed212d73b716739cc8fd56e2f8751f847209adba7f1c60d82225cf75e4c8
                                  • Opcode Fuzzy Hash: 0551e3578fb84bace08d4afbdd6e6d618b6621a26419851ca30dd37803f4a379
                                  • Instruction Fuzzy Hash: 60410071D00719CBEB24CFA9C884B9DBBB5FF48304F24806AD118BB250DB75694ACF90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (_q
                                  • API String ID: 0-3590916094
                                  • Opcode ID: 90cc2677f56968651c90ff6fbb9950121daf5d0b9b38f3a85f052cb4272a4fc1
                                  • Instruction ID: 2f215ec668980f834ba246a378f8d885363e7b3bac5b206affd87debe631fe26
                                  • Opcode Fuzzy Hash: 90cc2677f56968651c90ff6fbb9950121daf5d0b9b38f3a85f052cb4272a4fc1
                                  • Instruction Fuzzy Hash: 9AD1B231E006048FCB55DF78D844A9EBBF6FF85310F14856ED846AB251EB30A94ACF91
                                  APIs
                                  • KiUserExceptionDispatcher.NTDLL ref: 06387880
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445881867.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6380000_RegAsm.jbxd
                                  Similarity
                                  • API ID: DispatcherExceptionUser
                                  • String ID:
                                  • API String ID: 6842923-0
                                  • Opcode ID: 7fb4a553966d21f70de194d83aa426266b6747f6f56db0e206535913e8d83264
                                  • Instruction ID: 80ae9697a6278f5ade2204db3aa01669d82dbb3c58b14c8a0c81da824f34a134
                                  • Opcode Fuzzy Hash: 7fb4a553966d21f70de194d83aa426266b6747f6f56db0e206535913e8d83264
                                  • Instruction Fuzzy Hash: BA319174E00208DFDB44EFA5D494AEDBBB2FB48300F20916AE516AB354DB799D46CF81
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: PHq
                                  • API String ID: 0-3820536768
                                  • Opcode ID: 19402e01b3ac08333fe20f0042558aeae74b9b5b8debd91c52b6b504c30a2ecd
                                  • Instruction ID: 2a31070e05f6ed075d4c0fc9fa28a6556fe0aeab5f8c59439846216962b1859b
                                  • Opcode Fuzzy Hash: 19402e01b3ac08333fe20f0042558aeae74b9b5b8debd91c52b6b504c30a2ecd
                                  • Instruction Fuzzy Hash: ABB10035A047059FCB54DF68D845AAABBB6FF85310F04816AE909CB251DB30EC4ACFE0
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02F6D387
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1439361876.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_2f60000_RegAsm.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: c80dc2d59da40a99b2a42804009a1397807c17b61d001146271a9e7c9cc1ee2f
                                  • Instruction ID: 5966e49b5c4fc7acaaa6e20e3fa361100755caa6694e12074a3bce76dadd6542
                                  • Opcode Fuzzy Hash: c80dc2d59da40a99b2a42804009a1397807c17b61d001146271a9e7c9cc1ee2f
                                  • Instruction Fuzzy Hash: 8921E3B5D002499FDB10CF99D985AEEBBF4EB48324F14841AE918A7250D378A944CF60
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02F6D387
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1439361876.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_2f60000_RegAsm.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: a5b496b84cabfdf3dab15fe3362c068cf07db613c0e5a8c4f9d3684dcf6520bb
                                  • Instruction ID: ef018d9296ed5e17984518327c08d10988ad61d161fffe69a1b35fa8d37d5d37
                                  • Opcode Fuzzy Hash: a5b496b84cabfdf3dab15fe3362c068cf07db613c0e5a8c4f9d3684dcf6520bb
                                  • Instruction Fuzzy Hash: 4321F5B5D003489FDB10CF9AD985ADEFBF4EB48324F14841AE918A3350D774A944CFA1
                                  APIs
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02F6B101,00000800,00000000,00000000), ref: 02F6B312
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1439361876.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_2f60000_RegAsm.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 226cfb77b69f5d6c96d4dd550276152660937d5c8bd34550ac1c717871d7d235
                                  • Instruction ID: d9e74df48ead1ddd796c8c3d0af28cef80906a8ee69de8ae191ceb9942e87385
                                  • Opcode Fuzzy Hash: 226cfb77b69f5d6c96d4dd550276152660937d5c8bd34550ac1c717871d7d235
                                  • Instruction Fuzzy Hash: 311103B6D003498FDB24CF9AC845BDEFBF4EB48324F14842AD529A7200C779A545CFA5
                                  APIs
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02F6B101,00000800,00000000,00000000), ref: 02F6B312
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1439361876.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_2f60000_RegAsm.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: cb13b3db773fe9d07cdda756c023c2018eeaf60bb9eeeb69c1659d13c750b635
                                  • Instruction ID: 1415125c771ae0bf190dc9c08dcf891f461fcdd0ad2f02275aedb7389379c10b
                                  • Opcode Fuzzy Hash: cb13b3db773fe9d07cdda756c023c2018eeaf60bb9eeeb69c1659d13c750b635
                                  • Instruction Fuzzy Hash: 091103B6D003498FDB20CF9AC448AAEFBF4EB48315F14842AD919A7200C775A545CFA5
                                  APIs
                                  • GetKeyboardLayout.USER32(00000000), ref: 063875C6
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445881867.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6380000_RegAsm.jbxd
                                  Similarity
                                  • API ID: KeyboardLayout
                                  • String ID:
                                  • API String ID: 194098044-0
                                  • Opcode ID: 394b49567dd3a404cb78da0381a6e61521cbfeeb021656330d02f16697d63520
                                  • Instruction ID: 6d6438ac073211f84375b07d0403610d52d29f1e5f6530c7c90187db026e4023
                                  • Opcode Fuzzy Hash: 394b49567dd3a404cb78da0381a6e61521cbfeeb021656330d02f16697d63520
                                  • Instruction Fuzzy Hash: 2F116A75D003499FCB20EFA9C809BDEBFF4EB49324F208819D419A7240C735AA48CFA5
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000), ref: 02F6B086
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1439361876.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_2f60000_RegAsm.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 8ae0abf69a9d98d0f2633acf920dba1a0bec8aebbbb57a452b408a7809552a7c
                                  • Instruction ID: f21f4bf718fbef7b64244d8b62d3d4de88f77d8e29eb95977a7f316e1e82393d
                                  • Opcode Fuzzy Hash: 8ae0abf69a9d98d0f2633acf920dba1a0bec8aebbbb57a452b408a7809552a7c
                                  • Instruction Fuzzy Hash: 2D1102B5C003498FCB20DF9AC444B9EFBF4EB48624F10841AD528B7210C375A545CFA1
                                  APIs
                                  • GetKeyboardLayout.USER32(00000000), ref: 063875C6
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445881867.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6380000_RegAsm.jbxd
                                  Similarity
                                  • API ID: KeyboardLayout
                                  • String ID:
                                  • API String ID: 194098044-0
                                  • Opcode ID: 1a963ab420c564095062752e4c2606066ed65f2c6bee48e70c9914e57937f446
                                  • Instruction ID: 8727b65ef1b2dbafb874720fe90a5b52f72c7e280bce5442086faa61c90dc60a
                                  • Opcode Fuzzy Hash: 1a963ab420c564095062752e4c2606066ed65f2c6bee48e70c9914e57937f446
                                  • Instruction Fuzzy Hash: 98114875D003498FCB20EFA9C8497DEBFF4EB49324F208819D519A7240C735A948CFA5
                                  APIs
                                  • OleInitialize.OLE32(00000000), ref: 063876B5
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445881867.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6380000_RegAsm.jbxd
                                  Similarity
                                  • API ID: Initialize
                                  • String ID:
                                  • API String ID: 2538663250-0
                                  • Opcode ID: 8dfd83d498b13cc8295dfb2ded10e490b031ee9db5e5ab2707fb997b6e219da6
                                  • Instruction ID: 9956450ef866fd22744beccabf8f006684c295b09e9ae30a636e97d4b88e8e99
                                  • Opcode Fuzzy Hash: 8dfd83d498b13cc8295dfb2ded10e490b031ee9db5e5ab2707fb997b6e219da6
                                  • Instruction Fuzzy Hash: A71145B5D003488FCB20DF9AC548BDEBBF4EB48324F248419D518A3300C774A944CFA5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (q
                                  • API String ID: 0-2414175341
                                  • Opcode ID: d8b8c48fcea5f4b22b7b790aac2fda1e3dcc6abdecc568755b310e534473c3d6
                                  • Instruction ID: 40075ba4605ed57ba4dc7a496c4e28b01094ff76b20e677229d1f070b60514da
                                  • Opcode Fuzzy Hash: d8b8c48fcea5f4b22b7b790aac2fda1e3dcc6abdecc568755b310e534473c3d6
                                  • Instruction Fuzzy Hash: AC517474F002058FEB586B78941866EBBF7FFC5200B148529D507D7390EE389C4ACBA5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (_q
                                  • API String ID: 0-3590916094
                                  • Opcode ID: b1d60fd77546f84c18cafac5ed44fec1168745eeca15736de4b971a5aec93a15
                                  • Instruction ID: b97c8dc189876d918934add28855147bbf1334ff6f04bb2c1be7fcd61ed5e153
                                  • Opcode Fuzzy Hash: b1d60fd77546f84c18cafac5ed44fec1168745eeca15736de4b971a5aec93a15
                                  • Instruction Fuzzy Hash: 17517234A002199FDB48EFA4D854A9DBBB6FF89300F158469E506EB360DF359C46CF91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (q
                                  • API String ID: 0-2414175341
                                  • Opcode ID: 2c9a7155988816a9d7e48b3ef9b788a6497e70e75ecc40373215fa2ea43d0cd8
                                  • Instruction ID: e8913543ae4a883f898214afc6d9ddf3ef43aa9e4f1239bcde5db506b86c41e4
                                  • Opcode Fuzzy Hash: 2c9a7155988816a9d7e48b3ef9b788a6497e70e75ecc40373215fa2ea43d0cd8
                                  • Instruction Fuzzy Hash: 2651B435A007108FD765DF25D844A6DBBE2EFC5211B148A6AD5468F351CB34AC4E8FE1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (q
                                  • API String ID: 0-2414175341
                                  • Opcode ID: 4b980103ecfe1c317b56a5d050b0da81d6cc2b4922e68a9c669a00e97517f0a8
                                  • Instruction ID: 6c09fe7536345bf000ac06b482e5ccef77487e4163ec8c49c60e36c16b58930a
                                  • Opcode Fuzzy Hash: 4b980103ecfe1c317b56a5d050b0da81d6cc2b4922e68a9c669a00e97517f0a8
                                  • Instruction Fuzzy Hash: 90114E31F043551FE7559B3D581076E7BFB9BC520070980ABD505D7381DD38CC0A8761
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6ebeb95fc8d9c5356e92d9d8b069990e836f237fe409873d5fbb439e0ff12daa
                                  • Instruction ID: b547d93dddb6b7e14e7e8b0a8b36d9c8b9ea90f2ecfeb5127054d1a3a51574e7
                                  • Opcode Fuzzy Hash: 6ebeb95fc8d9c5356e92d9d8b069990e836f237fe409873d5fbb439e0ff12daa
                                  • Instruction Fuzzy Hash: 87128C34A01208CFCB6ADFB0D19899DBBB2FF49305B61856DD505AB351CB3AAD82CF51
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6494096437484461db0ec0859f5ebdbe18c8a75f193990b5e6452a251406a042
                                  • Instruction ID: 4625ce92f18638574b8cdd0541a6629046ac43c3fedb52b18883564aadda2f71
                                  • Opcode Fuzzy Hash: 6494096437484461db0ec0859f5ebdbe18c8a75f193990b5e6452a251406a042
                                  • Instruction Fuzzy Hash: BEF12934B002499FDB58DFA8D454A9D7BF2FF88300F158468E906AB391DB35AC46CFA1
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 710a2ef0c928b0ed7e1364ab247b6e823fcf5c99890768d2856ed09c3892645d
                                  • Instruction ID: cb4d93d9ce93b6cfc95a3823c19bf3f958f4ffd15e4a768917c23107c1005a98
                                  • Opcode Fuzzy Hash: 710a2ef0c928b0ed7e1364ab247b6e823fcf5c99890768d2856ed09c3892645d
                                  • Instruction Fuzzy Hash: DA127C34A01208CFCB6ADFB4D19899DBBB2FF49305B61856DD505AB351CB3AAD82CF50
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6d8fe0484ae149b2fce4d3ad0668b1426e684074904c46f3116d8c74d47d713c
                                  • Instruction ID: 3630ae71077619427d1e1cde15f0cdab083cbead4e37cce4c72f3292ac9d34b6
                                  • Opcode Fuzzy Hash: 6d8fe0484ae149b2fce4d3ad0668b1426e684074904c46f3116d8c74d47d713c
                                  • Instruction Fuzzy Hash: AE021B34A00715DFDB14DF78C854A99BBB1FF89300F118699E94AAB361EB31E985CF90
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e307b18eeadf22d3f6e009e5666c7ea7cac3cf81dd64a1a9b09e75eae17ed2a1
                                  • Instruction ID: 5d2689037478ed769d7e2d57be146d93df091dc39bcc43ae8035bfe8c4349e8e
                                  • Opcode Fuzzy Hash: e307b18eeadf22d3f6e009e5666c7ea7cac3cf81dd64a1a9b09e75eae17ed2a1
                                  • Instruction Fuzzy Hash: 26D19E30F002599FDB94DB79D854AAE7BF2AF88300F148469E906EB395DF349C458FA0
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9e34650d03f0f9233a26fba154b330bb0f418c0a4103d5b37412d29a8148b2e6
                                  • Instruction ID: 492d35d3513a1f8d88d9627cf0f4bb36ca807fb6c16086589800d56555914631
                                  • Opcode Fuzzy Hash: 9e34650d03f0f9233a26fba154b330bb0f418c0a4103d5b37412d29a8148b2e6
                                  • Instruction Fuzzy Hash: A2C17B34B012049FDB54DF78D894A6E7BF6AF89200B148469E506DB3A5DB35EC0ACFA1
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 11df31c3a06e794e430073ba654168235509e2b7fc03aae2f29ff2b667bfd71d
                                  • Instruction ID: bf6834875cabf0b5cb3ac38d7d27ac636e4533b41c0dd619049bc145ab59081b
                                  • Opcode Fuzzy Hash: 11df31c3a06e794e430073ba654168235509e2b7fc03aae2f29ff2b667bfd71d
                                  • Instruction Fuzzy Hash: 73C15B35B102059FDB84CF69D8449AEB7F6FF88250B158529E906E7391EB34EC46CFA0
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f0684e39973c70bf468c6e40eebc7b05bb9df44b673e2d2d437ea7afbd6370d3
                                  • Instruction ID: df61a5f4cea45e15d4673d74c97824111e23a168dd3cbf8bd9906936aaa47df6
                                  • Opcode Fuzzy Hash: f0684e39973c70bf468c6e40eebc7b05bb9df44b673e2d2d437ea7afbd6370d3
                                  • Instruction Fuzzy Hash: 4AC185B5B28102DFFB89CE19E480A6977B9F7453007094529E0229FB90C7BDED848FE1
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fd006f8cc9db4660d5c162c8a3039b86d317e899cae19afdfcb21d4d11e954ac
                                  • Instruction ID: 5bbd944fe0f9abf740c417fa93914bd5e7d7f4714d8945cd3b48ec44f5f0f699
                                  • Opcode Fuzzy Hash: fd006f8cc9db4660d5c162c8a3039b86d317e899cae19afdfcb21d4d11e954ac
                                  • Instruction Fuzzy Hash: 4CC1393191071ADFDB15DF78C854A99BBB1FF49300F118699E9896B261EB30EAC4CF90
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fcec4fc054904f35e0308c8290541211bbdbb65fdabf1ef306a01f9388b090c4
                                  • Instruction ID: 1749dced0cab4c2357abb99e165b9553c9f0f3e48e2115e11cdcb6b987ac3145
                                  • Opcode Fuzzy Hash: fcec4fc054904f35e0308c8290541211bbdbb65fdabf1ef306a01f9388b090c4
                                  • Instruction Fuzzy Hash: FE91C030A002059FDB55DF69D884AAEBBF6FF88300F148169E5169B351CB34ED46CBE1
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1438918165.0000000002E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E2D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_2e2d000_RegAsm.jbxd
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1438963903.0000000002E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E3D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_2e3d000_RegAsm.jbxd
                                  • Instruction Fuzzy Hash: A421E374B104159FCB44DF69D99886AFBF6FF8961572140A9E906EB331CB30ED05CBA0
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 318daab0a34b6d95096e31b5b45e90d56f20a34c1df6921a98725e3fecaab28a
                                  • Instruction ID: a99c7208feac1a2bafec791dfda054bc44fa4321f930ca74fb50a97080834b74
                                  • Opcode Fuzzy Hash: 318daab0a34b6d95096e31b5b45e90d56f20a34c1df6921a98725e3fecaab28a
                                  • Instruction Fuzzy Hash: 7E113AB1605116AFEF119A15DC808A6FB39FF81320314C272D91587101C732E569CFF1
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 528cd27c8f7a01d24d844d01f292b9dc2204b5c35bd91c8cadc6b731cf9a83a4
                                  • Instruction ID: a2cb5249f84e7642b5462b7591eddb95a2264b91f71c66529d484fa2916ac522
                                  • Opcode Fuzzy Hash: 528cd27c8f7a01d24d844d01f292b9dc2204b5c35bd91c8cadc6b731cf9a83a4
                                  • Instruction Fuzzy Hash: 2E219372A106089FD755EF64D440D9BBBF9FF45310F10555EE146CB650EA30F988CB90
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1438963903.0000000002E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E3D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_2e3d000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2cccef7ffcd30d04561b169fd30d44a7bb4efdde0fbff1541867d30ef78f7635
                                  • Instruction ID: d0e0aae8decc06f04aa6ccd84af23dee98b59e2f81389f4676776c4439c34ee1
                                  • Opcode Fuzzy Hash: 2cccef7ffcd30d04561b169fd30d44a7bb4efdde0fbff1541867d30ef78f7635
                                  • Instruction Fuzzy Hash: 5C2195755493C08FC703CF24D994715BF71EB46619F28C5DAD8498F657C33A980ACB62
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8c2025e0562e27cd4f877e608d1b938b0931c1ed54e9caa9844a0f6bc9eedf54
                                  • Instruction ID: 5a753f930e3795f968459f51e74372b4655529a481b0b3d7ea584600f3bf2cfd
                                  • Opcode Fuzzy Hash: 8c2025e0562e27cd4f877e608d1b938b0931c1ed54e9caa9844a0f6bc9eedf54
                                  • Instruction Fuzzy Hash: F7210771E002088FDF58DFA9D5586DDBBF6AF8C311F14806AD505B7250DB719988CFA0
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 704f5b7b6f5f6e57ce8145a79468da2940ca531b52772746bfb1c7cc3bb39e90
                                  • Instruction ID: 48f22ffa7a30d658810bf74f0d7de794d2503146136eacba35381873bee893da
                                  • Opcode Fuzzy Hash: 704f5b7b6f5f6e57ce8145a79468da2940ca531b52772746bfb1c7cc3bb39e90
                                  • Instruction Fuzzy Hash: 2E114C756002119FCB15CE19C888E6ABBBAFF88611B088096F908CB265CB30CD54CFF0
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7cfad28b7f707700ad58a8dc1bef062687da60b65bbc42cfd97cce4d51c56c44
                                  • Instruction ID: 506614a40c204abf4d2284d32cb47e5fd40b304207556745881df48ca504bd0c
                                  • Opcode Fuzzy Hash: 7cfad28b7f707700ad58a8dc1bef062687da60b65bbc42cfd97cce4d51c56c44
                                  • Instruction Fuzzy Hash: 1F01D821B0D3942FE7568B795C14A7E7FBA9BC6210B0980ABE545C7293DE248D0A87A1
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2332b8fd694db9cadc51a1c44527dc1aa2bfa6de53779096deb77279879d436a
                                  • Instruction ID: 9d278e54975e89d83398c3058a9d1bc3e326d2c5ebcd1eb15258bfab4b32b47b
                                  • Opcode Fuzzy Hash: 2332b8fd694db9cadc51a1c44527dc1aa2bfa6de53779096deb77279879d436a
                                  • Instruction Fuzzy Hash: A1115C72A083445FD766DF64D404E973FE9EF02210F1445DEE082CB191E620E989CBE1
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1438918165.0000000002E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E2D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_2e2d000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e83108a828416d88d7f272b3f2755be97ddf656ef7a6276a7e4349741c6bac78
                                  • Instruction ID: 9d3415e5e1f1600480b79bea065cf51e02e6fbfb55cb2aedebd9fd624ba43b7c
                                  • Opcode Fuzzy Hash: e83108a828416d88d7f272b3f2755be97ddf656ef7a6276a7e4349741c6bac78
                                  • Instruction Fuzzy Hash: 5C112676544280CFCB15CF00D9C0B16BF71FB84328F24C6A9D90A4B616C33AE45ACBA1
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1438918165.0000000002E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E2D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_2e2d000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e83108a828416d88d7f272b3f2755be97ddf656ef7a6276a7e4349741c6bac78
                                  • Instruction ID: 11916accd775d0d85b78de085299b12ef4198ae26a205fee28acb19949724cf0
                                  • Opcode Fuzzy Hash: e83108a828416d88d7f272b3f2755be97ddf656ef7a6276a7e4349741c6bac78
                                  • Instruction Fuzzy Hash: 7E112676544280CFCB05CF10D9C0B16BF71FB84328F24C6A9D9494B616C336D45ACBA1
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0ad018dcfde123410c67fb2280fc9ab506b044b098cf12d67714270c55b32e72
                                  • Instruction ID: d3f2b39457b36d106864fa068024366916a638196f04405da966dd1fb9fc1899
                                  • Opcode Fuzzy Hash: 0ad018dcfde123410c67fb2280fc9ab506b044b098cf12d67714270c55b32e72
                                  • Instruction Fuzzy Hash: AD118275A00205DFCB10DF79D848CAEBBF5FF89320B10466AE945D7321E731A945CBA0
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 20e062007185e09ce3e9293b6db99e7739f7af662ae1ddfd1a0e23dd2a3f1dcb
                                  • Instruction ID: 26a43cc3b180b3e6a5f2ca2e0d3cfe025c36d5a771c2ae177944b6caa9e238da
                                  • Opcode Fuzzy Hash: 20e062007185e09ce3e9293b6db99e7739f7af662ae1ddfd1a0e23dd2a3f1dcb
                                  • Instruction Fuzzy Hash: 21010431D046289FDF68CAA9C800AEEBFF6AF89700F14052DE552B6350CB359905DBF0
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a9770ce0926611cfa9fa4e76723f8e9a6c7f83804c2ee05e68ba53abba4fb332
                                  • Instruction ID: 6df074c7fa7086be72b2b6be50dc88ff1bc78f101ac1710f5eedfa72038fac4d
                                  • Opcode Fuzzy Hash: a9770ce0926611cfa9fa4e76723f8e9a6c7f83804c2ee05e68ba53abba4fb332
                                  • Instruction Fuzzy Hash: A7110075E01218ABDB04EFA9E885ADDBBF5FF89310F50412AE505B7350CB3168558FA4
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9c9f091cf63b93df9c716443b4ede47e593455be33789ab14c33c767259dffba
                                  • Instruction ID: 2d551365549ebe99be7eabf848e417dc174bf18593f40bba7e011f222c5821bd
                                  • Opcode Fuzzy Hash: 9c9f091cf63b93df9c716443b4ede47e593455be33789ab14c33c767259dffba
                                  • Instruction Fuzzy Hash: B011C875900208EFCF81CFA9C944AADBBF5EF08210F1484A9E949D7251D736DA61EFA1
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c2d137d1177e701727b574351403ad5d10c6e96efcad839e32bf282c214f85d9
                                  • Instruction ID: 5a403f7eb5d7ede7b304d42090a356fbfedf531473184e1dbe2bff3e5437d8aa
                                  • Opcode Fuzzy Hash: c2d137d1177e701727b574351403ad5d10c6e96efcad839e32bf282c214f85d9
                                  • Instruction Fuzzy Hash: D0018075A002089FCB04DFA9D848CAEBBF9FF89210B00426AE905D7320DB30A944CBA0
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 56a383f01134da6495af6a5db0e16be39a02c67d907e846b7d999b01a48210bf
                                  • Instruction ID: 8f761cea57f3c5a24da4109737b76e09f1f133753ef666821abbd3af7059061e
                                  • Opcode Fuzzy Hash: 56a383f01134da6495af6a5db0e16be39a02c67d907e846b7d999b01a48210bf
                                  • Instruction Fuzzy Hash: FF01713690111AAFCB01CF94DC04CEE7BBAEF4A310B1042A6F614EB171D7319E25CBA1
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 08822c9a5157e0eb1d80b9364483aed4ef8ecbc8a42d8ac39c304e972f3d1664
                                  • Instruction ID: 47816a407817e4aec43575a6ec6432342d8cedece97e2332d9651a61f168ac5e
                                  • Opcode Fuzzy Hash: 08822c9a5157e0eb1d80b9364483aed4ef8ecbc8a42d8ac39c304e972f3d1664
                                  • Instruction Fuzzy Hash: E3018830A046549FCB119F79E84CAAEBFF6FF49250F14026AE582D7261C7715D45CBA0
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 379665a5be5e10b9e9c013ddbb6e4cfebd93f7c80a549fbddcdb4899f1854788
                                  • Instruction ID: e5090952ae1562fc037749812eb33034af42e7e907da948616d3d9db3cda265d
                                  • Opcode Fuzzy Hash: 379665a5be5e10b9e9c013ddbb6e4cfebd93f7c80a549fbddcdb4899f1854788
                                  • Instruction Fuzzy Hash: 6201F2B6A45105DFEF418B25EC808A9FB39FB92360314C1B7E5128B101D732D569CFE1
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e774a2682b9fa565a313c95b7deb78e3631630f2660699dc95291be10ccdb84d
                                  • Instruction ID: efa3f7b82218a1ad24d4c98558d19d1a6d77d086fa8c0de0e9cf75a29c0b3cef
                                  • Opcode Fuzzy Hash: e774a2682b9fa565a313c95b7deb78e3631630f2660699dc95291be10ccdb84d
                                  • Instruction Fuzzy Hash: DE012835605229AF8B51CB59D884C9BBBB9EF493607158656F819CB382CA30EC45CBE0
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0a47692b953bb75bebd80b31945a0c0e0e13f9ece983ab065753a3dc06b2d0e7
                                  • Instruction ID: effae503fb7988f0cfe480ad81a015725b81b2f9caf84e807f7d69d3dade4ac0
                                  • Opcode Fuzzy Hash: 0a47692b953bb75bebd80b31945a0c0e0e13f9ece983ab065753a3dc06b2d0e7
                                  • Instruction Fuzzy Hash: 2001A2357605108FC704DF69D484C55B7E9EF89A2231640AAEA05CB331DA32EC51CB90
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1438918165.0000000002E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E2D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_2e2d000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8105d9aa0b8088067b93010578a4a60dc4a450589c4fdefb4c77f7ed2a317956
                                  • Instruction ID: cfd6099dafee386bb695afaf5eaa6b39bc27105dab4af2463cad09b5bb2c6b24
                                  • Opcode Fuzzy Hash: 8105d9aa0b8088067b93010578a4a60dc4a450589c4fdefb4c77f7ed2a317956
                                  • Instruction Fuzzy Hash: 610126311483549BE7208B15CDC4BA6BF98DF41629F18C42AEE0E5A282C779D848CAB2
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 410883f23309e2e058272596733433a5e4027f80c2b0b17c55448c8a8fdafa7f
                                  • Instruction ID: 76aa4f745a54d3472fc2982a9933047047b3c1845395db5c824dc891a0a9b3ee
                                  • Opcode Fuzzy Hash: 410883f23309e2e058272596733433a5e4027f80c2b0b17c55448c8a8fdafa7f
                                  • Instruction Fuzzy Hash: F4F0A431605210DFC7159B2DD4089A577EBEFC5251716427EE445C7361DF71CC46CBA1
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5397dbe057ba82610ddabd4fa9ef6b14e3f3517a5690445baa362a6e849cb6dd
                                  • Instruction ID: 0205ac3c3ec5dff726151ac08db3fec0c8a25c364aea92ff9a296bcf09160dbc
                                  • Opcode Fuzzy Hash: 5397dbe057ba82610ddabd4fa9ef6b14e3f3517a5690445baa362a6e849cb6dd
                                  • Instruction Fuzzy Hash: AEF0F036B192586BDF094D99A8048EB7B7ADB89260B044877ED11E7391CB245C15CAF1
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 931446d1f7eb4a21fea4dc0dca3e7a6315d9d603983ba09019657190cb6e41ea
                                  • Instruction ID: b92b70742f3426bfb6f945b1c0aeeff514bda636b88d9b7e772413601e80d825
                                  • Opcode Fuzzy Hash: 931446d1f7eb4a21fea4dc0dca3e7a6315d9d603983ba09019657190cb6e41ea
                                  • Instruction Fuzzy Hash: 0B01B1319047699BDF65CBA9C814AAEBBF6AF88300F04456DD552B7280CB799904DBB0
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 93353a363640b4ac173d155836b3ddb092bc715ce41a88b79801e0aaf9a4ee4f
                                  • Instruction ID: 521388e00dbc65309d84f8282eec23903a4dcdaf4972d4a92cadc7a11ac2818f
                                  • Opcode Fuzzy Hash: 93353a363640b4ac173d155836b3ddb092bc715ce41a88b79801e0aaf9a4ee4f
                                  • Instruction Fuzzy Hash: 3DF0A471B001149FCB059F69D84CA6EBBF6EB89210F140169E645D3361CB709C45CB90
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 620f5d7430adf022586b8c8b6f9209ed2166673c9c55e5d920793698ce01eab9
                                  • Instruction ID: c4c0271b1bd669e4485752af312669e34dd703d21355864748400041698ea93a
                                  • Opcode Fuzzy Hash: 620f5d7430adf022586b8c8b6f9209ed2166673c9c55e5d920793698ce01eab9
                                  • Instruction Fuzzy Hash: 7FF06935B402058FCF09EB68E804AAC73F2EB88221B210168D502DB3A0CF31DD0ACFE0
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9d8f04bfb13e84ae6e573bde0bc00e3a37d1338a1a020e997810417bfa97207b
                                  • Instruction ID: 47b64b7b12186fa175e756d6dbc30ce293de773bc46c9bc28bcee4e1d9b7db28
                                  • Opcode Fuzzy Hash: 9d8f04bfb13e84ae6e573bde0bc00e3a37d1338a1a020e997810417bfa97207b
                                  • Instruction Fuzzy Hash: 62F0E2B124A6C01FCB1397648C168E93F6B8B8331571A81F3F981CF2A2C62C4D1687E3
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1445915344.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6390000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 376f82aa26299888e1e3ae052a8cd2f1e8b3c0f6f4361971f1dce8f18e5205fd
                                  • Instruction ID: 539f540820999fc8a393cf026ab8d3a7c1db5d694346efa8f8f3b7ea9facad89
                                  • Opcode Fuzzy Hash: 376f82aa26299888e1e3ae052a8cd2f1e8b3c0f6f4361971f1dce8f18e5205fd