Windows Analysis Report
hObXeMHkSShI8GL7378ICT2M.exe

Overview

General Information

Sample name: hObXeMHkSShI8GL7378ICT2M.exe
Analysis ID: 1483179
MD5: 9e96179dbd4fa2006157a4617e270555
SHA1: 6d46e5f13b7fa00b0034a4881d07b8d5776faa10
SHA256: 7a4b5e91d0222c145a45c4c844136be284a4df98737c6dae589d65c439d0e6d2
Tags: exe

Detection

PureLog Stealer, RedLine, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Enables security privileges
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • hObXeMHkSShI8GL7378ICT2M.exe (PID: 7284 cmdline: "C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe" MD5: 9E96179DBD4FA2006157A4617E270555)
    • conhost.exe (PID: 7292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 7348 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: zgRAT
Description: zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an infostealer use which targets browser information and cryptowallets. It usually spreads by USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.1683008996.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
Process Memory Space: RegAsm.exe PID: 7348 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
2.2.RegAsm.exe.400000.0.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
  • 0x4a5bb:$s1: file:///
  • 0x4a4f3:$s2: {11111-22222-10009-11112}
  • 0x4a54b:$s3: {11111-22222-50001-00000}
  • 0x475a5:$s4: get_Module
  • 0x41730:$s5: Reverse
  • 0x42512:$s6: BlockCopy
  • 0x4170d:$s7: ReadByte
  • 0x4a5cd:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.hObXeMHkSShI8GL7378ICT2M.exe.250000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
0.2.hObXeMHkSShI8GL7378ICT2M.exe.250000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
No Sigma rule has matched
No Snort rule has matched
Timestamp: 2024-07-26T19:21:16.347532+0200 | SID: 2022930 | Source Port: 443 | Destination Port: 49735 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 2024-07-26T19:21:55.841273+0200 | SID: 2022930 | Source Port: 443 | Destination Port: 55184 | Protocol: TCP | Classtype: A Network Trojan was detected


AV Detection

Source: hObXeMHkSShI8GL7378ICT2M.exe | Avira: detected
Source: hObXeMHkSShI8GL7378ICT2M.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: hObXeMHkSShI8GL7378ICT2M.exe | Joe Sandbox ML: detected
Source: hObXeMHkSShI8GL7378ICT2M.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: hObXeMHkSShI8GL7378ICT2M.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe | Code function: 0_2_00267E68 FindFirstFileExW,0_2_00267E68
Source: RegAsm.exe, 00000002.00000002.1684595853.00000000029F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $^q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\^q equals www.youtube.com (Youtube)
Source: RegAsm.exe, 00000002.00000002.1684595853.00000000029F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: RegAsm.exe, 00000002.00000002.1684595853.00000000029F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\^q equals www.youtube.com (Youtube)
Source: RegAsm.exe, 00000002.00000002.1684595853.00000000029F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`,^q equals www.youtube.com (Youtube)
Source: RegAsm.exe, 00000002.00000002.1684595853.00000000029F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: `,^q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegAsm.exe, 00000002.00000002.1684595853.0000000002911000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.s
Source: RegAsm.exe, 00000002.00000002.1684595853.0000000002911000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip
Source: RegAsm.exe, 00000002.00000002.1684595853.0000000002A42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/v9/users/
Source: RegAsm.exe, 00000002.00000002.1684595853.0000000002B89000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: GetRawInputDatamemstr_254d4716-9

System Summary

Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.hObXeMHkSShI8GL7378ICT2M.exe.250000.0.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe | Code function: 0_2_002670FA 0_2_002670FA
Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe | Code function: 0_2_0026A719 0_2_0026A719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_027825B0 2_2_027825B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_027825A2 2_2_027825A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02780878 2_2_02780878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02780869 2_2_02780869
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_04F210B4 2_2_04F210B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_04F23078 2_2_04F23078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_04F23069 2_2_04F23069
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Security
Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe | Code function: String function: 00258900 appears 49 times
Source: hObXeMHkSShI8GL7378ICT2M.exe, 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameOzzus.exe" vs hObXeMHkSShI8GL7378ICT2M.exe
Source: hObXeMHkSShI8GL7378ICT2M.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.hObXeMHkSShI8GL7378ICT2M.exe.250000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: classification engine | Classification label: mal100.troj.evad.winEXE@5/1@0/0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7292:120:WilError_03
Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe | Command line argument: &0_2_0026E840
Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: hObXeMHkSShI8GL7378ICT2M.exe | ReversingLabs: Detection: 71%
Source: unknown | Process created: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe "C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe"
Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: textshaping.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: hObXeMHkSShI8GL7378ICT2M.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: hObXeMHkSShI8GL7378ICT2M.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: hObXeMHkSShI8GL7378ICT2M.exe | Static PE information: section name: .zzz
Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe | Code function: 0_2_002580D5 push ecx; ret 0_2_002580E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_04F2A350 push esp; ret 2_2_04F2A351
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: RegAsm.exe, 00000002.00000002.1684595853.0000000002A42000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE@\^Q
Source: RegAsm.exe, 00000002.00000002.1684595853.0000000002A42000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE`,^Q
Source: RegAsm.exe, 00000002.00000002.1684595853.0000000002A42000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2780000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2910000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 4910000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7404 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe | Code function: 0_2_00267E68 FindFirstFileExW,0_2_00267E68
Source: RegAsm.exe, 00000002.00000002.1684595853.0000000002A42000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \qemu-ga.exe`,^q
Source: RegAsm.exe, 00000002.00000002.1684595853.0000000002A42000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \qemu-ga.exe
Source: RegAsm.exe, 00000002.00000002.1684595853.0000000002A42000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \qemu-ga.exe@\^q
Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe | Code function: 0_2_0025872E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0025872E
Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe | Code function: 0_2_0025FEDA mov ecx, dword ptr fs:[00000030h] 0_2_0025FEDA
Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe | Code function: 0_2_00263792 mov eax, dword ptr fs:[00000030h] 0_2_00263792
Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe | Code function: 0_2_00269050 GetProcessHeap,0_2_00269050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe | Code function: 0_2_0025888A SetUnhandledExceptionFilter,0_2_0025888A
Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe | Code function: 0_2_00258945 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00258945
Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe | Code function: 0_2_0025C713 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0025C713
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe	Code function: 0_2_00BD018D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_00BD018D
                Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
                Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 45A000
                Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 462000
                Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 9ED008
                Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: RegAsm.exe, 00000002.00000002.1684595853.0000000002B89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
                Source: RegAsm.exe, 00000002.00000002.1684595853.0000000002B89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow
                Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe	Code function: 0_2_00258525 cpuid 0_2_00258525
                Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe	Code function: EnumSystemLocalesW,0_2_00263015
                Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_0026B07B
                Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe	Code function: GetLocaleInfoW,0_2_0026B2CE
                Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_0026B3F7
                Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_0026AC68
                Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe	Code function: GetLocaleInfoW,0_2_0026B4FD
                Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe	Code function: GetLocaleInfoW,0_2_0026353B
                Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_0026B5CC
                Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe	Code function: GetLocaleInfoW,0_2_0026AE63
                Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe	Code function: EnumSystemLocalesW,0_2_0026AF0A
                Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe	Code function: EnumSystemLocalesW,0_2_0026AF55
                Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe	Code function: EnumSystemLocalesW,0_2_0026AFF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe | Code function: 0_2_00258B42 GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter | 0_2_00258B42
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.hObXeMHkSShI8GL7378ICT2M.exe.250000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.1683008996.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7348, type: MEMORYSTR
                Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.hObXeMHkSShI8GL7378ICT2M.exe.250000.0.unpack, type: UNPACKEDPE

                Remote Access Functionality

                Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.hObXeMHkSShI8GL7378ICT2M.exe.250000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.1683008996.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7348, type: MEMORYSTR
                Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.hObXeMHkSShI8GL7378ICT2M.exe.250000.0.unpack, type: UNPACKEDPE
                MITRE ATT&CK Matrix

                | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
                | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | Process Injection (412) | Masquerading (1) | Input Capture (11) | System Time Discovery (1) | Remote Services | Input Capture (11) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
                | Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Disable or Modify Tools (1) | LSASS Memory | Security Software Discovery (121) | Remote Desktop Protocol | Archive Collected Data (1) | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
                | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (31) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
                | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (412) | NTDS | Virtualization/Sandbox Evasion (31) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
                | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
                | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (2) | Cached Domain Credentials | System Information Discovery (33) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | DLL Side-Loading (1) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
                Source | Detection | Scanner | Label
                hObXeMHkSShI8GL7378ICT2M.exe | 71% | ReversingLabs | Win32.Trojan.Fragtor
                hObXeMHkSShI8GL7378ICT2M.exe | 100% | Avira | HEUR/AGEN.1317026
                hObXeMHkSShI8GL7378ICT2M.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                Source | Detection | Scanner | Label
                http://www.apache.org/licenses/LICENSE-2.0 | 0% | URL Reputation | safe
                http://www.fontbureau.com | 0% | URL Reputation | safe
                http://www.fontbureau.com/designersG | 0% | URL Reputation | safe
                https://api.ip.sb/ip | 0% | URL Reputation | safe
                http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe
                http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                http://www.fontbureau.com/designers? | 0% | URL Reputation | safe
                http://www.tiro.com | 0% | URL Reputation | safe
                http://www.fontbureau.com/designers | 0% | URL Reputation | safe
                http://www.goodfont.co.kr | 0% | URL Reputation | safe
                http://www.carterandcone.coml | 0% | URL Reputation | safe
                http://www.sajatypeworks.com | 0% | URL Reputation | safe
                http://www.typography.netD | 0% | URL Reputation | safe
                http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe
                http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe
                http://www.fonts.com | 0% | URL Reputation | safe
                http://www.sandoll.co.kr | 0% | URL Reputation | safe
                http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                http://www.sakkal.com | 0% | URL Reputation | safe
                https://api.ip.s | 0% | Avira URL Cloud | safe
                https://discord.com/api/v9/users/ | 0% | Avira URL Cloud | safe
                No contacted domains info
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://www.apache.org/licenses/LICENSE-2.0 | RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.com | RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.com/designersG | RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://api.ip.sb/ip | RegAsm.exe, 00000002.00000002.1684595853.0000000002911000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.com/designers/? | RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.founder.com.cn/cn/bThe | RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.com/designers? | RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.tiro.com | RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://api.ip.s | RegAsm.exe, 00000002.00000002.1684595853.0000000002911000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.fontbureau.com/designers | RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.goodfont.co.kr | RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.carterandcone.coml | RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.sajatypeworks.com | RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.typography.netD | RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.com/designers/cabarga.htmlN | RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.founder.com.cn/cn/cThe | RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.galapagosdesign.com/staff/dennis.htm | RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.founder.com.cn/cn | RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.com/designers/frere-user.html | RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.jiyu-kobo.co.jp/ | RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://discord.com/api/v9/users/ | RegAsm.exe, 00000002.00000002.1684595853.0000000002A42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.galapagosdesign.com/DPlease | RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.com/designers8 | RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.fonts.com | RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.sandoll.co.kr | RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.urwpp.deDPlease | RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.zhongyicts.com.cn | RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.sakkal.com | RegAsm.exe, 00000002.00000002.1689580353.0000000006B32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                No contacted IP infos
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1483179
                Start date and time:2024-07-26 19:20:05 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 4m 46s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed:9
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:hObXeMHkSShI8GL7378ICT2M.exe
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@5/1@0/0
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 97%
                • Number of executed functions: 38
                • Number of non-executed functions: 51
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                • Not all processes were analyzed, report is missing behavior information
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: hObXeMHkSShI8GL7378ICT2M.exe
                No simulations
                No context
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1119
                Entropy (8bit):5.345080863654519
                Encrypted:false
                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
                MD5:88593431AEF401417595E7A00FE86E5F
                SHA1:1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
                SHA-256:ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
                SHA-512:1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                File type:PE32 executable (console) Intel 80386, for MS Windows
                Entropy (8bit):7.7280710304698665
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:hObXeMHkSShI8GL7378ICT2M.exe
                File size:573'440 bytes
                MD5:9e96179dbd4fa2006157a4617e270555
                SHA1:6d46e5f13b7fa00b0034a4881d07b8d5776faa10
                SHA256:7a4b5e91d0222c145a45c4c844136be284a4df98737c6dae589d65c439d0e6d2
                SHA512:43aa1f59512b9ea927d3fba965431f88d9e37485b54d00b9e48c3423601a0b40b359e6e6b9c5bd7418d79d17a5e3b8d8f4fa4f97bb376c3ef3d37bf368092909
                SSDEEP:12288:eem1DVVYweJUFHk8oVw/oKMlfx062I4Nt91gYgs:e7DzESHkfsoKMlfxUIJYgs
                TLSH:E2C4F11279C1C0B3D6772A350AE4D7B8AA7EF9604E719DAF77540B3E0F305C2EA21616
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........a.Z.............r.......r..o....r.......r..........D...........................5.......5.......Rich............PE..L...|*.f...
                Icon Hash:90cececece8e8eb0
                Entrypoint:0x408401
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows cui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                Time Stamp:0x66A12A7C [Wed Jul 24 16:23:24 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:6
                OS Version Minor:0
                File Version Major:6
                File Version Minor:0
                Subsystem Version Major:6
                Subsystem Version Minor:0
                Import Hash:6addd02d82538c2ca23958c8c292883b
                Instruction
                call 00007F1E2CFB3D7Eh
                jmp 00007F1E2CFB3469h
                int3
                int3
                int3
                int3
                int3
                push ecx
                lea ecx, dword ptr [esp+08h]
                sub ecx, eax
                and ecx, 0Fh
                add eax, ecx
                sbb ecx, ecx
                or eax, ecx
                pop ecx
                jmp 00007F1E2CFB3E6Fh
                push ecx
                lea ecx, dword ptr [esp+08h]
                sub ecx, eax
                and ecx, 07h
                add eax, ecx
                sbb ecx, ecx
                or eax, ecx
                pop ecx
                jmp 00007F1E2CFB3E59h
                int3
                int3
                int3
                int3
                push ebx
                push esi
                mov eax, dword ptr [esp+18h]
                or eax, eax
                jne 00007F1E2CFB360Ah
                mov ecx, dword ptr [esp+14h]
                mov eax, dword ptr [esp+10h]
                xor edx, edx
                div ecx
                mov ebx, eax
                mov eax, dword ptr [esp+0Ch]
                div ecx
                mov edx, ebx
                jmp 00007F1E2CFB3633h
                mov ecx, eax
                mov ebx, dword ptr [esp+14h]
                mov edx, dword ptr [esp+10h]
                mov eax, dword ptr [esp+0Ch]
                shr ecx, 1
                rcr ebx, 1
                shr edx, 1
                rcr eax, 1
                or ecx, ecx
                jne 00007F1E2CFB35E6h
                div ebx
                mov esi, eax
                mul dword ptr [esp+18h]
                mov ecx, eax
                mov eax, dword ptr [esp+14h]
                mul esi
                add edx, ecx
                jc 00007F1E2CFB3600h
                cmp edx, dword ptr [esp+10h]
                jnbe 00007F1E2CFB35FAh
                jc 00007F1E2CFB35F9h
                cmp eax, dword ptr [esp+0Ch]
                jbe 00007F1E2CFB35F3h
                dec esi
                xor edx, edx
                mov eax, esi
                pop esi
                pop ebx
                retn 0010h
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                push ebx
                mov eax, dword ptr [esp+14h]
                or eax, eax
                jne 00007F1E2CFB360Ah
                mov ecx, dword ptr [esp+10h]
                mov eax, dword ptr [esp+0Ch]
                xor edx, edx
                div ecx
                mov eax, dword ptr [esp+08h]
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2ae04 | 0x28 | .rdata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8e000 | 0x1fa4 | .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x283b8 | 0x1c | .rdata
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x28400 | 0x18 | .rdata
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x282f8 | 0x40 | .rdata
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x21000 | 0x16c | .rdata
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x1000 | 0x1e3b7 | 0x1e400 | b6b08c161c5bf92ce1ba8431211d738a | False | 0.5810304752066116 | data | 6.610879411166099 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .zzz | 0x20000 | 0x713 | 0x800 | b863b2e179e2d3390b1c64e6852463b6 | False | 0.6708984375 | data | 6.108932867613365 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rdata | 0x21000 | 0xa67e | 0xa800 | ef532f5667cc860b731c37a415dd6163 | False | 0.38204520089285715 | OpenPGP Public Key Version 2; User ID | 4.619965008761279 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .data | 0x2c000 | 0x616c4 | 0x60800 | 0f5d5243dcef2de011e1156b32705dcc | False | 0.9859233322538861 | data | 7.990999283321883 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .reloc | 0x8e000 | 0x1fa4 | 0x2000 | e7aca2b985cb464f4615194f007ea2fd | False | 0.7523193359375 | data | 6.509163912377112 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                DLL | Import
                KERNEL32.dll | WaitForSingleObject, CreateThread, VirtualAllocEx, FreeConsole, RaiseException, InitOnceBeginInitialize, InitOnceComplete, CloseHandle, GetCurrentThreadId, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, GetLastError, FreeLibraryWhenCallbackReturns, CreateThreadpoolWork, SubmitThreadpoolWork, CloseThreadpoolWork, GetModuleHandleExW, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, QueryPerformanceCounter, EncodePointer, DecodePointer, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, GetStringTypeW, GetCPInfo, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, CreateFileW, RtlUnwind, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleFileNameW, GetStdHandle, WriteFile, GetCommandLineA, GetCommandLineW, HeapFree, HeapAlloc, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetProcessHeap, SetStdHandle, HeapSize, WriteConsoleW
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Jul 26, 2024 19:21:18.235683918 CEST | 53 | 52440 | 1.1.1.1 | 192.168.2.4
                Target ID:0
                Start time:13:20:55
                Start date:26/07/2024
                Path:C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\hObXeMHkSShI8GL7378ICT2M.exe"
                Imagebase:0x250000
                File size:573'440 bytes
                MD5 hash:9E96179DBD4FA2006157A4617E270555
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                Reputation:low
                Has exited:true

                Target ID:1
                Start time:13:20:55
                Start date:26/07/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7699e0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:2
                Start time:13:20:55
                Start date:26/07/2024
                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Imagebase:0x660000
                File size:65'440 bytes
                MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.1683008996.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                Reputation:high
                Has exited:true

                Target ID:3
                Start time:13:20:55
                Start date:26/07/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7699e0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                  Execution Graph

                  Execution Coverage:5.5%
                  Dynamic/Decrypted Code Coverage:0.3%
                  Signature Coverage:1.3%
                  Total number of Nodes:2000
                  Total number of Limit Nodes:38
251800 _Deallocate 41 API calls 16118->16119 16119->16111 16119->16114 16119->16115 16119->16118 16540 25d3de 16119->16540 16546 251920 16119->16546 16121 25219b _strlen 16120->16121 16740 251653 16121->16740 16123 2521a8 16123->16081 16125 254392 16124->16125 16126 25439b 16124->16126 16127 251800 _Deallocate 41 API calls 16125->16127 16126->16084 16127->16126 16129 2519ef __EH_prolog3_catch 16128->16129 16130 251a0f 16129->16130 16131 251a9b 16129->16131 16134 25454e 43 API calls 16130->16134 16132 254528 43 API calls 16131->16132 16133 251aa0 16132->16133 16135 251a24 16134->16135 16136 25340b 41 API calls 16135->16136 16137 251a7a Concurrency::details::_ContextCallback::_CallInContext 16136->16137 16137->16084 16139 25180d 16138->16139 16140 25181a _Deallocate 16138->16140 16750 2530c2 16139->16750 16140->16090 16143 2580d0 IsProcessorFeaturePresent 16142->16143 16144 2580cf 16142->16144 16146 258982 16143->16146 16144->16094 16757 258945 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 16146->16757 16148 258a65 16148->16094 16154 2637c3 __dosmaperr 16149->16154 16150 263801 16162 25f587 16150->16162 16152 2637ec RtlAllocateHeap 16153 2637ff 16152->16153 16152->16154 16153->16097 16154->16150 16154->16152 16155 25faa9 std::_Facet_Register 2 API calls 16154->16155 16155->16154 16157 259339 RaiseException 16156->16157 16158 25930c 16156->16158 16157->16104 16158->16157 16369 25fad6 16159->16369 16165 2628e1 GetLastError 16162->16165 16164 25f58c 16164->16153 16166 2628f7 16165->16166 16167 2628fd 16165->16167 16188 2634ba 16166->16188 16185 262901 SetLastError 16167->16185 16193 2634f9 16167->16193 16173 26292e 16174 262936 16173->16174 16175 262947 16173->16175 16176 2634f9 __dosmaperr 6 API calls 16174->16176 16177 2634f9 __dosmaperr 6 API calls 16175->16177 16178 262944 16176->16178 16179 262953 16177->16179 16205 262a7b 16178->16205 16180 262957 16179->16180 16181 26296e 16179->16181 16182 2634f9 __dosmaperr 6 API calls 
16180->16182 16211 2625be 16181->16211 16182->16178 16185->16164 16187 262a7b ___free_lconv_mon 12 API calls 16187->16185 16216 2632a9 16188->16216 16191 2634f1 TlsGetValue 16192 2634df 16192->16167 16194 2632a9 _unexpected 5 API calls 16193->16194 16195 263515 16194->16195 16196 263533 TlsSetValue 16195->16196 16197 262919 16195->16197 16197->16185 16198 262fab 16197->16198 16203 262fb8 __dosmaperr 16198->16203 16199 262ff8 16202 25f587 __strnicoll 13 API calls 16199->16202 16200 262fe3 HeapAlloc 16201 262ff6 16200->16201 16200->16203 16201->16173 16202->16201 16203->16199 16203->16200 16204 25faa9 std::_Facet_Register 2 API calls 16203->16204 16204->16203 16206 262a86 HeapFree 16205->16206 16210 262ab0 16205->16210 16207 262a9b GetLastError 16206->16207 16206->16210 16208 262aa8 __dosmaperr 16207->16208 16209 25f587 __strnicoll 12 API calls 16208->16209 16209->16210 16210->16185 16231 262452 16211->16231 16217 2632d7 16216->16217 16221 2632d3 16216->16221 16217->16221 16223 2631de 16217->16223 16220 2632f1 GetProcAddress 16220->16221 16222 263301 _unexpected 16220->16222 16221->16191 16221->16192 16222->16221 16229 2631ef ___vcrt_FlsFree 16223->16229 16224 263285 16224->16220 16224->16221 16225 26320d LoadLibraryExW 16226 26328c 16225->16226 16227 263228 GetLastError 16225->16227 16226->16224 16228 26329e FreeLibrary 16226->16228 16227->16229 16228->16224 16229->16224 16229->16225 16230 26325b LoadLibraryExW 16229->16230 16230->16226 16230->16229 16232 26245e ___scrt_is_nonwritable_in_current_image 16231->16232 16245 25d528 EnterCriticalSection 16232->16245 16234 262468 16246 262498 16234->16246 16237 262564 16238 262570 ___scrt_is_nonwritable_in_current_image 16237->16238 16250 25d528 EnterCriticalSection 16238->16250 16240 26257a 16251 262745 16240->16251 16242 262592 16255 2625b2 16242->16255 16245->16234 16249 25d570 LeaveCriticalSection 16246->16249 16248 262486 16248->16237 16249->16248 16250->16240 16252 26277b __Getctype 16251->16252 16253 262754 
__Getctype 16251->16253 16252->16242 16253->16252 16258 26a24f 16253->16258 16368 25d570 LeaveCriticalSection 16255->16368 16257 2625a0 16257->16187 16259 26a265 16258->16259 16261 26a2cf 16258->16261 16259->16261 16263 26a298 16259->16263 16268 262a7b ___free_lconv_mon 14 API calls 16259->16268 16262 262a7b ___free_lconv_mon 14 API calls 16261->16262 16285 26a31d 16261->16285 16264 26a2f1 16262->16264 16265 26a2ba 16263->16265 16273 262a7b ___free_lconv_mon 14 API calls 16263->16273 16266 262a7b ___free_lconv_mon 14 API calls 16264->16266 16267 262a7b ___free_lconv_mon 14 API calls 16265->16267 16269 26a304 16266->16269 16270 26a2c4 16267->16270 16272 26a28d 16268->16272 16274 262a7b ___free_lconv_mon 14 API calls 16269->16274 16275 262a7b ___free_lconv_mon 14 API calls 16270->16275 16271 26a38b 16276 262a7b ___free_lconv_mon 14 API calls 16271->16276 16286 269505 16272->16286 16278 26a2af 16273->16278 16279 26a312 16274->16279 16275->16261 16280 26a391 16276->16280 16314 2699b9 16278->16314 16283 262a7b ___free_lconv_mon 14 API calls 16279->16283 16280->16252 16281 26a32b 16281->16271 16284 262a7b 14 API calls ___free_lconv_mon 16281->16284 16283->16285 16284->16281 16326 26a3c0 16285->16326 16287 269516 16286->16287 16313 2695ff 16286->16313 16288 269527 16287->16288 16290 262a7b ___free_lconv_mon 14 API calls 16287->16290 16289 269539 16288->16289 16291 262a7b ___free_lconv_mon 14 API calls 16288->16291 16292 26954b 16289->16292 16293 262a7b ___free_lconv_mon 14 API calls 16289->16293 16290->16288 16291->16289 16294 26955d 16292->16294 16295 262a7b ___free_lconv_mon 14 API calls 16292->16295 16293->16292 16296 26956f 16294->16296 16298 262a7b ___free_lconv_mon 14 API calls 16294->16298 16295->16294 16297 269581 16296->16297 16299 262a7b ___free_lconv_mon 14 API calls 16296->16299 16300 262a7b ___free_lconv_mon 14 API calls 16297->16300 16302 269593 16297->16302 16298->16296 16299->16297 16300->16302 16301 2695a5 16304 2695b7 16301->16304 16306 262a7b 
___free_lconv_mon 14 API calls 16301->16306 16302->16301 16303 262a7b ___free_lconv_mon 14 API calls 16302->16303 16303->16301 16305 2695c9 16304->16305 16307 262a7b ___free_lconv_mon 14 API calls 16304->16307 16308 2695db 16305->16308 16309 262a7b ___free_lconv_mon 14 API calls 16305->16309 16306->16304 16307->16305 16310 2695ed 16308->16310 16311 262a7b ___free_lconv_mon 14 API calls 16308->16311 16309->16308 16312 262a7b ___free_lconv_mon 14 API calls 16310->16312 16310->16313 16311->16310 16312->16313 16313->16263 16315 2699c6 16314->16315 16325 269a1e 16314->16325 16316 262a7b ___free_lconv_mon 14 API calls 16315->16316 16317 2699d6 16315->16317 16316->16317 16318 2699e8 16317->16318 16319 262a7b ___free_lconv_mon 14 API calls 16317->16319 16320 2699fa 16318->16320 16321 262a7b ___free_lconv_mon 14 API calls 16318->16321 16319->16318 16322 269a0c 16320->16322 16323 262a7b ___free_lconv_mon 14 API calls 16320->16323 16321->16320 16324 262a7b ___free_lconv_mon 14 API calls 16322->16324 16322->16325 16323->16322 16324->16325 16325->16265 16327 26a3cd 16326->16327 16331 26a3ec 16326->16331 16327->16331 16332 269ed4 16327->16332 16330 262a7b ___free_lconv_mon 14 API calls 16330->16331 16331->16281 16333 269fb2 16332->16333 16334 269ee5 16332->16334 16333->16330 16335 269c33 __Getctype 14 API calls 16334->16335 16336 269eed 16335->16336 16337 269c33 __Getctype 14 API calls 16336->16337 16338 269ef8 16337->16338 16339 269c33 __Getctype 14 API calls 16338->16339 16340 269f03 16339->16340 16341 269c33 __Getctype 14 API calls 16340->16341 16342 269f0e 16341->16342 16343 269c33 __Getctype 14 API calls 16342->16343 16344 269f1c 16343->16344 16345 262a7b ___free_lconv_mon 14 API calls 16344->16345 16346 269f27 16345->16346 16347 262a7b ___free_lconv_mon 14 API calls 16346->16347 16348 269f32 16347->16348 16349 262a7b ___free_lconv_mon 14 API calls 16348->16349 16350 269f3d 16349->16350 16351 269c33 __Getctype 14 API calls 16350->16351 16352 269f4b 16351->16352 16353 269c33 
__Getctype 14 API calls 16352->16353 16354 269f59 16353->16354 16355 269c33 __Getctype 14 API calls 16354->16355 16356 269f6a 16355->16356 16357 269c33 __Getctype 14 API calls 16356->16357 16358 269f78 16357->16358 16368->16257 16370 25fae2 ___scrt_is_nonwritable_in_current_image 16369->16370 16375 25d528 EnterCriticalSection 16370->16375 16372 25faed 16376 25fb29 16372->16376 16375->16372 16379 25d570 LeaveCriticalSection 16376->16379 16378 25fab4 16378->16097 16379->16378 16381 25178a 16380->16381 16382 251781 16380->16382 16381->16109 16384 253106 16382->16384 16385 253116 16384->16385 16386 25312c 16384->16386 16391 25454e 16385->16391 16398 254528 16386->16398 16392 254566 16391->16392 16393 254559 16391->16393 16409 254246 16392->16409 16401 251578 16393->16401 16396 25311c 16396->16381 16506 254e6f 16398->16506 16402 251583 16401->16402 16403 25158b 16401->16403 16413 25159a 16402->16413 16405 251597 16403->16405 16407 257d7e std::_Facet_Register 16 API calls 16403->16407 16405->16396 16408 251595 16407->16408 16408->16396 16410 254254 Concurrency::cancel_current_task 16409->16410 16411 2592f2 Concurrency::cancel_current_task RaiseException 16410->16411 16412 254262 16411->16412 16414 254246 Concurrency::cancel_current_task 16413->16414 16415 2515a9 16413->16415 16418 2592f2 Concurrency::cancel_current_task RaiseException 16414->16418 16416 257d7e std::_Facet_Register 16 API calls 16415->16416 16417 2515af 16416->16417 16417->16414 16419 251589 16417->16419 16420 25c91f 16417->16420 16421 254262 16418->16421 16419->16396 16426 25c85b 16420->16426 16425 25c93b 16427 25c86d _Fputc 16426->16427 16436 25c892 16427->16436 16429 25c885 16447 25c64b 16429->16447 16432 25c93c IsProcessorFeaturePresent 16433 25c948 16432->16433 16500 25c713 16433->16500 16437 25c8a2 16436->16437 16440 25c8a9 16436->16440 16453 25c6b0 GetLastError 16437->16453 16441 25c8b7 16440->16441 16457 25c687 16440->16457 16441->16429 16442 25c8de 16442->16441 16443 25c93c __Getctype 11 API 
calls 16442->16443 16444 25c90e 16443->16444 16445 25c85b __strnicoll 41 API calls 16444->16445 16446 25c91b 16445->16446 16446->16429 16448 25c657 16447->16448 16449 25c66e 16448->16449 16482 25c6f6 16448->16482 16451 25c6f6 _Fputc 41 API calls 16449->16451 16452 25c681 16449->16452 16451->16452 16452->16432 16454 25c6c9 16453->16454 16460 262992 16454->16460 16458 25c692 GetLastError SetLastError 16457->16458 16459 25c6ab 16457->16459 16458->16442 16459->16442 16461 2629a5 16460->16461 16462 2629ab 16460->16462 16463 2634ba __dosmaperr 6 API calls 16461->16463 16464 2634f9 __dosmaperr 6 API calls 16462->16464 16481 25c6e1 SetLastError 16462->16481 16463->16462 16465 2629c5 16464->16465 16466 262fab __dosmaperr 14 API calls 16465->16466 16465->16481 16467 2629d5 16466->16467 16468 2629f2 16467->16468 16469 2629dd 16467->16469 16470 2634f9 __dosmaperr 6 API calls 16468->16470 16471 2634f9 __dosmaperr 6 API calls 16469->16471 16472 2629fe 16470->16472 16473 2629e9 16471->16473 16474 262a02 16472->16474 16475 262a11 16472->16475 16478 262a7b ___free_lconv_mon 14 API calls 16473->16478 16476 2634f9 __dosmaperr 6 API calls 16474->16476 16477 2625be __dosmaperr 14 API calls 16475->16477 16476->16473 16479 262a1c 16477->16479 16478->16481 16480 262a7b ___free_lconv_mon 14 API calls 16479->16480 16480->16481 16481->16440 16483 25c700 16482->16483 16484 25c709 16482->16484 16485 25c6b0 _Fputc 16 API calls 16483->16485 16484->16449 16486 25c705 16485->16486 16486->16484 16489 25c98b 16486->16489 16490 262b83 CallUnexpected EnterCriticalSection LeaveCriticalSection 16489->16490 16491 25c990 16490->16491 16492 25c99b 16491->16492 16493 262bc8 CallUnexpected 40 API calls 16491->16493 16494 25c9a5 IsProcessorFeaturePresent 16492->16494 16495 25c9c4 16492->16495 16493->16492 16496 25c9b1 16494->16496 16497 25ffab CallUnexpected 23 API calls 16495->16497 16498 25c713 CallUnexpected 8 API calls 16496->16498 16499 25c9ce 16497->16499 16498->16495 16501 25c72f __fread_nolock 
CallUnexpected 16500->16501 16502 25c75b IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 16501->16502 16505 25c82c CallUnexpected 16502->16505 16503 2580c7 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 16504 25c84a GetCurrentProcess TerminateProcess 16503->16504 16504->16425 16505->16503 16511 254e06 16506->16511 16509 2592f2 Concurrency::cancel_current_task RaiseException 16510 254e8e 16509->16510 16514 2525eb 16511->16514 16517 259270 16514->16517 16518 252617 16517->16518 16519 25927d 16517->16519 16518->16509 16519->16518 16520 25d59e ___std_exception_copy 15 API calls 16519->16520 16521 25929a 16520->16521 16522 2592aa 16521->16522 16525 262345 16521->16525 16534 25c970 16522->16534 16526 262361 16525->16526 16527 262353 16525->16527 16528 25f587 __strnicoll 14 API calls 16526->16528 16527->16526 16530 262379 16527->16530 16533 262369 16528->16533 16531 262373 16530->16531 16532 25f587 __strnicoll 14 API calls 16530->16532 16531->16522 16532->16533 16537 25c90f 16533->16537 16535 262a7b ___free_lconv_mon 14 API calls 16534->16535 16536 25c988 16535->16536 16536->16518 16538 25c85b __strnicoll 41 API calls 16537->16538 16539 25c91b 16538->16539 16539->16531 16541 25d3f1 _Fputc 16540->16541 16560 25ca00 16541->16560 16543 25d40b 16544 25c64b _Fputc 41 API calls 16543->16544 16545 25d418 16544->16545 16545->16119 16547 25192c __EH_prolog3_catch 16546->16547 16548 25194c 16547->16548 16549 2519d8 16547->16549 16552 25454e 43 API calls 16548->16552 16550 254528 43 API calls 16549->16550 16551 2519dd 16550->16551 16553 251961 16552->16553 16736 25340b 16553->16736 16555 2519b7 Concurrency::details::_ContextCallback::_CallInContext 16555->16119 16557 254343 16556->16557 16558 254353 16556->16558 16559 251800 _Deallocate 41 API calls 16557->16559 16558->16091 16559->16558 16574 25d30b 16560->16574 16562 25ca5a 16568 25ca7e 16562->16568 16581 25d2b0 16562->16581 16563 25ca27 16566 25c892 __strnicoll 41 API calls 
16563->16566 16564 25ca12 16564->16562 16564->16563 16573 25ca42 std::_Locinfo::_Locinfo_ctor 16564->16573 16566->16573 16570 25caa2 16568->16570 16588 25d348 16568->16588 16569 25cb2a 16571 25d251 41 API calls 16569->16571 16570->16569 16595 25d251 16570->16595 16571->16573 16573->16543 16575 25d310 16574->16575 16576 25d323 16574->16576 16577 25f587 __strnicoll 14 API calls 16575->16577 16576->16564 16578 25d315 16577->16578 16579 25c90f __strnicoll 41 API calls 16578->16579 16580 25d320 16579->16580 16580->16564 16582 25c6f6 _Fputc 41 API calls 16581->16582 16583 25d2c0 16582->16583 16601 262f1c 16583->16601 16589 25d354 16588->16589 16590 25d36a 16588->16590 16679 25db61 16589->16679 16594 25d37a 16590->16594 16684 262e24 16590->16684 16592 25d35f std::_Locinfo::_Locinfo_ctor 16592->16568 16594->16568 16596 25d276 16595->16596 16597 25d262 16595->16597 16596->16569 16597->16596 16598 25f587 __strnicoll 14 API calls 16597->16598 16599 25d26b 16598->16599 16600 25c90f __strnicoll 41 API calls 16599->16600 16600->16596 16602 262f33 16601->16602 16603 25d2dd 16601->16603 16602->16603 16609 26a49b 16602->16609 16605 262f7a 16603->16605 16606 262f91 16605->16606 16607 25d2ea 16605->16607 16606->16607 16658 268901 16606->16658 16607->16568 16610 26a4a7 ___scrt_is_nonwritable_in_current_image 16609->16610 16622 262790 GetLastError 16610->16622 16613 26a4f6 16613->16603 16615 26a4ce 16650 26a51c 16615->16650 16620 25c98b CallUnexpected 41 API calls 16621 26a51b 16620->16621 16623 2627a6 16622->16623 16624 2627ac 16622->16624 16625 2634ba __dosmaperr 6 API calls 16623->16625 16626 2634f9 __dosmaperr 6 API calls 16624->16626 16628 2627b0 SetLastError 16624->16628 16625->16624 16627 2627c8 16626->16627 16627->16628 16630 262fab __dosmaperr 14 API calls 16627->16630 16632 262845 16628->16632 16633 262840 16628->16633 16631 2627dd 16630->16631 16635 2627f6 16631->16635 16636 2627e5 16631->16636 16634 25c98b CallUnexpected 39 API calls 16632->16634 16633->16613 16649 25d528 
EnterCriticalSection 16633->16649 16637 26284a 16634->16637 16639 2634f9 __dosmaperr 6 API calls 16635->16639 16638 2634f9 __dosmaperr 6 API calls 16636->16638 16643 2627f3 16638->16643 16640 262802 16639->16640 16641 262806 16640->16641 16642 26281d 16640->16642 16644 2634f9 __dosmaperr 6 API calls 16641->16644 16646 2625be __dosmaperr 14 API calls 16642->16646 16645 262a7b ___free_lconv_mon 14 API calls 16643->16645 16644->16643 16645->16628 16647 262828 16646->16647 16648 262a7b ___free_lconv_mon 14 API calls 16647->16648 16648->16628 16649->16615 16651 26a4df 16650->16651 16652 26a52a __Getctype 16650->16652 16654 26a4fb 16651->16654 16652->16651 16653 26a24f __Getctype 14 API calls 16652->16653 16653->16651 16657 25d570 LeaveCriticalSection 16654->16657 16656 26a4f2 16656->16613 16656->16620 16657->16656 16659 262790 _unexpected 41 API calls 16658->16659 16660 268906 16659->16660 16663 268819 16660->16663 16664 268825 ___scrt_is_nonwritable_in_current_image 16663->16664 16666 26883f 16664->16666 16674 25d528 EnterCriticalSection 16664->16674 16668 268846 16666->16668 16670 25c98b CallUnexpected 41 API calls 16666->16670 16667 26887b 16675 268898 16667->16675 16668->16607 16671 2688b8 16670->16671 16672 26884f 16672->16667 16673 262a7b ___free_lconv_mon 14 API calls 16672->16673 16673->16667 16674->16672 16678 25d570 LeaveCriticalSection 16675->16678 16677 26889f 16677->16666 16678->16677 16680 262790 _unexpected 41 API calls 16679->16680 16681 25db6c 16680->16681 16691 262eef 16681->16691 16695 25f59a 16684->16695 16688 262e51 16689 2580c7 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 16688->16689 16690 262eed 16689->16690 16690->16594 16692 262f02 16691->16692 16693 25db7c 16691->16693 16692->16693 16694 26a49b __Getctype 41 API calls 16692->16694 16693->16592 16694->16693 16696 25f5b1 16695->16696 16697 25f5b8 16695->16697 16696->16688 16703 2647d4 16696->16703 16697->16696 16698 262790 _unexpected 41 API calls 16697->16698 16699 
25f5d9 16698->16699 16700 262eef __Getctype 41 API calls 16699->16700 16701 25f5ef 16700->16701 16718 262f4d 16701->16718 16704 25f59a __strnicoll 41 API calls 16703->16704 16705 2647f4 16704->16705 16722 2678e9 16705->16722 16707 2648b8 16710 2580c7 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 16707->16710 16708 2648b0 16732 257b86 16708->16732 16709 264821 16709->16707 16709->16708 16714 264846 __fread_nolock __alloca_probe_16 16709->16714 16725 2637c3 16709->16725 16713 2648db 16710->16713 16713->16688 16714->16708 16715 2678e9 __strnicoll MultiByteToWideChar 16714->16715 16716 264891 16715->16716 16716->16708 16717 26489c GetStringTypeW 16716->16717 16717->16708 16719 262f60 16718->16719 16721 262f75 16718->16721 16720 268901 __strnicoll 41 API calls 16719->16720 16719->16721 16720->16721 16721->16696 16723 2678fa MultiByteToWideChar 16722->16723 16723->16709 16726 263801 16725->16726 16730 2637d1 __dosmaperr 16725->16730 16727 25f587 __strnicoll 14 API calls 16726->16727 16729 2637ff 16727->16729 16728 2637ec RtlAllocateHeap 16728->16729 16728->16730 16729->16714 16730->16726 16730->16728 16731 25faa9 std::_Facet_Register 2 API calls 16730->16731 16731->16730 16733 257b90 16732->16733 16734 257ba1 16732->16734 16733->16734 16735 25c970 ___std_exception_destroy 14 API calls 16733->16735 16734->16707 16735->16734 16737 253423 16736->16737 16738 253413 16736->16738 16737->16555 16739 251800 _Deallocate 41 API calls 16738->16739 16739->16737 16741 2516be 16740->16741 16744 251664 std::_Throw_Cpp_error 16740->16744 16747 25451d 16741->16747 16745 251578 std::_Throw_Cpp_error 43 API calls 16744->16745 16746 25166b std::_Throw_Cpp_error 16744->16746 16745->16746 16746->16123 16748 254e6f std::_Throw_Cpp_error 43 API calls 16747->16748 16749 254527 16748->16749 16751 2530dc 16750->16751 16752 2530df 16750->16752 16751->16140 16753 25c85b __strnicoll 41 API calls 16752->16753 16754 25c92e 16753->16754 16755 25c93c __Getctype 11 API calls 
16754->16755 16756 25c93b 16755->16756 16757->16148 18227 269062 18228 269099 18227->18228 18229 26907b 18227->18229 18229->18228 18230 2639b2 2 API calls 18229->18230 18230->18229 20466 263a62 20467 263a6e ___scrt_is_nonwritable_in_current_image 20466->20467 20478 25d528 EnterCriticalSection 20467->20478 20469 263a75 20479 269310 20469->20479 20472 263a93 20498 263ab9 20472->20498 20477 2639b2 2 API calls 20477->20472 20478->20469 20480 26931c ___scrt_is_nonwritable_in_current_image 20479->20480 20481 269346 20480->20481 20482 269325 20480->20482 20501 25d528 EnterCriticalSection 20481->20501 20483 25f587 __strnicoll 14 API calls 20482->20483 20485 26932a 20483->20485 20486 25c90f __strnicoll 41 API calls 20485->20486 20487 263a84 20486->20487 20487->20472 20492 2638fc GetStartupInfoW 20487->20492 20488 26937e 20509 2693a5 20488->20509 20489 269352 20489->20488 20502 269260 20489->20502 20493 2639ad 20492->20493 20494 263919 20492->20494 20493->20477 20494->20493 20495 269310 42 API calls 20494->20495 20496 263941 20495->20496 20496->20493 20497 263971 GetFileType 20496->20497 20497->20496 20513 25d570 LeaveCriticalSection 20498->20513 20500 263aa4 20501->20489 20503 262fab __dosmaperr 14 API calls 20502->20503 20506 269272 20503->20506 20504 26927f 20505 262a7b ___free_lconv_mon 14 API calls 20504->20505 20507 2692d4 20505->20507 20506->20504 20508 2635b6 _unexpected 6 API calls 20506->20508 20507->20489 20508->20506 20512 25d570 LeaveCriticalSection 20509->20512 20511 2693ac 20511->20487 20512->20511 20513->20500 16957 25827f 16958 25828b ___scrt_is_nonwritable_in_current_image 16957->16958 16983 257e37 16958->16983 16960 258292 16961 2583eb 16960->16961 16969 2582bc ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock CallUnexpected 16960->16969 17026 25872e IsProcessorFeaturePresent 16961->17026 16963 2583f2 17001 25ffe7 16963->17001 16968 2582db 16969->16968 16972 25835c 16969->16972 17004 25ffc1 16969->17004 16994 2605ae 16972->16994 16973 
258362 16998 270705 FreeConsole 16973->16998 16978 258387 16979 258390 16978->16979 17017 25ff9c 16978->17017 17020 257fa8 16979->17020 16984 257e40 16983->16984 17033 258525 IsProcessorFeaturePresent 16984->17033 16988 257e51 16993 257e55 16988->16993 17043 260a04 16988->17043 16991 257e6c 16991->16960 16993->16960 16995 2605b7 16994->16995 16997 2605bc 16994->16997 17115 260308 16995->17115 16997->16973 17357 27062d CreateThread WaitForSingleObject 16998->17357 17000 258379 17015 258848 GetModuleHandleW 17000->17015 17848 25fdcf 17001->17848 17005 25ffd7 _unexpected 17004->17005 17006 25d4ab ___scrt_is_nonwritable_in_current_image 17004->17006 17005->16972 17007 262790 _unexpected 41 API calls 17006->17007 17009 25d4bc 17007->17009 17008 25c98b CallUnexpected 41 API calls 17011 25d4e6 17008->17011 17009->17008 17012 25d51b 17011->17012 17013 25d517 17011->17013 17925 2635b6 17011->17925 17930 25d53f 17012->17930 17013->16972 17016 258383 17015->17016 17016->16963 17016->16978 17018 25fdcf CallUnexpected 23 API calls 17017->17018 17019 25ffa7 17018->17019 17019->16979 17021 257fb4 17020->17021 17022 257fca 17021->17022 17934 260a16 17021->17934 17022->16968 17024 257fc2 17025 25b0db ___scrt_uninitialize_crt 7 API calls 17024->17025 17025->17022 17027 258744 __fread_nolock CallUnexpected 17026->17027 17028 2587ef IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 17027->17028 17029 258833 CallUnexpected 17028->17029 17029->16963 17030 25ffab 17031 25fdcf CallUnexpected 23 API calls 17030->17031 17032 258400 17031->17032 17034 257e4c 17033->17034 17035 25b0bc 17034->17035 17052 25c18c 17035->17052 17038 25b0c5 17038->16988 17040 25b0cd 17041 25b0d8 17040->17041 17066 25c1c8 17040->17066 17041->16988 17106 26906b 17043->17106 17046 25b0db 17047 25b0e4 17046->17047 17048 25b0ee 17046->17048 17049 25b400 ___vcrt_uninitialize_ptd 6 API calls 17047->17049 17048->16993 17050 25b0e9 17049->17050 17051 25c1c8 ___vcrt_uninitialize_locks 
DeleteCriticalSection 17050->17051 17051->17048 17053 25c195 17052->17053 17055 25c1be 17053->17055 17057 25b0c1 17053->17057 17070 25c541 17053->17070 17056 25c1c8 ___vcrt_uninitialize_locks DeleteCriticalSection 17055->17056 17056->17057 17057->17038 17058 25b3cd 17057->17058 17087 25c452 17058->17087 17061 25b3e2 17061->17040 17064 25b3fd 17064->17040 17067 25c1f2 17066->17067 17068 25c1d3 17066->17068 17067->17038 17069 25c1dd DeleteCriticalSection 17068->17069 17069->17067 17069->17069 17075 25c367 17070->17075 17073 25c579 InitializeCriticalSectionAndSpinCount 17074 25c564 17073->17074 17074->17053 17076 25c384 17075->17076 17077 25c388 17075->17077 17076->17073 17076->17074 17077->17076 17078 25c3f0 GetProcAddress 17077->17078 17080 25c3e1 17077->17080 17082 25c407 LoadLibraryExW 17077->17082 17078->17076 17080->17078 17081 25c3e9 FreeLibrary 17080->17081 17081->17078 17083 25c44e 17082->17083 17084 25c41e GetLastError 17082->17084 17083->17077 17084->17083 17085 25c429 ___vcrt_FlsFree 17084->17085 17085->17083 17086 25c43f LoadLibraryExW 17085->17086 17086->17077 17088 25c367 ___vcrt_FlsFree 5 API calls 17087->17088 17089 25c46c 17088->17089 17090 25c485 TlsAlloc 17089->17090 17091 25b3d7 17089->17091 17091->17061 17092 25c503 17091->17092 17093 25c367 ___vcrt_FlsFree 5 API calls 17092->17093 17094 25c51d 17093->17094 17095 25b3f0 17094->17095 17096 25c538 TlsSetValue 17094->17096 17095->17064 17097 25b400 17095->17097 17096->17095 17098 25b410 17097->17098 17099 25b40a 17097->17099 17098->17061 17101 25c48d 17099->17101 17102 25c367 ___vcrt_FlsFree 5 API calls 17101->17102 17103 25c4a7 17102->17103 17104 25c4bf TlsFree 17103->17104 17105 25c4b3 17103->17105 17104->17105 17105->17098 17107 257e5e 17106->17107 17108 26907b 17106->17108 17107->16991 17107->17046 17108->17107 17110 2639b2 17108->17110 17111 2639b9 17110->17111 17112 2639fc GetStdHandle 17111->17112 17113 263a5e 17111->17113 17114 263a0f GetFileType 17111->17114 17112->17111 17113->17108 
17114->17111 17116 260327 17115->17116 17117 260311 17115->17117 17116->16997 17117->17116 17121 260334 17117->17121 17119 26031e 17119->17116 17138 26049f 17119->17138 17122 260340 17121->17122 17123 26033d 17121->17123 17146 2688b9 17122->17146 17123->17119 17128 260351 17130 262a7b ___free_lconv_mon 14 API calls 17128->17130 17129 26035d 17173 26038e 17129->17173 17132 260357 17130->17132 17132->17119 17134 262a7b ___free_lconv_mon 14 API calls 17135 260381 17134->17135 17136 262a7b ___free_lconv_mon 14 API calls 17135->17136 17137 260387 17136->17137 17137->17119 17143 260510 17138->17143 17144 2604ae 17138->17144 17139 267965 WideCharToMultiByte std::_Locinfo::_Locinfo_ctor 17139->17144 17140 262fab __dosmaperr 14 API calls 17140->17144 17141 260514 17142 262a7b ___free_lconv_mon 14 API calls 17141->17142 17142->17143 17143->17116 17144->17139 17144->17140 17144->17141 17144->17143 17145 262a7b ___free_lconv_mon 14 API calls 17144->17145 17145->17144 17147 2688c2 17146->17147 17148 260346 17146->17148 17195 26284b 17147->17195 17152 268bbb GetEnvironmentStringsW 17148->17152 17153 268bd3 17152->17153 17154 26034b 17152->17154 17155 267965 std::_Locinfo::_Locinfo_ctor WideCharToMultiByte 17153->17155 17154->17128 17154->17129 17156 268bf0 17155->17156 17157 268c05 17156->17157 17158 268bfa FreeEnvironmentStringsW 17156->17158 17159 2637c3 __fread_nolock 15 API calls 17157->17159 17158->17154 17160 268c0c 17159->17160 17161 268c14 17160->17161 17162 268c25 17160->17162 17163 262a7b ___free_lconv_mon 14 API calls 17161->17163 17164 267965 std::_Locinfo::_Locinfo_ctor WideCharToMultiByte 17162->17164 17165 268c19 FreeEnvironmentStringsW 17163->17165 17166 268c35 17164->17166 17165->17154 17167 268c44 17166->17167 17168 268c3c 17166->17168 17170 262a7b ___free_lconv_mon 14 API calls 17167->17170 17169 262a7b ___free_lconv_mon 14 API calls 17168->17169 17171 268c42 FreeEnvironmentStringsW 17169->17171 17170->17171 17171->17154 17174 2603a3 17173->17174 17175 262fab 
Execution graph (text residue of the rendered call graph; the numeric node identifiers and edge lists cannot be reconstructed as a figure and are omitted). The recoverable information is the node labels, listed here as address: Windows APIs called at that node.

Remote process injection chain (the graph shows these nodes in sequence: a child process is created, memory is allocated and written in it, its thread context is replaced and the thread is resumed):
bd01c5: CreateProcessA, VirtualAlloc, Wow64GetThreadContext, ReadProcessMemory, VirtualAllocEx
bd03a2: WriteProcessMemory
bd03ec: WriteProcessMemory (the graph has an edge back to bd03e7, i.e. this write runs in a loop)
bd0429: WriteProcessMemory, Wow64SetThreadContext, ResumeThread

Remote memory allocation outside that chain:
270680: VirtualAllocEx

Other nodes that call Windows APIs (labelled with C runtime internals such as __dosmaperr, __strnicoll, __fread_nolock, ___free_lconv_mon, std::_Locinfo::_Locinfo_ctor, CallUnexpected), grouped by purpose:
Code page and string conversion: 268465 GetOEMCP; 26847c GetACP; 268971 IsValidCodePage; 268540, 2689b2 GetCPInfo; 2678e9 MultiByteToWideChar; 263689 LCMapStringEx; 2636c9 LCMapStringW; 267965, 26797c WideCharToMultiByte
Synchronisation: 25d528, 25d713, 2693ae EnterCriticalSection; 25d570, 25d727, 2693d1 LeaveCriticalSection; 2635f0 InitializeCriticalSectionAndSpinCount; 25d556, 25d69d, 263868 DeleteCriticalSection; 251e1a InitOnceBeginInitialize; 251e3e InitOnceComplete; 255a30, 255a5e AcquireSRWLockExclusive; 255ab9, 255ad0 TryAcquireSRWLockExclusive; 2559ef ReleaseSRWLockExclusive; 255b48 SleepConditionVariableSRW; 255a01, 255ba4 GetCurrentThreadId; 25789f GetSystemTimePreciseAsFileTime, GetSystemTimeAsFileTime
Exceptions, module lookup and process teardown: 2592f2, 25597b RaiseException; 263792, 25fee4 GetPEB; 25fe97 GetModuleHandleW; 25fefc GetModuleHandleExW; 25ff3b GetProcAddress; 25ff62 FreeLibrary; 25fe74 GetCurrentProcess, TerminateProcess; 25fe8c ExitProcess
File and console I/O: 263d20, 266bef SetFilePointerEx; 263d37 GetFileSizeEx; 264dce FlushFileBuffers; 264d00 CloseHandle; 269454 SetStdHandle; 264ea6 GetConsoleOutputCP; 26533a, 266971 GetConsoleMode; 265157, 265197, 2653dd, 2654bd, 2655f0, 2658ad WriteFile; 2661c5, 26633a, 265fa2, 2669d0 ReadFile; 266988 ReadConsoleW; GetLastError on the error paths of these I/O calls at 264dda, 264d0c, 2652d1, 26524f, 265420, 265509, 26563b, 2658cf, 266c07, 266533, 2669a2, 266a44
25d713 EnterCriticalSection 20074->20084 20078 25f587 __strnicoll 14 API calls 20075->20078 20077 25ea70 20085 25e80d 20077->20085 20080 25ea49 20078->20080 20082 25c90f __strnicoll 41 API calls 20080->20082 20082->20072 20084->20077 20087 25e81e __fread_nolock 20085->20087 20091 25e83a 20085->20091 20086 25e82a 20088 25f587 __strnicoll 14 API calls 20086->20088 20087->20086 20087->20091 20095 25e87c __fread_nolock 20087->20095 20089 25e82f 20088->20089 20090 25c90f __strnicoll 41 API calls 20089->20090 20090->20091 20098 25eaa5 20091->20098 20092 25e9a3 __fread_nolock 20096 25f587 __strnicoll 14 API calls 20092->20096 20093 25eaad __fread_nolock 41 API calls 20093->20095 20094 263aee __fread_nolock 41 API calls 20094->20095 20095->20091 20095->20092 20095->20093 20095->20094 20097 2666fc __fread_nolock 53 API calls 20095->20097 20096->20089 20097->20095 20101 25d727 LeaveCriticalSection 20098->20101 20100 25eaab 20100->20072 20101->20100

                  Control-flow Graph

                  APIs
                  • CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00BD00FF,00BD00EF), ref: 00BD02FC
                  • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00BD030F
                  • Wow64GetThreadContext.KERNEL32(0000009C,00000000), ref: 00BD032D
                  • ReadProcessMemory.KERNELBASE(00000098,?,00BD0143,00000004,00000000), ref: 00BD0351
                  • VirtualAllocEx.KERNELBASE(00000098,?,?,00003000,00000040), ref: 00BD037C
                  • WriteProcessMemory.KERNELBASE(00000098,00000000,?,?,00000000,?), ref: 00BD03D4
                  • WriteProcessMemory.KERNELBASE(00000098,00400000,?,?,00000000,?,00000028), ref: 00BD041F
                  • WriteProcessMemory.KERNELBASE(00000098,?,?,00000004,00000000), ref: 00BD045D
                  • Wow64SetThreadContext.KERNEL32(0000009C,00BE0000), ref: 00BD0499
                  • ResumeThread.KERNELBASE(0000009C), ref: 00BD04A8
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666446228.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_bd0000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Similarity
                  • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
                  • API String ID: 2687962208-1257834847
                  • Opcode ID: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
                  • Instruction ID: a06622b0dc33a45f7ce97c7a1d9bda8f3232c04a86a811d9b038afe6c0680d61
                  • Opcode Fuzzy Hash: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
                  • Instruction Fuzzy Hash: C5B1F67660024AAFDB60CF68CC80BDA73E5FF88714F158165EA0CAB341D770FA418B94
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 6a,
                  • API String ID: 0-1499783603
                  • Opcode ID: 3be818cf205956922cb42e2948fb7e1fdd6f2e0da355ec83d9b6a1afa0c5ae1d
                  • Instruction ID: b4013b4a66954d14ed41fd63a486d49668484fb008c4f99413c6311c481a5151
                  • Opcode Fuzzy Hash: 3be818cf205956922cb42e2948fb7e1fdd6f2e0da355ec83d9b6a1afa0c5ae1d
                  • Instruction Fuzzy Hash: 82E046B2921228EBCB16DF98894498AF2FCEB48B00B510096B902D3200C270DF50CBD0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e8f6b386abd769ad1aa34007715f148021cb4ecf1aa09ef3fb483fba9ae76088
                  • Instruction ID: f7c19a916d2ff4493b7062705775c8baa1517821262e8c2eb600808cdc032624
                  • Opcode Fuzzy Hash: e8f6b386abd769ad1aa34007715f148021cb4ecf1aa09ef3fb483fba9ae76088
                  • Instruction Fuzzy Hash: 0BC0807405054086CD159D24977236C3355E391783F54049DC94207A53D52D5C95D600

                  Control-flow Graph

                  APIs
                  • __alloca_probe_16.LIBCMT ref: 00264964
                  • __alloca_probe_16.LIBCMT ref: 00264A25
                  • __freea.LIBCMT ref: 00264A8C
                    • Part of subcall function 002637C3: RtlAllocateHeap.NTDLL(00000000,00254E80,?,?,0025929A,?,?,?,?,?,00252617,00254E80,?,?,?,?), ref: 002637F5
                  • __freea.LIBCMT ref: 00264AA1
                  • __freea.LIBCMT ref: 00264AB1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: __freea$__alloca_probe_16$AllocateHeap
                  • String ID: 6a,
                  • API String ID: 1423051803-1499783603
                  • Opcode ID: 80f8a9fc7f219d4e6c774bb2cc540c28e3d12254bfdc317263e1ba179c656ce1
                  • Instruction ID: b7e1be0e78ff160e3ccecd9f0281509afa7f35bed86ce3fe807571c39c5ce8b8
                  • Opcode Fuzzy Hash: 80f8a9fc7f219d4e6c774bb2cc540c28e3d12254bfdc317263e1ba179c656ce1
                  • Instruction Fuzzy Hash: BC51D272671207BFEB20AEA4DC52EBF76A9EF44314B150129FD44D7250E771CCA08BA4

                  Control-flow Graph

                  APIs
                  • FreeLibrary.KERNEL32(00000000,?,002632EB,?,?,00254E80,00000000,?,?,00263515,00000021,FlsSetValue,002747D0,002747D8,00254E80), ref: 0026329F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: FreeLibrary
                  • String ID: api-ms-$ext-ms-
                  • API String ID: 3664257935-537541572
                  • Opcode ID: 59d0eb0dce4b611c796d76b17181c543fce9f208c33859e504aac7f41671441a
                  • Instruction ID: e2807b0b1df68eb38f198fff27c8d958373ddd1a6e04adaa7a03017e96a419ee
                  • Opcode Fuzzy Hash: 59d0eb0dce4b611c796d76b17181c543fce9f208c33859e504aac7f41671441a
                  • Instruction Fuzzy Hash: EC215031A11121E7D721DF69FC58A6A3768AF027A0F200114FD09E7290D730EFE0C6D0

                  Control-flow Graph

                  APIs
                    • Part of subcall function 00268444: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 0026846F
                  • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,0026875B,?,00000000,?,00000000,?), ref: 00268975
                  • GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,0026875B,?,00000000,?,00000000,?), ref: 002689B7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: CodeInfoPageValid
                  • String ID: 6a,
                  • API String ID: 546120528-1499783603
                  • Opcode ID: b56244940432c0ccdd0061d8b28f54e47f5ca300022ec6468b5a9f31552b7ccc
                  • Instruction ID: 08588e8d85f466c1835b4cfb9cb8ee93bb3433808ad7a0d9acbf48e74f412790
                  • Opcode Fuzzy Hash: b56244940432c0ccdd0061d8b28f54e47f5ca300022ec6468b5a9f31552b7ccc
                  • Instruction Fuzzy Hash: 615144719203468FDB20CFB5C885ABABBF4EF95304F14826FD48687251DF749996CB81

                  Control-flow Graph

                  APIs
                  • WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,00000000,?,002658AB,?,00000000,00000000,00000000,00000000,00000000), ref: 002653FA
                  • GetLastError.KERNEL32(?,002658AB,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0025E210,00000000,00000000,0027A8F8,00000010), ref: 00265420
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorFileLastWrite
                  • String ID: 6a,
                  • API String ID: 442123175-1499783603
                  • Opcode ID: 2b7699c78e6fa36fd31e45587ba570126233488bcc4a3429ffabf3da4ebecb65
                  • Instruction ID: 49063311f95cd4aa7eba97481d37d59e22228b94e08b9eecbcd36973a1faf212
                  • Opcode Fuzzy Hash: 2b7699c78e6fa36fd31e45587ba570126233488bcc4a3429ffabf3da4ebecb65
                  • Instruction Fuzzy Hash: 59218230A102299BCB15CF29DC809DDB7B9EB48302F2441EAE946D7251D6709E95CF65

                  Control-flow Graph

                  APIs
                    • Part of subcall function 002513CB: __EH_prolog3_catch.LIBCMT ref: 002513D2
                    • Part of subcall function 002513CB: _strlen.LIBCMT ref: 002513E4
                    • Part of subcall function 00251920: __EH_prolog3_catch.LIBCMT ref: 00251927
                  • _Deallocate.LIBCONCRT ref: 002705FC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: H_prolog3_catch$Deallocate_strlen
                  • String ID: Earth$Own head
                  • API String ID: 1170754441-4036566267
                  • Opcode ID: 971e970e987ad3ea5c0956eff008cb7b77d474c755b617fcfd90b59200268c31
                  • Instruction ID: 627a6e1d00d28f0bf3f72f6a5ca710511144d4949db50e12e2ef24fa308f19a3
                  • Opcode Fuzzy Hash: 971e970e987ad3ea5c0956eff008cb7b77d474c755b617fcfd90b59200268c31
                  • Instruction Fuzzy Hash: 5E219A72419342AEC700EF3C989199BFBE8BD55308F541A5EF49552142C630E66DCBA6

                  Control-flow Graph

                  APIs
                    • Part of subcall function 0025217E: _strlen.LIBCMT ref: 00252196
                  • VirtualAllocEx.KERNELBASE(?,00000000,000004AC,00001000,00000040,0000000006:1@0000000005:@), ref: 00270693
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocVirtual_strlen
                  • String ID: 0000000006:1@0000000005:@$6a,
                  • API String ID: 3554592677-2799131470
                  • Opcode ID: c75bef7eb9374ac77106b85deec2d13799447cee33758fd210b75cb62d176fc3
                  • Instruction ID: 4306879be6778f2942f8e40af76ea78bbc77d46f58babc59724b2b7660fbfea4
                  • Opcode Fuzzy Hash: c75bef7eb9374ac77106b85deec2d13799447cee33758fd210b75cb62d176fc3
                  • Instruction Fuzzy Hash: FA110871A21204A6DB04EBA4DC92FEE7378EF85726F10811DF905B21C1DE749D6D8A68

                  Control-flow Graph

                  APIs
                  • GetCurrentProcess.KERNEL32(?,?,0025FE60,00000016,0025C712,?,?,EC2C6136,0025C712,?), ref: 0025FE77
                  • TerminateProcess.KERNEL32(00000000,?,0025FE60,00000016,0025C712,?,?,EC2C6136,0025C712,?), ref: 0025FE7E
                  • ExitProcess.KERNEL32 ref: 0025FE90
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$CurrentExitTerminate
                  • String ID:
                  • API String ID: 1703294689-0
                  • Opcode ID: b19b179369e87318d29b4da94a6c63ac451ee666ed54986c5c5b54a942a27b37
                  • Instruction ID: 28f8815178386cbb325199408a688563f20911fcdc1e4231be43d7a187e68d7e
                  • Opcode Fuzzy Hash: b19b179369e87318d29b4da94a6c63ac451ee666ed54986c5c5b54a942a27b37
                  • Instruction Fuzzy Hash: 94D06731410148AFCF413F69ED0E95A3F25AF44352B544024BD0999072CB3199E5DA48

                  Control-flow Graph

                  APIs
                  • GetCPInfo.KERNEL32(E8458D00,?,00268767,0026875B,00000000), ref: 0026854A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: Info
                  • String ID: 6a,
                  • API String ID: 1807457897-1499783603
                  • Opcode ID: cd4056fa13bd4b5cd77a1387877b351711ca58b8767dde42341ecb08ef1631f0
                  • Instruction ID: 5b16679e5fe93b322cfdddac4578c1ecf44109bcaf89b602ec6ff0682b13b2bb
                  • Opcode Fuzzy Hash: cd4056fa13bd4b5cd77a1387877b351711ca58b8767dde42341ecb08ef1631f0
                  • Instruction Fuzzy Hash: AE5168719142589ACB218E28CD84AEA7BBCEB49304F2446ADE59AC7182C7719ED58F20

                  Control-flow Graph

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 6a,
                  • API String ID: 0-1499783603
                  • Opcode ID: 7301570d265ec4a523a65ea13d579c2b6260b943a2c8497f209df28dbc70bff3
                  • Instruction ID: bb7eed0a7dd74a9dfa43018989d0837f54e1be97fd08f7dc64fdccd50023633b
                  • Opcode Fuzzy Hash: 7301570d265ec4a523a65ea13d579c2b6260b943a2c8497f209df28dbc70bff3
                  • Instruction Fuzzy Hash: 03318831D2011B9FCB14CF68E488DEDB7B9BF09311B944155E906A7A90E731FD68CB94

                  Control-flow Graph

                  control_flow_graph 308 2632a9-2632d1 309 2632d7-2632d9 308->309 310 2632d3-2632d5 308->310 312 2632df-2632e6 call 2631de 309->312 313 2632db-2632dd 309->313 311 263328-26332b 310->311 315 2632eb-2632ef 312->315 313->311 316 2632f1-2632ff GetProcAddress 315->316 317 26330e-263325 315->317 316->317 319 263301-26330c call 25fcc5 316->319 318 263327 317->318 318->311 319->318
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 6a,
                  • API String ID: 0-1499783603
                  • Opcode ID: 4fedd26fa0e9819a273cc88b3e5da5c71884450258ad21850f853691536fe572
                  • Instruction ID: 3d08d32ee11e8933898ea3f7b7d95537e8a48c5324b7d2685ea35dda160f1205
                  • Opcode Fuzzy Hash: 4fedd26fa0e9819a273cc88b3e5da5c71884450258ad21850f853691536fe572
                  • Instruction Fuzzy Hash: A201F133B202566FAB12CE6AED4595A37D7BB853203244162FD04CB294DA31CDA18AD1
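The `control_flow_graph` lines in these function entries are the raw node and edge dump behind the rendered graph image. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses that notation and answers the questions a reverse engineer asks of such a dump (entry and exit blocks, where imported APIs are called, which internal subroutines to chase next, and a path from the entry to a call site). The grammar is inferred from the dump and is an assumption: `<id> <start>[-<end>]` defines a basic block, a following `call <addr>` or bare API name annotates that block, and `<id>-><id>` is an edge. The input is the graph line for the GetProcAddress wrapper at 0x2632a9 from this page, copied verbatim.

```python
import re
from collections import deque
from dataclasses import dataclass, field

# Constructed input: the control_flow_graph line this report prints for the
# GetProcAddress wrapper at 0x2632a9, copied verbatim from the page.
SAMPLE_CFG = (
    "308 2632a9-2632d1 309 2632d7-2632d9 308->309 310 2632d3-2632d5 308->310 "
    "312 2632df-2632e6 call 2631de 309->312 313 2632db-2632dd 309->313 "
    "311 263328-26332b 310->311 315 2632eb-2632ef 312->315 313->311 "
    "316 2632f1-2632ff GetProcAddress 315->316 317 26330e-263325 315->317 "
    "316->317 319 263301-26330c call 25fcc5 316->319 318 263327 317->318 "
    "318->311 319->318"
)
_EDGE = re.compile(r"^(\d+)->(\d+)$")
_RANGE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")

@dataclass
class Block:
    start: int                                 # address of the first instruction
    end: int                                   # address of the last instruction
    calls: list = field(default_factory=list)  # internal call targets (addresses)
    apis: list = field(default_factory=list)   # imported API names called here

@dataclass
class CFG:
    blocks: dict = field(default_factory=dict)  # node id -> Block, in dump order
    edges: list = field(default_factory=list)   # (src id, dst id), in dump order

def parse_cfg(text: str) -> CFG:
    """Assumed grammar (inferred from the dump, not vendor-documented): node := <decimal id>
    <hex start>[-<hex end>] ('call' <hex addr> | <ApiName>)*; edge := <id>-><id>."""
    toks, cfg, cur, i = text.split(), CFG(), None, 0
    while i < len(toks):
        tok = toks[i]
        if edge := _EDGE.match(tok):
            cfg.edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
        elif tok.isdigit() and i + 1 < len(toks) and (rng := _RANGE.match(toks[i + 1])):
            start = int(rng.group(1), 16)          # a lone address means a one-instruction block
            cur = int(tok)
            cfg.blocks[cur] = Block(start, int(rng.group(2), 16) if rng.group(2) else start)
            i += 2
        elif cur is None:
            raise ValueError(f"annotation {tok!r} before any node definition")
        elif tok == "call":                        # annotations attach to the latest node
            cfg.blocks[cur].calls.append(int(toks[i + 1], 16))
            i += 2
        else:
            cfg.blocks[cur].apis.append(tok)
            i += 1
    return cfg

def _successors(cfg: CFG) -> dict:
    succ = {bid: [] for bid in cfg.blocks}
    for src, dst in cfg.edges:                     # KeyError here = edge from an undefined node
        succ[src].append(dst)
    return succ

def entry_blocks(cfg: CFG) -> list:
    """Blocks with no predecessor: the function entry (more than one means a broken graph)."""
    targets = {dst for _, dst in cfg.edges}
    return [bid for bid in cfg.blocks if bid not in targets]

def exit_blocks(cfg: CFG) -> list:
    """Blocks with no successor: returns, tail jumps or calls that never return."""
    sources = {src for src, _ in cfg.edges}
    return [bid for bid in cfg.blocks if bid not in sources]

def api_call_sites(cfg: CFG) -> list:
    """(api name, block id, block start address) for each imported-API call."""
    return [(api, bid, blk.start) for bid, blk in cfg.blocks.items() for api in blk.apis]

def internal_call_targets(cfg: CFG) -> list:
    """Subroutines this function calls; each has its own entry elsewhere in the report."""
    return [addr for blk in cfg.blocks.values() for addr in blk.calls]

def shortest_path(cfg: CFG, src: int, dst: int) -> list:
    """Fewest-edge path of block ids from src to dst (BFS), or [] if dst is unreachable."""
    succ, prev, queue = _successors(cfg), {src: None}, deque([src])
    while queue:
        bid = queue.popleft()
        if bid == dst:
            path = []
            while bid is not None:
                path.append(bid)
                bid = prev[bid]
            return path[::-1]
        for nxt in succ[bid]:
            if nxt not in prev:
                prev[nxt] = bid
                queue.append(nxt)
    return []
```

On this input the parser yields 11 blocks and 14 edges with a single entry (308) and a single exit (311); the only import call is GetProcAddress in block 316 at 0x2632f1, reached from the entry via 308, 309, 312, 315, and the two internal targets 0x2631de and 0x25fcc5 are the subroutines to open next in their own report entries. A block that `shortest_path` cannot reach from the entry is either dead code or a disassembly error. The same parser applies unchanged to the other graph lines on this page, including ones with several `call` annotations on one block.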

                  Control-flow Graph

                  control_flow_graph 322 26575c-26577b 323 265955 322->323 324 265781-265783 322->324 327 265957-26595b 323->327 325 265785-2657a4 call 25c892 324->325 326 2657af-2657d5 324->326 335 2657a7-2657aa 325->335 328 2657d7-2657d9 326->328 329 2657db-2657e1 326->329 328->329 331 2657e3-2657ed 328->331 329->325 329->331 333 2657ef-2657fa call 266ce2 331->333 334 2657fd-265808 call 2652e0 331->334 333->334 340 26584a-26585c 334->340 341 26580a-26580f 334->341 335->327 342 26585e-265864 340->342 343 2658ad-2658cd WriteFile 340->343 344 265834-265848 call 264ea6 341->344 345 265811-265815 341->345 349 265866-265869 342->349 350 26589b-2658a6 call 26535e 342->350 346 2658cf-2658d5 GetLastError 343->346 347 2658d8 343->347 361 26582d-26582f 344->361 351 26591d-26592f 345->351 352 26581b-26582a call 265278 345->352 346->347 354 2658db-2658e6 347->354 355 26586b-26586e 349->355 356 265889-265899 call 265522 349->356 367 2658ab 350->367 357 265931-265937 351->357 358 265939-26594b 351->358 352->361 362 265950-265953 354->362 363 2658e8-2658ed 354->363 355->351 364 265874-26587f call 265439 355->364 372 265884-265887 356->372 357->323 357->358 358->335 361->354 362->327 368 2658ef-2658f4 363->368 369 26591b 363->369 364->372 367->372 373 2658f6-265908 368->373 374 26590d-265916 call 25f550 368->374 369->351 372->361 373->335 374->335
                  APIs
                    • Part of subcall function 00264EA6: GetConsoleOutputCP.KERNEL32(EC2C6136,00000000,00000000,00000000), ref: 00264F09
                  • WriteFile.KERNEL32(?,00000000,00000000,0025E210,00000000,00000000,00000000,00000000,00000000,?,0025E210,00000000,00000000,0027A8F8,00000010,00000000), ref: 002658C5
                  • GetLastError.KERNEL32(?,0025E210,00000000,00000000,0027A8F8,00000010,00000000,00000000,00000000,00000000,00000000,00000000), ref: 002658CF
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: ConsoleErrorFileLastOutputWrite
                  • String ID:
                  • API String ID: 2915228174-0
                  • Opcode ID: 7449d389dfe4e5a62fd4454dca353f409431365a941d576078ae4f56382b9e35
                  • Instruction ID: 86139bfd2d393ec666b5b28ea1be2c3ccb2cbfe69c64537cffdde2be7d9a03d5
                  • Opcode Fuzzy Hash: 7449d389dfe4e5a62fd4454dca353f409431365a941d576078ae4f56382b9e35
                  • Instruction Fuzzy Hash: C961D471D2056AAFDF11CFA8C844EEEBBB9AF09314F144095E804A7252D371D9A1CFA0

                  Control-flow Graph

                  control_flow_graph 377 2513cb-2513fe call 258161 call 25d420 382 251416-251421 377->382 383 251400 377->383 386 251424-251434 call 25277e 382->386 384 251410-251414 383->384 385 251402-251404 383->385 384->386 385->382 387 251406-251408 385->387 392 251436-25143b 386->392 393 251440-251454 386->393 387->382 389 25140a 387->389 389->384 391 25140c-25140e 389->391 391->382 391->384 394 251545-25156f call 2545c5 call 252b1a call 2580d5 392->394 395 251456 393->395 396 251492-2514a2 call 257690 393->396 398 251459-25145b 395->398 402 2514a5-2514a8 396->402 399 251490 398->399 400 25145d 398->400 399->396 403 251463-25147a call 254c21 400->403 404 25145f-251461 400->404 406 2514ef-2514f4 402->406 407 2514aa-2514ac 402->407 403->406 415 25147c-25148e 403->415 404->399 404->403 409 2514f7-251508 406->409 407->406 411 2514ae 407->411 409->394 414 2514b1-2514b3 411->414 417 2514b5 414->417 418 2514e8-2514ed 414->418 415->398 419 2514b7-2514b9 417->419 420 2514bb-2514d2 call 254c21 417->420 418->409 419->418 419->420 420->406 423 2514d4-2514e6 420->423 423->414
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: H_prolog3_catch_strlen
                  • String ID:
                  • API String ID: 3133806014-0
                  • Opcode ID: 3184da69244dcc2bd11f65de90fda42702f86215b96422158414467251cdb7b3
                  • Instruction ID: 6aab51c19f62895065f08550e79a916d5cfc621b9527645d8922799c9d8dae5e
                  • Opcode Fuzzy Hash: 3184da69244dcc2bd11f65de90fda42702f86215b96422158414467251cdb7b3
                  • Instruction Fuzzy Hash: 2B51C271E205158FCB20DFA8C880AADB7F1BF48325B25525AEC24EB392D770DC69CB55

                  Control-flow Graph

                  control_flow_graph 425 2639b2-2639b7 426 2639b9-2639d1 425->426 427 2639d3-2639d7 426->427 428 2639df-2639e8 426->428 427->428 429 2639d9-2639dd 427->429 430 2639fa 428->430 431 2639ea-2639ed 428->431 432 263a54-263a58 429->432 435 2639fc-263a09 GetStdHandle 430->435 433 2639f6-2639f8 431->433 434 2639ef-2639f4 431->434 432->426 438 263a5e-263a61 432->438 433->435 434->435 436 263a36-263a48 435->436 437 263a0b-263a0d 435->437 436->432 440 263a4a-263a4d 436->440 437->436 439 263a0f-263a18 GetFileType 437->439 439->436 441 263a1a-263a23 439->441 440->432 442 263a25-263a29 441->442 443 263a2b-263a2e 441->443 442->432 443->432 444 263a30-263a34 443->444 444->432
                  APIs
                  • GetStdHandle.KERNEL32(000000F6), ref: 002639FE
                  • GetFileType.KERNELBASE(00000000), ref: 00263A10
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileHandleType
                  • String ID:
                  • API String ID: 3000768030-0
                  • Opcode ID: 905d2a96b2ecc3316d2237ccaf5b1870182c8470f753c07cd2f59f67bc2320dc
                  • Instruction ID: ca699dd72b0c885909dbed5796edbe1c175b07cdeb224150148499fdb42ecef5
                  • Opcode Fuzzy Hash: 905d2a96b2ecc3316d2237ccaf5b1870182c8470f753c07cd2f59f67bc2320dc
                  • Instruction Fuzzy Hash: 47118B325247424AC730CE7E9C8D522BA94A755330B34071ED5F6C65F1C670DEE9E541

                  Control-flow Graph

                  control_flow_graph 445 263678-263687 call 2631aa 448 2636b0-2636ca call 2636d5 LCMapStringW 445->448 449 263689-2636ae LCMapStringEx 445->449 453 2636d0-2636d2 448->453 449->453
                  APIs
                  • LCMapStringEx.KERNELBASE(?,002649CB,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 002636AC
                  • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,002649CB,?,?,00000000,?,00000000), ref: 002636CA
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: String
                  • String ID:
                  • API String ID: 2568140703-0
                  • Opcode ID: 23e5b590f82b200af7bc20df6e0f16f51b21623646018fe8d68ce901c95e0bc0
                  • Instruction ID: bd57ee9a75a68da3455bfb8aee60d8cf9bcc41b7ba4b59ad0c71ce6c95bd4c31
                  • Opcode Fuzzy Hash: 23e5b590f82b200af7bc20df6e0f16f51b21623646018fe8d68ce901c95e0bc0
                  • Instruction Fuzzy Hash: 6AF07A3651011ABBCF129F91EC09EDE3F2AEF483A0F058010FE1925120CB32D9B1AF98
                  APIs
                  • CreateThread.KERNELBASE(00000000,00000000,Function_00020649,00000000,00000000,00000000), ref: 00270639
                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00270642
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateObjectSingleThreadWait
                  • String ID:
                  • API String ID: 1891408510-0
                  • Opcode ID: 3a2b520e90306ae3e219e46d3cf2c3f2581db6bdf8a24c2f76282478591e4bb5
                  • Instruction ID: ca7f6282568069830c176f4d1ba73f7123a63a2be5afcaba7d9e157a59f164f5
                  • Opcode Fuzzy Hash: 3a2b520e90306ae3e219e46d3cf2c3f2581db6bdf8a24c2f76282478591e4bb5
                  • Instruction Fuzzy Hash: 5EC092F4954240BEBE0017B86D0CC37351CEA413623200B007D29D20E8D9348CA08634
                  APIs
                  • RtlAllocateHeap.NTDLL(00000000,00254E80,?,?,0025929A,?,?,?,?,?,00252617,00254E80,?,?,?,?), ref: 002637F5
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: c6233d6f7a82240e3783bde4ed5662a56c5c5984a4b4f13bd012d5d8c3f08a10
                  • Instruction ID: edb98af7c0ca4fe91e83aed80844c615df28083e29a8af5c15c8b1cc14879dad
                  • Opcode Fuzzy Hash: c6233d6f7a82240e3783bde4ed5662a56c5c5984a4b4f13bd012d5d8c3f08a10
                  • Instruction Fuzzy Hash: 43E0E57563065266EB21AE65AC04B9B7E8DAF413B1F100221FC099B4C0DB71CDE086E5
                  APIs
                  • FreeConsole.KERNELBASE(00258379,00000000,00000000,00000000,0027A770,00000014), ref: 00270705
                    • Part of subcall function 0027062D: CreateThread.KERNELBASE(00000000,00000000,Function_00020649,00000000,00000000,00000000), ref: 00270639
                    • Part of subcall function 0027062D: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00270642
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: ConsoleCreateFreeObjectSingleThreadWait
                  • String ID:
                  • API String ID: 973188901-0
                  • Opcode ID: 52e45cdcef0756c90c3dffaa33bfd3a4a3ccfb6c417d9a67a7eecd9a8cb1c5ff
                  • Instruction ID: a4b64c28eaffa387d1b56b9da81dd080b011a78028ab983529ad235813c3c1d7
                  • Opcode Fuzzy Hash: 52e45cdcef0756c90c3dffaa33bfd3a4a3ccfb6c417d9a67a7eecd9a8cb1c5ff
                  • Instruction Fuzzy Hash: 3F9002A5131040C687402734BD9D11A26545A84303B10D5A0B619C0025DF6044B45920
                  APIs
                    • Part of subcall function 00262790: GetLastError.KERNEL32(?,00000008,00262D8F), ref: 00262794
                    • Part of subcall function 00262790: SetLastError.KERNEL32(00000000,00254E80,00000002,000000FF), ref: 00262836
                  • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0026B6D8
                  • IsValidCodePage.KERNEL32(00000000), ref: 0026B721
                  • IsValidLocale.KERNEL32(?,00000001), ref: 0026B730
                  • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0026B778
                  • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0026B797
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                  • String ID: N'$6a,
                  • API String ID: 415426439-2590016995
                  • Opcode ID: 77f3f980cc4aecf6916104f34ec04907a3fb7827d586f0ca064c1e45ec51527a
                  • Instruction ID: 1672a29bd19cd2d3ed18b7ec33369f6372c0fd680efd2b92e9fe8df7d5dd6a92
                  • Opcode Fuzzy Hash: 77f3f980cc4aecf6916104f34ec04907a3fb7827d586f0ca064c1e45ec51527a
                  • Instruction Fuzzy Hash: 22517071A20206ABDB12EFA5DC45ABE77BCFF14700F144029E915EB191EBB0D9E4CB61
                  APIs
                    • Part of subcall function 00262790: GetLastError.KERNEL32(?,00000008,00262D8F), ref: 00262794
                    • Part of subcall function 00262790: SetLastError.KERNEL32(00000000,00254E80,00000002,000000FF), ref: 00262836
                  • GetACP.KERNEL32(?,?,?,?,?,?,0026133E,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0026AD29
                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0026133E,?,?,?,00000055,?,-00000050,?,?), ref: 0026AD54
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0026AEB7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$CodeInfoLocalePageValid
                  • String ID: N'$6a,$utf8
                  • API String ID: 607553120-2421541106
                  • Opcode ID: 717f910322eb4cef71c407521390aa3eb6a4cdaa073269b5ff2cfe8d74e71dc5
                  • Instruction ID: 92382c9fb6b0caec334b1eec2de2aee8092390f08d3c4119d736c35c9044205b
                  • Opcode Fuzzy Hash: 717f910322eb4cef71c407521390aa3eb6a4cdaa073269b5ff2cfe8d74e71dc5
                  • Instruction Fuzzy Hash: BA71D971A20706AADB25AF74CC46B6A73ACEF45710F144039F505E7181FB75E9E08F62
                  APIs
                  • GetLocaleInfoW.KERNEL32(?,2000000B,0026B715,00000002,00000000,?,?,?,0026B715,?,00000000), ref: 0026B490
                  • GetLocaleInfoW.KERNEL32(?,20001004,0026B715,00000002,00000000,?,?,?,0026B715,?,00000000), ref: 0026B4B9
                  • GetACP.KERNEL32(?,?,0026B715,?,00000000), ref: 0026B4CE
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: InfoLocale
                  • String ID: ACP$OCP
                  • API String ID: 2299586839-711371036
                  • Opcode ID: deb1c104a461dee895f2e1332450d68eb5c2d050eacd7fd7e3e0ca131d4a72ec
                  • Instruction ID: d3840a8b613506e0014e990ec232aaf50e8d557eda68df73c42bee4d56b6c679
                  • Opcode Fuzzy Hash: deb1c104a461dee895f2e1332450d68eb5c2d050eacd7fd7e3e0ca131d4a72ec
                  • Instruction Fuzzy Hash: 78218332A30102E6DB368F54C925BA773A6EF54BA4B568474E90ADB116EF32DDE0C350
                  APIs
                    • Part of subcall function 00262790: GetLastError.KERNEL32(?,00000008,00262D8F), ref: 00262794
                    • Part of subcall function 00262790: SetLastError.KERNEL32(00000000,00254E80,00000002,000000FF), ref: 00262836
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0026B0CF
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0026B119
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0026B1DF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: InfoLocale$ErrorLast
                  • String ID: 6a,
                  • API String ID: 661929714-1499783603
                  • Opcode ID: 33ce0d1ac09fdd324b403a31516cd2923cfb2939ad811741098dcedeb7f8c555
                  • Instruction ID: 9a4f365147c509b9554335a0e631e0c5877766aeb48f987cc8cc76f656b43809
                  • Opcode Fuzzy Hash: 33ce0d1ac09fdd324b403a31516cd2923cfb2939ad811741098dcedeb7f8c555
                  • Instruction Fuzzy Hash: 23618F719602079FEB2A9F28CC92BBA77E8EF05300F1041B9ED09D6585EB74D9E5CB50
                  APIs
                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00254E80), ref: 0025C80B
                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00254E80), ref: 0025C815
                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00254E80), ref: 0025C822
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                  • String ID: 6a,
                  • API String ID: 3906539128-1499783603
                  • Opcode ID: d9f10975ad87952294ded54349b7a6a8f000360701edea0df2934c141c7a8828
                  • Instruction ID: 723f660b1e5140b4436bf39aa50d8b8752de928a98118b2a98b3d22e1fc43a9a
                  • Opcode Fuzzy Hash: d9f10975ad87952294ded54349b7a6a8f000360701edea0df2934c141c7a8828
                  • Instruction Fuzzy Hash: 6D31D3749112289BCB21DF28DC8979DBBB8BF18311F5041EAE80CA7250EB709B95CF48
                  APIs
                  • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 0025873A
                  • IsDebuggerPresent.KERNEL32 ref: 00258806
                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0025881F
                  • UnhandledExceptionFilter.KERNEL32(?), ref: 00258829
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                  • String ID:
                  • API String ID: 254469556-0
                  • Opcode ID: 5539136cce2ffc4daed4a80ab6b17d7166fd18846cb9763005bdb0292a3265ef
                  • Instruction ID: a0d0b706a3fb9659d40c598f41e3a70b1e358baaeae17141e2ec691503a2682c
                  • Opcode Fuzzy Hash: 5539136cce2ffc4daed4a80ab6b17d7166fd18846cb9763005bdb0292a3265ef
                  • Instruction Fuzzy Hash: EA31F675D1521D9BDB20EFA4D949BCDBBB8AF08301F1041AAE80CAB250EB709AD4CF45
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 6a,
                  • API String ID: 0-1499783603
                  • Opcode ID: adfa3f483b91ce66a9de569370d1c06829053871cd211c7d802c8b49061cfefe
                  • Instruction ID: f75d0851c15904d190e5b625807f0053c9e0b289e271f9e2ac99ce34d0c5d2cd
                  • Opcode Fuzzy Hash: adfa3f483b91ce66a9de569370d1c06829053871cd211c7d802c8b49061cfefe
                  • Instruction Fuzzy Hash: DB41B1B581421DAECF20DF69DC89EAABBB9EF45304F1442D9E40DD3201EA359E958F10
                  APIs
                    • Part of subcall function 00262790: GetLastError.KERNEL32(?,00000008,00262D8F), ref: 00262794
                    • Part of subcall function 00262790: SetLastError.KERNEL32(00000000,00254E80,00000002,000000FF), ref: 00262836
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0026B322
                  Strings
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$InfoLocale
                  • String ID: 6a,
                  • API String ID: 3736152602-1499783603
                  • Opcode ID: 9ee04b07554c3a3f732229b2591af15bd76336418b2bf18f3f369de1d1edd500
                  • Instruction ID: e5f1ef78242d1cd09ad8a98752e157da1d2bb2be18221232e11187ce055c8545
                  • Opcode Fuzzy Hash: 9ee04b07554c3a3f732229b2591af15bd76336418b2bf18f3f369de1d1edd500
                  • Instruction Fuzzy Hash: E6219272A35207ABDF299E25DC42A7A73ACEF44314B1040BAFD05D6241EB74EDF48B50
                  APIs
                    • Part of subcall function 00262790: GetLastError.KERNEL32(?,00000008,00262D8F), ref: 00262794
                    • Part of subcall function 00262790: SetLastError.KERNEL32(00000000,00254E80,00000002,000000FF), ref: 00262836
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0026AEB7
                  Strings
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$InfoLocale
                  • String ID: N'$6a,$utf8
                  • API String ID: 3736152602-2421541106
                  • Opcode ID: 2a6329d80223566c471041e7d2e2205e43cf78f9943c123f980fb46d19c43c84
                  • Instruction ID: 4d1183dd7d29d8c8a1c3d9a39ca090882b3392fd4403787652304d7c50477e2f
                  • Opcode Fuzzy Hash: 2a6329d80223566c471041e7d2e2205e43cf78f9943c123f980fb46d19c43c84
                  • Instruction Fuzzy Hash: 7EF0FC32A20205EBC715AF78DC4AEBE73ECDF49311F10407EB606E7281DA74AD588B95
                  APIs
                    • Part of subcall function 0025D528: EnterCriticalSection.KERNEL32(-00088158,?,0025FAED,00000000,0027AA38,0000000C,0025FAB4,?,?,00262FDE,?,?,0026292E,00000001,00000364,00254E80), ref: 0025D537
                  • EnumSystemLocalesW.KERNEL32(00263008,00000001,0027AC28,0000000C,00263437,00000000), ref: 0026304D
                  Strings
                  Yara matches
                  Similarity
                  • API ID: CriticalEnterEnumLocalesSectionSystem
                  • String ID: 6a,
                  • API String ID: 1272433827-1499783603
                  • Opcode ID: a6681c6279a0e53dbb49dcea2968cc7a6424275ac597c1fb03951e4fe8540a5a
                  • Instruction ID: b7622d799063e40357a6d1bc106bf4dc7d3c0f87fbf633bfe388feda3ffe66b3
                  • Opcode Fuzzy Hash: a6681c6279a0e53dbb49dcea2968cc7a6424275ac597c1fb03951e4fe8540a5a
                  • Instruction Fuzzy Hash: B2F04936A20204EFD700DF98E846B9D7BB0EB85B22F10406BF815DB2A1DBB54958CF46
                  APIs
                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,?,?,?,002670F5,?,?,?,?,?,?,00000000), ref: 00267327
                  Yara matches
                  Similarity
                  • API ID: ExceptionRaise
                  • String ID:
                  • API String ID: 3997070919-0
                  • Opcode ID: 7c93238af9de553adf8ddaaf787ed3a3ccab1d929be41eabd7fcb56b698c618a
                  • Instruction ID: 32ad9cc8a23aea5e298a266795ec4bd489574a97e9c52609f23f4ae46598f75c
                  • Opcode Fuzzy Hash: 7c93238af9de553adf8ddaaf787ed3a3ccab1d929be41eabd7fcb56b698c618a
                  • Instruction Fuzzy Hash: 89B15E31224609CFD715CF28D496B657BE0FF45368F258699F89ACF2A1C335E9A1CB40
                  APIs
                  • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0025853B
                  Yara matches
                  Similarity
                  • API ID: FeaturePresentProcessor
                  • String ID:
                  • API String ID: 2325560087-0
                  • Opcode ID: e1904938c8f6db7d3e86123c53a19754140ad81b9715cf7b774fd49cc9f38440
                  • Instruction ID: 986f0c3b55cc7d4c77faf7d288625fe9316632b2fbeb8e1c7cc068af620106ab
                  • Opcode Fuzzy Hash: e1904938c8f6db7d3e86123c53a19754140ad81b9715cf7b774fd49cc9f38440
                  • Instruction Fuzzy Hash: BC5169B1D212168FDB14CF58E89A6AABBF8FB48305F24806BD801EB294D7B5DD14CF54
                  Strings
                  Yara matches
                  Similarity
                  • API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
                  • String ID: 6a,
                  • API String ID: 3471368781-1499783603
                  • Opcode ID: c2f40b862bf615bca4c868a736c68a90fafd1cccccd96b13a51c61e8f365d12d
                  • Instruction ID: 08d515a657180be17d84246a447a7b61975f762d45c3e3d8b931cd33ec6d286f
                  • Opcode Fuzzy Hash: c2f40b862bf615bca4c868a736c68a90fafd1cccccd96b13a51c61e8f365d12d
                  • Instruction Fuzzy Hash: 70B106355207069BDB38AF24CC92AB7B3E8EF44308F64452DE983D7580EAB4A9D5CF51
                  APIs
                    • Part of subcall function 00262790: GetLastError.KERNEL32(?,00000008,00262D8F), ref: 00262794
                    • Part of subcall function 00262790: SetLastError.KERNEL32(00000000,00254E80,00000002,000000FF), ref: 00262836
                  • EnumSystemLocalesW.KERNEL32(0026B07B,00000001,00000000,?,-00000050,?,0026B6AC,00000000,?,?,?,00000055,?), ref: 0026AFC7
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$EnumLocalesSystem
                  • String ID:
                  • API String ID: 2417226690-0
                  • Opcode ID: 491732872b838d5e567e6d4daa68bcb78efa76d86e68f951bf1d01070a500151
                  • Instruction ID: 3ce8649b31d3befaffaffea01d01fea45c2b138dfdc32b8877507294ab55fcff
                  • Opcode Fuzzy Hash: 491732872b838d5e567e6d4daa68bcb78efa76d86e68f951bf1d01070a500151
                  • Instruction Fuzzy Hash: D7110C7B6107059FDB189F39C89167ABB91FF84358B14442DE94797A40D372B993CB40
                  APIs
                    • Part of subcall function 00262790: GetLastError.KERNEL32(?,00000008,00262D8F), ref: 00262794
                    • Part of subcall function 00262790: SetLastError.KERNEL32(00000000,00254E80,00000002,000000FF), ref: 00262836
                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0026B297,00000000,00000000,?), ref: 0026B529
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$InfoLocale
                  • String ID:
                  • API String ID: 3736152602-0
                  • Opcode ID: 56a00fc3d020393aa3e4f5b04a13747678b50c09fbc83564087b2a7f2323a51f
                  • Instruction ID: 5c30bbe291ee828418a5813ea460959db052a77cd9b2f77855a9f53193db37e2
                  • Opcode Fuzzy Hash: 56a00fc3d020393aa3e4f5b04a13747678b50c09fbc83564087b2a7f2323a51f
                  • Instruction Fuzzy Hash: ECF0F932920216ABDB259E34C805AFB7768EB40754F540425ED07F3150FB74FDD1C590
                  APIs
                    • Part of subcall function 00262790: GetLastError.KERNEL32(?,00000008,00262D8F), ref: 00262794
                    • Part of subcall function 00262790: SetLastError.KERNEL32(00000000,00254E80,00000002,000000FF), ref: 00262836
                  • EnumSystemLocalesW.KERNEL32(0026B2CE,00000001,?,?,-00000050,?,0026B670,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0026B03A
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$EnumLocalesSystem
                  • String ID:
                  • API String ID: 2417226690-0
                  • Opcode ID: 1797dfb00013f5abb90d2760cf2fb5cd70e13f1bf513f56be315713222f795a6
                  • Instruction ID: 72d11fcfcbc15bc00f959d4de90000564d5ebbc25b31baf64819f1894d79cfce
                  • Opcode Fuzzy Hash: 1797dfb00013f5abb90d2760cf2fb5cd70e13f1bf513f56be315713222f795a6
                  • Instruction Fuzzy Hash: 26F046362203059FCB255F389C81B7BBF91EF80368B14842CF9058B680C371ACD2CA00
                  APIs
                    • Part of subcall function 00262790: GetLastError.KERNEL32(?,00000008,00262D8F), ref: 00262794
                    • Part of subcall function 00262790: SetLastError.KERNEL32(00000000,00254E80,00000002,000000FF), ref: 00262836
                  • EnumSystemLocalesW.KERNEL32(0026AE63,00000001,?,?,?,0026B6CE,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0026AF41
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$EnumLocalesSystem
                  • String ID:
                  • API String ID: 2417226690-0
                  • Opcode ID: d062736d6c1354e8aa2d786322a514b69e8890826b48f7738288397278650b83
                  • Instruction ID: e1edebfaf8eba86271ae25f8d4d503673aec413b5ff5d6153033f0bd28d12183
                  • Opcode Fuzzy Hash: d062736d6c1354e8aa2d786322a514b69e8890826b48f7738288397278650b83
                  • Instruction Fuzzy Hash: B4F0553A71020657CB04AF39D889B6ABF94EFC2720B064058EE099B640C2729892CB91
                  APIs
                  • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00261EA4,?,20001004,00000000,00000002,?,?,002614A6), ref: 0026356F
                  Yara matches
                  Similarity
                  • API ID: InfoLocale
                  • String ID:
                  • API String ID: 2299586839-0
                  • Opcode ID: 908fb8171db6e0046af88b602ac10dae61d9cf5392f24b316daf62c3f3202364
                  • Instruction ID: ddeb35e5b55dbf3a3679e2c99309695b29f3b937e4e0c3eb48711a807b293356
                  • Opcode Fuzzy Hash: 908fb8171db6e0046af88b602ac10dae61d9cf5392f24b316daf62c3f3202364
                  • Instruction Fuzzy Hash: 3CE04F35510218BBCF12AF65EC08A9E7F29EF497A1F544010FD0A66260CB728AB0AA94
                  APIs
                  • SetUnhandledExceptionFilter.KERNEL32(Function_00008896,00258272), ref: 0025888F
                  Yara matches
                  Similarity
                  • API ID: ExceptionFilterUnhandled
                  • String ID:
                  • API String ID: 3192549508-0
                  • Opcode ID: 9ab50a556b021a94aa44fbc0d58b339f41e7cb257a1dbe05b0461612621f45c9
                  • Instruction ID: e8f9a20431f3ae5dd85544dc5bd41e38eb92406403092a1966ff5f6a711e9da6
                  • Opcode Fuzzy Hash: 9ab50a556b021a94aa44fbc0d58b339f41e7cb257a1dbe05b0461612621f45c9
                  • Instruction Fuzzy Hash:
                  APIs
                  Yara matches
                  Similarity
                  • API ID: HeapProcess
                  • String ID:
                  • API String ID: 54951025-0
                  • Opcode ID: 6c11b0c0ee52e50e1fef8c7b08313ed25261a5ec1a86f0da872ff54dcafc939b
                  • Instruction ID: 488efa6ca7634c09ed11c91dcc1a296db0d1914d1adfbed709be6f8d560c0171
                  • Opcode Fuzzy Hash: 6c11b0c0ee52e50e1fef8c7b08313ed25261a5ec1a86f0da872ff54dcafc939b
                  • Instruction Fuzzy Hash: DAA01130A022008B83008F3ABA0E20A3BA8AA00280308002AA00CC8220EB2088A0AA80
                  APIs
                  • GetCPInfo.KERNEL32(010C05C8,010C05C8,?,7FFFFFFF,?,0026D8C9,010C05C8,010C05C8,?,010C05C8,?,?,?,?,010C05C8,?), ref: 0026D69F
                  • __alloca_probe_16.LIBCMT ref: 0026D75A
                  • __alloca_probe_16.LIBCMT ref: 0026D7E9
                  • __freea.LIBCMT ref: 0026D834
                  • __freea.LIBCMT ref: 0026D83A
                  • __freea.LIBCMT ref: 0026D870
                  • __freea.LIBCMT ref: 0026D876
                  • __freea.LIBCMT ref: 0026D886
                  Strings
                  Yara matches
                  Similarity
                  • API ID: __freea$__alloca_probe_16$Info
                  • String ID: 6a,
                  • API String ID: 127012223-1499783603
                  • Opcode ID: 147a49854d829b61841e766290da14439ce076014b5874fee664d47e3abc1c04
                  • Instruction ID: 69be809166c2b89c39e6a1a779273f11a0f6d7fc4278cd1e2e6a39471e6c95d6
                  • Opcode Fuzzy Hash: 147a49854d829b61841e766290da14439ce076014b5874fee664d47e3abc1c04
                  • Instruction Fuzzy Hash: 67713772F2420E9BDF219EA4DC45FAE77A9AF45314F280119EC04A7281D771DCA18BA1
                  APIs
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00257A03
                  • __alloca_probe_16.LIBCMT ref: 00257A2F
                  • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00257A6E
                  • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00257A8B
                  • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00257ACA
                  • __alloca_probe_16.LIBCMT ref: 00257AE7
                  • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00257B29
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00257B4C
                  Strings
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiStringWide$__alloca_probe_16
                  • String ID: 6a,
                  • API String ID: 2040435927-1499783603
                  • Opcode ID: c0bbc2ccd5d58c868b9e479c9878b69efc92ea7483243480abc1d40fd05a35c6
                  • Instruction ID: 65cee99c9bd5d92db75cafe17db39f3016eb5327ab466e971c29384c6a48eb52
                  • Opcode Fuzzy Hash: c0bbc2ccd5d58c868b9e479c9878b69efc92ea7483243480abc1d40fd05a35c6
                  • Instruction Fuzzy Hash: 7351D07256420BABEF204F64EC45FAF7BA9EF40746F104525FD04A6150E770CD68CB68
                  APIs
                  • type_info::operator==.LIBVCRUNTIME ref: 0025B791
                  • ___TypeMatch.LIBVCRUNTIME ref: 0025B89F
                  • _UnwindNestedFrames.LIBCMT ref: 0025B9F1
                  • CallUnexpected.LIBVCRUNTIME ref: 0025BA0C
                  Strings
                  Yara matches
                  Similarity
                  • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                  • String ID: csm$csm$csm$%'
                  • API String ID: 2751267872-1470287703
                  • Opcode ID: 5d86adc9815fc88aa827de48a20a7ae06fb87b4334eae1fc1333970ea39f18ff
                  • Instruction ID: 4d038d164756df558631d9be520b6b348664fb0fc483cd2ca3d86f284ec3807a
                  • Opcode Fuzzy Hash: 5d86adc9815fc88aa827de48a20a7ae06fb87b4334eae1fc1333970ea39f18ff
                  • Instruction Fuzzy Hash: 78B16B7182020ADFCF16DFA4C8859AEBBB5FF18312F14405AED146B212D730DA69CF99
                  Strings
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: $P%
                  • API String ID: 0-3100162476
                  • Opcode ID: b742f590390221b67627f0ac6c707ac805a7ec43c553cbbb1e4f100636a52990
                  • Instruction ID: 8c4e76e19737ca6c9d094466972cadb61edfd01a796e51780b4e2f64a373b980
                  • Opcode Fuzzy Hash: b742f590390221b67627f0ac6c707ac805a7ec43c553cbbb1e4f100636a52990
                  • Instruction Fuzzy Hash: 42B12670E24246AFDB11DFA8C888BBDBBB1FF49300F144169E844AB291C7719DA5CF61
                  APIs
                  • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00257CEA
                  • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00257CF8
                  • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00257D09
                  • GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00257D1A
                  Strings
                  Yara matches
                  Similarity
                  • API ID: AddressProc$HandleModule
                  • String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
                  • API String ID: 667068680-1247241052
                  • Opcode ID: fae115b7efd16f7078e25fdf39877cf027cb867a279a820c1c02df0a58ed6e36
                  • Instruction ID: 75c1342769c6553ac38cce44ced9c15070d49482d7f97852336984b7dcbd8aa5
                  • Opcode Fuzzy Hash: fae115b7efd16f7078e25fdf39877cf027cb867a279a820c1c02df0a58ed6e36
                  • Instruction Fuzzy Hash: 8EE0ECB196A251EFC7109FB8BC1F9963BE4EE0A7157108113FA09D2160E67048E4CB61
                  APIs
                  • _ValidateLocalCookies.LIBCMT ref: 0025B177
                  • ___except_validate_context_record.LIBVCRUNTIME ref: 0025B17F
                  • _ValidateLocalCookies.LIBCMT ref: 0025B208
                  • __IsNonwritableInCurrentImage.LIBCMT ref: 0025B233
                  • _ValidateLocalCookies.LIBCMT ref: 0025B288
                  Strings
                  Yara matches
                  Similarity
                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                  • String ID: 6a,$csm
                  • API String ID: 1170836740-1036119200
                  • Opcode ID: d1d7cd8d30827704b2da632078697a928c0c5158c79abc8a9a346c1a014f4c81
                  • Instruction ID: ad64623d1bee242e1e1676eeb1fccd52e07c5688e9e321429da77a4dd5b661e5
                  • Opcode Fuzzy Hash: d1d7cd8d30827704b2da632078697a928c0c5158c79abc8a9a346c1a014f4c81
                  • Instruction Fuzzy Hash: F641B234A20209AFCF11DF68C855A9E7BB1EF45315F24C095EC18AB392D7319E29CFA5
                  APIs
                  • GetCurrentThreadId.KERNEL32 ref: 00255A15
                  • AcquireSRWLockExclusive.KERNEL32(00000000,?,002549A2,?,?,00253B2B), ref: 00255A34
                  • AcquireSRWLockExclusive.KERNEL32(00000000,?,00000000,?,002549A2,?,?,00253B2B), ref: 00255A62
                  • TryAcquireSRWLockExclusive.KERNEL32(00000000,?,00000000,?,002549A2,?,?,00253B2B), ref: 00255ABD
                  • TryAcquireSRWLockExclusive.KERNEL32(00000000,?,00000000,?,002549A2,?,?,00253B2B), ref: 00255AD4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: AcquireExclusiveLock$CurrentThread
                  • String ID: 6a,
                  • API String ID: 66001078-1499783603
                  • Opcode ID: 4d4c618ee9760c792419f3e0d1ed72b13cb9e3e6f01fbbec016853954a676004
                  • Instruction ID: 1ed210e54782266ef6efa6c124859c2b99b8282af2d7fff846990bcad8e97fab
                  • Opcode Fuzzy Hash: 4d4c618ee9760c792419f3e0d1ed72b13cb9e3e6f01fbbec016853954a676004
                  • Instruction Fuzzy Hash: 01413B35920A2ADFCB24DF65C4E596AB3F5FF08312B20462AEC46D7540D770F9A8CB58
                  APIs
                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,EC2C6136,?,?,00000000,0026F0FA,000000FF,?,0025FE8C,?,?,0025FE60,00000016), ref: 0025FF31
                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0025FF43
                  • FreeLibrary.KERNEL32(00000000,?,00000000,0026F0FA,000000FF,?,0025FE8C,?,?,0025FE60,00000016), ref: 0025FF65
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressFreeHandleLibraryModuleProc
                  • String ID: 6a,$CorExitProcess$mscoree.dll
                  • API String ID: 4061214504-4024719385
                  • Opcode ID: 6ae6d064f04ade9b51a3a000d2cdc4f3afdb1e0627a23eb451e03d7ca6c1292a
                  • Instruction ID: e526af323784b7aab25ad531cb4f8cf207effb308fd7b76920113bdff03bd685
                  • Opcode Fuzzy Hash: 6ae6d064f04ade9b51a3a000d2cdc4f3afdb1e0627a23eb451e03d7ca6c1292a
                  • Instruction Fuzzy Hash: 7901FD31A24669AFCB119F54EC0ABAEBBB8FB05B11F004125EC16E2AD0DB758950CB90
                  APIs
                  • GetConsoleOutputCP.KERNEL32(EC2C6136,00000000,00000000,00000000), ref: 00264F09
                    • Part of subcall function 00267965: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00264A82,?,00000000,-00000008), ref: 00267A11
                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00265164
                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 002651AC
                  • GetLastError.KERNEL32 ref: 0026524F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                  • String ID: 6a,
                  • API String ID: 2112829910-1499783603
                  • Opcode ID: 4f6efde2c1727cf64bb5331368650e528b74645006f1210534fa57546a1afbed
                  • Instruction ID: 3e41bf0b8f86c2fbbd8959cc3439cbb5a3308bba2a661ebf23711c662b7faf69
                  • Opcode Fuzzy Hash: 4f6efde2c1727cf64bb5331368650e528b74645006f1210534fa57546a1afbed
                  • Instruction Fuzzy Hash: 51D19AB5E106589FCF05CFA8D890AADBBB5FF49300F18816AE866E7341D730A991CF50
                  APIs
                  • __EH_prolog3.LIBCMT ref: 0025661E
                  • std::_Lockit::_Lockit.LIBCPMT ref: 00256628
                  • int.LIBCPMT ref: 0025663F
                    • Part of subcall function 00252C1B: std::_Lockit::_Lockit.LIBCPMT ref: 00252C2C
                    • Part of subcall function 00252C1B: std::_Lockit::~_Lockit.LIBCPMT ref: 00252C46
                  • codecvt.LIBCPMT ref: 00256662
                  • std::_Facet_Register.LIBCPMT ref: 00256679
                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00256699
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                  • String ID:
                  • API String ID: 712880209-0
                  • Opcode ID: 0cecf6f93d2f7ac4269e95bc54b588524820dac1ea781532841b79b7cd9dcaa1
                  • Instruction ID: 3471527e06ad1946ca41ce32518be99af316575d6ef172ce08ffe0975dfbbbab
                  • Opcode Fuzzy Hash: 0cecf6f93d2f7ac4269e95bc54b588524820dac1ea781532841b79b7cd9dcaa1
                  • Instruction Fuzzy Hash: AC11E4319206268FCB04EF64D8466AEB7B4AF44326F60040AFC05E7381DF74AE59CF88
                  APIs
                  • GetLastError.KERNEL32(?,?,0025B2FB,002598C0,00255818,EC2C6136,?,?,?,?,0026EED3,000000FF), ref: 0025B312
                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0025B320
                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0025B339
                  • SetLastError.KERNEL32(00000000,?,0025B2FB,002598C0,00255818,EC2C6136,?,?,?,?,0026EED3,000000FF), ref: 0025B38B
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLastValue___vcrt_
                  • String ID:
                  • API String ID: 3852720340-0
                  • Opcode ID: 46943e4335a59450aa078109a595c893bc87d4d4e64dd103ad7e9774a22fac7c
                  • Instruction ID: 1b597613f8f7072210624762081781c249750d297e696b4c17e72af366af6d18
                  • Opcode Fuzzy Hash: 46943e4335a59450aa078109a595c893bc87d4d4e64dd103ad7e9774a22fac7c
                  • Instruction Fuzzy Hash: AC01F53253A3126E9B252AB47C4A96A2745EB01373330037BFE20A00F0FFB20C6D9549
                  APIs
                  • __alloca_probe_16.LIBCMT ref: 00255961
                  • RaiseException.KERNEL32(?,?,?,00254BEB,?,?,?,?,?,?,?,?,?,?,00254BEB,00000001), ref: 00255986
                    • Part of subcall function 002592F2: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,00254E8E,?,0027A210,?), ref: 00259352
                    • Part of subcall function 0025C98B: IsProcessorFeaturePresent.KERNEL32(00000017,0025C712,?,0025C681,00254E80,00000016,0025C890,?,?,?,?,?,00000000,?,?), ref: 0025C9A7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
                  • String ID: 6a,$csm$K%
                  • API String ID: 1924019822-1092551451
                  • Opcode ID: d5d63f157f7a0f61df6e84057ca805ac938017623098f25898affaf52ea17195
                  • Instruction ID: 7a907f92eb1b322f1d1dc7dd1109ca7b4c170934db1f3b94b2e767da9d1f8820
                  • Opcode Fuzzy Hash: d5d63f157f7a0f61df6e84057ca805ac938017623098f25898affaf52ea17195
                  • Instruction Fuzzy Hash: BD21C131C20629DBCF24DF95C895AAEB3B5FF40722F144409EC05AB150D734AD68CBC5
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00255F1C
                  • std::_Lockit::_Lockit.LIBCPMT ref: 00255F27
                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00255F95
                    • Part of subcall function 00256078: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00256090
                  • std::locale::_Setgloballocale.LIBCPMT ref: 00255F42
                  • _Yarn.LIBCPMT ref: 00255F58
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                  • String ID:
                  • API String ID: 1088826258-0
                  • Opcode ID: f18b7a798979657b23d1735fe21ecac83dd44c8d53aab6b12bf59f53fb7165fd
                  • Instruction ID: e845cf794f593b2cfc8a8db07f6a588c036523f1a9e6569afbe8d1004eed584f
                  • Opcode Fuzzy Hash: f18b7a798979657b23d1735fe21ecac83dd44c8d53aab6b12bf59f53fb7165fd
                  • Instruction Fuzzy Hash: A001B175A225218BC705EF20E85967D7771BF86751B644009EC01673C2DF346E6ACF89
                  APIs
                  • __alloca_probe_16.LIBCMT ref: 00264846
                  • GetStringTypeW.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,E8458D00), ref: 002648A4
                  • __freea.LIBCMT ref: 002648B3
                    • Part of subcall function 002637C3: RtlAllocateHeap.NTDLL(00000000,00254E80,?,?,0025929A,?,?,?,?,?,00252617,00254E80,?,?,?,?), ref: 002637F5
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocateHeapStringType__alloca_probe_16__freea
                  • String ID: 6a,
                  • API String ID: 2035984020-1499783603
                  • Opcode ID: f9c40312ad245e08f5e2b0fc80a0500a0174ff4b47ba0009b77e1145e5716f53
                  • Instruction ID: af8a8a738cc8ebec4c3697aeaf86b86b41a237d27d71ecf8d350e06c95d59c53
                  • Opcode Fuzzy Hash: f9c40312ad245e08f5e2b0fc80a0500a0174ff4b47ba0009b77e1145e5716f53
                  • Instruction Fuzzy Hash: D431BE71E2024AABDF21AF65DC49EAF7BA5EF44720F044128FD04A7251E774CDA4DBA0
                  APIs
                  • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 002682BA
                  • GetLastError.KERNEL32 ref: 002682C4
                  • __dosmaperr.LIBCMT ref: 002682CB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorFileLastModuleName__dosmaperr
                  • String ID: 6a,
                  • API String ID: 4076908705-1499783603
                  • Opcode ID: 91e33c7177dad845608a70ab0f1865368ad338dd42059c3b30bcf1735484b54e
                  • Instruction ID: c990be8005366bff9762fde4748cda66bae6b0c9328ad3aaa95d9b1b1586f596
                  • Opcode Fuzzy Hash: 91e33c7177dad845608a70ab0f1865368ad338dd42059c3b30bcf1735484b54e
                  • Instruction Fuzzy Hash: 78115E7191025CEBCB50DFA8EC4DBDEB7B8EF08304F1041D9E509E7240EA709A988F55
                  APIs
                  • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,0025C3B8,?,?,00000000,?,?,?,0025C4E2,00000002,FlsGetValue,00273070,FlsGetValue), ref: 0025C414
                  • GetLastError.KERNEL32(?,0025C3B8,?,?,00000000,?,?,?,0025C4E2,00000002,FlsGetValue,00273070,FlsGetValue,?,?,0025B325), ref: 0025C41E
                  • LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 0025C446
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad$ErrorLast
                  • String ID: api-ms-
                  • API String ID: 3177248105-2084034818
                  • Opcode ID: b3551b6645a834bd3ff46f5d1b5c66d41802ecfd3f682b2fb251b611fa0c8c82
                  • Instruction ID: 0a89ce3e16647c61ec700179c21873930b3a02fa4d0dc8d29d068be7911f2382
                  • Opcode Fuzzy Hash: b3551b6645a834bd3ff46f5d1b5c66d41802ecfd3f682b2fb251b611fa0c8c82
                  • Instruction Fuzzy Hash: C7E01230254349BAEF201F55ED0AF693A559F00B81F208060FD4CE44E1E77299B49685
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: AdjustPointer
                  • String ID:
                  • API String ID: 1740715915-0
                  • Opcode ID: 06232095c6ea6bfecd0242da060c3f3644fc8b44e4d3ae9873a1f678c117594d
                  • Instruction ID: 6d2296b45ea100617a47dcbe757eb37fcfa937674c70caae291ed72cc19d88d9
                  • Opcode Fuzzy Hash: 06232095c6ea6bfecd0242da060c3f3644fc8b44e4d3ae9873a1f678c117594d
                  • Instruction Fuzzy Hash: F251E472A212029FDF2A8F14D851B7AB7A4EF00313F64412DED0657691E771EDB8CB98
                  APIs
                    • Part of subcall function 00267965: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00264A82,?,00000000,-00000008), ref: 00267A11
                  • GetLastError.KERNEL32 ref: 00267C89
                  • __dosmaperr.LIBCMT ref: 00267C90
                  • GetLastError.KERNEL32(?,?,?,?), ref: 00267CCA
                  • __dosmaperr.LIBCMT ref: 00267CD1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                  • String ID:
                  • API String ID: 1913693674-0
                  • Opcode ID: ef81f6af07c6306f090722fad240cec022726902362b9838fe1877beea60d0a3
                  • Instruction ID: 047f02512f50ac892014371f663739e00769412fd69e277c3629494a31de0182
                  • Opcode Fuzzy Hash: ef81f6af07c6306f090722fad240cec022726902362b9838fe1877beea60d0a3
                  • Instruction Fuzzy Hash: 0E21D771628606AFDB20AF75E981C6AB7A9FF04368710452AFD1997151E730ECF09FD0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5f6ed43db293cb8497c35f8e3d8e6bc978b16d367930e21aabd9895c20d81f06
                  • Instruction ID: 22c42d8b00e2dd0b9b7c5bd06450fd218db6eaf2365f135a7c7b1ffe92744578
                  • Opcode Fuzzy Hash: 5f6ed43db293cb8497c35f8e3d8e6bc978b16d367930e21aabd9895c20d81f06
                  • Instruction Fuzzy Hash: AF21C271220206AFDB90AF74DE80C6AB7A9EF08366B218535FD15D7140EB70EC68CB94
                  APIs
                  • GetEnvironmentStringsW.KERNEL32 ref: 00268BC3
                    • Part of subcall function 00267965: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00264A82,?,00000000,-00000008), ref: 00267A11
                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00268BFB
                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00268C1B
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                  • String ID:
                  • API String ID: 158306478-0
                  • Opcode ID: 1311f04b4c24ce94288ab906b30575e554e6cab0ba85ea1ec0817261703812b6
                  • Instruction ID: 0186217f972a4dd519b4b1cd949006597e25b3901f5451b668ddb5492271a5f4
                  • Opcode Fuzzy Hash: 1311f04b4c24ce94288ab906b30575e554e6cab0ba85ea1ec0817261703812b6
                  • Instruction Fuzzy Hash: 8D1104E1922515BEAB252BB56C8DC7F7BACDE453D83100A15FA06D1201FE608DE18571
                  APIs
                  • std::_Lockit::_Lockit.LIBCPMT ref: 00251F67
                  • int.LIBCPMT ref: 00251F7A
                    • Part of subcall function 00252C1B: std::_Lockit::_Lockit.LIBCPMT ref: 00252C2C
                    • Part of subcall function 00252C1B: std::_Lockit::~_Lockit.LIBCPMT ref: 00252C46
                  • std::_Facet_Register.LIBCPMT ref: 00251FAD
                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00251FC3
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                  • String ID:
                  • API String ID: 459529453-0
                  • Opcode ID: a2619327b497ee0cbaf0c44208e6d062d494ebc7431e137e969b910219b9f3bb
                  • Instruction ID: 557fb3032f6b25f2bd12bd3c1c29114d4cee3416926356b4985ac7d859c1f209
                  • Opcode Fuzzy Hash: a2619327b497ee0cbaf0c44208e6d062d494ebc7431e137e969b910219b9f3bb
                  • Instruction Fuzzy Hash: 3C01F772924115ABCB14FBA4D8059AD77ACDF80765B20010AFC0197291EB30EE69CFC8
                  APIs
                  • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0026C0F8,00000000,00000001,00000000,00000000,?,002652A3,00000000,00000000,00000000), ref: 0026D1D5
                  • GetLastError.KERNEL32(?,0026C0F8,00000000,00000001,00000000,00000000,?,002652A3,00000000,00000000,00000000,00000000,00000000,?,0026582A,?), ref: 0026D1E1
                    • Part of subcall function 0026D1A7: CloseHandle.KERNEL32(FFFFFFFE,0026D1F1,?,0026C0F8,00000000,00000001,00000000,00000000,?,002652A3,00000000,00000000,00000000,00000000,00000000), ref: 0026D1B7
                  • ___initconout.LIBCMT ref: 0026D1F1
                    • Part of subcall function 0026D169: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0026D198,0026C0E5,00000000,?,002652A3,00000000,00000000,00000000,00000000), ref: 0026D17C
                  • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,0026C0F8,00000000,00000001,00000000,00000000,?,002652A3,00000000,00000000,00000000,00000000), ref: 0026D206
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                  • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                  • String ID:
                  • API String ID: 2744216297-0
                  • Opcode ID: 73b5e9b3136933a566d7537c6d1e1bd8b9e8ddd2809ec1e22b1bcc1e6294704f
                  • Instruction ID: 75021d7130742b4bf8b920b24e17c62a1114d1614616b16c427a936f5300471a
                  • Opcode Fuzzy Hash: 73b5e9b3136933a566d7537c6d1e1bd8b9e8ddd2809ec1e22b1bcc1e6294704f
                  • Instruction Fuzzy Hash: 5BF01C3A910259BBCF222F95EC1C99A3F66EF0A3A0B454055FE1C85530CA32C8B0EB90
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                   • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: Info
                  • String ID: 6a,$@4'
                  • API String ID: 1807457897-3564056633
                  • Opcode ID: 1205777df759a705bd87ba764e017e12bd7d84dcb1aa6120d8bc11e16a01703a
                  • Instruction ID: 425d36de0406b3b020fd595bd0d4ba7623e60f319f286d4c1341e5530c392e1c
                  • Opcode Fuzzy Hash: 1205777df759a705bd87ba764e017e12bd7d84dcb1aa6120d8bc11e16a01703a
                  • Instruction Fuzzy Hash: CBD1AE7191030A9FDB25DFB4C881BEEBBF5BF08300F144529E895AB292D771AD99CB14
                  APIs
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00265F35
                  • ReadFile.KERNEL32(?,?,00001000,?,00000000,00265C7E,00000001,00000000,?,00000000,?,?,00000000,?,?,00266101), ref: 00265FBB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                   • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileReadUnothrow_t@std@@@__ehfuncinfo$??2@
                  • String ID: 6a,
                  • API String ID: 1834446548-1499783603
                  • Opcode ID: 74449f2c7ec33b3bb3abf8d0364787eb1c5d73312ed5e8d4da5b5baf3e6f5814
                  • Instruction ID: adba8b0d0f4f32e134fe76b085455d317161734d2fcb2fa6eb59e827149d3c02
                  • Opcode Fuzzy Hash: 74449f2c7ec33b3bb3abf8d0364787eb1c5d73312ed5e8d4da5b5baf3e6f5814
                  • Instruction Fuzzy Hash: A741DF31A10255AFCF21DF28CD88BE9BBB5BF48304F1081A9E58997141D7B5DEE18F90
                  APIs
                  • EncodePointer.KERNEL32(00000000,?), ref: 0025BA3C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                   • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: EncodePointer
                  • String ID: MOC$RCC
                  • API String ID: 2118026453-2084237596
                  • Opcode ID: e68a1c3767b5a468cb2c27594a3f49046ae2de5609defee04ac333cf2010bdba
                  • Instruction ID: 7d391a6e1a39ae218e5700f5c5c2a023f9c707cbcb2498360df6dd327077e811
                  • Opcode Fuzzy Hash: e68a1c3767b5a468cb2c27594a3f49046ae2de5609defee04ac333cf2010bdba
                  • Instruction Fuzzy Hash: 1F41587191020AAFCF16CF98CC81AEEBBB5FF08305F188059FD04A6265D3759964DB54
                  APIs
                  • WriteFile.KERNEL32(?,?,00000000,?,00000000,00265899,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0025E210), ref: 0026560B
                  • GetLastError.KERNEL32(00265899,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0025E210,00000000,00000000,0027A8F8,00000010,00000000), ref: 0026563B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                   • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorFileLastWrite
                  • String ID: 6a,
                  • API String ID: 442123175-1499783603
                  • Opcode ID: feb8602432742418e6e0c382cd59f1422ae3f254e8632162a4b7bcef7a7e6623
                  • Instruction ID: 6755de4ac26306c55d3b766f6a736b6e69d29db3c8c6c51d101c153f9cb12afe
                  • Opcode Fuzzy Hash: feb8602432742418e6e0c382cd59f1422ae3f254e8632162a4b7bcef7a7e6623
                  • Instruction Fuzzy Hash: 88317271B10629AFDB14CF69DC85BE973A9EB44300F5440A9E906D7290DA70EED4CF64
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                   • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: __alloca_probe_16__freea
                  • String ID: 6a,
                  • API String ID: 1635606685-1499783603
                  • Opcode ID: 0dcad0dc16b12cae889e15a4a5e2d931b6ba889f88c48a98afe38e8ea3830e44
                  • Instruction ID: 2fb146062b78b2b7dd8347db3fadfb73d5fe28ae981a7457bf8056ac3546e9e3
                  • Opcode Fuzzy Hash: 0dcad0dc16b12cae889e15a4a5e2d931b6ba889f88c48a98afe38e8ea3830e44
                  • Instruction Fuzzy Hash: D221E472920156ABDF20AFA5DC45DAF7BB4EF44720F540628FC11AB291D730CDA4CB90
                  APIs
                  • WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000,?,00265884,?,00000000,00000000,00000000,00000000,00000000), ref: 002654E3
                  • GetLastError.KERNEL32(?,00265884,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0025E210,00000000,00000000,0027A8F8,00000010), ref: 00265509
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                   • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorFileLastWrite
                  • String ID: 6a,
                  • API String ID: 442123175-1499783603
                  • Opcode ID: bb6af4b1d01ecb633bc07335077c72396c039f25e08091685c60f8fe95b1ee46
                  • Instruction ID: 7b5f3d78812b5fbdd8126f4c026d1ed6b83692ff41e46fc39517c01a6a1f902f
                  • Opcode Fuzzy Hash: bb6af4b1d01ecb633bc07335077c72396c039f25e08091685c60f8fe95b1ee46
                  • Instruction Fuzzy Hash: 9E21D231A102289BCF24CF19DC85AE9B3BAFF48305F5044AAE90AD7250DB30DDD5CAA0
                  APIs
                  • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00258978
                  • ___raise_securityfailure.LIBCMT ref: 00258A60
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                   • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: FeaturePresentProcessor___raise_securityfailure
                  • String ID: 6a,
                  • API String ID: 3761405300-1499783603
                  • Opcode ID: b0cb2cf19e24711d6b9503dde2b7f2be23146e692a579d2211e5a6fdc36ad237
                  • Instruction ID: 5e54ec6a3ad2c294f5f057aba90fce40711a88ae55f58ac6b66f7fb8b14bef0c
                  • Opcode Fuzzy Hash: b0cb2cf19e24711d6b9503dde2b7f2be23146e692a579d2211e5a6fdc36ad237
                  • Instruction Fuzzy Hash: D221E7B4D62202DBD714CF19FD4AA543BA5BB48314F30812BEA18DB3A0EBB19C84CF45
                  APIs
                  • std::_Lockit::_Lockit.LIBCPMT ref: 002522CF
                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00252307
                    • Part of subcall function 00256013: _Yarn.LIBCPMT ref: 00256032
                    • Part of subcall function 00256013: _Yarn.LIBCPMT ref: 00256056
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                   • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                  • String ID: bad locale name
                  • API String ID: 1908188788-1405518554
                  • Opcode ID: 197579d3930a0715293464fa32dc3f22b7e5655c6fc99379bc3400920b8a94d5
                  • Instruction ID: 3d0df8755686f4148d63e78eab131294dbae91c78f0814d7eee4c073c49e9ec0
                  • Opcode Fuzzy Hash: 197579d3930a0715293464fa32dc3f22b7e5655c6fc99379bc3400920b8a94d5
                  • Instruction Fuzzy Hash: E1F01D71515B509E83309F7A8481447FBE4BE2D2113908A6EE4DEC3A11D730A558CFA9
                  APIs
                  • GetSystemTimePreciseAsFileTime.KERNEL32(?,002578EB,?,00000000,00000000,?,002578AA,?,?,00000000,?,00255A8B,?,?,00000000), ref: 00257D61
                  • GetSystemTimeAsFileTime.KERNEL32(?,EC2C6136,?,?,0026F0DD,000000FF,?,002578EB,?,00000000,00000000,?,002578AA,?,?,00000000), ref: 00257D65
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1666253803.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                   • Associated: 00000000.00000002.1666224326.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1666294499.0000000000271000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1666321351.000000000027C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1666373342.00000000002DE000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_250000_hObXeMHkSShI8GL7378ICT2M.jbxd
                  Yara matches
                  Similarity
                  • API ID: Time$FileSystem$Precise
                  • String ID: 6a,
                  • API String ID: 743729956-1499783603
                  • Opcode ID: 70ee487713739515031f4da9c0ea36e6cbd6b53932a3a305e37ddf53c6411bf3
                  • Instruction ID: ab1184cfea64db2a98f2b3536695fb1c76e44f2cf13ba36c823f59e1bc56dcd2
                  • Opcode Fuzzy Hash: 70ee487713739515031f4da9c0ea36e6cbd6b53932a3a305e37ddf53c6411bf3
                  • Instruction Fuzzy Hash: D6F0A036959554EBCB118F54FC05B69B7A8EB08B10F104227EC1293390CB75A800CB94

                  Execution Graph

                  Execution Coverage:11.9%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:0%
                  Total number of Nodes:476
                  Total number of Limit Nodes:33
                   execution_graph (rendered as an interactive graph in the original report; the raw node/edge stream is not reproduced here). Functions the graph annotates with the Win32 APIs they reach, directly or through their callees:
                   • 278e4a0: GetModuleHandleW
                   • 278e6e0: LoadLibraryExW
                   • 27876a0, 2788ee0: CreateActCtxA
                   • 4f24f78: SetWindowLongW
                   • 4f6e200: SetWindowTextW
                   • 4f2739a: CallWindowProcW
                   • 4f24150, 4f239e8, 4f239f8, 4f24cd1, 4f24ce0, 4f6c45c, 4f6c48c: CreateWindowExW
                   • 4f203ac, 4f211b8: CreateWindowExW, PostMessageW
                   • 4f6c610: CreateWindowExW, CallWindowProcW (listed three times), PostMessageW
                   • 4f65b04, 4f65b80, 4f69c6c, 4f69ef4, 4f69f94, 4f6fbb1, 4f6fc00, 4f6fc38: PostMessageW
                   • all other annotated nodes carry only an aggregate count of their callees ("2 API calls", "4 API calls", "5 API calls")
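
Joe Sandbox exports both the execution graph above and the control-flow graphs in the entries that follow as one flat token stream: a decimal node id, the function or basic-block address (or address range), optionally the API annotation for that node, and `from->to` edge tokens. The parser below is an added example written for this page, not part of the report or of Joe Sandbox; it turns that stream back into nodes and edges and answers the question a triager actually has (which annotated API calls are reachable from a given entry node). The two embedded graph excerpts are copied from this report; the tokenisation rules (a node starts with a decimal id followed by an address token, everything else attaches to the current node) are inferred from the data on this page and are an assumption about the export format.

```python
import re
from collections import defaultdict

# One edge token: "<from>-><to>" (decimal node ids)
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
# One address token: a hex address, or a basic-block range "start-end"
ADDR_RE = re.compile(r"^[0-9a-fA-F]{5,8}(?:-[0-9a-fA-F]{5,8})?$")


def parse_graph(text):
    """Parse a Joe Sandbox execution_graph / control_flow_graph token stream.

    Returns (nodes, edges): nodes maps node id -> {"addr": str, "label": str},
    edges maps node id -> list of successor ids. A node is introduced by a
    decimal id followed by an address token (assumed layout, see lead-in);
    tokens that are neither an edge nor a new node are the current node's
    annotation, e.g. "GetModuleHandleW" or the aggregate "2 API calls".
    """
    tokens = text.split()
    if tokens and tokens[0] in ("execution_graph", "control_flow_graph"):
        tokens = tokens[1:]
    nodes, edges = {}, defaultdict(list)
    current, i = None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges[m.group(1)].append(m.group(2))
            i += 1
            continue
        if tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = tok
            nodes[current] = {"addr": tokens[i + 1].lower(), "label": ""}
            i += 2
            continue
        if current is not None:  # annotation word belonging to the current node
            nodes[current]["label"] = (nodes[current]["label"] + " " + tok).strip()
        i += 1
    return nodes, dict(edges)


def api_nodes_reachable(nodes, edges, root):
    """Depth-first walk from `root`; return [(addr, label)] for every reachable
    node that carries an annotation. The `seen` set handles cycles such as the
    self-loop on the final basic block of a control-flow graph."""
    seen, stack, found = set(), [root], []
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        node = nodes.get(n)
        if node and node["label"]:
            found.append((node["addr"], node["label"]))
        stack.extend(edges.get(n, []))
    return found


# Excerpts copied from this report: the first nodes of the execution graph, and the
# control-flow graph of the CreateWindowExW wrapper at 4f24d25 in the RegAsm region.
EXEC_GRAPH_EXCERPT = (
    "execution_graph 35857 278e458 35858 278e49a 35857->35858 35859 278e4a0 GetModuleHandleW "
    "35857->35859 35860 278e4cd 35859->35860 35861 4f2acd0 35862 4f2ad1a 35861->35862 "
    "35863 4f26468 2 API calls 35862->35863 35864 4f2ad58 35863->35864"
)
CFG_4F24D25 = (
    "control_flow_graph 857 4f24d25-4f24d96 858 4f24da1-4f24da8 857->858 859 4f24d98-4f24d9e "
    "857->859 860 4f24db3-4f24deb 858->860 861 4f24daa-4f24db0 858->861 859->858 "
    "862 4f24df3-4f24e52 CreateWindowExW 860->862 861->860 863 4f24e54-4f24e5a 862->863 "
    "864 4f24e5b-4f24e93 862->864 863->864 868 4f24ea0 864->868 869 4f24e95-4f24e98 864->869 "
    "870 4f24ea1 868->870 869->868 870->870"
)

if __name__ == "__main__":
    nodes, edges = parse_graph(CFG_4F24D25)
    print(api_nodes_reachable(nodes, edges, "857"))
    enodes, eedges = parse_graph(EXEC_GRAPH_EXCERPT)
    print(api_nodes_reachable(enodes, eedges, "35857"))
```

Aggregate annotations such as "2 API calls" are kept as labels rather than expanded, because the stream does not say which APIs they stand for; resolving them means walking into the callee's own node, which `api_nodes_reachable` does when the callee is a successor in the graph.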

                  Control-flow Graph
                  • Blocks 4f24d25-4f24ea1, calls CreateWindowExW
                  APIs
                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04F24E42
                  Memory Dump Source
                  • Source File: 00000002.00000002.1688615675.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_4f20000_RegAsm.jbxd
                  Similarity
                  • API ID: CreateWindow
                  • String ID:
                  • API String ID: 716092398-0
                  • Opcode ID: e1d714a596895c44192b90cfabc538ced64661aa6b9705b451fc73604c632838
                  • Instruction ID: e863d57a0e832e4699c5e0c28776d2f69757925b8d84600c3f20bd2c2a59846d
                  • Opcode Fuzzy Hash: e1d714a596895c44192b90cfabc538ced64661aa6b9705b451fc73604c632838
                  • Instruction Fuzzy Hash: A151C2B1D003599FDB14CFA9C984ADEBBB5FF48314F24812AE418AB210D775A986CF91

                  Control-flow Graph
                  • Blocks 4f24150-4f24ea1, calls CreateWindowExW
                  APIs
                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04F24E42
                  Memory Dump Source
                  • Source File: 00000002.00000002.1688615675.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_4f20000_RegAsm.jbxd
                  Similarity
                  • API ID: CreateWindow
                  • String ID:
                  • API String ID: 716092398-0
                  • Opcode ID: 58afb51ab63a7091fd102a38326ee89f007d7621f52f5db9ce7a47f31d75678a
                  • Instruction ID: a8ae97292dfb22074db2fe06e7e26ac5801c86985b04e61f8c2e32b991158bd0
                  • Opcode Fuzzy Hash: 58afb51ab63a7091fd102a38326ee89f007d7621f52f5db9ce7a47f31d75678a
                  • Instruction Fuzzy Hash: BE51C1B1D00319AFDB14CF99C984ADEBBB5BF48314F24812AE418AB214D7B0A845CF91

                  Control-flow Graph
                  • Blocks 4f242a4-4f2741c, calls CallWindowProcW and sub_4f2417c
                  APIs
                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 04F273C1
                  Memory Dump Source
                  • Source File: 00000002.00000002.1688615675.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_4f20000_RegAsm.jbxd
                  Similarity
                  • API ID: CallProcWindow
                  • String ID:
                  • API String ID: 2714655100-0
                  • Opcode ID: 6f23f23ba29a36c3d3fc0dbe069732a4a8ed054b9d0bd5b66c0adaf292d02ff1
                  • Instruction ID: 9704ab73f4a33099978e7bd5fd2ea887f70a2f3f93fe5421484291dcc0190fa0
                  • Opcode Fuzzy Hash: 6f23f23ba29a36c3d3fc0dbe069732a4a8ed054b9d0bd5b66c0adaf292d02ff1
                  • Instruction Fuzzy Hash: F64149B5A00215DFDB04DF99C948AABBBF5FF88314F24C459E519AB321D374B841CBA0

                  Control-flow Graph
                  • Blocks 27876a0-2789029, calls CreateActCtxA
                  APIs
                  • CreateActCtxA.KERNEL32(?), ref: 02788F91
                  Memory Dump Source
                  • Source File: 00000002.00000002.1684382511.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_2780000_RegAsm.jbxd
                  Similarity
                  • API ID: Create
                  • String ID:
                  • API String ID: 2289755597-0
                  • Opcode ID: 55d48d5845d2e3ac4e728753387ae2e078fbda894f51569a70ceffc4004b268a
                  • Instruction ID: 04a94bb2720f1e679074f4c20f1f687e6b421e67ff031f0dc6273be62005cd69
                  • Opcode Fuzzy Hash: 55d48d5845d2e3ac4e728753387ae2e078fbda894f51569a70ceffc4004b268a
                  • Instruction Fuzzy Hash: A741F1B1C0061DCFDB24DFA9C844B9EBBF5BF45304F20806AD408AB254DB756946CF91

                  Control-flow Graph
                  • Blocks 278df78-278e77d, calls LoadLibraryExW
                  APIs
                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0278E539,00000800,00000000,00000000), ref: 0278E74A
                  Memory Dump Source
                  • Source File: 00000002.00000002.1684382511.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_2780000_RegAsm.jbxd
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  • Opcode ID: dc5080dea0335494c4277d0b98090acf6f3e58a25b1cd6616a8c733eb5dce629
                  • Instruction ID: f496a1b722b3ea4d92e826fd2e0ad185f466c9bde5b58d49ba123e4dda4d5b31
                  • Opcode Fuzzy Hash: dc5080dea0335494c4277d0b98090acf6f3e58a25b1cd6616a8c733eb5dce629
                  • Instruction Fuzzy Hash: 091112B69002099FEB20DF9AC944ADEFBF4EB89324F14842AE559B7210C375A544CFA4

                  Control-flow Graph
                  • Blocks 4f6e1b1-4f6e259, calls SetWindowTextW
                  APIs
                  • SetWindowTextW.USER32(?,00000000), ref: 04F6E222
                  Memory Dump Source
                  • Source File: 00000002.00000002.1688857824.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_4f60000_RegAsm.jbxd
                  Similarity
                  • API ID: TextWindow
                  • String ID:
                  • API String ID: 530164218-0
                  • Opcode ID: 31b82bae3ddda698efe159bd6263c739770717e0b1a750887b04434b945fc616
                  • Instruction ID: 0d11c516b95a67918985684985ac9bf0fcf31c0d82c3810ab577474631e51eb3
                  • Opcode Fuzzy Hash: 31b82bae3ddda698efe159bd6263c739770717e0b1a750887b04434b945fc616
                  • Instruction Fuzzy Hash: 721133B6C002498FDB10CF9AC444ADEBBF5EF88320F10842AD869A7250D338A546CFA1

                  Control-flow Graph
                  • Blocks 4f6e1b8-4f6e259, calls SetWindowTextW
                  APIs
                  • SetWindowTextW.USER32(?,00000000), ref: 04F6E222
                  Memory Dump Source
                  • Source File: 00000002.00000002.1688857824.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_4f60000_RegAsm.jbxd
                  Similarity
                  • API ID: TextWindow
                  • String ID:
                  • API String ID: 530164218-0
                  • Opcode ID: baa58bbd7bc07c63b1faa8e24881ccbf3062c0bd6104f453a7b4529d71b34b02
                  • Instruction ID: 54ec23ddafeaaa6f31660fafb67081108c05389ee41173491d6b1c3db467940b
                  • Opcode Fuzzy Hash: baa58bbd7bc07c63b1faa8e24881ccbf3062c0bd6104f453a7b4529d71b34b02
                  • Instruction Fuzzy Hash: 691123B6C002498FDB14CF9AC844BDEFBF5EB88320F14C42AD869A7240D338A545CFA1
                  APIs
                  • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,04F24F60,?,?,?,?), ref: 04F24FD5
                  Memory Dump Source
                  • Source File: 00000002.00000002.1688615675.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_4f20000_RegAsm.jbxd
                  Similarity
                  • API ID: LongWindow
                  • String ID:
                  • API String ID: 1378638983-0
                  • Opcode ID: 75fb4fa5aa8f8fe4e86c64b735bc44276a74e6996b1e0014507f89be18fcf517
                  • Instruction ID: 0e7e6e1b2879a3ebe7ef1d78117e76add7c660a8f1754c66212fb33a5271e0b0
                  • Opcode Fuzzy Hash: 75fb4fa5aa8f8fe4e86c64b735bc44276a74e6996b1e0014507f89be18fcf517
                  • Instruction Fuzzy Hash: FE1103B5800258DFDB10CF99D585BDEBBF4EB88324F10851AD958A7700C379A985CFA1
                  APIs
                  • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,04F24F60,?,?,?,?), ref: 04F24FD5
                  Memory Dump Source
                  • Source File: 00000002.00000002.1688615675.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_4f20000_RegAsm.jbxd
                  Similarity
                  • API ID: LongWindow
                  • String ID:
                  • API String ID: 1378638983-0
                  • Opcode ID: 51491c3dab91d2abd223d64649d3924ea9c6a4c892d640828ebc462e9c7fcd96
                  • Instruction ID: eb328a069cee657003cf1372a11c4a45bc5589bcce99e4d35a1022b46f11a10c
                  • Opcode Fuzzy Hash: 51491c3dab91d2abd223d64649d3924ea9c6a4c892d640828ebc462e9c7fcd96
                  • Instruction Fuzzy Hash: 3C11F5B5900258DFDB10CF99C545BDEBBF4EB88324F10841AE954A7300D374B944CFA5
                  APIs
                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0278E4BE
                  Memory Dump Source
                  • Source File: 00000002.00000002.1684382511.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_2780000_RegAsm.jbxd
                  Similarity
                  • API ID: HandleModule
                  • String ID:
                  • API String ID: 4139908857-0
                  • Opcode ID: 1f0dc275edbfa07e5bbfd691aa8d6aeb293f0cf59dc68893ffe2dabfcfef1fac
                  • Instruction ID: f57b349f0ba660ec686d6614428a76112673afa5ea669534ab7c299b34a1d007
                  • Opcode Fuzzy Hash: 1f0dc275edbfa07e5bbfd691aa8d6aeb293f0cf59dc68893ffe2dabfcfef1fac
                  • Instruction Fuzzy Hash: 1D1110B6D002498FCB10DF9AC444ADEFBF4AB88328F10842AE468A7210C374A545CFA1
                  APIs
                  • PostMessageW.USER32(?,00000018,00000001,?), ref: 04F6FC95
                  Memory Dump Source
                  • Source File: 00000002.00000002.1688857824.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_4f60000_RegAsm.jbxd
                  Similarity
                  • API ID: MessagePost
                  • String ID:
                  • API String ID: 410705778-0
                  • Opcode ID: 6c9cd6d7f09a133e62589ae9238009c1897600a446d61c76784ec4f238d5fd86
                  • Instruction ID: 4ff6cfd5e7480a988577320223015457ff1a7b64c41c1e958af581a21dbe4117
                  • Opcode Fuzzy Hash: 6c9cd6d7f09a133e62589ae9238009c1897600a446d61c76784ec4f238d5fd86
                  • Instruction Fuzzy Hash: 7B1106B6800348DFDB10CF9AD545BDEBBF8EB48324F108419E955A7300D374A944CFA5
                  APIs
                  • PostMessageW.USER32(?,00000018,00000001,?), ref: 04F6FC95
                  Memory Dump Source
                  • Source File: 00000002.00000002.1688857824.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_4f60000_RegAsm.jbxd
                  Similarity
                  • API ID: MessagePost
                  • String ID:
                  • API String ID: 410705778-0
                  • Opcode ID: 3c4988faa234adbc8fb111f727377ee92280e0b32b5b63e27915743e03388073
                  • Instruction ID: accee7ce1f261028088c5d219979d1eacdefa24f87f15c09566b12b035717a8a
                  • Opcode Fuzzy Hash: 3c4988faa234adbc8fb111f727377ee92280e0b32b5b63e27915743e03388073
                  • Instruction Fuzzy Hash: 9E1100B6800248DFDB10CF9AD985BDEBBF8EB48324F10881AD958B7210C374A584CFA1
                  Memory Dump Source
                  • Source File: 00000002.00000002.1683689672.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_bbd000_RegAsm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f532f5b2b4888917b4268c86aac9b148db068e1da300b7a25959c9e80091c375
                  • Instruction ID: 85e7403e216b814fea2cecabcfea2df0030c501dd2103e76a70824a8bf30c84c
                  • Opcode Fuzzy Hash: f532f5b2b4888917b4268c86aac9b148db068e1da300b7a25959c9e80091c375
                  • Instruction Fuzzy Hash: D1212571500200DFCB15DF14D9C0B66BFA5FBA8318F2486A9D9094B256D37AD856CAA2
                  Memory Dump Source
                  • Source File: 00000002.00000002.1684148008.000000000273D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0273D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_273d000_RegAsm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0ebc2c0a8dd6424b87f9721f5b2c63c99cb039ff9c3479c1bfdb248ba0d20fc1
                  • Instruction ID: 0bddb8c9b225145bf38ae7de4541dad738fe0f6992e7bc90cb87a109afac1f88
                  • Opcode Fuzzy Hash: 0ebc2c0a8dd6424b87f9721f5b2c63c99cb039ff9c3479c1bfdb248ba0d20fc1
                  • Instruction Fuzzy Hash: 5D2126B1504204EFDB26DF14DAC0B27BBA5FB88314F24C66DE8495B257C736D446CA61
                  Memory Dump Source
                  • Source File: 00000002.00000002.1684148008.000000000273D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0273D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_273d000_RegAsm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 40a49d33aa1bd1afa4865449afb1fa376015dcb8c1a14584f306974ac7eca327
                  • Instruction ID: 85803cf5c1a401b975140f8946e07dd6ca49bf0c4bef82501a638ece154cdcd9
                  • Opcode Fuzzy Hash: 40a49d33aa1bd1afa4865449afb1fa376015dcb8c1a14584f306974ac7eca327
                  • Instruction Fuzzy Hash: DE2134B1604200DFDB26DF24D9C4B26BFA5FB84B14F20C56DD84A4B257C33AD447CA61
                  Memory Dump Source
                  • Source File: 00000002.00000002.1684148008.000000000273D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0273D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_273d000_RegAsm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1322337873049426af25d286277dcbad3a17c4a72ccb278f9b3d5d691f9f0db5
                  • Instruction ID: 63b263949f46ba8826f8a5ff4606764667e716f7100d03d33899c499ee14a4b0
                  • Opcode Fuzzy Hash: 1322337873049426af25d286277dcbad3a17c4a72ccb278f9b3d5d691f9f0db5
                  • Instruction Fuzzy Hash: 8E218E755093C08FCB13CF24D994715BF71EB46614F28C5DAD8898F667C33A980ACB62
                  Memory Dump Source
                  • Source File: 00000002.00000002.1683689672.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_bbd000_RegAsm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ce69cba98bfff612cefda2c4877fe7df6cc59bd7a6ce96c012d28fad0f514114
                  • Instruction ID: 4f299bdd82f7a96a5ae41475022701b832e4349e6a7c0843e57dd1059fb9e024
                  • Opcode Fuzzy Hash: ce69cba98bfff612cefda2c4877fe7df6cc59bd7a6ce96c012d28fad0f514114
                  • Instruction Fuzzy Hash: 3011D676504240CFCB15CF14D5C4B66BFB1FBA4318F24C6A9D9094B616C33AD856CB91
                  Memory Dump Source
                  • Source File: 00000002.00000002.1684148008.000000000273D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0273D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_273d000_RegAsm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 17de7163a1e12a4c5df783ee0f29f24f6994aba7d146e6d7d26c00eb2d5c80d5
                  • Instruction ID: 531674381a2f446f3312f6565a8d7b4f8dce2b537f5e58f1597882b59c2761a8
                  • Opcode Fuzzy Hash: 17de7163a1e12a4c5df783ee0f29f24f6994aba7d146e6d7d26c00eb2d5c80d5
                  • Instruction Fuzzy Hash: 4F119D75504280DFDB16CF14D5C4B16FFA1FB84328F28C6AED8494B656C33AD45ACB61