Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
drop1.exe

Overview

General Information

Sample name:drop1.exe
Analysis ID:1584392
MD5:cf2ac2dce038a884fce94f9350327033
SHA1:a2d1c361993e3b1b3289e4905287cb2c9a1714de
SHA256:6d38c8152edc5634fa7cae67424a5b28e1dca4b1037d99704c331c91faca77b7
Tags:exeuser-juroots
Infos:

Detection

CredGrabber, Meduza Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected CredGrabber
Yara detected Meduza Stealer
AI detected suspicious sample
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Suricata IDS alerts with low severity for network traffic
Terminates after testing mutex exists (may check infected machine status)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • drop1.exe (PID: 4836 cmdline: "C:\Users\user\Desktop\drop1.exe" MD5: CF2AC2DCE038A884FCE94F9350327033)
    • conhost.exe (PID: 3492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • drop1.exe (PID: 3444 cmdline: "C:\Users\user\Desktop\drop1.exe" MD5: CF2AC2DCE038A884FCE94F9350327033)
  • cleanup

Malware Configuration

Threatname: Meduza Stealer

{"C2 url": "66.63.187.173", "grabber_max_size": 4194304, "anti_vm": true, "anti_dbg": true, "self_destruct": false, "extensions": ".txt; .doc; .xlsx", "build_name": "1", "links": "", "port": 15666}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.1979975777.0000000001098000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_MeduzaStealerYara detected Meduza StealerJoe Security
    00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_MeduzaStealerYara detected Meduza StealerJoe Security
      00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmpinfostealer_win_meduzastealerFinds MeduzaStealer samples based on specific stringsSekoia.io
      • 0xff0dc:$str01: emoji
      • 0x1018d8:$str02: %d-%m-%Y, %H:%M:%S
      • 0x101940:$str03: [UTC
      • 0x10194c:$str04: user_name
      • 0x101970:$str05: computer_name
      • 0x101994:$str06: timezone
      • 0x1018c4:$str07: current_path()
      • 0xff0a8:$str08: [json.exception.
      • 0x11502e:$str09: GDI32.dll
      • 0x1152a0:$str10: GdipGetImageEncoders
      • 0x115318:$str10: GdipGetImageEncoders
      • 0x114948:$str11: GetGeoInfoA
      Process Memory Space: drop1.exe PID: 3444JoeSecurity_MeduzaStealerYara detected Meduza StealerJoe Security
        Process Memory Space: drop1.exe PID: 3444JoeSecurity_CredGrabberYara detected CredGrabberJoe Security

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          0.2.drop1.exe.1416e20.1.unpackJoeSecurity_MeduzaStealerYara detected Meduza StealerJoe Security
            0.2.drop1.exe.1416e20.1.unpackinfostealer_win_meduzastealerFinds MeduzaStealer samples based on specific stringsSekoia.io
            • 0xfbcdc:$str01: emoji
            • 0xfe4d8:$str02: %d-%m-%Y, %H:%M:%S
            • 0xfe540:$str03: [UTC
            • 0xfe54c:$str04: user_name
            • 0xfe570:$str05: computer_name
            • 0xfe594:$str06: timezone
            • 0xfe4c4:$str07: current_path()
            • 0xfbca8:$str08: [json.exception.
            • 0x111c2e:$str09: GDI32.dll
            • 0x111ea0:$str10: GdipGetImageEncoders
            • 0x111f18:$str10: GdipGetImageEncoders
            • 0x111548:$str11: GetGeoInfoA
            2.2.drop1.exe.400000.0.unpackJoeSecurity_MeduzaStealerYara detected Meduza StealerJoe Security
              2.2.drop1.exe.400000.0.unpackinfostealer_win_meduzastealerFinds MeduzaStealer samples based on specific stringsSekoia.io
              • 0xfd6dc:$str01: emoji
              • 0xffed8:$str02: %d-%m-%Y, %H:%M:%S
              • 0xfff40:$str03: [UTC
              • 0xfff4c:$str04: user_name
              • 0xfff70:$str05: computer_name
              • 0xfff94:$str06: timezone
              • 0xffec4:$str07: current_path()
              • 0xfd6a8:$str08: [json.exception.
              • 0x11362e:$str09: GDI32.dll
              • 0x1138a0:$str10: GdipGetImageEncoders
              • 0x113918:$str10: GdipGetImageEncoders
              • 0x112f48:$str11: GetGeoInfoA
              2.2.drop1.exe.400000.0.raw.unpackJoeSecurity_MeduzaStealerYara detected Meduza StealerJoe Security
                Click to see the 3 entries

                Sigma Signatures

                No Sigma rule has matched

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-01-05T11:54:10.969583+010020494411A Network Trojan was detected192.168.2.44973366.63.187.17315666TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-01-05T11:54:10.969583+010020508061A Network Trojan was detected192.168.2.44973366.63.187.17315666TCP
                2025-01-05T11:54:10.974496+010020508061A Network Trojan was detected192.168.2.44973366.63.187.17315666TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-01-05T11:54:10.969583+010020508071A Network Trojan was detected192.168.2.44973366.63.187.17315666TCP
                2025-01-05T11:54:10.974496+010020508071A Network Trojan was detected192.168.2.44973366.63.187.17315666TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Found malware configuration
                Source: 0.2.drop1.exe.1416e20.1.unpackMalware Configuration Extractor: Meduza Stealer {"C2 url": "66.63.187.173", "grabber_max_size": 4194304, "anti_vm": true, "anti_dbg": true, "self_destruct": false, "extensions": ".txt; .doc; .xlsx", "build_name": "1", "links": "", "port": 15666}
                Multi AV Scanner detection for submitted file
                Source: drop1.exeVirustotal: Detection: 78%Perma Link
                Source: drop1.exeReversingLabs: Detection: 76%
                AI detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0047A610 CryptUnprotectData,LocalFree,2_2_0047A610
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0043D4A0 BCryptDestroyKey,2_2_0043D4A0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0047A950 CryptProtectData,LocalFree,2_2_0047A950
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0047AAE0 BCryptDecrypt,BCryptDecrypt,2_2_0047AAE0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00440B60 CryptUnprotectData,LocalFree,2_2_00440B60
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0047AE10 BCryptCloseAlgorithmProvider,2_2_0047AE10
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0047AE80 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,2_2_0047AE80
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00A3123B CryptContextAddRef,2_2_00A3123B
                Source: drop1.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49734 version: TLS 1.2
                Source: drop1.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
                Source: C:\Users\user\Desktop\drop1.exeCode function: 0_2_00A436A9 FindFirstFileExW,0_2_00A436A9
                Source: C:\Users\user\Desktop\drop1.exeCode function: 0_2_00A4375A FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00A4375A
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004402D0 FindFirstFileW,FindNextFileW,2_2_004402D0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004B84C0 FindClose,FindFirstFileExW,GetLastError,2_2_004B84C0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004B8545 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,2_2_004B8545
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004B84E0 FindFirstFileExW,2_2_004B84E0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00487550 GetLogicalDriveStringsW,2_2_00487550
                Source: C:\Users\user\Desktop\drop1.exeFile opened: D:\sources\migration\Jump to behavior
                Source: C:\Users\user\Desktop\drop1.exeFile opened: D:\sources\replacementmanifests\Jump to behavior
                Source: C:\Users\user\Desktop\drop1.exeFile opened: D:\sources\migration\wtr\Jump to behavior
                Source: C:\Users\user\Desktop\drop1.exeFile opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\Jump to behavior
                Source: C:\Users\user\Desktop\drop1.exeFile opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\Jump to behavior
                Source: C:\Users\user\Desktop\drop1.exeFile opened: D:\sources\replacementmanifests\hwvid-migration-2\Jump to behavior

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 2049441 - Severity 1 - ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt : 192.168.2.4:49733 -> 66.63.187.173:15666
                Source: Network trafficSuricata IDS: 2050806 - Severity 1 - ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 : 192.168.2.4:49733 -> 66.63.187.173:15666
                Source: global trafficTCP traffic: 192.168.2.4:49733 -> 66.63.187.173:15666
                Source: global trafficTCP traffic: 192.168.2.4:49308 -> 162.159.36.2:53
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; */*Host: api.ipify.orgCache-Control: no-cache
                Source: Joe Sandbox ViewIP Address: 104.26.13.205 104.26.13.205
                Source: Joe Sandbox ViewIP Address: 104.26.13.205 104.26.13.205
                Source: Joe Sandbox ViewASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS
                Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                Source: unknownDNS query: name: api.ipify.org
                Source: unknownDNS query: name: api.ipify.org
                Source: Network trafficSuricata IDS: 2050807 - Severity 1 - ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) : 192.168.2.4:49733 -> 66.63.187.173:15666
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.173
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00485350 recv,recv,recv,recv,recv,recv,closesocket,WSACleanup,2_2_00485350
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; */*Host: api.ipify.orgCache-Control: no-cache
                Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                Source: drop1.exeString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                Source: drop1.exe, 00000002.00000003.1782810357.000000000110D000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1783620887.000000000110D000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000002.1979975777.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1781335416.0000000001112000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1781374886.0000000001112000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                Source: drop1.exeString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
                Source: drop1.exeString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                Source: drop1.exeString found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
                Source: drop1.exeString found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
                Source: drop1.exeString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
                Source: drop1.exeString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                Source: drop1.exeString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
                Source: drop1.exeString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
                Source: drop1.exe, 00000002.00000002.1980297371.000000000130E000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1979361344.000000000130B000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1979420774.000000000130C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ns.adob/1.0/.Y
                Source: drop1.exe, 00000002.00000003.1979361344.000000000130B000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1979420774.000000000130C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ns.microsoft.co2/t/Re
                Source: drop1.exeString found in binary or memory: http://ocsp.comodoca.com0
                Source: drop1.exeString found in binary or memory: http://ocsp.sectigo.com0
                Source: drop1.exe, 00000002.00000003.1784152367.0000000001164000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784201858.000000000478D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: drop1.exe, 00000002.00000002.1979975777.0000000001098000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                Source: drop1.exe, 00000002.00000002.1979975777.0000000001098000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                Source: drop1.exe, 00000002.00000002.1979975777.0000000001098000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/d
                Source: drop1.exe, 00000002.00000002.1979975777.0000000001098000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org2
                Source: drop1.exe, 00000002.00000003.1794443745.000000000117A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
                Source: drop1.exe, 00000002.00000003.1794443745.000000000117A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
                Source: drop1.exe, 00000002.00000003.1784152367.0000000001164000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784201858.000000000478D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: drop1.exe, 00000002.00000003.1784152367.0000000001164000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784201858.000000000478D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: drop1.exe, 00000002.00000003.1784152367.0000000001164000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784201858.000000000478D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: drop1.exe, 00000002.00000003.1794443745.000000000117A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
                Source: drop1.exe, 00000002.00000003.1794443745.000000000117A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                Source: drop1.exe, 00000002.00000003.1784006302.000000000478D000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784006302.0000000004774000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784152367.0000000001164000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784201858.0000000004774000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784201858.000000000478D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: drop1.exe, 00000002.00000003.1784006302.000000000478D000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784006302.0000000004774000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784152367.0000000001164000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784201858.0000000004774000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784201858.000000000478D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: drop1.exe, 00000002.00000003.1784006302.000000000478D000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784006302.0000000004774000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784152367.0000000001164000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784201858.0000000004774000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784201858.000000000478D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: drop1.exe, 00000002.00000003.1794443745.000000000117A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
                Source: drop1.exeString found in binary or memory: https://sectigo.com/CPS0
                Source: drop1.exe, 00000002.00000003.1790572642.0000000004220000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.moz
                Source: drop1.exe, 00000002.00000003.1790572642.0000000004219000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1789452784.0000000003B28000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1790222997.0000000003B78000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1789672860.00000000047E2000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1790425715.0000000004858000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1789672860.00000000047DA000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1789452784.0000000003B20000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1789672860.0000000004825000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1790222997.0000000003B80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org
                Source: drop1.exe, 00000002.00000003.1790425715.000000000485F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: drop1.exe, 00000002.00000003.1790425715.000000000485F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
                Source: drop1.exe, 00000002.00000003.1784605548.00000000047D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                Source: drop1.exe, 00000002.00000003.1784605548.00000000047B1000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784851444.000000000115E000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784605548.000000000478B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                Source: drop1.exe, 00000002.00000003.1784605548.00000000047D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                Source: drop1.exe, 00000002.00000003.1784605548.00000000047B1000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784851444.000000000115E000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784605548.000000000478B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                Source: drop1.exe, 00000002.00000003.1794443745.000000000117A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
                Source: drop1.exe, 00000002.00000003.1784152367.0000000001164000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784201858.000000000478D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: drop1.exe, 00000002.00000003.1794443745.000000000117A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
                Source: drop1.exe, 00000002.00000003.1784152367.0000000001164000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784201858.000000000478D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: drop1.exe, 00000002.00000003.1790572642.0000000004219000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1789452784.0000000003B28000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1790222997.0000000003B78000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1789672860.00000000047E2000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1790425715.0000000004858000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1789672860.00000000047DA000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1789452784.0000000003B20000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1789672860.0000000004825000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1790222997.0000000003B80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
                Source: drop1.exe, 00000002.00000003.1790425715.000000000485F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                Source: drop1.exe, 00000002.00000003.1790425715.000000000485F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                Source: drop1.exe, 00000002.00000003.1790572642.0000000004220000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1789452784.0000000003B88000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1789452784.0000000003B2F000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1790425715.000000000485F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                Source: drop1.exe, 00000002.00000003.1790425715.000000000485F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: drop1.exe, 00000002.00000003.1790572642.0000000004220000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1789452784.0000000003B88000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1789452784.0000000003B2F000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1790425715.000000000485F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
                Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49734 version: TLS 1.2
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00485F00 GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SHCreateMemStream,SelectObject,DeleteDC,ReleaseDC,DeleteObject,IStream_Size,IStream_Reset,IStream_Read,SelectObject,DeleteDC,ReleaseDC,DeleteObject,2_2_00485F00

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: 0.2.drop1.exe.1416e20.1.unpack, type: UNPACKEDPEMatched rule: Finds MeduzaStealer samples based on specific strings Author: Sekoia.io
                Source: 2.2.drop1.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Finds MeduzaStealer samples based on specific strings Author: Sekoia.io
                Source: 2.2.drop1.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Finds MeduzaStealer samples based on specific strings Author: Sekoia.io
                Source: 0.2.drop1.exe.1416e20.1.raw.unpack, type: UNPACKEDPEMatched rule: Finds MeduzaStealer samples based on specific strings Author: Sekoia.io
                Source: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Finds MeduzaStealer samples based on specific strings Author: Sekoia.io
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0048A0A0 GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcess,NtQueryObject,GetFinalPathNameByHandleA,CloseHandle,CloseHandle,2_2_0048A0A0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0048A710 RtlAcquirePebLock,NtAllocateVirtualMemory,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,2_2_0048A710
                Source: C:\Users\user\Desktop\drop1.exeCode function: 0_2_00A310000_2_00A31000
                Source: C:\Users\user\Desktop\drop1.exeCode function: 0_2_00A34C8C0_2_00A34C8C
                Source: C:\Users\user\Desktop\drop1.exeCode function: 0_2_00A46F3A0_2_00A46F3A
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004422D02_2_004422D0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0043A2B02_2_0043A2B0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004464002_2_00446400
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004884002_2_00488400
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0043E4F02_2_0043E4F0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004395D02_2_004395D0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004877802_2_00487780
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004858402_2_00485840
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0043C9702_2_0043C970
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004479C02_2_004479C0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00459A062_2_00459A06
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0046EB702_2_0046EB70
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0046BCE02_2_0046BCE0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00439D602_2_00439D60
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00470EF02_2_00470EF0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0043BF702_2_0043BF70
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004620802_2_00462080
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004320A02_2_004320A0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004A70A72_2_004A70A7
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0042D1502_2_0042D150
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004791302_2_00479130
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004741902_2_00474190
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004612502_2_00461250
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004082702_2_00408270
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004B63802_2_004B6380
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004074702_2_00407470
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004624102_2_00462410
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0045C4C02_2_0045C4C0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0043D4A02_2_0043D4A0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0047E5802_2_0047E580
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0046B6202_2_0046B620
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004687502_2_00468750
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004197702_2_00419770
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0045C7002_2_0045C700
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004917CA2_2_004917CA
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0045D7A02_2_0045D7A0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004627A02_2_004627A0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0049687E2_2_0049687E
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004B68702_2_004B6870
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0043A8002_2_0043A800
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004938002_2_00493800
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0049F8A22_2_0049F8A2
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004619402_2_00461940
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004459502_2_00445950
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004789902_2_00478990
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004ACA4B2_2_004ACA4B
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00406AE02_2_00406AE0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004B3AE02_2_004B3AE0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00430AF02_2_00430AF0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0048AA802_2_0048AA80
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00414AA02_2_00414AA0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0045EAA02_2_0045EAA0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00476AB62_2_00476AB6
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00462B502_2_00462B50
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00482C4B2_2_00482C4B
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004BCC402_2_004BCC40
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00461CC02_2_00461CC0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00478D402_2_00478D40
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004B6D302_2_004B6D30
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004B1D302_2_004B1D30
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00440DE02_2_00440DE0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0043AE502_2_0043AE50
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0042EEA02_2_0042EEA0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00406F402_2_00406F40
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00444F502_2_00444F50
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00443F002_2_00443F00
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00456F002_2_00456F00
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00412FA02_2_00412FA0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00A310002_2_00A31000
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00A34C8C2_2_00A34C8C
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00A46F3A2_2_00A46F3A
                Source: C:\Users\user\Desktop\drop1.exeCode function: String function: 004AC500 appears 58 times
                Source: C:\Users\user\Desktop\drop1.exeCode function: String function: 004517F0 appears 53 times
                Source: C:\Users\user\Desktop\drop1.exeCode function: String function: 00A35190 appears 91 times
                Source: C:\Users\user\Desktop\drop1.exeCode function: String function: 00A3F534 appears 34 times
                Source: C:\Users\user\Desktop\drop1.exeCode function: String function: 00A3B767 appears 42 times
                Source: drop1.exeStatic PE information: invalid certificate
                Source: drop1.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: 0.2.drop1.exe.1416e20.1.unpack, type: UNPACKEDPEMatched rule: infostealer_win_meduzastealer author = Sekoia.io, description = Finds MeduzaStealer samples based on specific strings, creation_date = 2023-06-20, classification = TLP:CLEAR, version = 1.0, id = 1276f485-aa5d-491b-89d8-77f98dc496e1
                Source: 2.2.drop1.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: infostealer_win_meduzastealer author = Sekoia.io, description = Finds MeduzaStealer samples based on specific strings, creation_date = 2023-06-20, classification = TLP:CLEAR, version = 1.0, id = 1276f485-aa5d-491b-89d8-77f98dc496e1
                Source: 2.2.drop1.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: infostealer_win_meduzastealer author = Sekoia.io, description = Finds MeduzaStealer samples based on specific strings, creation_date = 2023-06-20, classification = TLP:CLEAR, version = 1.0, id = 1276f485-aa5d-491b-89d8-77f98dc496e1
                Source: 0.2.drop1.exe.1416e20.1.raw.unpack, type: UNPACKEDPEMatched rule: infostealer_win_meduzastealer author = Sekoia.io, description = Finds MeduzaStealer samples based on specific strings, creation_date = 2023-06-20, classification = TLP:CLEAR, version = 1.0, id = 1276f485-aa5d-491b-89d8-77f98dc496e1
                Source: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: infostealer_win_meduzastealer author = Sekoia.io, description = Finds MeduzaStealer samples based on specific strings, creation_date = 2023-06-20, classification = TLP:CLEAR, version = 1.0, id = 1276f485-aa5d-491b-89d8-77f98dc496e1
                Source: drop1.exeStatic PE information: Section: .bss ZLIB complexity 1.0003138195647467
                Source: drop1.exeStatic PE information: Section: .bss ZLIB complexity 1.0003138195647467
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@4/0@1/2
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0048CB50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,2_2_0048CB50
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004473D0 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,2_2_004473D0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00477EE0 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,SysAllocStringByteLen,SysFreeString,SysAllocStringByteLen,SysFreeString,SysStringByteLen,SysStringByteLen,SysFreeString,SysFreeString,2_2_00477EE0
                Source: C:\Users\user\Desktop\drop1.exeMutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E696363D80FD0
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3492:120:WilError_03
                Source: C:\Users\user\Desktop\drop1.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: drop1.exeVirustotal: Detection: 78%
                Source: drop1.exeReversingLabs: Detection: 76%
                Source: C:\Users\user\Desktop\drop1.exeFile read: C:\Users\user\Desktop\drop1.exeJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\drop1.exe "C:\Users\user\Desktop\drop1.exe"
                Source: C:\Users\user\Desktop\drop1.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\drop1.exeProcess created: C:\Users\user\Desktop\drop1.exe "C:\Users\user\Desktop\drop1.exe"
                Source: C:\Users\user\Desktop\drop1.exeProcess created: C:\Users\user\Desktop\drop1.exe "C:\Users\user\Desktop\drop1.exe"Jump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: rstrtmgr.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: vaultcli.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
                Source: C:\Users\user\Desktop\drop1.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: drop1.exeStatic file information: File size 2537088 > 1048576
                Source: drop1.exeStatic PE information: Raw size of .bss is bigger than: 0x100000 < 0x120a00
                Source: drop1.exeStatic PE information: Raw size of .bss is bigger than: 0x100000 < 0x120a00
                Source: drop1.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
                Source: drop1.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: drop1.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: drop1.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: drop1.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: drop1.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00446400 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,2_2_00446400
                Source: C:\Users\user\Desktop\drop1.exeCode function: 0_2_00A3326B pushad ; retf 0_2_00A3326D
                Source: C:\Users\user\Desktop\drop1.exeCode function: 0_2_00A3534A push ecx; ret 0_2_00A3535D
                Source: C:\Users\user\Desktop\drop1.exeCode function: 0_2_00A56ECF push ss; ret 0_2_00A56EDC
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004ACE0C push ecx; ret 2_2_004ACE1F
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00A422C7 push ecx; iretd 2_2_00A422C8
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00A3534A push ecx; ret 2_2_00A3535D
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00A485CD push esi; ret 2_2_00A485CF
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0047E240 GetCurrentProcess,OpenProcessToken,GetTokenInformation,CloseHandle,ExitProcess,OpenMutexA,ExitProcess,CreateMutexA,ExitProcess,ReleaseMutex,CloseHandle,2_2_0047E240
                Source: C:\Users\user\Desktop\drop1.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_2-60760
                Source: C:\Users\user\Desktop\drop1.exeCode function: 0_2_00A436A9 FindFirstFileExW,0_2_00A436A9
                Source: C:\Users\user\Desktop\drop1.exeCode function: 0_2_00A4375A FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00A4375A
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004402D0 FindFirstFileW,FindNextFileW,2_2_004402D0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004B84C0 FindClose,FindFirstFileExW,GetLastError,2_2_004B84C0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004B8545 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,2_2_004B8545
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004B84E0 FindFirstFileExW,2_2_004B84E0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00487550 GetLogicalDriveStringsW,2_2_00487550
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00498574 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,2_2_00498574
                Source: C:\Users\user\Desktop\drop1.exeFile opened: D:\sources\migration\Jump to behavior
                Source: C:\Users\user\Desktop\drop1.exeFile opened: D:\sources\replacementmanifests\Jump to behavior
                Source: C:\Users\user\Desktop\drop1.exeFile opened: D:\sources\migration\wtr\Jump to behavior
                Source: C:\Users\user\Desktop\drop1.exeFile opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\Jump to behavior
                Source: C:\Users\user\Desktop\drop1.exeFile opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\Jump to behavior
                Source: C:\Users\user\Desktop\drop1.exeFile opened: D:\sources\replacementmanifests\hwvid-migration-2\Jump to behavior
                Source: drop1.exe, 00000002.00000003.1783663510.00000000010F4000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1782852697.00000000010F4000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000002.1979975777.00000000010E2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW[As
                Source: drop1.exe, 00000002.00000003.1783663510.00000000010F4000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000002.1979975777.0000000001098000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1782852697.00000000010F4000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000002.1979975777.00000000010E2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: C:\Users\user\Desktop\drop1.exeAPI call chain: ExitProcess graph end nodegraph_0-13464
                Source: C:\Users\user\Desktop\drop1.exeAPI call chain: ExitProcess graph end nodegraph_2-60780
                Source: C:\Users\user\Desktop\drop1.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0048A710 RtlAcquirePebLock,NtAllocateVirtualMemory,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,2_2_0048A710
                Source: C:\Users\user\Desktop\drop1.exeCode function: 0_2_00A35020 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00A35020
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00498574 VirtualProtect ?,-00000001,00000104,?,?,?,0000001C2_2_00498574
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00446400 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,2_2_00446400
                Source: C:\Users\user\Desktop\drop1.exeCode function: 0_2_00A5519E mov edi, dword ptr fs:[00000030h]0_2_00A5519E
                Source: C:\Users\user\Desktop\drop1.exeCode function: 0_2_00A31614 mov edi, dword ptr fs:[00000030h]0_2_00A31614
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00A31614 mov edi, dword ptr fs:[00000030h]2_2_00A31614
                Source: C:\Users\user\Desktop\drop1.exeCode function: 0_2_00A3FE2C GetProcessHeap,0_2_00A3FE2C
                Source: C:\Users\user\Desktop\drop1.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeCode function: 0_2_00A35020 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00A35020
                Source: C:\Users\user\Desktop\drop1.exeCode function: 0_2_00A35014 SetUnhandledExceptionFilter,0_2_00A35014
                Source: C:\Users\user\Desktop\drop1.exeCode function: 0_2_00A3B4B9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00A3B4B9
                Source: C:\Users\user\Desktop\drop1.exeCode function: 0_2_00A34C64 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00A34C64
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004AC6BF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_004AC6BF
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004AC80A SetUnhandledExceptionFilter,2_2_004AC80A
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00497B2D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00497B2D
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004ABFD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_004ABFD4
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00A35020 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00A35020
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00A35014 SetUnhandledExceptionFilter,2_2_00A35014
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00A3B4B9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00A3B4B9
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00A34C64 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00A34C64

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Contains functionality to inject code into remote processes
                Source: C:\Users\user\Desktop\drop1.exeCode function: 0_2_00A5519E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_00A5519E
                Injects a PE file into a foreign processes
                Source: C:\Users\user\Desktop\drop1.exeMemory written: C:\Users\user\Desktop\drop1.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_0047D2F0 ShellExecuteW,OpenProcessToken,GetCurrentProcess,GetTokenInformation,std::ios_base::_Ios_base_dtor,2_2_0047D2F0
                Source: C:\Users\user\Desktop\drop1.exeProcess created: C:\Users\user\Desktop\drop1.exe "C:\Users\user\Desktop\drop1.exe"Jump to behavior
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_00486C50 cpuid 2_2_00486C50
                Source: C:\Users\user\Desktop\drop1.exeCode function: EnumSystemLocalesW,0_2_00A43086
                Source: C:\Users\user\Desktop\drop1.exeCode function: GetLocaleInfoW,0_2_00A430D1
                Source: C:\Users\user\Desktop\drop1.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00A43178
                Source: C:\Users\user\Desktop\drop1.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00A42A13
                Source: C:\Users\user\Desktop\drop1.exeCode function: GetLocaleInfoW,0_2_00A3F21C
                Source: C:\Users\user\Desktop\drop1.exeCode function: GetLocaleInfoW,0_2_00A4327E
                Source: C:\Users\user\Desktop\drop1.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00A42CFF
                Source: C:\Users\user\Desktop\drop1.exeCode function: EnumSystemLocalesW,0_2_00A42C64
                Source: C:\Users\user\Desktop\drop1.exeCode function: GetLocaleInfoW,0_2_00A42FB1
                Source: C:\Users\user\Desktop\drop1.exeCode function: EnumSystemLocalesW,0_2_00A3F717
                Source: C:\Users\user\Desktop\drop1.exeCode function: EnumSystemLocalesW,0_2_00A42F52
                Source: C:\Users\user\Desktop\drop1.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_004A6109
                Source: C:\Users\user\Desktop\drop1.exeCode function: GetLocaleInfoEx,FormatMessageA,2_2_004B824D
                Source: C:\Users\user\Desktop\drop1.exeCode function: GetLocaleInfoW,2_2_004A620F
                Source: C:\Users\user\Desktop\drop1.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,2_2_004A62E5
                Source: C:\Users\user\Desktop\drop1.exeCode function: EnumSystemLocalesW,2_2_0049C70E
                Source: C:\Users\user\Desktop\drop1.exeCode function: EnumSystemLocalesW,2_2_004A5C67
                Source: C:\Users\user\Desktop\drop1.exeCode function: EnumSystemLocalesW,2_2_004A5C1A
                Source: C:\Users\user\Desktop\drop1.exeCode function: EnumSystemLocalesW,2_2_004A5C1C
                Source: C:\Users\user\Desktop\drop1.exeCode function: GetLocaleInfoW,2_2_0049CCB0
                Source: C:\Users\user\Desktop\drop1.exeCode function: EnumSystemLocalesW,2_2_004A5D02
                Source: C:\Users\user\Desktop\drop1.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,2_2_004A5D8D
                Source: C:\Users\user\Desktop\drop1.exeCode function: GetLocaleInfoW,2_2_004A5FE0
                Source: C:\Users\user\Desktop\drop1.exeCode function: EnumSystemLocalesW,2_2_00A43086
                Source: C:\Users\user\Desktop\drop1.exeCode function: GetLocaleInfoW,2_2_00A430D1
                Source: C:\Users\user\Desktop\drop1.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_00A43178
                Source: C:\Users\user\Desktop\drop1.exeCode function: GetLocaleInfoW,2_2_00A3F21C
                Source: C:\Users\user\Desktop\drop1.exeCode function: GetLocaleInfoW,2_2_00A4327E
                Source: C:\Users\user\Desktop\drop1.exeCode function: EnumSystemLocalesW,2_2_00A3F717
                Source: C:\Users\user\Desktop\drop1.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,2_2_00A42A13
                Source: C:\Users\user\Desktop\drop1.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,2_2_00A42CFF
                Source: C:\Users\user\Desktop\drop1.exeCode function: EnumSystemLocalesW,2_2_00A42C64
                Source: C:\Users\user\Desktop\drop1.exeCode function: GetLocaleInfoW,2_2_00A42FB1
                Source: C:\Users\user\Desktop\drop1.exeCode function: EnumSystemLocalesW,2_2_00A42F52
                Source: C:\Users\user\Desktop\drop1.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeKey value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyNameJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeCode function: 0_2_00A359A7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00A359A7
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004863F0 GetUserNameW,2_2_004863F0
                Source: C:\Users\user\Desktop\drop1.exeCode function: 2_2_004A1074 GetTimeZoneInformation,2_2_004A1074

                Stealing of Sensitive Information

                barindex
                Yara detected CredGrabber
                Source: Yara matchFile source: Process Memory Space: drop1.exe PID: 3444, type: MEMORYSTR
                Yara detected Meduza Stealer
                Source: Yara matchFile source: 0.2.drop1.exe.1416e20.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.drop1.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.drop1.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.drop1.exe.1416e20.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000002.00000002.1979975777.0000000001098000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: drop1.exe PID: 3444, type: MEMORYSTR
                Found many strings related to Crypto-Wallets (likely being stolen)
                Source: drop1.exe, 00000002.00000002.1979975777.0000000001098000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Electrum-LTC\config
                Source: drop1.exe, 00000002.00000002.1979975777.0000000001098000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ElectronCash\config
                Source: drop1.exe, 00000002.00000002.1979975777.0000000001098000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
                Source: drop1.exe, 00000002.00000002.1979975777.0000000001098000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Exodus\exodus.wallet
                Source: drop1.exe, 00000002.00000002.1979975777.00000000010E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\Local Storage\leveldbs|+
                Source: drop1.exe, 00000002.00000002.1979975777.0000000001098000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Ethereum\keystore
                Source: drop1.exe, 00000002.00000002.1979975777.0000000001098000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Ethereum\keystore
                Tries to harvest and steal Bitcoin Wallet information
                Source: C:\Users\user\Desktop\drop1.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-coreJump to behavior
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Users\user\Desktop\drop1.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.dbJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.oldJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.logJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCKJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENTJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.jsJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOGJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001Jump to behavior
                Source: C:\Users\user\Desktop\drop1.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqliteJump to behavior
                Source: C:\Users\user\Desktop\drop1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                Tries to steal Mail credentials (via file / registry access)
                Source: C:\Users\user\Desktop\drop1.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior

                Remote Access Functionality

                barindex
                Yara detected CredGrabber
                Source: Yara matchFile source: Process Memory Space: drop1.exe PID: 3444, type: MEMORYSTR
                Yara detected Meduza Stealer
                Source: Yara matchFile source: 0.2.drop1.exe.1416e20.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.drop1.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.drop1.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.drop1.exe.1416e20.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000002.00000002.1979975777.0000000001098000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: drop1.exe PID: 3444, type: MEMORYSTR

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
                Native API                		1
                DLL Side-Loading                		1
                Exploitation for Privilege Escalation                		1
                Disable or Modify Tools                		1
                OS Credential Dumping                		12
                System Time Discovery                		Remote Services1
                Archive Collected Data                		2
                Ingress Tool Transfer                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                DLL Side-Loading                		1
                Deobfuscate/Decode Files or Information                		LSASS Memory1
                Account Discovery                		Remote Desktop Protocol2
                Data from Local System                		21
                Encrypted Channel                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                Access Token Manipulation                		2
                Obfuscated Files or Information                		Security Account Manager3
                File and Directory Discovery                		SMB/Windows Admin Shares1
                Screen Capture                		1
                Non-Standard Port                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook211
                Process Injection                		1
                Software Packing                		NTDS34
                System Information Discovery                		Distributed Component Object Model1
                Email Collection                		2
                Non-Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                DLL Side-Loading                		LSA Secrets1
                Query Registry                		SSHKeylogging3
                Application Layer Protocol                		Scheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                Access Token Manipulation                		Cached Domain Credentials21
                Security Software Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items211
                Process Injection                		DCSync2
                Process Discovery                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem1
                System Owner/User Discovery                		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAtHTML Smuggling/etc/passwd and /etc/shadow1
                System Network Configuration Discovery                		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                drop1.exe79%VirustotalBrowse
                drop1.exe76%ReversingLabsWin32.Spyware.Meduzastealer

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                SourceDetectionScannerLabelLink
                https://api.ipify.org20%Avira URL Cloudsafe
                http://ns.microsoft.co2/t/Re0%Avira URL Cloudsafe
                https://support.moz0%Avira URL Cloudsafe
                http://ns.adob/1.0/.Y0%Avira URL Cloudsafe

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                api.ipify.org
                		104.26.13.205
                		truefalse
                  		high

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  https://api.ipify.org/false
                    		high

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    https://duckduckgo.com/chrome_newtabdrop1.exe, 00000002.00000003.1784006302.000000000478D000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784006302.0000000004774000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784152367.0000000001164000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784201858.0000000004774000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784201858.000000000478D000.00000004.00000020.00020000.00000000.sdmpfalse
                      		high
                      https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDFdrop1.exe, 00000002.00000003.1790425715.000000000485F000.00000004.00000020.00020000.00000000.sdmpfalse
                        		high
                        https://duckduckgo.com/ac/?q=drop1.exe, 00000002.00000003.1784006302.000000000478D000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784006302.0000000004774000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784152367.0000000001164000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784201858.0000000004774000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784201858.000000000478D000.00000004.00000020.00020000.00000000.sdmpfalse
                          		high
                          https://sectigo.com/CPS0drop1.exefalse
                            		high
                            http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#drop1.exefalse
                              		high
                              https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpgdrop1.exe, 00000002.00000003.1794443745.000000000117A000.00000004.00000020.00020000.00000000.sdmpfalse
                                		high
                                https://www.google.com/images/branding/product/ico/googleg_lodp.icodrop1.exe, 00000002.00000003.1784152367.0000000001164000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784201858.000000000478D000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		high
                                  http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0drop1.exefalse
                                    		high
                                    http://ocsp.sectigo.com0drop1.exefalse
                                      		high
                                      https://api.ipify.org2drop1.exe, 00000002.00000002.1979975777.0000000001098000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.drop1.exe, 00000002.00000003.1794443745.000000000117A000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		high
                                        http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#drop1.exefalse
                                          		high
                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=drop1.exe, 00000002.00000003.1784006302.000000000478D000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784006302.0000000004774000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784152367.0000000001164000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784201858.0000000004774000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784201858.000000000478D000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		high
                                            http://ns.microsoft.co2/t/Redrop1.exe, 00000002.00000003.1979361344.000000000130B000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1979420774.000000000130C000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&ctadrop1.exe, 00000002.00000003.1794443745.000000000117A000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		high
                                              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=drop1.exe, 00000002.00000003.1784152367.0000000001164000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784201858.000000000478D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                		high
                                                https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016drop1.exe, 00000002.00000003.1784605548.00000000047D6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#drop1.exefalse
                                                    		high
                                                    https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17drop1.exe, 00000002.00000003.1784605548.00000000047D6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://www.ecosia.org/newtab/drop1.exe, 00000002.00000003.1784152367.0000000001164000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784201858.000000000478D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brdrop1.exe, 00000002.00000003.1790425715.000000000485F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://ac.ecosia.org/autocomplete?q=drop1.exe, 00000002.00000003.1784152367.0000000001164000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784201858.000000000478D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            		high
                                                            http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0drop1.exefalse
                                                              		high
                                                              https://api.ipify.orgdrop1.exe, 00000002.00000002.1979975777.0000000001098000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                		high
                                                                https://support.mozdrop1.exe, 00000002.00000003.1790572642.0000000004220000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                		unknown
                                                                http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0ydrop1.exefalse
                                                                  		high
                                                                  https://api.ipify.org/ddrop1.exe, 00000002.00000002.1979975777.0000000001098000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpgdrop1.exe, 00000002.00000003.1794443745.000000000117A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYidrop1.exe, 00000002.00000003.1794443745.000000000117A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0zdrop1.exefalse
                                                                          		high
                                                                          https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Installdrop1.exe, 00000002.00000003.1784605548.00000000047B1000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784851444.000000000115E000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784605548.000000000478B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchdrop1.exe, 00000002.00000003.1784152367.0000000001164000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784201858.000000000478D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              http://ns.adob/1.0/.Ydrop1.exe, 00000002.00000002.1980297371.000000000130E000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1979361344.000000000130B000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1979420774.000000000130C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              		unknown
                                                                              https://support.mozilla.orgdrop1.exe, 00000002.00000003.1790572642.0000000004219000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1789452784.0000000003B28000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1790222997.0000000003B78000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1789672860.00000000047E2000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1790425715.0000000004858000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1789672860.00000000047DA000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1789452784.0000000003B20000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1789672860.0000000004825000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1790222997.0000000003B80000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examplesdrop1.exe, 00000002.00000003.1784605548.00000000047B1000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784851444.000000000115E000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784605548.000000000478B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=drop1.exe, 00000002.00000003.1784152367.0000000001164000.00000004.00000020.00020000.00000000.sdmp, drop1.exe, 00000002.00000003.1784201858.000000000478D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94drop1.exe, 00000002.00000003.1794443745.000000000117A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#drop1.exefalse
                                                                                        		high

                                                                                        World Map of Contacted IPs

                                                                                        • No. of IPs < 25%
                                                                                        • 25% < No. of IPs < 50%
                                                                                        • 50% < No. of IPs < 75%
                                                                                        • 75% < No. of IPs

                                                                                        Public IPs

                                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                                        66.63.187.173
                                                                                        		unknownUnited States
                                                                                        		8100ASN-QUADRANET-GLOBALUStrue
                                                                                        104.26.13.205
                                                                                        		api.ipify.orgUnited States
                                                                                        		13335CLOUDFLARENETUSfalse

                                                                                        General Information

                                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                                        Analysis ID:1584392
                                                                                        Start date and time:2025-01-05 11:53:05 +01:00
                                                                                        Joe Sandbox product:CloudBasic
                                                                                        Overall analysis duration:0h 4m 33s
                                                                                        Hypervisor based Inspection enabled:false
                                                                                        Report type:full
                                                                                        Cookbook file name:default.jbs
                                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                        Number of analysed new started processes analysed:6
                                                                                        Number of new started drivers analysed:0
                                                                                        Number of existing processes analysed:0
                                                                                        Number of existing drivers analysed:0
                                                                                        Number of injected processes analysed:0
                                                                                        Technologies:
                                                                                        • HCA enabled
                                                                                        • EGA enabled
                                                                                        • AMSI enabled
                                                                                        Analysis Mode:default
                                                                                        Analysis stop reason:Timeout
                                                                                        Sample name:drop1.exe
                                                                                        Detection:MAL
                                                                                        Classification:mal100.troj.spyw.evad.winEXE@4/0@1/2
                                                                                        EGA Information:
                                                                                        • Successful, ratio: 100%
                                                                                        HCA Information:
                                                                                        • Successful, ratio: 100%
                                                                                        • Number of executed functions: 80
                                                                                        • Number of non-executed functions: 136
                                                                                        Cookbook Comments:
                                                                                        • Found application associated with file extension: .exe
                                                                                        • Stop behavior analysis, all processes terminated

                                                                                        Warnings

                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                                                                                        • Excluded IPs from analysis (whitelisted): 20.12.23.50
                                                                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, 7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                        • Report size exceeded maximum capacity and may have missing network information.
                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                        Simulations

                                                                                        Behavior and APIs

                                                                                        No simulations

                                                                                        Joe Sandbox View / Context

                                                                                        IPs

                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                        66.63.187.173file.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                                                          104.26.13.205Yoranis Setup.exeGet hashmaliciousUnknownBrowse
                                                                                          • api.ipify.org/
                                                                                          BiXS3FRoLe.exeGet hashmaliciousTrojanRansomBrowse
                                                                                          • api.ipify.org/
                                                                                          lEUy79aLAW.exeGet hashmaliciousTrojanRansomBrowse
                                                                                          • api.ipify.org/
                                                                                          Simple1.exeGet hashmaliciousUnknownBrowse
                                                                                          • api.ipify.org/
                                                                                          2b7cu0KwZl.exeGet hashmaliciousUnknownBrowse
                                                                                          • api.ipify.org/
                                                                                          file.exeGet hashmaliciousUnknownBrowse
                                                                                          • api.ipify.org/
                                                                                          file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                          • api.ipify.org/
                                                                                          file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                          • api.ipify.org/
                                                                                          file.exeGet hashmaliciousRDPWrap ToolBrowse
                                                                                          • api.ipify.org/
                                                                                          Prismifyr-Install.exeGet hashmaliciousNode StealerBrowse
                                                                                          • api.ipify.org/

                                                                                          Domains

                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                          api.ipify.orgYoranis Setup.exeGet hashmaliciousUnknownBrowse
                                                                                          • 104.26.12.205
                                                                                          Yoranis Setup.exeGet hashmaliciousUnknownBrowse
                                                                                          • 104.26.13.205
                                                                                          file.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                                                          • 104.26.12.205
                                                                                          http://www.cipassoitalia.it/Get hashmaliciousCAPTCHA Scam ClickFixBrowse
                                                                                          • 172.67.74.152
                                                                                          https://telegra.ph/Clarkson-122025-01-02Get hashmaliciousUnknownBrowse
                                                                                          • 104.26.12.205
                                                                                          vEtDFkAZjO.exeGet hashmaliciousRL STEALER, StormKittyBrowse
                                                                                          • 104.26.12.205
                                                                                          Statement of Account - USD 16,720.00.exeGet hashmaliciousAgentTeslaBrowse
                                                                                          • 104.26.12.205
                                                                                          RtU8kXPnKr.exeGet hashmaliciousQuasarBrowse
                                                                                          • 104.26.12.205
                                                                                          Loader.exeGet hashmaliciousMeduza StealerBrowse
                                                                                          • 104.26.13.205
                                                                                          Jx6bD8nM4qW9sL3v.exeGet hashmaliciousUnknownBrowse
                                                                                          • 104.26.12.205

                                                                                          ASNs

                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                          ASN-QUADRANET-GLOBALUSfile.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                                                          • 66.63.187.173
                                                                                          Fantazy.spc.elfGet hashmaliciousUnknownBrowse
                                                                                          • 104.223.10.34
                                                                                          1.elfGet hashmaliciousUnknownBrowse
                                                                                          • 72.11.146.74
                                                                                          Aqua.arm7.elfGet hashmaliciousMiraiBrowse
                                                                                          • 193.111.248.108
                                                                                          Aqua.mips.elfGet hashmaliciousUnknownBrowse
                                                                                          • 193.111.248.108
                                                                                          Aqua.mpsl.elfGet hashmaliciousUnknownBrowse
                                                                                          • 193.111.248.108
                                                                                          DEMONS.ppc.elfGet hashmaliciousUnknownBrowse
                                                                                          • 162.220.9.64
                                                                                          Hilix.ppc.elfGet hashmaliciousMiraiBrowse
                                                                                          • 45.199.228.221
                                                                                          Hilix.m68k.elfGet hashmaliciousMiraiBrowse
                                                                                          • 45.199.228.219
                                                                                          CLOUDFLARENETUSavaydna.exeGet hashmaliciousNjratBrowse
                                                                                          • 104.17.25.14
                                                                                          HateSpeech2024_Summary.pdf.lnk.bin.lnkGet hashmaliciousEmmenhtal Loader, MalLnkBrowse
                                                                                          • 104.21.2.79
                                                                                          paint.exeGet hashmaliciousBlank GrabberBrowse
                                                                                          • 162.159.137.232
                                                                                          K27Yg4V48M.exeGet hashmaliciousLummaCBrowse
                                                                                          • 104.21.56.70
                                                                                          hkMUtKbCqV.exeGet hashmaliciousUnknownBrowse
                                                                                          • 162.159.135.234
                                                                                          IH5XqCdf06.exeGet hashmaliciousLummaCBrowse
                                                                                          • 104.21.56.70
                                                                                          3LcZO15oTC.exeGet hashmaliciousUnknownBrowse
                                                                                          • 104.21.43.44
                                                                                          3jL3mqtjCn.exeGet hashmaliciousLummaCBrowse
                                                                                          • 104.21.48.1
                                                                                          3LcZO15oTC.exeGet hashmaliciousUnknownBrowse
                                                                                          • 172.67.219.93
                                                                                          elyho3x5zz.exeGet hashmaliciousUnknownBrowse
                                                                                          • 188.114.96.3

                                                                                          JA3 Fingerprints

                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                          37f463bf4616ecd445d4a1937da06e192b687482300.6345827638.08.exeGet hashmaliciousUnknownBrowse
                                                                                          • 104.26.13.205
                                                                                          2b687482300.6345827638.08.exeGet hashmaliciousUnknownBrowse
                                                                                          • 104.26.13.205
                                                                                          K27Yg4V48M.exeGet hashmaliciousLummaCBrowse
                                                                                          • 104.26.13.205
                                                                                          IH5XqCdf06.exeGet hashmaliciousLummaCBrowse
                                                                                          • 104.26.13.205
                                                                                          Tax_Refund_Claim_2024_Australian_Taxation_Office.jsGet hashmaliciousRemcosBrowse
                                                                                          • 104.26.13.205
                                                                                          c2.htaGet hashmaliciousRemcosBrowse
                                                                                          • 104.26.13.205
                                                                                          file.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                                                          • 104.26.13.205
                                                                                          J18zxRjOes.exeGet hashmaliciousLummaCBrowse
                                                                                          • 104.26.13.205
                                                                                          HGwpjJUqhW.exeGet hashmaliciousGhostRatBrowse
                                                                                          • 104.26.13.205

                                                                                          Dropped Files

                                                                                          No context

                                                                                          Created / dropped Files

                                                                                          No created / dropped files found

                                                                                          Static File Info

                                                                                          General

                                                                                          File type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                          Entropy (8bit):7.97910480270726
                                                                                          TrID:
                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                          File name:drop1.exe
                                                                                          File size:2'537'088 bytes
                                                                                          MD5:cf2ac2dce038a884fce94f9350327033
                                                                                          SHA1:a2d1c361993e3b1b3289e4905287cb2c9a1714de
                                                                                          SHA256:6d38c8152edc5634fa7cae67424a5b28e1dca4b1037d99704c331c91faca77b7
                                                                                          SHA512:635c847a0dba3dea3a902ab2394f466c7230e5d355c5a2aa6364b83fd7f9ab6bcc194d2dc6ae6d3b3b9623bfe110d3222bfddb2b5987ca77d95b7d871ef7a1df
                                                                                          SSDEEP:49152:mGnxuIaLAA4B6oztxtwt81xuIaLAA4B6oztxtwt8N:mi1NvztxuG1NvztxuU
                                                                                          TLSH:22C5236235D59031DCA35071EDE2D370CB2EB920A771BEDBA384063E5B121D6A77A32D
                                                                                          File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....`g..........".................RY............@...........................&...........@..................................7..<..

                                                                                          File Icon

                                                                                          Icon Hash:90cececece8e8eb0

                                                                                          Static PE Info

                                                                                          General

                                                                                          Entrypoint:0x405952
                                                                                          Entrypoint Section:.text
                                                                                          Digitally signed:true
                                                                                          Imagebase:0x400000
                                                                                          Subsystem:windows cui
                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
                                                                                          Time Stamp:0x67601EA3 [Mon Dec 16 12:35:47 2024 UTC]
                                                                                          TLS Callbacks:
                                                                                          CLR (.Net) Version:
                                                                                          OS Version Major:6
                                                                                          OS Version Minor:0
                                                                                          File Version Major:6
                                                                                          File Version Minor:0
                                                                                          Subsystem Version Major:6
                                                                                          Subsystem Version Minor:0
                                                                                          Import Hash:2ab4b10182ffafd3eedee95a25f64213

                                                                                          Authenticode Signature

                                                                                          Signature Valid:false
                                                                                          Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
                                                                                          Signature Validation Error:The digital signature of the object did not verify
                                                                                          Error Number:-2146869232
                                                                                          Not Before, Not After
                                                                                          • 31/08/2023 01:00:00 31/08/2026 00:59:59
                                                                                          Subject Chain
                                                                                          • CN=Privacy Technologies OU, O=Privacy Technologies OU, S=Harjumaa, C=EE
                                                                                          Version:3
                                                                                          Thumbprint MD5:AD1BCBF19AE2F91BB114D33B85359E56
                                                                                          Thumbprint SHA-1:141D90A1BA8F61863FBEDDF7DD1D66C1D1E0B128
                                                                                          Thumbprint SHA-256:A08EA2A7A257AD690B988446951E9DEF2986A2F3F546B6F0902805330F3B6B48
                                                                                          Serial:00D0461B529F67189D43744E9CEFE172AE

                                                                                          Entrypoint Preview

                                                                                          Instruction
                                                                                          call 00007F8B78AFCA0Ah
                                                                                          jmp 00007F8B78AFC879h
                                                                                          mov ecx, dword ptr [004257C0h]
                                                                                          push esi
                                                                                          push edi
                                                                                          mov edi, BB40E64Eh
                                                                                          mov esi, FFFF0000h
                                                                                          cmp ecx, edi
                                                                                          je 00007F8B78AFCA06h
                                                                                          test esi, ecx
                                                                                          jne 00007F8B78AFCA28h
                                                                                          call 00007F8B78AFCA31h
                                                                                          mov ecx, eax
                                                                                          cmp ecx, edi
                                                                                          jne 00007F8B78AFCA09h
                                                                                          mov ecx, BB40E64Fh
                                                                                          jmp 00007F8B78AFCA10h
                                                                                          test esi, ecx
                                                                                          jne 00007F8B78AFCA0Ch
                                                                                          or eax, 00004711h
                                                                                          shl eax, 10h
                                                                                          or ecx, eax
                                                                                          mov dword ptr [004257C0h], ecx
                                                                                          not ecx
                                                                                          pop edi
                                                                                          mov dword ptr [00425800h], ecx
                                                                                          pop esi
                                                                                          ret
                                                                                          push ebp
                                                                                          mov ebp, esp
                                                                                          sub esp, 14h
                                                                                          lea eax, dword ptr [ebp-0Ch]
                                                                                          xorps xmm0, xmm0
                                                                                          push eax
                                                                                          movlpd qword ptr [ebp-0Ch], xmm0
                                                                                          call dword ptr [004239D8h]
                                                                                          mov eax, dword ptr [ebp-08h]
                                                                                          xor eax, dword ptr [ebp-0Ch]
                                                                                          mov dword ptr [ebp-04h], eax
                                                                                          call dword ptr [00423990h]
                                                                                          xor dword ptr [ebp-04h], eax
                                                                                          call dword ptr [0042398Ch]
                                                                                          xor dword ptr [ebp-04h], eax
                                                                                          lea eax, dword ptr [ebp-14h]
                                                                                          push eax
                                                                                          call dword ptr [00423A20h]
                                                                                          mov eax, dword ptr [ebp-10h]
                                                                                          lea ecx, dword ptr [ebp-04h]
                                                                                          xor eax, dword ptr [ebp-14h]
                                                                                          xor eax, dword ptr [ebp-04h]
                                                                                          xor eax, ecx
                                                                                          leave
                                                                                          ret
                                                                                          mov eax, 00004000h
                                                                                          ret
                                                                                          push 00426AA8h
                                                                                          call dword ptr [004239F8h]
                                                                                          ret
                                                                                          push 00030000h
                                                                                          push 00010000h
                                                                                          push 00000000h
                                                                                          call 00007F8B78B019BAh
                                                                                          add esp, 0Ch

                                                                                          Data Directories

                                                                                          NameVirtual AddressVirtual Size Is in Section
                                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT0x237980x3c.rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x2a0000xe8.rsrc
                                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x2688000x2e80.bss
                                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x2b0000x1940.reloc
                                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_TLS0x1fe580x18.rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x1cde80xc0.rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_IAT0x239280x154.rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                          Sections

                                                                                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                          .text0x10000x1a89c0x1aa002c90bf01d6a75cfa91195eab195cb511False0.5897795627934272data6.625714555730625IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                          .rdata0x1c0000x8b240x8c00d082dcd702b8cfd5c38fc05ef266a1f7False0.3864955357142857xBase (0xa) DBF * 0, update-date 170-1-3, with index file .MDX, with memo .FPT4.662128172849137IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                          .data0x250000x226c0x1600982bdad040c9e55617b82cb91da6c951False0.39417613636363635data4.554102284484849IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                          .bsS0x280000x530x200f5c8cf64c90793e21e616701e55b6530False0.17578125data1.411880155989052IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                          .tls0x290000x90x2001f354d76203061bfdd5a53dae48d5435False0.033203125data0.020393135236084953IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                          .rsrc0x2a0000xe80x200267fca3a548bff3d326d56604fef4ee6False0.306640625data2.344915704357875IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                          .reloc0x2b0000x19400x1a00ad27a2fd39c0f74f88141246becd5b06False0.7587139423076923data6.513010283131139IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                          .bss0x2d0000x120a000x120a00efbff3ab6ace47c3f7ec21199d5a24afFalse1.0003138195647467data7.999828133959274IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                          .bss0x14e0000x120a000x120a00efbff3ab6ace47c3f7ec21199d5a24afFalse1.0003138195647467data7.999828133959274IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

                                                                                          Resources

                                                                                          NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                          RT_MANIFEST0x2a0600x87XML 1.0 document, ASCII textEnglishUnited States0.8222222222222222

                                                                                          Imports

                                                                                          DLLImport
                                                                                          ADVAPI32.dllCryptContextAddRef
                                                                                          KERNEL32.dllAcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

                                                                                          Possible Origin

                                                                                          Language of compilation systemCountry where language is spokenMap
                                                                                          EnglishUnited States

                                                                                          Network Behavior

                                                                                          Suricata IDS Alerts

                                                                                          TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                          2025-01-05T11:54:10.969583+01002049441ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt1192.168.2.44973366.63.187.17315666TCP
                                                                                          2025-01-05T11:54:10.969583+01002050806ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M21192.168.2.44973366.63.187.17315666TCP
                                                                                          2025-01-05T11:54:10.969583+01002050807ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)1192.168.2.44973366.63.187.17315666TCP
                                                                                          2025-01-05T11:54:10.974496+01002050806ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M21192.168.2.44973366.63.187.17315666TCP
                                                                                          2025-01-05T11:54:10.974496+01002050807ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)1192.168.2.44973366.63.187.17315666TCP

                                                                                          Network Port Distribution

                                                                                          TCP Packets

                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                          Jan 5, 2025 11:54:07.142132044 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:07.147100925 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:07.147173882 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:07.212558985 CET49734443192.168.2.4104.26.13.205
                                                                                          Jan 5, 2025 11:54:07.212578058 CET44349734104.26.13.205192.168.2.4
                                                                                          Jan 5, 2025 11:54:07.212807894 CET49734443192.168.2.4104.26.13.205
                                                                                          Jan 5, 2025 11:54:07.230053902 CET49734443192.168.2.4104.26.13.205
                                                                                          Jan 5, 2025 11:54:07.230068922 CET44349734104.26.13.205192.168.2.4
                                                                                          Jan 5, 2025 11:54:07.689429998 CET44349734104.26.13.205192.168.2.4
                                                                                          Jan 5, 2025 11:54:07.689512014 CET49734443192.168.2.4104.26.13.205
                                                                                          Jan 5, 2025 11:54:07.741281033 CET49734443192.168.2.4104.26.13.205
                                                                                          Jan 5, 2025 11:54:07.741292000 CET44349734104.26.13.205192.168.2.4
                                                                                          Jan 5, 2025 11:54:07.741569996 CET44349734104.26.13.205192.168.2.4
                                                                                          Jan 5, 2025 11:54:07.741624117 CET49734443192.168.2.4104.26.13.205
                                                                                          Jan 5, 2025 11:54:07.744940996 CET49734443192.168.2.4104.26.13.205
                                                                                          Jan 5, 2025 11:54:07.787337065 CET44349734104.26.13.205192.168.2.4
                                                                                          Jan 5, 2025 11:54:07.848509073 CET44349734104.26.13.205192.168.2.4
                                                                                          Jan 5, 2025 11:54:07.848551035 CET49734443192.168.2.4104.26.13.205
                                                                                          Jan 5, 2025 11:54:07.848552942 CET44349734104.26.13.205192.168.2.4
                                                                                          Jan 5, 2025 11:54:07.848594904 CET49734443192.168.2.4104.26.13.205
                                                                                          Jan 5, 2025 11:54:07.849226952 CET49734443192.168.2.4104.26.13.205
                                                                                          Jan 5, 2025 11:54:07.849236965 CET44349734104.26.13.205192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.969583035 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.974416971 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.974427938 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.974442959 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.974452019 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.974459887 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.974495888 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.974596977 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.974606037 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.974662066 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.974674940 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.974684000 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.974750042 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.974780083 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.974836111 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.979360104 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.979368925 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.979377985 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.979396105 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.979404926 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.979415894 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.979435921 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.979482889 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.979491949 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.979517937 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.979520082 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.979563951 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.979588032 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.979597092 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.979633093 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.979662895 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.979702950 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.979722977 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.979826927 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.984239101 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.984298944 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.984308004 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.984316111 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.984390020 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.984390974 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.984400034 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.984409094 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.984415054 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.984448910 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.984489918 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.984505892 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.984539986 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.984549999 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.984559059 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.984627962 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.984638929 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.984647989 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.984663963 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.984669924 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.984673023 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.984684944 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.984704971 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.984725952 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.984743118 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.984796047 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.984802008 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.984816074 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.984824896 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.984833002 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.984857082 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.984862089 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.984869003 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.984873056 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.984888077 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.984895945 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.984920979 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.984950066 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.989130020 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989140034 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989156961 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989165068 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989173889 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989188910 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989196062 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.989239931 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989248991 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989284039 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.989288092 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989305973 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989322901 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989331007 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989339113 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989367008 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989396095 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989404917 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989422083 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.989453077 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.989460945 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989470005 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989480019 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989490032 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989512920 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989521027 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989553928 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989562988 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989568949 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.989578009 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989613056 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.989626884 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989634991 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989666939 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.989686966 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989696980 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989700079 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.989706993 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989739895 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.989764929 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989773989 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989782095 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989783049 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.989840031 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989842892 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.989850044 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989857912 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989866972 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989892960 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989897013 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.989903927 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989911079 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.989912033 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989921093 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.989934921 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989974022 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.989979029 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989988089 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.989996910 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.990005016 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.990020037 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.990027905 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.990039110 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.990060091 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.990071058 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.990077972 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.990086079 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.990088940 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.990102053 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.990109921 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.990120888 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.990128994 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.990140915 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.990144014 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.990154028 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.990163088 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.990165949 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.990180016 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.990185022 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.990195036 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.990202904 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.990211964 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.990212917 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.990236044 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.990238905 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.990245104 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.990253925 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.990255117 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.990262985 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.990291119 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.990326881 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.990336895 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.990345001 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.990354061 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.990362883 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.990377903 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.990466118 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.994092941 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994102955 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994126081 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994134903 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994144917 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994154930 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.994178057 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994179010 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.994214058 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.994227886 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994237900 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994239092 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.994254112 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994262934 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994287968 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.994309902 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994318962 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994321108 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.994371891 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.994410992 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994430065 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994437933 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994446039 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994453907 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994462967 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994477987 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994486094 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994494915 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.994494915 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994504929 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994527102 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.994532108 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994541883 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.994541883 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994585037 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994594097 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994615078 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994623899 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994632959 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.994653940 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994661093 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.994663954 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994707108 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994716883 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994733095 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.994756937 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994761944 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.994765997 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994775057 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994784117 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994798899 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994807005 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994813919 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.994823933 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994832993 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994843006 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994851112 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994858027 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.994868994 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994873047 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.994878054 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994900942 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994909048 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.994910002 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.994976997 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.994992971 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995002031 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995029926 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995038986 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995059967 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.995100021 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995104074 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.995110035 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995119095 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995126963 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995136023 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995151997 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995161057 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995182037 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.995184898 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995197058 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995204926 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995213032 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.995213985 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995239019 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.995259047 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.995333910 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995343924 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995353937 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995362997 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995372057 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995381117 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995388985 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995397091 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995404959 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995409012 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.995412111 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995429993 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.995436907 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995445967 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995460987 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995470047 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995476961 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995481014 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.995485067 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995493889 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995502949 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.995503902 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995531082 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.995544910 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995554924 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995563984 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995573044 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995580912 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995580912 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.995589972 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995598078 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.995599031 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995615005 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995624065 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995631933 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.995641947 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995651007 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.995651960 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995660067 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995668888 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.995695114 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.995737076 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995747089 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995754957 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995764017 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995771885 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995780945 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995795965 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995800018 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.995805025 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995814085 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995822906 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995826960 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.995832920 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995842934 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995883942 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.995903969 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995914936 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995923042 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995930910 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995939016 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995946884 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995958090 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.995961905 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995971918 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995974064 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.995980978 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995990038 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.995999098 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.996002913 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.996011972 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.996015072 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.996025085 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.996033907 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.996036053 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.996042967 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.996052980 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.996053934 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.996074915 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.996084929 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.996093035 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.996093988 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.996102095 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.996109009 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.996113062 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.996129990 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.996138096 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.996141911 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.996146917 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.996155977 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.996161938 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.996174097 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.996181965 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.996189117 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.996198893 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.996220112 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.996256113 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.996265888 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.996273041 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.996280909 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.996290922 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.996290922 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.996315956 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.999293089 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999304056 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999320030 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999397039 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999407053 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999448061 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999449015 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.999458075 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999475002 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999484062 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999491930 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999497890 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999505997 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.999532938 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.999608040 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999618053 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999624968 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999634027 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999641895 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999651909 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999660015 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999665976 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.999667883 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999685049 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.999713898 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999723911 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999731064 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999739885 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999744892 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.999748945 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999758959 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999761105 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.999775887 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999784946 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999794006 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.999804974 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.999824047 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999833107 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999841928 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999864101 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.999866009 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999874115 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999882936 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999906063 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.999955893 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999960899 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:10.999965906 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999974966 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999983072 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999990940 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:10.999999046 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000014067 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000014067 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.000022888 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000025988 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.000031948 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000049114 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000057936 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000066042 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000073910 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000072002 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.000082970 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000092030 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000099897 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.000099897 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000112057 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.000124931 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000133038 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000140905 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000149012 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000164032 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.000179052 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.000211954 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000221014 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000236034 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000241041 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.000247955 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000257015 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000264883 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000273943 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000276089 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.000283003 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000298023 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.000298977 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000308037 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000309944 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.000317097 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000325918 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000333071 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000356913 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.000402927 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000412941 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000417948 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.000422955 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000432968 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000439882 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000447989 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000457048 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000469923 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.000474930 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000484943 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000494003 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000502110 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000507116 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.000526905 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000535965 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000543118 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.000544071 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000552893 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000557899 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.000564098 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000574112 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000575066 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.000582933 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000591993 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000607967 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000616074 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000623941 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000627995 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.000633001 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000648975 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000650883 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.000658035 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000667095 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000674009 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.000674963 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000713110 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.000740051 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.000744104 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.000808001 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.000991106 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001000881 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001008987 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001017094 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001032114 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001039982 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001048088 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001056910 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001065016 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001070976 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.001113892 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.001167059 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001177073 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001183987 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001193047 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001200914 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001208067 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001223087 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001228094 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.001231909 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001240969 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001250029 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001265049 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001274109 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001274109 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.001281977 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001313925 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.001333952 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001344919 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001353025 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001358032 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.001382113 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.001413107 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001420975 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.001422882 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001540899 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.001710892 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001719952 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001728058 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001735926 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001743078 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001750946 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001765966 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001775026 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001782894 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001782894 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.001791954 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001799107 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.001801014 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001810074 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001820087 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001822948 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.001830101 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001835108 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.001843929 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001857996 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.001878977 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.001946926 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.045841932 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.046171904 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.046231985 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.046288013 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.046329975 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.046389103 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.046446085 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.046489000 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.046550035 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.046591043 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.046648026 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.046690941 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.046753883 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.046789885 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.062172890 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.062393904 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.062465906 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.062514067 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.062572002 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.062603951 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.067209959 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.067390919 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.067456961 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.067487955 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.109683990 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.110965967 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.158818007 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.159039974 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.159101009 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.159141064 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.159193039 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.159233093 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.159281969 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.159328938 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.159389973 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.159439087 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.159501076 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.159513950 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.163944006 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.164144039 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.164208889 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.164242029 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.209788084 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.210038900 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.217187881 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.217380047 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.217441082 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.217483044 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.217534065 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.222274065 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.222429991 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.222507954 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.222544909 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.265738964 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.265790939 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.292009115 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.292107105 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.292200089 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.292309999 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.292371988 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.292459011 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.292510033 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.292574883 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.292628050 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.292686939 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.292707920 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.297076941 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.297236919 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.337758064 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.337842941 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.354968071 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.355065107 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.355190039 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.355257034 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.355309963 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.355370998 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.355428934 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.355511904 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.355581999 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.355655909 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.355685949 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.360081911 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.360302925 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.360388041 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.360450983 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.360513926 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.360568047 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.360631943 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.360650063 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.405766010 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.405915976 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.414041996 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.414264917 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.414323092 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.414374113 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.414426088 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.414469957 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.414519072 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.414561033 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.414608002 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.414654970 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.414714098 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.414753914 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.414819002 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.414861917 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.414916992 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.414953947 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.419107914 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419118881 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419137001 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419158936 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419182062 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.419187069 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419197083 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419214010 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.419225931 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419234991 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419258118 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.419282913 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.419306993 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419321060 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419337988 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419369936 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.419441938 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419451952 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419459105 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419466972 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419475079 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419482946 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419490099 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419506073 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419513941 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419533014 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.419557095 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419565916 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419567108 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.419574022 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419584036 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419600964 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419605017 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.419609070 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419637918 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.419680119 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419689894 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419698000 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419706106 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419717073 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.419723034 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419733047 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419732094 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.419787884 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.419817924 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419826984 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419836998 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419846058 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419852972 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419861078 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419867992 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.419903040 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419913054 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419915915 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.419919968 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419929028 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419948101 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419955969 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419970036 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.419970989 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.419980049 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420001984 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.420005083 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420016050 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.420017004 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420039892 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420047998 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420077085 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.420079947 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420097113 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420113087 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420118093 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.420120955 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420155048 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.420177937 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420186996 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420207977 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420216084 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420239925 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420243025 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.420248985 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420278072 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.420291901 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420300007 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420301914 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.420382023 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.420388937 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420398951 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420407057 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420414925 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420440912 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.420511007 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420512915 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.420521975 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420531034 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420541048 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420548916 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420557976 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420572042 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420578003 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.420583010 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420591116 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.420602083 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420610905 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420618057 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.420619011 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420629025 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420636892 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.420689106 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420698881 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420700073 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.420707941 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420716047 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420723915 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420732021 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420739889 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420739889 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.420747995 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420763969 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420773029 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.420773983 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420804024 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.420804977 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420815945 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420816898 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.420819998 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420830965 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420839071 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420845985 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420860052 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420867920 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420867920 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.420880079 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420886993 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.420888901 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420906067 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420914888 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420923948 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.420958042 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420969009 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.420975924 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421003103 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.421101093 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421111107 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421118021 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421124935 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421128988 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421132088 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421135902 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421155930 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421164036 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421170950 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421179056 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421192884 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421200037 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421204090 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.421207905 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421216011 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421221018 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421224117 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421226025 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.421256065 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421258926 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.421264887 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421268940 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421272993 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421294928 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421303988 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421308041 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421329021 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421341896 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.421361923 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.421391964 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421401978 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421410084 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421412945 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421495914 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421504974 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421508074 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421519041 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421521902 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.421565056 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421574116 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421597004 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421606064 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421627998 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.421681881 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421691895 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.421715021 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.421843052 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.466856003 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.467170000 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.467672110 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.467730045 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.467768908 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.467818975 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.467860937 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.467907906 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.467947006 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.468010902 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.468053102 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.468100071 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.468138933 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.468204021 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.468250990 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.468316078 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.468360901 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.468415022 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.468456984 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.468506098 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.468523979 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.477696896 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.477766991 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.477786064 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.477793932 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.477803946 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.477818966 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.477838993 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.477875948 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.477885008 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.477885008 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.477902889 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.477927923 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.477936029 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.477950096 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.477958918 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.477982998 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.477993965 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.478015900 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.478040934 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478049994 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478063107 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478070021 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478075027 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.478084087 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478122950 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478122950 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.478137970 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478147984 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.478214979 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.478245020 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478254080 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478260040 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478266954 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478291988 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478300095 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478301048 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.478353977 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478363037 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478372097 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478384972 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.478388071 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478399038 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478413105 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478430033 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.478458881 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478467941 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478480101 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478490114 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.478492022 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478516102 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478523016 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478527069 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.478549957 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478554964 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.478579044 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478620052 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478627920 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478668928 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478677034 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478691101 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478712082 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.478715897 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478753090 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.478771925 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478780031 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478787899 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478816986 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478825092 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478832960 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478857040 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.478889942 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.478915930 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478931904 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478939056 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478951931 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478957891 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478965998 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478980064 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.478982925 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.478993893 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479013920 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.479017019 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479026079 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.479044914 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479048967 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.479063988 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479073048 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.479084015 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479094028 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.479120016 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479126930 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.479129076 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479176044 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479183912 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479191065 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479229927 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479238033 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479245901 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.479248047 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479279995 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479288101 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479300022 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.479324102 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479331970 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479351044 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479357958 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479360104 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.479367971 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479379892 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.479433060 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479440928 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479445934 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479486942 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.479494095 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479504108 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479511023 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479525089 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479532957 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479556084 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.479588032 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479597092 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479604006 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479612112 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479619980 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.479648113 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.479652882 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479662895 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479677916 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479686022 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479707956 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.479717016 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479727983 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479752064 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.479774952 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479783058 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479790926 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479806900 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.479808092 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479816914 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479830980 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479840994 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479846954 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.479865074 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479867935 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.479883909 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.479899883 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479918003 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479926109 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479932070 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.479944944 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.479959965 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.480025053 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.480026007 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480035067 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480041981 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480050087 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480052948 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480071068 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480077982 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480078936 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.480098009 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480107069 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480110884 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480134964 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480139971 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.480156898 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.480207920 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480216980 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480223894 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480227947 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480228901 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.480267048 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.480278969 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480288029 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480302095 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480309010 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480324030 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480335951 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.480376959 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480386019 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480400085 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480405092 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.480408907 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480420113 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480432987 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480436087 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.480473995 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.480496883 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480505943 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480513096 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480526924 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480535030 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480559111 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480566025 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480577946 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480591059 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.480612040 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.480669022 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480676889 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480684042 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480690956 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480696917 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.480700016 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480710030 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480710983 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.480721951 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.480734110 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480742931 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480751991 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480767012 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.480798960 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480813026 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.480813980 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480823040 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480849028 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.480871916 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480880976 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480887890 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480901957 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480910063 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480932951 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480936050 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.480940104 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480962038 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.480973005 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480982065 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.480994940 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481005907 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.481020927 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.481040955 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481071949 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.481072903 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481082916 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481091976 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481128931 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.481144905 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481153011 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481161118 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481178045 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481223106 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481230021 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481231928 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.481239080 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481255054 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481277943 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481292009 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481300116 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481319904 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.481338978 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.481368065 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481375933 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481389999 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481396914 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481419086 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481426954 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481435061 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481456041 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481461048 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.481482983 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481489897 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.481513023 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481520891 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481547117 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.481561899 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481570959 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481581926 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481590986 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481606960 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481612921 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.481635094 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481638908 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.481657028 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481662035 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.481698990 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481708050 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481714964 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.481756926 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481766939 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481779099 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481786013 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481787920 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.481796026 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481815100 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.481836081 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481844902 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481848001 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.481895924 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481905937 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481911898 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481919050 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481931925 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481961966 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.481981039 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481988907 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.481992960 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.482008934 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.482017040 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.482027054 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.482045889 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.482065916 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.482075930 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.482081890 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.482115030 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.482124090 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.482131004 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.482147932 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.482192993 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.482202053 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.482212067 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.482218981 CET156664973366.63.187.173192.168.2.4
                                                                                          Jan 5, 2025 11:54:11.482228994 CET4973315666192.168.2.466.63.187.173
                                                                                          Jan 5, 2025 11:54:11.482237101 CET156664973366.63.187.173192.168.2.4

                                                                                          DNS Queries

                                                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                          Jan 5, 2025 11:54:07.195625067 CET192.168.2.41.1.1.10x378eStandard query (0)api.ipify.orgA (IP address)IN (0x0001)false

                                                                                          DNS Answers

                                                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                          Jan 5, 2025 11:54:07.202430010 CET1.1.1.1192.168.2.40x378eNo error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                                                                          Jan 5, 2025 11:54:07.202430010 CET1.1.1.1192.168.2.40x378eNo error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                                                                          Jan 5, 2025 11:54:07.202430010 CET1.1.1.1192.168.2.40x378eNo error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false

                                                                                          HTTPS Proxied Packets

                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          0192.168.2.449734104.26.13.2054433444C:\Users\user\Desktop\drop1.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2025-01-05 10:54:07 UTC100OUTGET / HTTP/1.1
                                                                                          Accept: text/html; text/plain; */*
                                                                                          Host: api.ipify.org
                                                                                          Cache-Control: no-cache
                                                                                          2025-01-05 10:54:07 UTC424INHTTP/1.1 200 OK
                                                                                          Date: Sun, 05 Jan 2025 10:54:07 GMT
                                                                                          Content-Type: text/plain
                                                                                          Content-Length: 12
                                                                                          Connection: close
                                                                                          Vary: Origin
                                                                                          CF-Cache-Status: DYNAMIC
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8fd2edb2b90d7d05-EWR
                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=2091&min_rtt=1943&rtt_var=835&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=738&delivery_rate=1502830&cwnd=195&unsent_bytes=0&cid=df368f3a209bae22&ts=169&x=0"
                                                                                          2025-01-05 10:54:07 UTC12INData Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
                                                                                          Data Ascii: 8.46.123.189


                                                                                          Statistics

                                                                                          CPU Usage

                                                                                          Click to jump to process

                                                                                          Memory Usage

                                                                                          Click to jump to process

                                                                                          High Level Behavior Distribution

                                                                                          Click to dive into process behavior distribution

                                                                                          Behavior

                                                                                          Click to jump to process

                                                                                          System Behavior

                                                                                          General

                                                                                          Target ID:0
                                                                                          Start time:05:53:53
                                                                                          Start date:05/01/2025
                                                                                          Path:C:\Users\user\Desktop\drop1.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\Desktop\drop1.exe"
                                                                                          Imagebase:0xa30000
                                                                                          File size:2'537'088 bytes
                                                                                          MD5 hash:CF2AC2DCE038A884FCE94F9350327033
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          General

                                                                                          Target ID:1
                                                                                          Start time:05:53:53
                                                                                          Start date:05/01/2025
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          General

                                                                                          Target ID:2
                                                                                          Start time:05:54:06
                                                                                          Start date:05/01/2025
                                                                                          Path:C:\Users\user\Desktop\drop1.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\Desktop\drop1.exe"
                                                                                          Imagebase:0xa30000
                                                                                          File size:2'537'088 bytes
                                                                                          MD5 hash:CF2AC2DCE038A884FCE94F9350327033
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_MeduzaStealer, Description: Yara detected Meduza Stealer, Source: 00000002.00000002.1979975777.0000000001098000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_MeduzaStealer, Description: Yara detected Meduza Stealer, Source: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: infostealer_win_meduzastealer, Description: Finds MeduzaStealer samples based on specific strings, Source: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Sekoia.io
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          Disassembly

                                                                                          Reset < >

                                                                                            Execution Graph

                                                                                            Execution Coverage:4.6%
                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                            Signature Coverage:2%
                                                                                            Total number of Nodes:1786
                                                                                            Total number of Limit Nodes:23
                                                                                            execution_graph 15571 a33fa3 15573 a33fb9 _Yarn 15571->15573 15572 a33fbf 15573->15572 15574 a34065 15573->15574 15577 a3c32c 15573->15577 15574->15572 15576 a3c32c __fread_nolock 31 API calls 15574->15576 15576->15572 15580 a3c28f 15577->15580 15581 a3c29b ___scrt_is_nonwritable_in_current_image 15580->15581 15582 a3c2d3 15581->15582 15583 a3c2e5 15581->15583 15584 a3c2ae __fread_nolock 15581->15584 15582->15573 15593 a3875f EnterCriticalSection 15583->15593 15586 a3ad6d __dosmaperr 12 API calls 15584->15586 15588 a3c2c8 15586->15588 15587 a3c2ef 15594 a3c349 15587->15594 15590 a3b458 __strnicoll 27 API calls 15588->15590 15590->15582 15593->15587 15596 a3c35b __fread_nolock 15594->15596 15600 a3c306 15594->15600 15595 a3c368 15597 a3ad6d __dosmaperr 12 API calls 15595->15597 15596->15595 15596->15600 15603 a3c3b9 15596->15603 15598 a3c36d 15597->15598 15599 a3b458 __strnicoll 27 API calls 15598->15599 15599->15600 15607 a3c324 15600->15607 15601 a45d52 __fread_nolock 29 API calls 15601->15603 15602 a3c4e4 __fread_nolock 15606 a3ad6d __dosmaperr 12 API calls 15602->15606 15603->15600 15603->15601 15603->15602 15604 a3c20e __fread_nolock 27 API calls 15603->15604 15605 a40efc __fread_nolock 27 API calls 15603->15605 15604->15603 15605->15603 15606->15598 15610 a38773 LeaveCriticalSection 15607->15610 15609 a3c32a 15609->15582 15610->15609 14336 a342bc 14338 a342c8 14336->14338 14337 a342ff 14338->14337 14342 a3cc2c 14338->14342 14340 a342ec 14340->14337 14346 a34362 14340->14346 14343 a3cc3f _Fputc 14342->14343 14350 a3cc99 14343->14350 14345 a3cc54 _Fputc 14345->14340 14347 a34381 14346->14347 14348 a343a3 14347->14348 14376 a38719 14347->14376 14348->14337 14351 a3ccab 14350->14351 14352 a3ccce 14350->14352 14353 a3b601 __strnicoll 27 API calls 14351->14353 14352->14351 14355 a3ccf5 14352->14355 14354 a3ccc6 14353->14354 14354->14345 14358 a3cdcf 14355->14358 14359 a3cddb ___scrt_is_nonwritable_in_current_image 14358->14359 14366 a3875f EnterCriticalSection 14359->14366 14361 a3cde9 14367 a3cd2f 14361->14367 14363 a3cdf6 14372 a3ce1e 14363->14372 14366->14361 14368 a3bc27 ___scrt_uninitialize_crt 62 API calls 14367->14368 14369 a3cd4a 14368->14369 14370 a3cd6f 14369->14370 14371 a3f807 __Getctype 12 API calls 14369->14371 14370->14363 14371->14370 14375 a38773 LeaveCriticalSection 14372->14375 14374 a3cd2d 14374->14345 14375->14374 14377 a38725 14376->14377 14380 a3873a 14376->14380 14378 a3ad6d __dosmaperr 12 API calls 14377->14378 14379 a3872a 14378->14379 14381 a3b458 __strnicoll 27 API calls 14379->14381 14380->14348 14382 a38735 14381->14382 14382->14348 14300 a5519e 14301 a551d4 14300->14301 14301->14301 14302 a55321 GetPEB 14301->14302 14303 a55333 CreateProcessW VirtualAlloc Wow64GetThreadContext ReadProcessMemory VirtualAllocEx 14301->14303 14302->14303 14303->14301 14304 a553da WriteProcessMemory 14303->14304 14305 a5541f 14304->14305 14306 a55424 WriteProcessMemory 14305->14306 14307 a55461 WriteProcessMemory Wow64SetThreadContext ResumeThread 14305->14307 14306->14305 12595 a357d0 12596 a357dc ___scrt_is_nonwritable_in_current_image 12595->12596 12622 a32baf 12596->12622 12598 a357e3 12599 a3593c 12598->12599 12607 a3580d ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock CallUnexpected 12598->12607 12658 a35020 IsProcessorFeaturePresent 12599->12658 12601 a35943 12602 a35949 12601->12602 12662 a38bd6 12601->12662 12665 a38bec 12602->12665 12606 a3582c 12607->12606 12608 a358ad 12607->12608 12610 a358a6 12607->12610 12640 a3b145 12608->12640 12633 a38c20 12610->12633 12612 a358b3 12644 a5804b 12612->12644 12617 a358d8 12618 a358e1 12617->12618 12649 a38c02 12617->12649 12652 a32be8 12618->12652 12623 a32bb8 12622->12623 12668 a34c8c IsProcessorFeaturePresent 12623->12668 12627 a32bc9 12628 a32bcd 12627->12628 12678 a3867a 12627->12678 12628->12598 12631 a32be4 12631->12598 12634 a38c36 std::_Lockit::_Lockit 12633->12634 12635 a3cf0b ___scrt_is_nonwritable_in_current_image 12633->12635 12634->12608 12750 a3e783 GetLastError 12635->12750 12641 a3b153 12640->12641 12642 a3b14e 12640->12642 12641->12612 12985 a3b26e 12642->12985 13464 a58000 GetModuleHandleA GetModuleFileNameA ExitProcess 12644->13464 12647 a34fcd GetModuleHandleW 12648 a34fd9 12647->12648 12648->12601 12648->12617 13467 a38d21 12649->13467 12653 a32bf4 12652->12653 12654 a32c0a 12653->12654 13532 a3868c 12653->13532 12654->12606 12656 a32c02 12657 a36188 ___scrt_uninitialize_crt 7 API calls 12656->12657 12657->12654 12659 a35036 __fread_nolock CallUnexpected 12658->12659 12660 a350e1 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 12659->12660 12661 a35125 CallUnexpected 12660->12661 12661->12601 12663 a38d21 CallUnexpected 14 API calls 12662->12663 12664 a38be7 12663->12664 12664->12602 12666 a38d21 CallUnexpected 14 API calls 12665->12666 12667 a35951 12666->12667 12669 a32bc4 12668->12669 12670 a36169 12669->12670 12687 a3e1c6 12670->12687 12673 a36172 12673->12627 12675 a3617a 12676 a36185 12675->12676 12701 a3e202 12675->12701 12676->12627 12741 a40815 12678->12741 12681 a36188 12682 a36191 12681->12682 12683 a3619b 12681->12683 12684 a3d297 ___vcrt_uninitialize_ptd 6 API calls 12682->12684 12683->12628 12685 a36196 12684->12685 12686 a3e202 ___vcrt_uninitialize_locks DeleteCriticalSection 12685->12686 12686->12683 12688 a3e1cf 12687->12688 12690 a3e1f8 12688->12690 12691 a3616e 12688->12691 12705 a47e4b 12688->12705 12692 a3e202 ___vcrt_uninitialize_locks DeleteCriticalSection 12690->12692 12691->12673 12693 a3d264 12691->12693 12692->12691 12722 a47d5c 12693->12722 12696 a3d279 12696->12675 12699 a3d294 12699->12675 12702 a3e22c 12701->12702 12703 a3e20d 12701->12703 12702->12673 12704 a3e217 DeleteCriticalSection 12703->12704 12704->12702 12704->12704 12710 a47edd 12705->12710 12708 a47e83 InitializeCriticalSectionAndSpinCount 12709 a47e6e 12708->12709 12709->12688 12711 a47efe 12710->12711 12712 a47e65 12710->12712 12711->12712 12713 a47f66 GetProcAddress 12711->12713 12715 a47f57 12711->12715 12717 a47e92 LoadLibraryExW 12711->12717 12712->12708 12712->12709 12713->12712 12715->12713 12716 a47f5f FreeLibrary 12715->12716 12716->12713 12718 a47ea9 GetLastError 12717->12718 12719 a47ed9 12717->12719 12718->12719 12720 a47eb4 ___vcrt_FlsGetValue 12718->12720 12719->12711 12720->12719 12721 a47eca LoadLibraryExW 12720->12721 12721->12711 12723 a47edd ___vcrt_FlsGetValue 5 API calls 12722->12723 12724 a47d76 12723->12724 12725 a47d8f TlsAlloc 12724->12725 12726 a3d26e 12724->12726 12726->12696 12727 a47e0d 12726->12727 12728 a47edd ___vcrt_FlsGetValue 5 API calls 12727->12728 12729 a47e27 12728->12729 12730 a47e42 TlsSetValue 12729->12730 12731 a3d287 12729->12731 12730->12731 12731->12699 12732 a3d297 12731->12732 12733 a3d2a1 12732->12733 12734 a3d2a7 12732->12734 12736 a47d97 12733->12736 12734->12696 12737 a47edd ___vcrt_FlsGetValue 5 API calls 12736->12737 12738 a47db1 12737->12738 12739 a47dc9 TlsFree 12738->12739 12740 a47dbd 12738->12740 12739->12740 12740->12734 12742 a40825 12741->12742 12743 a32bd6 12741->12743 12742->12743 12745 a3ff89 12742->12745 12743->12631 12743->12681 12746 a3ff90 12745->12746 12747 a3ffd3 GetStdHandle 12746->12747 12748 a40035 12746->12748 12749 a3ffe6 GetFileType 12746->12749 12747->12746 12748->12742 12749->12746 12751 a3e799 12750->12751 12754 a3e79f 12750->12754 12784 a3f19b 12751->12784 12772 a3e7a3 12754->12772 12789 a3f1da 12754->12789 12756 a3e828 SetLastError 12759 a3cf1c 12756->12759 12760 a3e838 12756->12760 12773 a3b9c2 12759->12773 12763 a3b9c2 CallUnexpected 35 API calls 12760->12763 12761 a3e7e9 12765 a3f1da __Getctype 6 API calls 12761->12765 12762 a3e7d8 12764 a3f1da __Getctype 6 API calls 12762->12764 12766 a3e83d 12763->12766 12764->12772 12767 a3e7f5 12765->12767 12768 a3e810 12767->12768 12769 a3e7f9 12767->12769 12801 a3ea94 12768->12801 12771 a3f1da __Getctype 6 API calls 12769->12771 12771->12772 12772->12756 12878 a408cc 12773->12878 12776 a3b9d2 12778 a3b9fb 12776->12778 12779 a3b9dc IsProcessorFeaturePresent 12776->12779 12781 a38bec CallUnexpected 14 API calls 12778->12781 12780 a3b9e8 12779->12780 12908 a3b4b9 12780->12908 12783 a3ba05 12781->12783 12806 a3f534 12784->12806 12786 a3f1b7 12787 a3f1d2 TlsGetValue 12786->12787 12788 a3f1c0 12786->12788 12788->12754 12790 a3f534 std::_Lockit::_Lockit 5 API calls 12789->12790 12791 a3f1f6 12790->12791 12792 a3f214 TlsSetValue 12791->12792 12793 a3e7bb 12791->12793 12793->12772 12794 a3f807 12793->12794 12799 a3f814 __Getctype 12794->12799 12795 a3f854 12823 a3ad6d 12795->12823 12796 a3f83f HeapAlloc 12798 a3e7d0 12796->12798 12796->12799 12798->12761 12798->12762 12799->12795 12799->12796 12820 a38f08 12799->12820 12856 a3ebfa 12801->12856 12807 a3f564 12806->12807 12811 a3f560 std::_Lockit::_Lockit 12806->12811 12807->12811 12812 a3f469 12807->12812 12810 a3f57e GetProcAddress 12810->12811 12811->12786 12818 a3f47a ___vcrt_FlsGetValue 12812->12818 12813 a3f510 12813->12810 12813->12811 12814 a3f498 LoadLibraryExW 12815 a3f4b3 GetLastError 12814->12815 12816 a3f517 12814->12816 12815->12818 12816->12813 12817 a3f529 FreeLibrary 12816->12817 12817->12813 12818->12813 12818->12814 12819 a3f4e6 LoadLibraryExW 12818->12819 12819->12816 12819->12818 12826 a38f43 12820->12826 12837 a3e8d4 GetLastError 12823->12837 12825 a3ad72 12825->12798 12827 a38f4f ___scrt_is_nonwritable_in_current_image 12826->12827 12832 a3b750 EnterCriticalSection 12827->12832 12829 a38f5a CallUnexpected 12833 a38f91 12829->12833 12832->12829 12836 a3b767 LeaveCriticalSection 12833->12836 12835 a38f13 12835->12799 12836->12835 12838 a3e8f0 12837->12838 12839 a3e8ea 12837->12839 12841 a3f1da __Getctype 6 API calls 12838->12841 12843 a3e8f4 12838->12843 12840 a3f19b __Getctype 6 API calls 12839->12840 12840->12838 12842 a3e90c 12841->12842 12842->12843 12845 a3f807 __Getctype 10 API calls 12842->12845 12844 a3e979 SetLastError 12843->12844 12844->12825 12846 a3e921 12845->12846 12847 a3e93a 12846->12847 12848 a3e929 12846->12848 12850 a3f1da __Getctype 6 API calls 12847->12850 12849 a3f1da __Getctype 6 API calls 12848->12849 12849->12843 12851 a3e946 12850->12851 12852 a3e961 12851->12852 12853 a3e94a 12851->12853 12854 a3ea94 __Getctype 2 API calls 12852->12854 12855 a3f1da __Getctype 6 API calls 12853->12855 12854->12843 12855->12843 12857 a3ec06 ___scrt_is_nonwritable_in_current_image 12856->12857 12868 a3b750 EnterCriticalSection 12857->12868 12859 a3ec10 12869 a3ec40 12859->12869 12862 a3ec4c 12863 a3ec58 ___scrt_is_nonwritable_in_current_image 12862->12863 12873 a3b750 EnterCriticalSection 12863->12873 12865 a3ec62 __Getctype 12874 a3ec9a 12865->12874 12868->12859 12872 a3b767 LeaveCriticalSection 12869->12872 12871 a3eb02 12871->12862 12872->12871 12873->12865 12877 a3b767 LeaveCriticalSection 12874->12877 12876 a3eb2b 12876->12772 12877->12876 12914 a40b4f 12878->12914 12881 a408f3 12886 a408ff ___scrt_is_nonwritable_in_current_image 12881->12886 12882 a3e8d4 __dosmaperr 12 API calls 12890 a40930 CallUnexpected 12882->12890 12883 a4094f 12885 a3ad6d __dosmaperr 12 API calls 12883->12885 12884 a40961 CallUnexpected 12887 a40997 CallUnexpected 12884->12887 12928 a3b750 EnterCriticalSection 12884->12928 12888 a40954 12885->12888 12886->12882 12886->12883 12886->12884 12886->12890 12893 a409d4 12887->12893 12894 a40ad1 12887->12894 12904 a40a02 12887->12904 12925 a3b458 12888->12925 12890->12883 12890->12884 12907 a40939 12890->12907 12899 a3e783 __Getctype 37 API calls 12893->12899 12893->12904 12895 a40adc 12894->12895 12933 a3b767 LeaveCriticalSection 12894->12933 12898 a38bec CallUnexpected 14 API calls 12895->12898 12900 a40ae4 12898->12900 12901 a409f7 12899->12901 12903 a3e783 __Getctype 37 API calls 12901->12903 12902 a3e783 __Getctype 37 API calls 12905 a40a57 12902->12905 12903->12904 12929 a40a7d 12904->12929 12906 a3e783 __Getctype 37 API calls 12905->12906 12905->12907 12906->12907 12907->12776 12909 a3b4d5 __fread_nolock CallUnexpected 12908->12909 12910 a3b501 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 12909->12910 12913 a3b5d2 CallUnexpected 12910->12913 12912 a3b5f0 12912->12778 12977 a329c6 12913->12977 12915 a40b5b ___scrt_is_nonwritable_in_current_image 12914->12915 12920 a3b750 EnterCriticalSection 12915->12920 12917 a40b69 12921 a40bab 12917->12921 12920->12917 12924 a3b767 LeaveCriticalSection 12921->12924 12923 a3b9c7 12923->12776 12923->12881 12924->12923 12934 a3b6a7 12925->12934 12927 a3b464 12927->12907 12928->12887 12930 a40a81 12929->12930 12931 a40a49 12929->12931 12976 a3b767 LeaveCriticalSection 12930->12976 12931->12902 12931->12905 12931->12907 12933->12895 12935 a3b6b9 _Fputc 12934->12935 12938 a3b601 12935->12938 12937 a3b6d1 _Fputc 12937->12927 12939 a3b611 12938->12939 12940 a3b618 12938->12940 12947 a38af0 GetLastError 12939->12947 12942 a3b626 12940->12942 12951 a3b67e 12940->12951 12942->12937 12944 a3b64d 12944->12942 12954 a3b485 IsProcessorFeaturePresent 12944->12954 12946 a3b67d 12948 a38b09 12947->12948 12958 a3e985 12948->12958 12950 a38b25 SetLastError 12950->12940 12952 a3b6a2 12951->12952 12953 a3b689 GetLastError SetLastError 12951->12953 12952->12944 12953->12944 12955 a3b491 12954->12955 12956 a3b4b9 CallUnexpected 8 API calls 12955->12956 12957 a3b4a6 GetCurrentProcess TerminateProcess 12956->12957 12957->12946 12959 a3e99e 12958->12959 12960 a3e998 12958->12960 12962 a3f1da __Getctype 6 API calls 12959->12962 12964 a3e9a4 12959->12964 12961 a3f19b __Getctype 6 API calls 12960->12961 12961->12959 12963 a3e9b8 12962->12963 12963->12964 12965 a3f807 __Getctype 12 API calls 12963->12965 12964->12950 12966 a3e9c8 12965->12966 12967 a3e9d0 12966->12967 12968 a3e9e5 12966->12968 12970 a3f1da __Getctype 6 API calls 12967->12970 12969 a3f1da __Getctype 6 API calls 12968->12969 12971 a3e9f1 12969->12971 12970->12964 12972 a3e9f5 12971->12972 12973 a3ea04 12971->12973 12974 a3f1da __Getctype 6 API calls 12972->12974 12975 a3ea94 __Getctype 2 API calls 12973->12975 12974->12964 12975->12964 12976->12931 12978 a329cf IsProcessorFeaturePresent 12977->12978 12979 a329ce 12977->12979 12981 a34b7e 12978->12981 12979->12912 12984 a34c64 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 12981->12984 12983 a34c61 12983->12912 12984->12983 12986 a3b28d 12985->12986 12987 a3b277 12985->12987 12986->12641 12987->12986 12991 a3b1af 12987->12991 12989 a3b284 12989->12986 13001 a3b37c 12989->13001 12992 a3b1bb 12991->12992 12993 a3b1b8 12991->12993 13007 a4004c 12992->13007 12993->12989 12998 a3b1cc 12998->12989 13000 a3b1df 13000->12989 13004 a3b38b 13001->13004 13005 a3b3ed 13001->13005 13002 a3e641 WideCharToMultiByte std::_Locinfo::_Locinfo_dtor 13002->13004 13003 a3f807 __Getctype 12 API calls 13003->13004 13004->13002 13004->13003 13004->13005 13236 a44926 13004->13236 13005->12986 13008 a40055 13007->13008 13012 a3b1c1 13007->13012 13038 a3e83e 13008->13038 13010 a40078 13059 a4040d 13010->13059 13013 a4484f GetEnvironmentStringsW 13012->13013 13014 a44867 13013->13014 13025 a3b1c6 13013->13025 13015 a3e641 std::_Locinfo::_Locinfo_dtor WideCharToMultiByte 13014->13015 13016 a44884 13015->13016 13017 a4488e FreeEnvironmentStringsW 13016->13017 13018 a44899 13016->13018 13017->13025 13019 a3e531 __strnicoll 13 API calls 13018->13019 13020 a448a0 13019->13020 13021 a448b9 13020->13021 13022 a448a8 13020->13022 13023 a3e641 std::_Locinfo::_Locinfo_dtor WideCharToMultiByte 13021->13023 13024 a448ad FreeEnvironmentStringsW 13022->13024 13026 a448c9 13023->13026 13024->13025 13025->12998 13028 a3b29a 13025->13028 13027 a448e0 FreeEnvironmentStringsW 13026->13027 13027->13025 13029 a3b2af 13028->13029 13030 a3f807 __Getctype 12 API calls 13029->13030 13032 a3b2d6 13030->13032 13031 a3b2de 13031->13000 13032->13031 13033 a3f807 __Getctype 12 API calls 13032->13033 13035 a3b36f 13032->13035 13227 a3e16c 13032->13227 13033->13032 13036 a3b485 __Getctype 11 API calls 13035->13036 13037 a3b37b 13036->13037 13039 a3e84f 13038->13039 13040 a3e849 13038->13040 13042 a3f1da __Getctype 6 API calls 13039->13042 13053 a3e855 13039->13053 13041 a3f19b __Getctype 6 API calls 13040->13041 13041->13039 13043 a3e869 13042->13043 13044 a3f807 __Getctype 12 API calls 13043->13044 13043->13053 13046 a3e879 13044->13046 13045 a3b9c2 CallUnexpected 37 API calls 13047 a3e8d3 13045->13047 13048 a3e881 13046->13048 13049 a3e896 13046->13049 13051 a3f1da __Getctype 6 API calls 13048->13051 13050 a3f1da __Getctype 6 API calls 13049->13050 13052 a3e8a2 13050->13052 13051->13053 13054 a3e8a6 13052->13054 13055 a3e8b5 13052->13055 13053->13045 13058 a3e85a 13053->13058 13056 a3f1da __Getctype 6 API calls 13054->13056 13057 a3ea94 __Getctype 2 API calls 13055->13057 13056->13053 13057->13058 13058->13010 13060 a40437 13059->13060 13072 a40299 13060->13072 13063 a40450 13063->13012 13068 a404af 13069 a3ad6d __dosmaperr 12 API calls 13068->13069 13069->13063 13070 a404ca 13070->13063 13097 a407c8 13070->13097 13105 a37e1a 13072->13105 13075 a402cc 13077 a402e3 13075->13077 13078 a402d1 GetACP 13075->13078 13076 a402ba GetOEMCP 13076->13077 13077->13063 13079 a3e531 13077->13079 13078->13077 13080 a3e56f 13079->13080 13084 a3e53f __Getctype 13079->13084 13082 a3ad6d __dosmaperr 12 API calls 13080->13082 13081 a3e55a RtlAllocateHeap 13083 a3e56d 13081->13083 13081->13084 13082->13083 13083->13063 13086 a40094 13083->13086 13084->13080 13084->13081 13085 a38f08 codecvt 2 API calls 13084->13085 13085->13084 13087 a40299 39 API calls 13086->13087 13089 a400b4 13087->13089 13088 a401b9 13091 a329c6 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 13088->13091 13089->13088 13090 a400f1 IsValidCodePage 13089->13090 13093 a4010c __fread_nolock 13089->13093 13090->13088 13092 a40103 13090->13092 13094 a40297 13091->13094 13092->13093 13095 a4012c GetCPInfo 13092->13095 13139 a40623 13093->13139 13094->13068 13094->13070 13095->13088 13095->13093 13098 a407d4 ___scrt_is_nonwritable_in_current_image 13097->13098 13203 a3b750 EnterCriticalSection 13098->13203 13100 a407de 13204 a40562 13100->13204 13102 a407eb 13209 a40809 13102->13209 13106 a37e31 13105->13106 13107 a37e38 13105->13107 13106->13075 13106->13076 13107->13106 13108 a3e783 __Getctype 37 API calls 13107->13108 13109 a37e59 13108->13109 13113 a3ed66 13109->13113 13114 a37e6f 13113->13114 13115 a3ed79 13113->13115 13117 a3ed93 13114->13117 13115->13114 13121 a42046 13115->13121 13118 a3edbb 13117->13118 13119 a3eda6 13117->13119 13118->13106 13119->13118 13136 a40039 13119->13136 13122 a42052 ___scrt_is_nonwritable_in_current_image 13121->13122 13123 a3e783 __Getctype 37 API calls 13122->13123 13124 a4205b 13123->13124 13125 a420a1 13124->13125 13132 a3b750 EnterCriticalSection 13124->13132 13125->13114 13127 a42079 __Getctype 13133 a420a6 13127->13133 13130 a3b9c2 CallUnexpected 37 API calls 13131 a420c6 13130->13131 13132->13127 13134 a3b767 std::_Lockit::~_Lockit LeaveCriticalSection 13133->13134 13135 a4209d 13134->13135 13135->13125 13135->13130 13137 a3e783 __Getctype 37 API calls 13136->13137 13138 a4003e 13137->13138 13138->13118 13140 a4064b GetCPInfo 13139->13140 13149 a40714 13139->13149 13145 a40663 13140->13145 13140->13149 13142 a329c6 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 13144 a407c6 13142->13144 13144->13088 13150 a3faf3 13145->13150 13148 a3fbf4 41 API calls 13148->13149 13149->13142 13151 a37e1a __strnicoll 37 API calls 13150->13151 13152 a3fb13 13151->13152 13168 a3e57f 13152->13168 13154 a329c6 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 13158 a3fbf2 13154->13158 13155 a3fbc7 __freea 13155->13154 13156 a3fb40 13156->13155 13157 a3e531 __strnicoll 13 API calls 13156->13157 13159 a3fb65 __fread_nolock __alloca_probe_16 13156->13159 13157->13159 13163 a3fbf4 13158->13163 13159->13155 13160 a3e57f __strnicoll MultiByteToWideChar 13159->13160 13161 a3fbae 13160->13161 13161->13155 13162 a3fbb5 GetStringTypeW 13161->13162 13162->13155 13164 a37e1a __strnicoll 37 API calls 13163->13164 13165 a3fc07 13164->13165 13173 a3fc3d 13165->13173 13171 a3e5a9 13168->13171 13172 a3e59b MultiByteToWideChar 13171->13172 13172->13156 13174 a3fc58 __strnicoll 13173->13174 13175 a3e57f __strnicoll MultiByteToWideChar 13174->13175 13177 a3fc9c 13175->13177 13176 a329c6 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 13178 a3fc28 13176->13178 13179 a3e531 __strnicoll 13 API calls 13177->13179 13180 a3fcc2 __alloca_probe_16 13177->13180 13193 a3fd6a __freea 13177->13193 13178->13148 13179->13180 13181 a3e57f __strnicoll MultiByteToWideChar 13180->13181 13180->13193 13182 a3fd0b 13181->13182 13182->13193 13194 a3f31a 13182->13194 13185 a3fd41 13187 a3f31a std::_Locinfo::_Locinfo_dtor 6 API calls 13185->13187 13185->13193 13186 a3fd79 13188 a3e531 __strnicoll 13 API calls 13186->13188 13189 a3fd8b __alloca_probe_16 13186->13189 13186->13193 13187->13193 13188->13189 13190 a3f31a std::_Locinfo::_Locinfo_dtor 6 API calls 13189->13190 13189->13193 13191 a3fdce 13190->13191 13191->13193 13200 a3e641 13191->13200 13193->13176 13195 a3f689 std::_Lockit::_Lockit 5 API calls 13194->13195 13196 a3f325 13195->13196 13197 a3f3b6 __strnicoll 5 API calls 13196->13197 13199 a3f32b 13196->13199 13198 a3f36b LCMapStringW 13197->13198 13198->13199 13199->13185 13199->13186 13199->13193 13202 a3e654 std::_Locinfo::_Locinfo_dtor 13200->13202 13201 a3e692 WideCharToMultiByte 13201->13193 13202->13201 13203->13100 13212 a3c20e 13204->13212 13206 a40584 13207 a3c20e __fread_nolock 27 API calls 13206->13207 13208 a405a3 13207->13208 13208->13102 13226 a3b767 LeaveCriticalSection 13209->13226 13211 a407f7 13211->13063 13213 a3c21f 13212->13213 13217 a3c21b _Yarn 13212->13217 13214 a3c226 13213->13214 13218 a3c239 __fread_nolock 13213->13218 13215 a3ad6d __dosmaperr 12 API calls 13214->13215 13216 a3c22b 13215->13216 13219 a3b458 __strnicoll 27 API calls 13216->13219 13217->13206 13218->13217 13220 a3c270 13218->13220 13221 a3c267 13218->13221 13219->13217 13220->13217 13224 a3ad6d __dosmaperr 12 API calls 13220->13224 13222 a3ad6d __dosmaperr 12 API calls 13221->13222 13223 a3c26c 13222->13223 13225 a3b458 __strnicoll 27 API calls 13223->13225 13224->13223 13225->13217 13226->13211 13228 a3e188 13227->13228 13229 a3e17a 13227->13229 13230 a3ad6d __dosmaperr 12 API calls 13228->13230 13229->13228 13231 a3e1a0 13229->13231 13235 a3e190 13230->13235 13233 a3e19a 13231->13233 13234 a3ad6d __dosmaperr 12 API calls 13231->13234 13232 a3b458 __strnicoll 27 API calls 13232->13233 13233->13032 13234->13235 13235->13232 13237 a44931 13236->13237 13238 a44942 13237->13238 13241 a44955 ___from_strstr_to_strchr 13237->13241 13239 a3ad6d __dosmaperr 12 API calls 13238->13239 13245 a44947 13239->13245 13240 a44b6c 13243 a3ad6d __dosmaperr 12 API calls 13240->13243 13241->13240 13242 a44975 13241->13242 13275 a44b91 13242->13275 13243->13245 13245->13004 13247 a449bb 13247->13245 13251 a3f807 __Getctype 12 API calls 13247->13251 13249 a44997 13252 a449b4 13249->13252 13253 a449a0 13249->13253 13257 a449c9 13251->13257 13254 a44b91 37 API calls 13252->13254 13255 a3ad6d __dosmaperr 12 API calls 13253->13255 13261 a449b9 13254->13261 13255->13245 13256 a44a79 13256->13245 13258 a43f46 std::ios_base::_Init 30 API calls 13256->13258 13257->13245 13260 a3f807 __Getctype 12 API calls 13257->13260 13257->13261 13263 a44a5a 13258->13263 13259 a44a2e 13259->13263 13283 a43f46 13259->13283 13260->13261 13261->13245 13279 a44bab 13261->13279 13263->13245 13264 a3f807 __Getctype 12 API calls 13263->13264 13265 a44af2 13264->13265 13265->13245 13266 a3e16c 27 API calls 13265->13266 13267 a44b0e 13266->13267 13268 a44b15 13267->13268 13269 a44b86 13267->13269 13292 a49a5c 13268->13292 13270 a3b485 __Getctype 11 API calls 13269->13270 13272 a44b90 13270->13272 13273 a44b36 13273->13245 13274 a3ad6d __dosmaperr 12 API calls 13273->13274 13274->13245 13276 a44b9e 13275->13276 13277 a44980 13275->13277 13303 a44c00 13276->13303 13277->13247 13277->13249 13277->13261 13280 a44a1e 13279->13280 13282 a44bc1 13279->13282 13280->13256 13280->13259 13282->13280 13315 a4996b 13282->13315 13284 a43f53 13283->13284 13285 a43f6e 13283->13285 13284->13285 13286 a43f5f 13284->13286 13288 a43f7d 13285->13288 13403 a49604 13285->13403 13289 a3ad6d __dosmaperr 12 API calls 13286->13289 13410 a4757c 13288->13410 13291 a43f64 __fread_nolock 13289->13291 13291->13263 13419 a3f7c8 13292->13419 13297 a3f7c8 37 API calls 13298 a49aac 13297->13298 13299 a37f14 15 API calls 13298->13299 13301 a49ab9 13299->13301 13300 a49acf 13300->13273 13301->13300 13302 a49ac3 SetEnvironmentVariableW 13301->13302 13302->13300 13304 a44c13 13303->13304 13307 a44c0e 13303->13307 13305 a3f807 __Getctype 12 API calls 13304->13305 13313 a44c30 13305->13313 13306 a44c9e 13308 a3b9c2 CallUnexpected 37 API calls 13306->13308 13307->13277 13309 a44ca3 13308->13309 13310 a3b485 __Getctype 11 API calls 13309->13310 13311 a44caf 13310->13311 13312 a3f807 __Getctype 12 API calls 13312->13313 13313->13306 13313->13307 13313->13309 13313->13312 13314 a3e16c 27 API calls 13313->13314 13314->13313 13316 a4997f 13315->13316 13317 a49979 13315->13317 13333 a49994 13316->13333 13320 a4a0b3 13317->13320 13321 a4a0fb 13317->13321 13323 a4a0b9 13320->13323 13325 a4a0d6 13320->13325 13353 a4a111 13321->13353 13324 a3ad6d __dosmaperr 12 API calls 13323->13324 13326 a4a0be 13324->13326 13328 a3ad6d __dosmaperr 12 API calls 13325->13328 13332 a4a0f4 13325->13332 13327 a3b458 __strnicoll 27 API calls 13326->13327 13329 a4a0c9 13327->13329 13330 a4a0e5 13328->13330 13329->13282 13331 a3b458 __strnicoll 27 API calls 13330->13331 13331->13329 13332->13282 13334 a37e1a __strnicoll 37 API calls 13333->13334 13335 a499aa 13334->13335 13336 a499c6 13335->13336 13337 a499dd 13335->13337 13349 a4998f 13335->13349 13338 a3ad6d __dosmaperr 12 API calls 13336->13338 13339 a499e6 13337->13339 13340 a499f8 13337->13340 13341 a499cb 13338->13341 13342 a3ad6d __dosmaperr 12 API calls 13339->13342 13343 a49a05 13340->13343 13344 a49a18 13340->13344 13345 a3b458 __strnicoll 27 API calls 13341->13345 13346 a499eb 13342->13346 13347 a4a111 __strnicoll 37 API calls 13343->13347 13371 a4a1dc 13344->13371 13345->13349 13350 a3b458 __strnicoll 27 API calls 13346->13350 13347->13349 13349->13282 13350->13349 13352 a3ad6d __dosmaperr 12 API calls 13352->13349 13354 a4a121 13353->13354 13355 a4a13b 13353->13355 13356 a3ad6d __dosmaperr 12 API calls 13354->13356 13357 a4a143 13355->13357 13358 a4a15a 13355->13358 13359 a4a126 13356->13359 13360 a3ad6d __dosmaperr 12 API calls 13357->13360 13361 a4a166 13358->13361 13362 a4a17d 13358->13362 13363 a3b458 __strnicoll 27 API calls 13359->13363 13364 a4a148 13360->13364 13365 a3ad6d __dosmaperr 12 API calls 13361->13365 13366 a37e1a __strnicoll 37 API calls 13362->13366 13369 a4a131 13362->13369 13363->13369 13367 a3b458 __strnicoll 27 API calls 13364->13367 13368 a4a16b 13365->13368 13366->13369 13367->13369 13370 a3b458 __strnicoll 27 API calls 13368->13370 13369->13329 13370->13369 13372 a37e1a __strnicoll 37 API calls 13371->13372 13373 a4a1ef 13372->13373 13376 a4a222 13373->13376 13377 a4a256 __strnicoll 13376->13377 13380 a4a2d6 13377->13380 13381 a4a4ba 13377->13381 13383 a4a2c3 GetCPInfo 13377->13383 13396 a4a2da __freea 13377->13396 13378 a329c6 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 13379 a49a2e 13378->13379 13379->13349 13379->13352 13382 a3e57f __strnicoll MultiByteToWideChar 13380->13382 13380->13396 13384 a4a35c 13382->13384 13383->13380 13383->13396 13385 a3e531 __strnicoll 13 API calls 13384->13385 13386 a4a383 __alloca_probe_16 13384->13386 13384->13396 13385->13386 13387 a3e57f __strnicoll MultiByteToWideChar 13386->13387 13386->13396 13388 a4a3cf 13387->13388 13389 a3e57f __strnicoll MultiByteToWideChar 13388->13389 13388->13396 13390 a4a3eb 13389->13390 13391 a3e531 __strnicoll 13 API calls 13390->13391 13392 a4a412 __alloca_probe_16 13390->13392 13390->13396 13391->13392 13393 a3e57f __strnicoll MultiByteToWideChar 13392->13393 13392->13396 13394 a4a455 13393->13394 13394->13396 13397 a3f06c 13394->13397 13396->13378 13396->13381 13398 a3f5d3 std::_Lockit::_Lockit 5 API calls 13397->13398 13399 a3f077 13398->13399 13400 a3f3b6 __strnicoll 5 API calls 13399->13400 13402 a3f07d 13399->13402 13401 a3f0bd CompareStringW 13400->13401 13401->13402 13402->13396 13404 a49624 HeapSize 13403->13404 13405 a4960f 13403->13405 13404->13288 13406 a3ad6d __dosmaperr 12 API calls 13405->13406 13407 a49614 13406->13407 13408 a3b458 __strnicoll 27 API calls 13407->13408 13409 a4961f 13408->13409 13409->13288 13411 a47594 __Getctype 13410->13411 13412 a47589 13410->13412 13414 a475cf HeapReAlloc 13411->13414 13415 a475aa 13411->13415 13416 a47591 13411->13416 13418 a38f08 codecvt 2 API calls 13411->13418 13413 a3e531 __strnicoll 13 API calls 13412->13413 13413->13416 13414->13411 13414->13416 13417 a3ad6d __dosmaperr 12 API calls 13415->13417 13416->13291 13417->13416 13418->13411 13420 a37e1a __strnicoll 37 API calls 13419->13420 13421 a3f7da 13420->13421 13423 a3f7ec 13421->13423 13427 a3f04d 13421->13427 13424 a37f14 13423->13424 13433 a37f6c 13424->13433 13426 a37f2c 13426->13297 13426->13300 13430 a3f5b9 13427->13430 13431 a3f534 std::_Lockit::_Lockit 5 API calls 13430->13431 13432 a3f055 13431->13432 13432->13423 13434 a37f94 13433->13434 13435 a37f7a 13433->13435 13436 a37f9b 13434->13436 13437 a37fba 13434->13437 13435->13426 13436->13435 13449 a37ebb 13436->13449 13438 a3e57f __strnicoll MultiByteToWideChar 13437->13438 13440 a37fc9 13438->13440 13441 a37fd0 GetLastError 13440->13441 13442 a37ff6 13440->13442 13445 a37ebb 13 API calls 13440->13445 13453 a3ad93 13441->13453 13442->13435 13446 a3e57f __strnicoll MultiByteToWideChar 13442->13446 13445->13442 13448 a3800d 13446->13448 13447 a3ad6d __dosmaperr 12 API calls 13447->13435 13448->13435 13448->13441 13450 a37ec9 13449->13450 13458 a37e9c 13450->13458 13461 a3ad80 13453->13461 13455 a3ad9e 13456 a3ad6d __dosmaperr 12 API calls 13455->13456 13457 a37fdc 13456->13457 13457->13447 13459 a3e531 __strnicoll 13 API calls 13458->13459 13460 a37ea9 13459->13460 13460->13435 13462 a3e8d4 __dosmaperr 12 API calls 13461->13462 13463 a3ad85 13462->13463 13463->13455 13465 a329c6 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 13464->13465 13466 a358ca 13465->13466 13466->12647 13468 a38d4e 13467->13468 13477 a38d5f 13467->13477 13469 a34fcd CallUnexpected GetModuleHandleW 13468->13469 13473 a38d53 13469->13473 13472 a38c0d 13472->12618 13473->13477 13478 a38c55 GetModuleHandleExW 13473->13478 13483 a38ebb 13477->13483 13479 a38c94 GetProcAddress 13478->13479 13482 a38ca8 13478->13482 13479->13482 13480 a38cc4 13480->13477 13481 a38cbb FreeLibrary 13481->13480 13482->13480 13482->13481 13484 a38ec7 ___scrt_is_nonwritable_in_current_image 13483->13484 13498 a3b750 EnterCriticalSection 13484->13498 13486 a38ed1 13499 a38db8 13486->13499 13488 a38ede 13503 a38efc 13488->13503 13491 a38cf0 13522 a38cd7 13491->13522 13493 a38cfa 13494 a38d0e 13493->13494 13495 a38cfe GetCurrentProcess TerminateProcess 13493->13495 13496 a38c55 CallUnexpected 3 API calls 13494->13496 13495->13494 13497 a38d16 ExitProcess 13496->13497 13498->13486 13501 a38dc4 ___scrt_is_nonwritable_in_current_image CallUnexpected 13499->13501 13500 a38e28 CallUnexpected 13500->13488 13501->13500 13506 a3aa87 13501->13506 13521 a3b767 LeaveCriticalSection 13503->13521 13505 a38d97 13505->13472 13505->13491 13507 a3aa93 __EH_prolog3 13506->13507 13510 a3ad12 13507->13510 13509 a3aaba codecvt 13509->13500 13511 a3ad1e ___scrt_is_nonwritable_in_current_image 13510->13511 13516 a3b750 EnterCriticalSection 13511->13516 13513 a3ad2c CallUnexpected 13517 a3ad61 13513->13517 13516->13513 13520 a3b767 LeaveCriticalSection 13517->13520 13519 a3ad4a 13519->13509 13520->13519 13521->13505 13525 a40f55 13522->13525 13524 a38cdc CallUnexpected 13524->13493 13526 a40f64 CallUnexpected 13525->13526 13527 a40f71 13526->13527 13529 a3f3e7 13526->13529 13527->13524 13530 a3f534 std::_Lockit::_Lockit 5 API calls 13529->13530 13531 a3f403 13530->13531 13531->13527 13533 a38697 13532->13533 13534 a386a9 ___scrt_uninitialize_crt 13532->13534 13535 a386a5 13533->13535 13537 a3bbb9 13533->13537 13534->12656 13535->12656 13540 a3bce4 13537->13540 13543 a3bdbd 13540->13543 13544 a3bdc9 ___scrt_is_nonwritable_in_current_image 13543->13544 13551 a3b750 EnterCriticalSection 13544->13551 13546 a3bdd3 ___scrt_uninitialize_crt 13547 a3be3f 13546->13547 13552 a3bd31 13546->13552 13560 a3be5d 13547->13560 13551->13546 13553 a3bd3d ___scrt_is_nonwritable_in_current_image 13552->13553 13563 a3875f EnterCriticalSection 13553->13563 13555 a3bd80 13575 a3bdb1 13555->13575 13556 a3bd47 ___scrt_uninitialize_crt 13556->13555 13564 a3bbc2 13556->13564 13676 a3b767 LeaveCriticalSection 13560->13676 13562 a3bbc0 13562->13535 13563->13556 13565 a3bbd7 _Fputc 13564->13565 13566 a3bbe9 13565->13566 13567 a3bbde 13565->13567 13578 a3bc27 13566->13578 13568 a3bce4 ___scrt_uninitialize_crt 66 API calls 13567->13568 13571 a3bbe4 _Fputc 13568->13571 13571->13555 13573 a3bc0a 13591 a45164 13573->13591 13675 a38773 LeaveCriticalSection 13575->13675 13577 a3bd9f 13577->13546 13579 a3bc40 13578->13579 13580 a3bbf3 13578->13580 13579->13580 13581 a40efc __fread_nolock 27 API calls 13579->13581 13580->13571 13584 a40efc 13580->13584 13582 a3bc5c 13581->13582 13602 a4549f 13582->13602 13585 a40f1d 13584->13585 13586 a40f08 13584->13586 13585->13573 13587 a3ad6d __dosmaperr 12 API calls 13586->13587 13588 a40f0d 13587->13588 13589 a3b458 __strnicoll 27 API calls 13588->13589 13590 a40f18 13589->13590 13590->13573 13592 a45175 13591->13592 13596 a45182 13591->13596 13593 a3ad6d __dosmaperr 12 API calls 13592->13593 13599 a4517a 13593->13599 13594 a451cb 13595 a3ad6d __dosmaperr 12 API calls 13594->13595 13598 a451d0 13595->13598 13596->13594 13597 a451a9 13596->13597 13645 a451e1 13597->13645 13601 a3b458 __strnicoll 27 API calls 13598->13601 13599->13571 13601->13599 13603 a454ab ___scrt_is_nonwritable_in_current_image 13602->13603 13604 a454ec 13603->13604 13606 a45532 13603->13606 13612 a454b3 13603->13612 13605 a3b601 __strnicoll 27 API calls 13604->13605 13605->13612 13613 a44ef9 EnterCriticalSection 13606->13613 13608 a45538 13609 a45556 13608->13609 13614 a45283 13608->13614 13642 a455a8 13609->13642 13612->13580 13613->13608 13615 a452ab 13614->13615 13641 a452ce _Fputc 13614->13641 13616 a452af 13615->13616 13618 a4530a 13615->13618 13617 a3b601 __strnicoll 27 API calls 13616->13617 13617->13641 13619 a45328 13618->13619 13620 a44033 _Fputc 29 API calls 13618->13620 13621 a455b0 _Fputc 38 API calls 13619->13621 13620->13619 13622 a4533a 13621->13622 13623 a45387 13622->13623 13624 a45340 13622->13624 13625 a453f0 WriteFile 13623->13625 13626 a4539b 13623->13626 13627 a4536f 13624->13627 13628 a45348 13624->13628 13629 a45412 GetLastError 13625->13629 13640 a45382 13625->13640 13631 a453a3 13626->13631 13632 a453dc 13626->13632 13630 a4562d _Fputc 43 API calls 13627->13630 13636 a459f4 _Fputc 6 API calls 13628->13636 13628->13641 13629->13640 13630->13640 13634 a453c8 13631->13634 13635 a453a8 13631->13635 13633 a45a5c _Fputc 7 API calls 13632->13633 13633->13641 13638 a45c20 _Fputc 8 API calls 13634->13638 13637 a453b1 13635->13637 13635->13641 13636->13641 13639 a45b37 _Fputc 7 API calls 13637->13639 13638->13640 13639->13641 13640->13641 13641->13609 13643 a44f1c __fread_nolock LeaveCriticalSection 13642->13643 13644 a455ae 13643->13644 13644->13612 13646 a451ed ___scrt_is_nonwritable_in_current_image 13645->13646 13658 a44ef9 EnterCriticalSection 13646->13658 13648 a451fc 13649 a45241 13648->13649 13659 a44cb0 13648->13659 13651 a3ad6d __dosmaperr 12 API calls 13649->13651 13653 a45248 13651->13653 13652 a45228 FlushFileBuffers 13652->13653 13654 a45234 GetLastError 13652->13654 13672 a45277 13653->13672 13655 a3ad80 __dosmaperr 12 API calls 13654->13655 13655->13649 13658->13648 13660 a44cbd 13659->13660 13663 a44cd2 13659->13663 13661 a3ad80 __dosmaperr 12 API calls 13660->13661 13662 a44cc2 13661->13662 13665 a3ad6d __dosmaperr 12 API calls 13662->13665 13664 a3ad80 __dosmaperr 12 API calls 13663->13664 13666 a44cf7 13663->13666 13667 a44d02 13664->13667 13668 a44cca 13665->13668 13666->13652 13669 a3ad6d __dosmaperr 12 API calls 13667->13669 13668->13652 13670 a44d0a 13669->13670 13671 a3b458 __strnicoll 27 API calls 13670->13671 13671->13668 13673 a44f1c __fread_nolock LeaveCriticalSection 13672->13673 13674 a45260 13673->13674 13674->13599 13675->13577 13676->13562 14786 a3422c 14787 a3424e 14786->14787 14791 a34263 14786->14791 14792 a343df 14787->14792 14795 a34448 14792->14795 14796 a343f9 14792->14796 14793 a329c6 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 14794 a34253 14793->14794 14794->14791 14798 a3c53d 14794->14798 14795->14793 14796->14795 14797 a3c578 67 API calls 14796->14797 14797->14795 14799 a3c548 14798->14799 14800 a3c55d 14798->14800 14801 a3ad6d __dosmaperr 12 API calls 14799->14801 14800->14799 14802 a3c564 14800->14802 14803 a3c54d 14801->14803 14808 a3ae1d 14802->14808 14805 a3b458 __strnicoll 27 API calls 14803->14805 14807 a3c558 14805->14807 14806 a3c573 14806->14791 14807->14791 14809 a3ae30 _Fputc 14808->14809 14812 a3b096 14809->14812 14811 a3ae45 _Fputc 14811->14806 14817 a3b0a2 ___scrt_is_nonwritable_in_current_image 14812->14817 14813 a3b0a8 14814 a3b601 __strnicoll 27 API calls 14813->14814 14816 a3b0c3 14814->14816 14815 a3b0eb 14823 a3875f EnterCriticalSection 14815->14823 14816->14811 14817->14813 14817->14815 14819 a3b0f7 14824 a3afaa 14819->14824 14821 a3b10d 14835 a3b136 14821->14835 14823->14819 14825 a3afd0 14824->14825 14826 a3afbd 14824->14826 14838 a3aed1 14825->14838 14826->14821 14828 a3aff3 14829 a3b081 14828->14829 14830 a3b00e 14828->14830 14842 a4424d 14828->14842 14829->14821 14832 a3bc27 ___scrt_uninitialize_crt 62 API calls 14830->14832 14834 a3b021 14832->14834 14856 a44033 14834->14856 14907 a38773 LeaveCriticalSection 14835->14907 14837 a3b13e 14837->14816 14839 a3aee2 14838->14839 14841 a3af3a 14838->14841 14839->14841 14859 a43ff3 14839->14859 14841->14828 14843 a4461f 14842->14843 14844 a44656 14843->14844 14845 a4462e 14843->14845 14846 a40efc __fread_nolock 27 API calls 14844->14846 14847 a3b601 __strnicoll 27 API calls 14845->14847 14848 a4465f 14846->14848 14855 a44649 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 14847->14855 14869 a44051 14848->14869 14851 a44709 14872 a442a9 14851->14872 14853 a44720 14853->14855 14884 a44454 14853->14884 14855->14830 14857 a44194 _Fputc 29 API calls 14856->14857 14858 a4404c 14857->14858 14858->14829 14860 a44007 _Fputc 14859->14860 14863 a44194 14860->14863 14862 a4401c _Fputc 14862->14841 14864 a44cb0 _Fputc 27 API calls 14863->14864 14865 a441a6 14864->14865 14866 a441c2 SetFilePointerEx 14865->14866 14868 a441ae _Fputc 14865->14868 14867 a441da GetLastError 14866->14867 14866->14868 14867->14868 14868->14862 14891 a4406f 14869->14891 14873 a442b8 _Fputc 14872->14873 14874 a40efc __fread_nolock 27 API calls 14873->14874 14875 a442d4 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 14874->14875 14878 a44051 31 API calls 14875->14878 14883 a442e0 14875->14883 14876 a329c6 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 14877 a44452 14876->14877 14877->14855 14879 a44334 14878->14879 14880 a44366 ReadFile 14879->14880 14879->14883 14881 a4438d 14880->14881 14880->14883 14882 a44051 31 API calls 14881->14882 14882->14883 14883->14876 14885 a40efc __fread_nolock 27 API calls 14884->14885 14886 a44467 14885->14886 14887 a44051 31 API calls 14886->14887 14890 a444b1 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 14886->14890 14888 a4450e 14887->14888 14889 a44051 31 API calls 14888->14889 14888->14890 14889->14890 14890->14855 14892 a4407b ___scrt_is_nonwritable_in_current_image 14891->14892 14893 a4406a 14892->14893 14894 a440be 14892->14894 14896 a44104 14892->14896 14893->14851 14893->14853 14893->14855 14895 a3b601 __strnicoll 27 API calls 14894->14895 14895->14893 14902 a44ef9 EnterCriticalSection 14896->14902 14898 a4410a 14899 a4412b 14898->14899 14900 a44194 _Fputc 29 API calls 14898->14900 14903 a4418c 14899->14903 14900->14899 14902->14898 14906 a44f1c LeaveCriticalSection 14903->14906 14905 a44192 14905->14893 14906->14905 14907->14837 15166 a33e04 15167 a33e10 __EH_prolog3_GS 15166->15167 15170 a33e60 15167->15170 15171 a33e79 15167->15171 15175 a33e2a 15167->15175 15180 a335ba 15170->15180 15183 a3bec9 15171->15183 15207 a3535e 15175->15207 15176 a33e98 15176->15175 15178 a3bec9 31 API calls 15176->15178 15179 a33f6d 15176->15179 15203 a333ee 15176->15203 15178->15176 15179->15175 15210 a3cf47 15179->15210 15181 a3bec9 31 API calls 15180->15181 15182 a335c5 15181->15182 15182->15175 15184 a3bed5 ___scrt_is_nonwritable_in_current_image 15183->15184 15185 a3bef7 15184->15185 15186 a3bedf 15184->15186 15223 a3875f EnterCriticalSection 15185->15223 15187 a3ad6d __dosmaperr 12 API calls 15186->15187 15189 a3bee4 15187->15189 15191 a3b458 __strnicoll 27 API calls 15189->15191 15190 a3bf02 15192 a40efc __fread_nolock 27 API calls 15190->15192 15195 a3bf1a 15190->15195 15202 a3beef _Fputc 15191->15202 15192->15195 15193 a3bf82 15196 a3ad6d __dosmaperr 12 API calls 15193->15196 15194 a3bfaa 15224 a3bfe2 15194->15224 15195->15193 15195->15194 15198 a3bf87 15196->15198 15201 a3b458 __strnicoll 27 API calls 15198->15201 15199 a3bfb0 15234 a3bfda 15199->15234 15201->15202 15202->15176 15204 a33422 15203->15204 15205 a333fe 15203->15205 15294 a346df 15204->15294 15205->15176 15208 a329c6 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 15207->15208 15209 a35368 15208->15209 15209->15209 15211 a3cf53 ___scrt_is_nonwritable_in_current_image 15210->15211 15212 a3cf5a 15211->15212 15213 a3cf6f 15211->15213 15214 a3ad6d __dosmaperr 12 API calls 15212->15214 15307 a3875f EnterCriticalSection 15213->15307 15216 a3cf5f 15214->15216 15218 a3b458 __strnicoll 27 API calls 15216->15218 15217 a3cf79 15308 a3cfba 15217->15308 15222 a3cf6a 15218->15222 15222->15179 15223->15190 15225 a3c003 15224->15225 15226 a3bfee 15224->15226 15228 a3c012 15225->15228 15237 a45d52 15225->15237 15227 a3ad6d __dosmaperr 12 API calls 15226->15227 15229 a3bff3 15227->15229 15228->15199 15231 a3b458 __strnicoll 27 API calls 15229->15231 15233 a3bffe 15231->15233 15233->15199 15293 a38773 LeaveCriticalSection 15234->15293 15236 a3bfe0 15236->15202 15238 a45d5d 15237->15238 15239 a45d6a 15238->15239 15243 a45d82 15238->15243 15240 a3ad6d __dosmaperr 12 API calls 15239->15240 15241 a45d6f 15240->15241 15242 a3b458 __strnicoll 27 API calls 15241->15242 15252 a3c00f 15242->15252 15244 a45de1 15243->15244 15243->15252 15258 a47d00 15243->15258 15246 a40efc __fread_nolock 27 API calls 15244->15246 15247 a45dfa 15246->15247 15261 a46144 15247->15261 15250 a40efc __fread_nolock 27 API calls 15251 a45e33 15250->15251 15251->15252 15253 a40efc __fread_nolock 27 API calls 15251->15253 15252->15199 15254 a45e41 15253->15254 15254->15252 15255 a40efc __fread_nolock 27 API calls 15254->15255 15256 a45e4f 15255->15256 15257 a40efc __fread_nolock 27 API calls 15256->15257 15257->15252 15259 a3f807 __Getctype 12 API calls 15258->15259 15260 a47d1d 15259->15260 15260->15244 15262 a46150 ___scrt_is_nonwritable_in_current_image 15261->15262 15263 a46158 15262->15263 15267 a46173 15262->15267 15264 a3ad80 __dosmaperr 12 API calls 15263->15264 15265 a4615d 15264->15265 15266 a3ad6d __dosmaperr 12 API calls 15265->15266 15287 a45e02 15266->15287 15268 a4618a 15267->15268 15269 a461c5 15267->15269 15270 a3ad80 __dosmaperr 12 API calls 15268->15270 15271 a461e3 15269->15271 15272 a461ce 15269->15272 15273 a4618f 15270->15273 15288 a44ef9 EnterCriticalSection 15271->15288 15275 a3ad80 __dosmaperr 12 API calls 15272->15275 15274 a3ad6d __dosmaperr 12 API calls 15273->15274 15277 a46197 15274->15277 15278 a461d3 15275->15278 15282 a3b458 __strnicoll 27 API calls 15277->15282 15280 a3ad6d __dosmaperr 12 API calls 15278->15280 15279 a461e9 15281 a3ad6d __dosmaperr 12 API calls 15279->15281 15285 a46218 15279->15285 15280->15277 15283 a4620d 15281->15283 15282->15287 15284 a3ad80 __dosmaperr 12 API calls 15283->15284 15284->15285 15289 a46255 15285->15289 15287->15250 15287->15252 15288->15279 15292 a44f1c LeaveCriticalSection 15289->15292 15291 a4625b 15291->15287 15292->15291 15293->15236 15295 a34793 15294->15295 15296 a34703 15294->15296 15299 a347f6 15296->15299 15298 a34720 _Yarn _Deallocate 15298->15205 15300 a34802 15299->15300 15301 a34800 15299->15301 15302 a34811 15300->15302 15303 a3480a 15300->15303 15301->15298 15305 a32952 codecvt 14 API calls 15302->15305 15304 a3186a std::ios_base::_Init 14 API calls 15303->15304 15306 a3480f 15304->15306 15305->15306 15306->15298 15307->15217 15309 a3cfd2 15308->15309 15312 a3d042 15308->15312 15310 a40efc __fread_nolock 27 API calls 15309->15310 15311 a3cfd8 15310->15311 15311->15312 15314 a3d02a 15311->15314 15313 a47d00 __fread_nolock 12 API calls 15312->15313 15315 a3cf87 15312->15315 15313->15315 15316 a3ad6d __dosmaperr 12 API calls 15314->15316 15319 a3cfb2 15315->15319 15317 a3d02f 15316->15317 15318 a3b458 __strnicoll 27 API calls 15317->15318 15318->15315 15322 a38773 LeaveCriticalSection 15319->15322 15321 a3cfb8 15321->15222 15322->15321 16227 a3430a 16228 a34342 16227->16228 16229 a34313 16227->16229 16229->16228 16232 a3bb66 16229->16232 16231 a34335 16233 a3bb78 16232->16233 16237 a3bb81 ___scrt_uninitialize_crt 16232->16237 16234 a3bce4 ___scrt_uninitialize_crt 66 API calls 16233->16234 16235 a3bb7e 16234->16235 16235->16231 16236 a3bb90 16236->16231 16237->16236 16240 a3be69 16237->16240 16241 a3be75 ___scrt_is_nonwritable_in_current_image 16240->16241 16248 a3875f EnterCriticalSection 16241->16248 16243 a3be83 16244 a3bbc2 ___scrt_uninitialize_crt 66 API calls 16243->16244 16245 a3be94 16244->16245 16249 a3bebd 16245->16249 16248->16243 16252 a38773 LeaveCriticalSection 16249->16252 16251 a3bbb7 16251->16231 16252->16251 13677 a31614 GetPEB 13678 a31098 13677->13678 13679 a31653 CreateFileA 13678->13679 13680 a31680 GetFileSize 13679->13680 13681 a31828 13679->13681 13683 a31804 CloseHandle 13680->13683 13684 a31694 13680->13684 13682 a329c6 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 13681->13682 13685 a31836 13682->13685 13683->13681 13686 a3169c ReadFile 13684->13686 13687 a317fb 13686->13687 13688 a316b9 CloseHandle 13686->13688 13687->13683 13689 a316d0 _Yarn messages _strlen 13688->13689 13696 a317f9 13688->13696 13691 a31840 13689->13691 13689->13696 13697 a32952 13689->13697 13722 a3186a 13689->13722 13728 a3b468 13691->13728 13709 a3155c 13696->13709 13700 a32957 13697->13700 13699 a32971 13699->13689 13700->13699 13701 a38f08 codecvt 2 API calls 13700->13701 13702 a32973 13700->13702 13733 a3c994 13700->13733 13701->13700 13703 a34a6f codecvt 13702->13703 13704 a3297d Concurrency::cancel_current_task 13702->13704 13705 a35aba Concurrency::cancel_current_task RaiseException 13703->13705 13740 a35aba 13704->13740 13707 a34a8b 13705->13707 13708 a331cf 13710 a31098 13709->13710 13711 a31582 FreeConsole 13710->13711 13743 a3123b 13711->13743 13714 a3123b 102 API calls 13715 a315b9 13714->13715 13716 a315cc VirtualProtect 13715->13716 13717 a315f1 ExitProcess 13716->13717 13718 a315dd 13716->13718 13719 a329c6 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 13718->13719 13721 a315e7 13719->13721 13721->13681 13723 a31873 13722->13723 13724 a3188b 13722->13724 13725 a32952 codecvt 14 API calls 13723->13725 14297 a31890 13724->14297 13727 a3187c 13725->13727 13727->13689 13729 a3b6a7 __strnicoll 27 API calls 13728->13729 13730 a3b477 13729->13730 13731 a3b485 __Getctype 11 API calls 13730->13731 13732 a3b484 13731->13732 13738 a3e531 __Getctype 13733->13738 13734 a3e56f 13736 a3ad6d __dosmaperr 12 API calls 13734->13736 13735 a3e55a RtlAllocateHeap 13737 a3e56d 13735->13737 13735->13738 13736->13737 13737->13700 13738->13734 13738->13735 13739 a38f08 codecvt 2 API calls 13738->13739 13739->13738 13741 a35b02 RaiseException 13740->13741 13742 a35ad4 13740->13742 13741->13708 13742->13741 13749 a31263 13743->13749 13744 a31355 13746 a329c6 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 13744->13746 13745 a312c2 KiUserExceptionDispatcher 13745->13749 13747 a31363 13746->13747 13747->13714 13749->13744 13749->13745 13751 a3136e 13749->13751 13767 a31533 13749->13767 13752 a3138d _strlen 13751->13752 13774 a3197e 13752->13774 13754 a31444 13778 a3408b 13754->13778 13756 a31515 13803 a31a10 13756->13803 13759 a314c0 13788 a31ab6 13759->13788 13760 a313ad 13760->13754 13760->13759 13782 a319d8 13760->13782 13762 a329c6 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 13764 a31529 13762->13764 13763 a31466 13763->13759 13765 a319d8 67 API calls 13763->13765 13764->13749 13765->13763 14062 a323c4 13767->14062 13772 a31a3a 38 API calls 13773 a31558 13772->13773 13773->13749 13776 a31995 13774->13776 13775 a319a6 13775->13760 13776->13775 13807 a31a3a 13776->13807 13779 a3409a 13778->13779 13781 a340ad _Yarn 13778->13781 13779->13763 13781->13779 13817 a3c578 13781->13817 13783 a319e5 13782->13783 13784 a319ee 13783->13784 13888 a33c0b 13783->13888 13899 a33c29 13783->13899 13908 a33c1b 13783->13908 13784->13760 13789 a31ad6 13788->13789 13790 a31ae9 13788->13790 13791 a329c6 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 13789->13791 13792 a31af9 13790->13792 13793 a35aba Concurrency::cancel_current_task RaiseException 13790->13793 13795 a31ae1 13791->13795 13956 a31c57 13792->13956 13793->13792 13795->13756 13799 a35aba Concurrency::cancel_current_task RaiseException 13800 a31b3a 13799->13800 13967 a31e48 13800->13967 13804 a31a18 13803->13804 13805 a3151e 13804->13805 14058 a322fe 13804->14058 13805->13762 13808 a31aa2 13807->13808 13809 a31a5a 13807->13809 13811 a329c6 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 13808->13811 13810 a3197e 38 API calls 13809->13810 13812 a31a64 13810->13812 13813 a31aad 13811->13813 13814 a31a9b 13812->13814 13816 a31ab6 std::ios_base::_Init 38 API calls 13812->13816 13813->13775 13815 a31a10 38 API calls 13814->13815 13815->13808 13816->13814 13818 a3c58b _Fputc 13817->13818 13821 a3c759 13818->13821 13820 a3c5a0 _Fputc 13820->13779 13822 a3c78f 13821->13822 13823 a3c767 13821->13823 13822->13820 13823->13822 13824 a3c796 13823->13824 13825 a3c774 13823->13825 13829 a3c81c 13824->13829 13826 a3b601 __strnicoll 27 API calls 13825->13826 13826->13822 13830 a3c828 ___scrt_is_nonwritable_in_current_image 13829->13830 13837 a3875f EnterCriticalSection 13830->13837 13832 a3c836 13838 a3c7d0 13832->13838 13837->13832 13848 a40bb7 13838->13848 13840 a3c7e8 13853 a3c5b2 13840->13853 13845 a3c86b 13887 a38773 LeaveCriticalSection 13845->13887 13847 a3c7ce 13847->13820 13867 a40c62 13848->13867 13850 a40bc8 _Fputc 13851 a40c21 13850->13851 13852 a3e531 __strnicoll 13 API calls 13850->13852 13851->13840 13852->13851 13856 a3c5c4 13853->13856 13858 a3c5ed 13853->13858 13854 a3c5d2 13855 a3b601 __strnicoll 27 API calls 13854->13855 13855->13858 13856->13854 13856->13858 13861 a3c608 _Yarn 13856->13861 13863 a40ca0 13858->13863 13859 a3bc27 ___scrt_uninitialize_crt 62 API calls 13859->13861 13860 a40efc __fread_nolock 27 API calls 13860->13861 13861->13858 13861->13859 13861->13860 13862 a4549f _Fputc 62 API calls 13861->13862 13874 a45eec 13861->13874 13862->13861 13864 a3c812 13863->13864 13865 a40cab 13863->13865 13864->13845 13865->13864 13866 a3bc27 ___scrt_uninitialize_crt 62 API calls 13865->13866 13866->13864 13868 a40c6e _Fputc 13867->13868 13869 a40c98 13868->13869 13870 a40efc __fread_nolock 27 API calls 13868->13870 13869->13850 13871 a40c89 13870->13871 13872 a48994 _Fputc 27 API calls 13871->13872 13873 a40c8f 13872->13873 13873->13850 13875 a45f7c 13874->13875 13876 a40efc __fread_nolock 27 API calls 13875->13876 13878 a45f89 13876->13878 13877 a45f95 13877->13861 13878->13877 13879 a45ef7 _Fputc 29 API calls 13878->13879 13881 a45fe1 13878->13881 13879->13881 13880 a46043 13883 a46072 _Fputc 62 API calls 13880->13883 13881->13877 13881->13880 13882 a40c62 _Fputc 27 API calls 13881->13882 13884 a46036 13882->13884 13885 a46054 13883->13885 13884->13880 13886 a47d00 __fread_nolock 12 API calls 13884->13886 13885->13861 13886->13880 13887->13847 13889 a33c12 13888->13889 13891 a33c17 13888->13891 13924 a3875f EnterCriticalSection 13889->13924 13891->13784 13894 a33c92 13891->13894 13896 a33cf2 13891->13896 13897 a33c62 13891->13897 13892 a329c6 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 13893 a33d31 13892->13893 13893->13784 13894->13897 13921 a335da 13894->13921 13896->13897 13898 a3c578 67 API calls 13896->13898 13897->13892 13898->13897 13902 a33c4c 13899->13902 13904 a33c45 13899->13904 13900 a329c6 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 13901 a33d31 13900->13901 13901->13784 13902->13904 13905 a33cf2 13902->13905 13906 a33c92 13902->13906 13903 a335da _Fputc 66 API calls 13903->13904 13904->13900 13905->13904 13907 a3c578 67 API calls 13905->13907 13906->13903 13906->13904 13907->13904 13909 a33c22 13908->13909 13913 a33c6e 13908->13913 13955 a38773 LeaveCriticalSection 13909->13955 13911 a33bf9 13911->13784 13912 a33c27 13912->13784 13913->13784 13913->13911 13914 a33cf2 13913->13914 13916 a33cd3 13913->13916 13915 a3c578 67 API calls 13914->13915 13920 a33ce4 13914->13920 13915->13920 13918 a335da _Fputc 66 API calls 13916->13918 13916->13920 13917 a329c6 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 13919 a33d31 13917->13919 13918->13920 13919->13784 13920->13917 13925 a3c079 13921->13925 13923 a335ea 13923->13897 13924->13891 13926 a3c08c _Fputc 13925->13926 13929 a3c0da 13926->13929 13928 a3c09b _Fputc 13928->13923 13930 a3c0e6 ___scrt_is_nonwritable_in_current_image 13929->13930 13931 a3c113 13930->13931 13932 a3c0ef 13930->13932 13945 a3875f EnterCriticalSection 13931->13945 13934 a3b601 __strnicoll 27 API calls 13932->13934 13941 a3c108 _Fputc 13934->13941 13935 a3c11c 13936 a40efc __fread_nolock 27 API calls 13935->13936 13944 a3c131 13935->13944 13936->13944 13937 a3c1ce 13946 a3c0ad 13937->13946 13938 a3c19d 13939 a3b601 __strnicoll 27 API calls 13938->13939 13939->13941 13941->13928 13942 a3c1da 13951 a3c206 13942->13951 13944->13937 13944->13938 13945->13935 13947 a3c0bb 13946->13947 13948 a3c0cc 13946->13948 13949 a45eec _Fputc 64 API calls 13947->13949 13948->13942 13950 a3c0c7 13949->13950 13950->13942 13954 a38773 LeaveCriticalSection 13951->13954 13953 a3c20c 13953->13941 13954->13953 13955->13912 13957 a31b17 13956->13957 13958 a31c7a 13956->13958 13964 a31b3a 13957->13964 13981 a329d4 AcquireSRWLockExclusive 13958->13981 13960 a31c84 13960->13957 13986 a32a89 13960->13986 13965 a31e48 std::ios_base::_Init 38 API calls 13964->13965 13966 a31b2f 13965->13966 13966->13799 13968 a31e75 _strlen 13967->13968 13969 a31f5e 13968->13969 13970 a31ed0 13968->13970 13971 a31ec8 13968->13971 13975 a31e8f _Yarn 13968->13975 13972 a3b468 std::ios_base::_Init 27 API calls 13969->13972 13974 a32952 codecvt 14 API calls 13970->13974 13973 a3186a std::ios_base::_Init 14 API calls 13971->13973 13972->13969 13973->13975 13974->13975 14021 a31f68 13975->14021 13978 a31f30 messages 13979 a329c6 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 13978->13979 13980 a31b4f 13979->13980 13980->13756 13982 a329e8 13981->13982 13983 a329ed ReleaseSRWLockExclusive 13982->13983 13990 a32a74 SleepConditionVariableSRW 13982->13990 13983->13960 13991 a32a9e 13986->13991 13989 a32a23 AcquireSRWLockExclusive ReleaseSRWLockExclusive WakeAllConditionVariable 13989->13957 13990->13982 13992 a32ab4 13991->13992 13993 a32aad 13991->13993 14000 a3aa54 13992->14000 13997 a3aac5 13993->13997 13996 a31c9a 13996->13989 13998 a3aa54 std::ios_base::_Init 30 API calls 13997->13998 13999 a3aad7 13998->13999 13999->13996 14003 a3acb7 14000->14003 14004 a3acc3 ___scrt_is_nonwritable_in_current_image 14003->14004 14011 a3b750 EnterCriticalSection 14004->14011 14006 a3acd1 14012 a3aadb 14006->14012 14008 a3acde 14018 a3ad06 14008->14018 14011->14006 14013 a3aaf6 14012->14013 14014 a3ab5f std::_Lockit::_Lockit 14012->14014 14013->14014 14016 a43f46 std::ios_base::_Init 30 API calls 14013->14016 14017 a3ab3f 14013->14017 14014->14008 14015 a43f46 std::ios_base::_Init 30 API calls 14015->14014 14016->14017 14017->14014 14017->14015 14019 a3b767 std::_Lockit::~_Lockit LeaveCriticalSection 14018->14019 14020 a3aa85 14019->14020 14020->13996 14022 a31fa0 14021->14022 14023 a320be 14022->14023 14024 a31ff0 14022->14024 14025 a31fe8 14022->14025 14030 a31fb2 _Yarn 14022->14030 14026 a3b468 std::ios_base::_Init 27 API calls 14023->14026 14028 a32952 codecvt 14 API calls 14024->14028 14027 a3186a std::ios_base::_Init 14 API calls 14025->14027 14026->14023 14027->14030 14028->14030 14035 a320c8 14030->14035 14031 a32029 14031->14023 14032 a32085 messages 14031->14032 14033 a329c6 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 14032->14033 14034 a31f0d 14033->14034 14034->13969 14034->13978 14036 a320ea 14035->14036 14037 a320f8 14035->14037 14046 a3218a 14036->14046 14039 a3218a std::ios_base::_Init 38 API calls 14037->14039 14040 a3211b 14039->14040 14042 a32185 14040->14042 14043 a3213f messages 14040->14043 14041 a329c6 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 14044 a3217b 14041->14044 14045 a3b468 std::ios_base::_Init 27 API calls 14042->14045 14043->14041 14044->14031 14045->14042 14049 a321a9 14046->14049 14055 a3224f _Yarn messages 14046->14055 14047 a321e9 _Yarn 14051 a3b468 std::ios_base::_Init 27 API calls 14047->14051 14047->14055 14048 a321e3 14050 a3186a std::ios_base::_Init 14 API calls 14048->14050 14049->14047 14049->14048 14053 a322e8 14049->14053 14050->14047 14052 a322fd 14051->14052 14056 a32339 14052->14056 14057 a31ab6 std::ios_base::_Init 38 API calls 14052->14057 14054 a32952 codecvt 14 API calls 14053->14054 14054->14047 14055->14037 14056->14037 14057->14056 14059 a3230b 14058->14059 14060 a32339 14058->14060 14059->14060 14061 a31ab6 std::ios_base::_Init 38 API calls 14059->14061 14060->13805 14061->14060 14063 a323ea 14062->14063 14079 a3242b 14063->14079 14065 a329c6 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 14067 a31546 14065->14067 14068 a3233c 14067->14068 14069 a3197e 38 API calls 14068->14069 14070 a32358 14069->14070 14071 a32372 14070->14071 14072 a319d8 67 API calls 14070->14072 14073 a31ab6 std::ios_base::_Init 38 API calls 14071->14073 14072->14071 14074 a323a7 14073->14074 14075 a31a10 38 API calls 14074->14075 14076 a323ae 14075->14076 14077 a329c6 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 14076->14077 14078 a31551 14077->14078 14078->13772 14096 a32cd9 14079->14096 14083 a3245e 14084 a3248c 14083->14084 14110 a3254a 14083->14110 14128 a32d0a 14084->14128 14086 a324a8 14088 a329c6 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 14086->14088 14090 a323f0 14088->14090 14090->14065 14091 a32483 14122 a32d7d 14091->14122 14092 a324bc 14135 a325d6 14092->14135 14097 a32ce8 14096->14097 14098 a32cef 14096->14098 14146 a3b77e 14097->14146 14100 a3244b 14098->14100 14151 a351f8 EnterCriticalSection 14098->14151 14102 a324c2 14100->14102 14103 a324d8 14102->14103 14104 a324fc 14102->14104 14106 a32cd9 std::_Lockit::_Lockit 7 API calls 14103->14106 14105 a329c6 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 14104->14105 14107 a32509 14105->14107 14108 a324e3 14106->14108 14107->14083 14109 a32d0a std::_Lockit::~_Lockit 2 API calls 14108->14109 14109->14104 14111 a32563 14110->14111 14112 a325bf 14110->14112 14111->14112 14115 a32952 codecvt 14 API calls 14111->14115 14113 a329c6 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 14112->14113 14114 a3247b 14113->14114 14114->14091 14114->14092 14116 a32573 14115->14116 14200 a325fa 14116->14200 14123 a3c994 _Yarn 13 API calls 14122->14123 14124 a32d88 14123->14124 14125 a32d8f 14124->14125 14291 a331b3 14124->14291 14125->14084 14129 a32d14 14128->14129 14130 a3b78c 14128->14130 14131 a32d27 14129->14131 14295 a35206 LeaveCriticalSection 14129->14295 14296 a3b767 LeaveCriticalSection 14130->14296 14131->14086 14134 a3b793 14134->14086 14136 a325fa 14135->14136 14137 a35aba Concurrency::cancel_current_task RaiseException 14135->14137 14138 a32cd9 std::_Lockit::_Lockit 7 API calls 14136->14138 14137->14136 14139 a3260b 14138->14139 14140 a32647 14139->14140 14141 a32635 14139->14141 14143 a331f0 codecvt RaiseException 14140->14143 14142 a32dff codecvt 63 API calls 14141->14142 14145 a324c1 14142->14145 14144 a32651 14143->14144 14152 a3f432 14146->14152 14151->14100 14153 a3f5b9 std::_Lockit::_Lockit 5 API calls 14152->14153 14154 a3f437 14153->14154 14173 a3f5d3 14154->14173 14172 a3f464 14172->14172 14174 a3f534 std::_Lockit::_Lockit 5 API calls 14173->14174 14175 a3f43c 14174->14175 14176 a3f5ed 14175->14176 14177 a3f534 std::_Lockit::_Lockit 5 API calls 14176->14177 14178 a3f441 14177->14178 14179 a3f607 14178->14179 14180 a3f534 std::_Lockit::_Lockit 5 API calls 14179->14180 14181 a3f446 14180->14181 14182 a3f621 14181->14182 14183 a3f534 std::_Lockit::_Lockit 5 API calls 14182->14183 14184 a3f44b 14183->14184 14185 a3f63b 14184->14185 14186 a3f534 std::_Lockit::_Lockit 5 API calls 14185->14186 14187 a3f450 14186->14187 14188 a3f655 14187->14188 14189 a3f534 std::_Lockit::_Lockit 5 API calls 14188->14189 14190 a3f455 14189->14190 14191 a3f66f 14190->14191 14192 a3f534 std::_Lockit::_Lockit 5 API calls 14191->14192 14193 a3f45a 14192->14193 14194 a3f689 14193->14194 14195 a3f534 std::_Lockit::_Lockit 5 API calls 14194->14195 14196 a3f45f 14195->14196 14197 a3f6a3 14196->14197 14198 a3f534 std::_Lockit::_Lockit 5 API calls 14197->14198 14199 a3f6b9 14198->14199 14199->14172 14201 a32cd9 std::_Lockit::_Lockit 7 API calls 14200->14201 14202 a3260b 14201->14202 14203 a32647 14202->14203 14204 a32635 14202->14204 14233 a331f0 14203->14233 14224 a32dff 14204->14224 14207 a32651 14209 a34915 14254 a38588 14209->14254 14211 a3491e __Getctype 14212 a34956 14211->14212 14213 a34938 14211->14213 14215 a388c6 __Getctype 37 API calls 14212->14215 14259 a388c6 14213->14259 14216 a3493f 14215->14216 14264 a38561 14216->14264 14220 a325b3 14221 a32652 14220->14221 14287 a32e4b 14221->14287 14223 a3265b std::locale::_Locimp::~_Locimp 14237 a3c99f 14224->14237 14228 a32e24 14229 a32e33 14228->14229 14230 a3c99f std::_Locinfo::_Locinfo_dtor 62 API calls 14228->14230 14231 a32e65 _Yarn 13 API calls 14229->14231 14230->14229 14232 a3259b 14231->14232 14232->14209 14234 a33201 std::invalid_argument::invalid_argument 14233->14234 14235 a35aba Concurrency::cancel_current_task RaiseException 14234->14235 14236 a3320f std::bad_exception::bad_exception 14235->14236 14236->14207 14238 a3f432 std::_Lockit::_Lockit 5 API calls 14237->14238 14239 a3c9ac 14238->14239 14246 a3cbd1 14239->14246 14242 a32e65 14243 a32e73 std::locale::_Locimp::~_Locimp 14242->14243 14245 a32e9e _Yarn 14242->14245 14244 a3c994 _Yarn 13 API calls 14243->14244 14243->14245 14244->14245 14245->14228 14247 a3cbdd ___scrt_is_nonwritable_in_current_image 14246->14247 14248 a3b750 std::_Lockit::_Lockit EnterCriticalSection 14247->14248 14249 a3cbeb 14248->14249 14250 a3ca72 std::_Locinfo::_Locinfo_dtor 62 API calls 14249->14250 14251 a3cbf8 14250->14251 14252 a3cc20 std::_Locinfo::_Locinfo_dtor LeaveCriticalSection 14251->14252 14253 a32e0c 14252->14253 14253->14242 14255 a3e783 __Getctype 37 API calls 14254->14255 14256 a38593 14255->14256 14257 a3ed66 __Getctype 37 API calls 14256->14257 14258 a385a3 14257->14258 14258->14211 14260 a3e783 __Getctype 37 API calls 14259->14260 14261 a388d1 14260->14261 14262 a3ed66 __Getctype 37 API calls 14261->14262 14263 a388e1 14262->14263 14263->14216 14265 a3e783 __Getctype 37 API calls 14264->14265 14266 a3856c 14265->14266 14267 a3ed66 __Getctype 37 API calls 14266->14267 14268 a34967 14267->14268 14268->14220 14269 a3b963 14268->14269 14270 a3b970 14269->14270 14275 a3b9ab 14269->14275 14271 a3c994 _Yarn 13 API calls 14270->14271 14272 a3b993 14271->14272 14272->14275 14278 a3ee22 14272->14278 14275->14220 14276 a3b485 __Getctype 11 API calls 14277 a3b9c1 14276->14277 14279 a3ee3e 14278->14279 14280 a3ee30 14278->14280 14281 a3ad6d __dosmaperr 12 API calls 14279->14281 14280->14279 14285 a3ee58 14280->14285 14282 a3ee48 14281->14282 14283 a3b458 __strnicoll 27 API calls 14282->14283 14284 a3b9a4 14283->14284 14284->14275 14284->14276 14285->14284 14286 a3ad6d __dosmaperr 12 API calls 14285->14286 14286->14282 14288 a32e61 14287->14288 14289 a32e57 14287->14289 14288->14223 14290 a3c99f std::_Locinfo::_Locinfo_dtor 62 API calls 14289->14290 14290->14288 14292 a331c1 Concurrency::cancel_current_task 14291->14292 14293 a35aba Concurrency::cancel_current_task RaiseException 14292->14293 14294 a331cf 14293->14294 14295->14131 14296->14134 14298 a35aba Concurrency::cancel_current_task RaiseException 14297->14298 14299 a318b4 14298->14299 14299->13724 16281 a3416b 16282 a3417f 16281->16282 16283 a341da 16282->16283 16284 a343df 67 API calls 16282->16284 16285 a341aa 16284->16285 16285->16283 16286 a341c7 16285->16286 16287 a3ae1d 65 API calls 16285->16287 16286->16283 16289 a3c01e 16286->16289 16287->16286 16290 a3c029 16289->16290 16291 a3c03e 16289->16291 16294 a3ad6d __dosmaperr 12 API calls 16290->16294 16292 a3c046 16291->16292 16293 a3c05b 16291->16293 16295 a3ad6d __dosmaperr 12 API calls 16292->16295 16303 a44217 16293->16303 16297 a3c02e 16294->16297 16299 a3c04b 16295->16299 16298 a3b458 __strnicoll 27 API calls 16297->16298 16301 a3c039 16298->16301 16302 a3b458 __strnicoll 27 API calls 16299->16302 16300 a3c056 16300->16283 16301->16283 16302->16300 16304 a4422b _Fputc 16303->16304 16307 a447c0 16304->16307 16306 a44237 _Fputc 16306->16300 16308 a447cc ___scrt_is_nonwritable_in_current_image 16307->16308 16309 a447f6 16308->16309 16310 a447d3 16308->16310 16318 a3875f EnterCriticalSection 16309->16318 16312 a3b601 __strnicoll 27 API calls 16310->16312 16314 a447ec 16312->16314 16313 a44804 16319 a4461f 16313->16319 16314->16306 16316 a44813 16332 a44845 16316->16332 16318->16313 16320 a44656 16319->16320 16321 a4462e 16319->16321 16322 a40efc __fread_nolock 27 API calls 16320->16322 16323 a3b601 __strnicoll 27 API calls 16321->16323 16324 a4465f 16322->16324 16325 a44649 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 16323->16325 16326 a44051 31 API calls 16324->16326 16325->16316 16327 a4467d 16326->16327 16327->16325 16328 a44720 16327->16328 16329 a44709 16327->16329 16328->16325 16331 a44454 31 API calls 16328->16331 16330 a442a9 32 API calls 16329->16330 16330->16325 16331->16325 16335 a38773 LeaveCriticalSection 16332->16335 16334 a4484d 16334->16314 16335->16334 15478 a3884f 15479 a3bbb9 ___scrt_uninitialize_crt 66 API calls 15478->15479 15480 a38857 15479->15480 15485 a40cde 15480->15485 15482 a3885c 15483 a3886b DeleteCriticalSection 15482->15483 15483->15482 15484 a38886 15483->15484 15486 a40cea ___scrt_is_nonwritable_in_current_image 15485->15486 15494 a3b750 EnterCriticalSection 15486->15494 15488 a40cf5 15489 a40d61 15488->15489 15491 a40d35 DeleteCriticalSection 15488->15491 15495 a3ba11 15488->15495 15499 a40d80 15489->15499 15491->15488 15494->15488 15496 a3ba24 _Fputc 15495->15496 15502 a3bacf 15496->15502 15498 a3ba30 _Fputc 15498->15488 15570 a3b767 LeaveCriticalSection 15499->15570 15501 a40d6d 15501->15482 15503 a3badb ___scrt_is_nonwritable_in_current_image 15502->15503 15504 a3bae5 15503->15504 15505 a3bb08 15503->15505 15506 a3b601 __strnicoll 27 API calls 15504->15506 15512 a3bb00 15505->15512 15513 a3875f EnterCriticalSection 15505->15513 15506->15512 15508 a3bb26 15514 a3ba41 15508->15514 15510 a3bb33 15524 a3bb5e 15510->15524 15512->15498 15513->15508 15515 a3ba71 15514->15515 15516 a3ba4e 15514->15516 15518 a3bc27 ___scrt_uninitialize_crt 62 API calls 15515->15518 15523 a3ba69 15515->15523 15517 a3b601 __strnicoll 27 API calls 15516->15517 15517->15523 15519 a3ba89 15518->15519 15520 a40efc __fread_nolock 27 API calls 15519->15520 15521 a3ba9d 15520->15521 15527 a44ff5 15521->15527 15523->15510 15569 a38773 LeaveCriticalSection 15524->15569 15526 a3bb64 15526->15512 15528 a45006 15527->15528 15529 a4501e 15527->15529 15528->15523 15530 a4506d 15529->15530 15532 a45045 15529->15532 15531 a3b601 __strnicoll 27 API calls 15530->15531 15531->15528 15534 a45098 15532->15534 15535 a450a4 ___scrt_is_nonwritable_in_current_image 15534->15535 15542 a44ef9 EnterCriticalSection 15535->15542 15537 a450b2 15538 a450e3 15537->15538 15543 a44f55 15537->15543 15556 a4511d 15538->15556 15542->15537 15544 a44cb0 _Fputc 27 API calls 15543->15544 15546 a44f65 15544->15546 15545 a44f6b 15559 a44d1a 15545->15559 15546->15545 15548 a44f9d 15546->15548 15549 a44cb0 _Fputc 27 API calls 15546->15549 15548->15545 15550 a44cb0 _Fputc 27 API calls 15548->15550 15551 a44f94 15549->15551 15552 a44fa9 CloseHandle 15550->15552 15553 a44cb0 _Fputc 27 API calls 15551->15553 15552->15545 15554 a44fb5 GetLastError 15552->15554 15553->15548 15554->15545 15555 a44fc3 _Fputc 15555->15538 15568 a44f1c LeaveCriticalSection 15556->15568 15558 a45106 15558->15528 15560 a44d90 15559->15560 15561 a44d29 15559->15561 15562 a3ad6d __dosmaperr 12 API calls 15560->15562 15561->15560 15567 a44d53 15561->15567 15563 a44d95 15562->15563 15564 a3ad80 __dosmaperr 12 API calls 15563->15564 15565 a44d80 15564->15565 15565->15555 15566 a44d7a SetStdHandle 15566->15565 15567->15565 15567->15566 15568->15558 15569->15526 15570->15501

                                                                                            Executed Functions

                                                                                            Function 00A5519E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295threadinjectionmemoryCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A55110,00A55100), ref: 00A55334
                                                                                            • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00A55347
                                                                                            • Wow64GetThreadContext.KERNEL32(0000008C,00000000), ref: 00A55365
                                                                                            • ReadProcessMemory.KERNELBASE(0000010C,?,00A55154,00000004,00000000), ref: 00A55389
                                                                                            • VirtualAllocEx.KERNELBASE(0000010C,?,?,00003000,00000040), ref: 00A553B4
                                                                                            • WriteProcessMemory.KERNELBASE(0000010C,00000000,?,?,00000000,?), ref: 00A5540C
                                                                                            • WriteProcessMemory.KERNELBASE(0000010C,00400000,?,?,00000000,?,00000028), ref: 00A55457
                                                                                            • WriteProcessMemory.KERNELBASE(0000010C,?,?,00000004,00000000), ref: 00A55495
                                                                                            • Wow64SetThreadContext.KERNEL32(0000008C,00E70000), ref: 00A554D1
                                                                                            • ResumeThread.KERNELBASE(0000008C), ref: 00A554E0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                                                                                            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
                                                                                            • API String ID: 2687962208-3857624555
                                                                                            • Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
                                                                                            • Instruction ID: a244eec38381f53e8ccb1554ca702baf08321115f45514bc0b5ca3083d933bc7
                                                                                            • Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
                                                                                            • Instruction Fuzzy Hash: 49B1077264064AAFDB60CF68CC80BDA73A5FF88715F158124EA0CAB341D774FA55CB94
                                                                                            Function 00A31614 Relevance: 9.2, APIs: 6, Instructions: 171fileCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE ref: 00A31675
                                                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 00A31685
                                                                                            • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 00A316AB
                                                                                            • CloseHandle.KERNELBASE(00000000), ref: 00A316BA
                                                                                            • _strlen.LIBCMT ref: 00A31705
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00A31805
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$CloseHandle$CreateReadSize_strlen
                                                                                            • String ID:
                                                                                            • API String ID: 1158390869-0
                                                                                            • Opcode ID: 85aa641e573c8d6752378e22f8846b43a925aae028bde1e0b640cbad4f40099c
                                                                                            • Instruction ID: 2e38e665e5b47aa0eedbf0a5f945e2f571f6a7968a065f1aae7265b06cbbbeda
                                                                                            • Opcode Fuzzy Hash: 85aa641e573c8d6752378e22f8846b43a925aae028bde1e0b640cbad4f40099c
                                                                                            • Instruction Fuzzy Hash: 4251FEB29043009BD700EF24DC85B2EBBE5FF88354F154A2DF88997252EB34E9458B62
                                                                                            Function 00A3155C Relevance: 4.6, APIs: 3, Instructions: 64memoryCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • FreeConsole.KERNELBASE ref: 00A3158B
                                                                                              • Part of subcall function 00A3123B: KiUserExceptionDispatcher.NTDLL(00000000,00000000,00000000), ref: 00A312C7
                                                                                            • VirtualProtect.KERNELBASE(00A55011,00000549,00000040,?), ref: 00A315D7
                                                                                            • ExitProcess.KERNEL32 ref: 00A3160E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ConsoleDispatcherExceptionExitFreeProcessProtectUserVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 1011651897-0
                                                                                            • Opcode ID: 3faad6ea0e13aa4970f94ccf4c2ac13543921558d1962a7aff5f1edc11eb815c
                                                                                            • Instruction ID: 98add4c229803cd8db06d93d0b8ebc8a200c9dfb6cdaab7615cc88a3a670b2b2
                                                                                            • Opcode Fuzzy Hash: 3faad6ea0e13aa4970f94ccf4c2ac13543921558d1962a7aff5f1edc11eb815c
                                                                                            • Instruction Fuzzy Hash: 6B11E372E00208ABEB00ABA59C52BBF7768FF85301F404425F908A7291E675AD154BE1
                                                                                            Function 00A3123B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 85COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 94 a3123b-a31261 95 a31263-a3127c 94->95 95->95 96 a3127e-a31280 95->96 97 a31282-a312ac 96->97 97->97 98 a312ae-a312b6 97->98 99 a31355-a3136d call a329c6 98->99 100 a312bc-a312c0 98->100 101 a312c2-a312df KiUserExceptionDispatcher 100->101 103 a312e1-a312eb call a3136e 101->103 104 a312fc-a3134f 101->104 107 a312f0-a312f9 call a31533 103->107 104->99 104->101 107->104
                                                                                            APIs
                                                                                            • KiUserExceptionDispatcher.NTDLL(00000000,00000000,00000000), ref: 00A312C7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: DispatcherExceptionUser
                                                                                            • String ID: [+]
                                                                                            • API String ID: 6842923-4228040803
                                                                                            • Opcode ID: 2f755d89029a6b5e1b040ecaff60019269738b6030ad02bdcef24161bb0436a0
                                                                                            • Instruction ID: 29ff27674052fe35efbbc13f7f1f392d897bca75ae7c9326b9f6ecf994580a08
                                                                                            • Opcode Fuzzy Hash: 2f755d89029a6b5e1b040ecaff60019269738b6030ad02bdcef24161bb0436a0
                                                                                            • Instruction Fuzzy Hash: 2331093150C3804FD716AB74A8997EBBBD0BFBD318F18097DE8C987243D1615446CB62
                                                                                            Function 00A45283 Relevance: 3.2, APIs: 2, Instructions: 196fileCOMMONLIBRARYCODE
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 110 a45283-a452a5 111 a45498 110->111 112 a452ab-a452ad 110->112 113 a4549a-a4549e 111->113 114 a452af-a452ce call a3b601 112->114 115 a452d9-a452fc 112->115 121 a452d1-a452d4 114->121 116 a45302-a45308 115->116 117 a452fe-a45300 115->117 116->114 119 a4530a-a4531b 116->119 117->116 117->119 122 a4531d-a4532b call a44033 119->122 123 a4532e-a4533e call a455b0 119->123 121->113 122->123 128 a45387-a45399 123->128 129 a45340-a45346 123->129 130 a453f0-a45410 WriteFile 128->130 131 a4539b-a453a1 128->131 132 a4536f-a45385 call a4562d 129->132 133 a45348-a4534b 129->133 134 a45412-a45418 GetLastError 130->134 135 a4541b 130->135 137 a453a3-a453a6 131->137 138 a453dc-a453e9 call a45a5c 131->138 150 a45368-a4536a 132->150 139 a45356-a45365 call a459f4 133->139 140 a4534d-a45350 133->140 134->135 143 a4541e-a45429 135->143 144 a453c8-a453da call a45c20 137->144 145 a453a8-a453ab 137->145 149 a453ee 138->149 139->150 140->139 146 a45430-a45433 140->146 151 a45493-a45496 143->151 152 a4542b-a4542e 143->152 156 a453c3-a453c6 144->156 153 a45436-a45438 145->153 154 a453b1-a453be call a45b37 145->154 146->153 149->156 150->143 151->113 152->146 157 a45466-a45472 153->157 158 a4543a-a4543f 153->158 154->156 156->150 163 a45474-a4547a 157->163 164 a4547c-a4548e 157->164 161 a45441-a45453 158->161 162 a45458-a45461 call a3adf9 158->162 161->121 162->121 163->111 163->164 164->121
                                                                                            APIs
                                                                                              • Part of subcall function 00A4562D: GetConsoleOutputCP.KERNEL32(1742AD29,00000000,00000000,?), ref: 00A45690
                                                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,00A3BBF3,?), ref: 00A45408
                                                                                            • GetLastError.KERNEL32(?,?,00A3BBF3,?,00A3BE37,00000000,?,00000000,00A3BE37,?,?,?,00A54628,0000002C,00A3BD23,?), ref: 00A45412
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ConsoleErrorFileLastOutputWrite
                                                                                            • String ID:
                                                                                            • API String ID: 2915228174-0
                                                                                            • Opcode ID: 82822c8e0d2eb71417e0e8246d8cdc4e62ade44f56e8c15be2f2352056b40ac8
                                                                                            • Instruction ID: 92f69ab90aae3d2e83ac4d011aa7553abe97a6c1bbc91f8ac8d02fd82c8726b3
                                                                                            • Opcode Fuzzy Hash: 82822c8e0d2eb71417e0e8246d8cdc4e62ade44f56e8c15be2f2352056b40ac8
                                                                                            • Instruction Fuzzy Hash: AC61C27AD00619AFDF11CFB8C984AEEBBBABF89344F140155E900AB253D371DA45CB60
                                                                                            Function 00A45A5C Relevance: 3.1, APIs: 2, Instructions: 80fileCOMMONLIBRARYCODE
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 167 a45a5c-a45ab1 call a356e0 170 a45b26-a45b36 call a329c6 167->170 171 a45ab3 167->171 172 a45ab9 171->172 174 a45abf-a45ac1 172->174 176 a45ac3-a45ac8 174->176 177 a45adb-a45b00 WriteFile 174->177 178 a45ad1-a45ad9 176->178 179 a45aca-a45ad0 176->179 180 a45b02-a45b0d 177->180 181 a45b1e-a45b24 GetLastError 177->181 178->174 178->177 179->178 180->170 182 a45b0f-a45b1a 180->182 181->170 182->172 183 a45b1c 182->183 183->170
                                                                                            APIs
                                                                                            • WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,00A453EE,00000000,00A3BE37,?,00000000,?,00000000), ref: 00A45AF8
                                                                                            • GetLastError.KERNEL32(?,00A453EE,00000000,00A3BE37,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,00A3BBF3), ref: 00A45B1E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastWrite
                                                                                            • String ID:
                                                                                            • API String ID: 442123175-0
                                                                                            • Opcode ID: 9ae3412d406646cdb84bf7280d9af145ab0cf28f3cbb46b9585c01548b3de4ef
                                                                                            • Instruction ID: 9976a8407a32bddea768a36fe24c9c5006f3c4588abbe8fb5334e8eb311d1bf2
                                                                                            • Opcode Fuzzy Hash: 9ae3412d406646cdb84bf7280d9af145ab0cf28f3cbb46b9585c01548b3de4ef
                                                                                            • Instruction Fuzzy Hash: 96218035E006199BCF15CF69DD849E9B7B9FB88341F2441A9E906D7212E6309E46CF60
                                                                                            Function 00A3FF89 Relevance: 3.1, APIs: 2, Instructions: 65COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 184 a3ff89-a3ff8e 185 a3ff90-a3ffa8 184->185 186 a3ffb6-a3ffbf 185->186 187 a3ffaa-a3ffae 185->187 189 a3ffd1 186->189 190 a3ffc1-a3ffc4 186->190 187->186 188 a3ffb0-a3ffb4 187->188 191 a4002b-a4002f 188->191 194 a3ffd3-a3ffe0 GetStdHandle 189->194 192 a3ffc6-a3ffcb 190->192 193 a3ffcd-a3ffcf 190->193 191->185 195 a40035-a40038 191->195 192->194 193->194 196 a3ffe2-a3ffe4 194->196 197 a4000d-a4001f 194->197 196->197 198 a3ffe6-a3ffef GetFileType 196->198 197->191 199 a40021-a40024 197->199 198->197 200 a3fff1-a3fffa 198->200 199->191 201 a40002-a40005 200->201 202 a3fffc-a40000 200->202 201->191 203 a40007-a4000b 201->203 202->191 203->191
                                                                                            APIs
                                                                                            • GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,?,00000000,00A3FE78,00A54948), ref: 00A3FFD5
                                                                                            • GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,00A3FE78,00A54948), ref: 00A3FFE7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileHandleType
                                                                                            • String ID:
                                                                                            • API String ID: 3000768030-0
                                                                                            • Opcode ID: 60679cbc01a743366b7a59bf88645a5119ec8aee40767857487893131451cb28
                                                                                            • Instruction ID: 9fb7cb5f07541a0b35efcb865a9811afac9d3e073d21e746882800e4ae797a21
                                                                                            • Opcode Fuzzy Hash: 60679cbc01a743366b7a59bf88645a5119ec8aee40767857487893131451cb28
                                                                                            • Instruction Fuzzy Hash: 681172759147514ECB308B3D9C88B22BAA5A7D6330F38072EE6B7875F1C330D946E651
                                                                                            Function 00A3136E Relevance: 1.7, APIs: 1, Instructions: 157COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 204 a3136e-a313b1 call a3ce80 call a3197e 209 a313b7-a313fa 204->209 210 a314c9-a314ce 204->210 211 a3144e-a31463 call a3408b 209->211 212 a313fc-a31404 209->212 213 a314f0-a31532 call a31ab6 call a31a10 call a329c6 210->213 218 a31466-a3147b 211->218 212->211 214 a31406-a31409 212->214 216 a3140d-a31425 call a319d8 214->216 227 a314d0-a314d5 216->227 228 a3142b-a31442 216->228 221 a314c0-a314c7 218->221 222 a3147d-a31485 218->222 223 a314e0-a314ec 221->223 222->221 226 a31487-a31489 222->226 223->213 230 a3148a-a314a5 call a319d8 226->230 227->223 228->216 231 a31444-a3144c 228->231 235 a314d7-a314dc 230->235 236 a314a7-a314be 230->236 231->211 235->223 236->221 236->230
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: _strlen
                                                                                            • String ID:
                                                                                            • API String ID: 4218353326-0
                                                                                            • Opcode ID: 9e1107721e47c8f5bb44c7dcdd2bb3d908a353ad91f0cd6360978b00b8c5ec9b
                                                                                            • Instruction ID: 84a29e8b02ffb1e7640970112206018aad54b5dfb04277f06b0a2e09a5d056e4
                                                                                            • Opcode Fuzzy Hash: 9e1107721e47c8f5bb44c7dcdd2bb3d908a353ad91f0cd6360978b00b8c5ec9b
                                                                                            • Instruction Fuzzy Hash: E3519E713042048FCB14DF6CC994B6AB7E6EF88768F198668F969CB392D630ED05CB41
                                                                                            Function 00A33C0B Relevance: 1.6, APIs: 1, Instructions: 95COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 238 a33c0b-a33c10 239 a33c12-a33c18 call a3875f 238->239 240 a33c5e-a33c60 238->240 239->240 241 a33c62-a33c73 240->241 242 a33c75-a33c79 240->242 244 a33cee-a33cf0 241->244 245 a33d21 242->245 246 a33c7f-a33c90 call a344b9 242->246 248 a33d24-a33d32 call a329c6 244->248 245->248 253 a33c92-a33c96 246->253 254 a33c98-a33ccc 246->254 256 a33cdf call a335da 253->256 261 a33cf2-a33cfa 254->261 262 a33cce-a33cd1 254->262 259 a33ce4-a33ceb 256->259 259->244 264 a33d0f-a33d1f 261->264 265 a33cfc-a33d0d call a3c578 261->265 262->261 263 a33cd3-a33cd7 262->263 263->245 267 a33cd9-a33cdc 263->267 264->248 265->245 265->264 267->256
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalEnterSection
                                                                                            • String ID:
                                                                                            • API String ID: 1904992153-0
                                                                                            • Opcode ID: 2db25939a48ce3064d53dc3846d77184a4eaf1e7849f4226592b61f381e35c23
                                                                                            • Instruction ID: d18efc7fcc286877e0adb626f0b45f059a988f15ee37823977d956c20400543b
                                                                                            • Opcode Fuzzy Hash: 2db25939a48ce3064d53dc3846d77184a4eaf1e7849f4226592b61f381e35c23
                                                                                            • Instruction Fuzzy Hash: A931D87390811AAFCF11DFA8D9949EDB7B8BF09324F145666F402F3690DB21EA44CB50
                                                                                            Function 00A33C29 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 269 a33c29-a33c43 270 a33c45-a33c47 269->270 271 a33c4c-a33c54 269->271 272 a33d25-a33d32 call a329c6 270->272 273 a33c56-a33c60 271->273 274 a33c75-a33c79 271->274 273->274 281 a33c62-a33c73 273->281 277 a33d21 274->277 278 a33c7f-a33c90 call a344b9 274->278 280 a33d24 277->280 285 a33c92-a33c96 278->285 286 a33c98-a33ccc 278->286 280->272 283 a33cee-a33cf0 281->283 283->280 287 a33cdf call a335da 285->287 292 a33cf2-a33cfa 286->292 293 a33cce-a33cd1 286->293 290 a33ce4-a33ceb 287->290 290->283 295 a33d0f-a33d1f 292->295 296 a33cfc-a33d0d call a3c578 292->296 293->292 294 a33cd3-a33cd7 293->294 294->277 298 a33cd9-a33cdc 294->298 295->280 296->277 296->295 298->287
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b9a1645dbf8aa3377b3ff8bb593b1d69a95ee5b16748dd56bc29cfc2aab44f3b
                                                                                            • Instruction ID: f8fd1eb13caf52fa521935577bc8697734bf31f8ed17969ce548cbb19d7357be
                                                                                            • Opcode Fuzzy Hash: b9a1645dbf8aa3377b3ff8bb593b1d69a95ee5b16748dd56bc29cfc2aab44f3b
                                                                                            • Instruction Fuzzy Hash: C1118F32608606EFCF08CF29E4909A9B3F5BF49324B60566DE802D7690DB31FA54CB90
                                                                                            Function 00A33C1B Relevance: 1.5, APIs: 1, Instructions: 48COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 300 a33c1b-a33c20 301 a33c22-a33c28 call a38773 300->301 302 a33c6e-a33c74 300->302 304 a33c76 302->304 305 a33bf9-a33c08 302->305 307 a33cc4-a33ccc 304->307 308 a33c78-a33c80 304->308 310 a33cf2-a33cfa 307->310 311 a33cce-a33cd1 307->311 308->307 313 a33d0f-a33d1f 310->313 314 a33cfc-a33d0d call a3c578 310->314 311->310 312 a33cd3-a33cd7 311->312 317 a33d21 312->317 318 a33cd9-a33cdf call a335da 312->318 316 a33d24-a33d32 call a329c6 313->316 314->313 314->317 317->316 325 a33ce4-a33cf0 318->325 325->316
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalLeaveSection
                                                                                            • String ID:
                                                                                            • API String ID: 3988221542-0
                                                                                            • Opcode ID: 3ea73b1645683f5b09456736a35afa41192eae603db40fca3c853cd996b0084e
                                                                                            • Instruction ID: c93a3538c985dc035879c32df081fb6024d9e7fff51e96e583d016a15b6d5762
                                                                                            • Opcode Fuzzy Hash: 3ea73b1645683f5b09456736a35afa41192eae603db40fca3c853cd996b0084e
                                                                                            • Instruction Fuzzy Hash: E0F0283760C2564ACF45CB7CEA667ACBB60FF86334F24915FF412D94D1CA124A55C310
                                                                                            Function 00A3E531 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 327 a3e531-a3e53d 328 a3e56f-a3e57a call a3ad6d 327->328 329 a3e53f-a3e541 327->329 337 a3e57c-a3e57e 328->337 330 a3e543-a3e544 329->330 331 a3e55a-a3e56b RtlAllocateHeap 329->331 330->331 333 a3e546-a3e54d call a3b92d 331->333 334 a3e56d 331->334 333->328 339 a3e54f-a3e558 call a38f08 333->339 334->337 339->328 339->331
                                                                                            APIs
                                                                                            • RtlAllocateHeap.NTDLL(00000000,00A331E1,00A3186A,?,00A360C1,00A3186C,00A3186A,?,?,?,00A33181,00A331E1,00A3186E,00A3186A,00A3186A,00A3186A), ref: 00A3E563
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocateHeap
                                                                                            • String ID:
                                                                                            • API String ID: 1279760036-0
                                                                                            • Opcode ID: 83298f9d8c8f6da4d8b4d9d7501c02db3712ccd5e1dd47111e5cd384e2b38602
                                                                                            • Instruction ID: 486f9d10c397bb5cc9ce88186c0b1bbac174caf49523d7e940572caa7c03eb6b
                                                                                            • Opcode Fuzzy Hash: 83298f9d8c8f6da4d8b4d9d7501c02db3712ccd5e1dd47111e5cd384e2b38602
                                                                                            • Instruction Fuzzy Hash: 04E02231A4122457DB30EBA9AC01B5A3A4CAF417F8F140120FC46E70D1FB61CD0082B0

                                                                                            Non-executed Functions

                                                                                            Function 00A43178 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetLocaleInfoW.KERNEL32(?,2000000B,00A42B49,00000002,00000000,?,?,?,00A42B49,?,00000000), ref: 00A43211
                                                                                            • GetLocaleInfoW.KERNEL32(?,20001004,00A42B49,00000002,00000000,?,?,?,00A42B49,?,00000000), ref: 00A4323A
                                                                                            • GetACP.KERNEL32(?,?,00A42B49,?,00000000), ref: 00A4324F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: InfoLocale
                                                                                            • String ID: ACP$OCP
                                                                                            • API String ID: 2299586839-711371036
                                                                                            • Opcode ID: 9ed6ee8dc8d25704b1d7263d6bdf93c44f2695e15696a3f032909470795970f4
                                                                                            • Instruction ID: d49d8a8879afe810d7751735bd993aaf06a6f69b8197ed2baf00ccd78099f4b7
                                                                                            • Opcode Fuzzy Hash: 9ed6ee8dc8d25704b1d7263d6bdf93c44f2695e15696a3f032909470795970f4
                                                                                            • Instruction Fuzzy Hash: 0221AC3B600101EADF348F68E905BEB73A6BFE4B51B268624E90AD7110E772DF41D350
                                                                                            Function 00A42A13 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                              • Part of subcall function 00A3E783: GetLastError.KERNEL32(00000000,?,00A40AB9), ref: 00A3E787
                                                                                              • Part of subcall function 00A3E783: SetLastError.KERNEL32(00000000,?,?,00000028,00A3B9D2), ref: 00A3E829
                                                                                            • GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 00A42B1B
                                                                                            • IsValidCodePage.KERNEL32(00000000), ref: 00A42B59
                                                                                            • IsValidLocale.KERNEL32(?,00000001), ref: 00A42B6C
                                                                                            • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00A42BB4
                                                                                            • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00A42BCF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                            • String ID:
                                                                                            • API String ID: 415426439-0
                                                                                            • Opcode ID: 5f8576cc40f2f856cf334241ed765f2661259ec3b98ecceb1b0590a86fbf1c7e
                                                                                            • Instruction ID: 2cebb25d7463f3634f39af6a6a6aa76e843fd3dbde9a79f0f32dd0ad6eecd653
                                                                                            • Opcode Fuzzy Hash: 5f8576cc40f2f856cf334241ed765f2661259ec3b98ecceb1b0590a86fbf1c7e
                                                                                            • Instruction Fuzzy Hash: FE517D76A00215AFDF21DFA4CC85BAE77B8FF94740F854469F900EB190EBB09A45CB61
                                                                                            Function 00A4375A Relevance: 6.2, APIs: 4, Instructions: 205COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A4384A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileFindFirst
                                                                                            • String ID:
                                                                                            • API String ID: 1974802433-0
                                                                                            • Opcode ID: af20cae6ab848a087ea9e5c906d02ffc1fa94090574b9e08c6f283a0f5f449bd
                                                                                            • Instruction ID: 602fa4cbe4807233ffbc21f6d82dddc0180ed9d97184a6906c619b9e6e9813aa
                                                                                            • Opcode Fuzzy Hash: af20cae6ab848a087ea9e5c906d02ffc1fa94090574b9e08c6f283a0f5f449bd
                                                                                            • Instruction Fuzzy Hash: F371E6BA905159AFDF20EF68CC9DAAEBBB8AF85300F1441DAE04993251DB714F859F10
                                                                                            Function 00A35020 Relevance: 6.1, APIs: 4, Instructions: 70COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00A3502C
                                                                                            • IsDebuggerPresent.KERNEL32 ref: 00A350F8
                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A35111
                                                                                            • UnhandledExceptionFilter.KERNEL32(?), ref: 00A3511B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                            • String ID:
                                                                                            • API String ID: 254469556-0
                                                                                            • Opcode ID: 1768d5ac103420a924d1a2497add70d71a90f1434368e2737eb0c63f64da00ca
                                                                                            • Instruction ID: 4953d4b3119afa4e89db6d2a5ecc32b39971cca95b1f42260a7eef8620979f4b
                                                                                            • Opcode Fuzzy Hash: 1768d5ac103420a924d1a2497add70d71a90f1434368e2737eb0c63f64da00ca
                                                                                            • Instruction Fuzzy Hash: 173114B5D053289BDF21EFA4D9497CDBBB8BF08340F1041AAE40DAB250EB719B858F44
                                                                                            Function 00A359A7 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00A359B9
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00A359C8
                                                                                            • GetCurrentProcessId.KERNEL32 ref: 00A359D1
                                                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 00A359DE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                            • String ID:
                                                                                            • API String ID: 2933794660-0
                                                                                            • Opcode ID: aa099a6cb5d468291ee548edd8d402f2da9df7f2c6a8bdd8c2039e5d1ddc9a4f
                                                                                            • Instruction ID: 53d43602da9e60bc3695949c969fee92042a7199cbb4c7deb5d775830b2e0f5d
                                                                                            • Opcode Fuzzy Hash: aa099a6cb5d468291ee548edd8d402f2da9df7f2c6a8bdd8c2039e5d1ddc9a4f
                                                                                            • Instruction Fuzzy Hash: 3AF0AF71D1120CEBCF00DBF4C94998EFBF4FF5C241B918996A412E7110E670AB458F50
                                                                                            Function 00A42CFF Relevance: 4.7, APIs: 3, Instructions: 205COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                              • Part of subcall function 00A3E783: GetLastError.KERNEL32(00000000,?,00A40AB9), ref: 00A3E787
                                                                                              • Part of subcall function 00A3E783: SetLastError.KERNEL32(00000000,?,?,00000028,00A3B9D2), ref: 00A3E829
                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A42D53
                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A42D9D
                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A42E63
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: InfoLocale$ErrorLast
                                                                                            • String ID:
                                                                                            • API String ID: 661929714-0
                                                                                            • Opcode ID: ba89794c3459c8ef62f8d2b638cfeb3fa97279dad6acf4e4e471b538b34a741b
                                                                                            • Instruction ID: 1e435e6cd91dbb48fd13a22a00a1716af03ff6094ec870ea3da3a2e9109c8561
                                                                                            • Opcode Fuzzy Hash: ba89794c3459c8ef62f8d2b638cfeb3fa97279dad6acf4e4e471b538b34a741b
                                                                                            • Instruction Fuzzy Hash: B261BC75910207EFDB38DF28CD82BAABBA8FF84301F94416AF905C6185E774DA94CB50
                                                                                            Function 00A3B4B9 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00A3B5B1
                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00A3B5BB
                                                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00A3B5C8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                            • String ID:
                                                                                            • API String ID: 3906539128-0
                                                                                            • Opcode ID: 2aa71e7f863239ff97935967b3d033d78eb9f237daf79e8fe09b421e12df1544
                                                                                            • Instruction ID: f798371bfc615aa9641c8afb7514fc912958a97619a35e159ad6cf59b2bde73d
                                                                                            • Opcode Fuzzy Hash: 2aa71e7f863239ff97935967b3d033d78eb9f237daf79e8fe09b421e12df1544
                                                                                            • Instruction Fuzzy Hash: EE31C1B5911228ABCB21DF68D98978CBBB8BF48310F5042EAE40CA6251E7709B818F54
                                                                                            Function 00A46F3A Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?), ref: 00A47167
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionRaise
                                                                                            • String ID:
                                                                                            • API String ID: 3997070919-0
                                                                                            • Opcode ID: 2c688348d05cde4d6334acec2f92664b73e8913eb71b10c11384fe6653fbcb57
                                                                                            • Instruction ID: e347be15e7d26058c6ca3065364a77d0b0c0ef58d8e2294850d692c14fce5e24
                                                                                            • Opcode Fuzzy Hash: 2c688348d05cde4d6334acec2f92664b73e8913eb71b10c11384fe6653fbcb57
                                                                                            • Instruction Fuzzy Hash: 30B17D35614648DFD715CF28C48AB697BE0FF85364F258698E8D9CF2A1C336E981CB40
                                                                                            Function 00A34C8C Relevance: 1.7, APIs: 1, Instructions: 242COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00A34CA2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: FeaturePresentProcessor
                                                                                            • String ID:
                                                                                            • API String ID: 2325560087-0
                                                                                            • Opcode ID: a488239cfde598fc21e7528d5d89746bb8c3286f437492f1f5cd4b546a412a36
                                                                                            • Instruction ID: 1b50ed0466562b7e72be4f50f3b8306a42ba74e77f0e6f25335b18caa4ca43c3
                                                                                            • Opcode Fuzzy Hash: a488239cfde598fc21e7528d5d89746bb8c3286f437492f1f5cd4b546a412a36
                                                                                            • Instruction Fuzzy Hash: DDA15CB1D21B05CBDB18CFA4D8966A9BBF1FB48315F28852AE415EB360D334A941CFD0
                                                                                            Function 00A436A9 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                              • Part of subcall function 00A3F807: HeapAlloc.KERNEL32(00000008,?,00A331E1,?,00A3E921,00000001,00000364,00A331E1,00000003,000000FF,?,00A360C1,00A3186C,00A3186A,?), ref: 00A3F848
                                                                                            • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A4384A
                                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00A4393E
                                                                                            • FindClose.KERNEL32(00000000), ref: 00A4397D
                                                                                            • FindClose.KERNEL32(00000000), ref: 00A439B0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: Find$CloseFile$AllocFirstHeapNext
                                                                                            • String ID:
                                                                                            • API String ID: 2701053895-0
                                                                                            • Opcode ID: 8eff7345bd1f970c03fc3823cd684d0fd576178a391f405cd75892dbd103436a
                                                                                            • Instruction ID: 8eca3dded93311f3efc54c46bdfd12d98727fa8e4c344eea79b20cf1475c3742
                                                                                            • Opcode Fuzzy Hash: 8eff7345bd1f970c03fc3823cd684d0fd576178a391f405cd75892dbd103436a
                                                                                            • Instruction Fuzzy Hash: F3519ABB900119AFDF14EF789C85EBEB7B9DFC5304F244199F45893241EA308E429B20
                                                                                            Function 00A42FB1 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                              • Part of subcall function 00A3E783: GetLastError.KERNEL32(00000000,?,00A40AB9), ref: 00A3E787
                                                                                              • Part of subcall function 00A3E783: SetLastError.KERNEL32(00000000,?,?,00000028,00A3B9D2), ref: 00A3E829
                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A43005
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$InfoLocale
                                                                                            • String ID:
                                                                                            • API String ID: 3736152602-0
                                                                                            • Opcode ID: 3623ef7eb058970474399d7f0303a941f2281e29b077f891da088b125bc1b51e
                                                                                            • Instruction ID: f42bb682aa06d5f4a0726d55da7042c2c1681e15b7ac4a372fd5a442b30cbf7a
                                                                                            • Opcode Fuzzy Hash: 3623ef7eb058970474399d7f0303a941f2281e29b077f891da088b125bc1b51e
                                                                                            • Instruction Fuzzy Hash: 77218076601206ABDF28DB2ADD42ABB77A8EFC4711F10027AF901D6185EB74EE408B50
                                                                                            Function 00A430D1 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                              • Part of subcall function 00A3E783: GetLastError.KERNEL32(00000000,?,00A40AB9), ref: 00A3E787
                                                                                              • Part of subcall function 00A3E783: SetLastError.KERNEL32(00000000,?,?,00000028,00A3B9D2), ref: 00A3E829
                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A43125
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$InfoLocale
                                                                                            • String ID:
                                                                                            • API String ID: 3736152602-0
                                                                                            • Opcode ID: 18596f9f48ddead35fe93d676e27e4936a9156d5cc41379905cee3f6bf2a91b2
                                                                                            • Instruction ID: 271c251e371c1ff04d115f0f340ce22be78dcd9352378d7398617628173584df
                                                                                            • Opcode Fuzzy Hash: 18596f9f48ddead35fe93d676e27e4936a9156d5cc41379905cee3f6bf2a91b2
                                                                                            • Instruction Fuzzy Hash: 5F11C277A11216ABDF14EB68DD42ABA77A8EF85310F10027AF505D7281EB74EE019B90
                                                                                            Function 00A42C64 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                              • Part of subcall function 00A3E783: GetLastError.KERNEL32(00000000,?,00A40AB9), ref: 00A3E787
                                                                                              • Part of subcall function 00A3E783: SetLastError.KERNEL32(00000000,?,?,00000028,00A3B9D2), ref: 00A3E829
                                                                                            • EnumSystemLocalesW.KERNEL32(00A42CFF,00000001,00000000,?,-00000050,?,00A42AEF,00000000,-00000002,00000000,?,00000055,?), ref: 00A42CD6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$EnumLocalesSystem
                                                                                            • String ID:
                                                                                            • API String ID: 2417226690-0
                                                                                            • Opcode ID: f25d161afac60c83639745c3d5aa71c3e2b71e5471f4ff2b9cbcd728ff92008a
                                                                                            • Instruction ID: bf1af5f4375f6d0855702de74d6d954b9903f2527c3750a10e5161ab12b0eb16
                                                                                            • Opcode Fuzzy Hash: f25d161afac60c83639745c3d5aa71c3e2b71e5471f4ff2b9cbcd728ff92008a
                                                                                            • Instruction Fuzzy Hash: C211C23B2007059FDB18AF39C8A16BABB92FFC0358B55482CE94687A40D771B942D740
                                                                                            Function 00A4327E Relevance: 1.5, APIs: 1, Instructions: 48COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                              • Part of subcall function 00A3E783: GetLastError.KERNEL32(00000000,?,00A40AB9), ref: 00A3E787
                                                                                              • Part of subcall function 00A3E783: SetLastError.KERNEL32(00000000,?,?,00000028,00A3B9D2), ref: 00A3E829
                                                                                            • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00A42F1B,00000000,00000000,?), ref: 00A432AA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$InfoLocale
                                                                                            • String ID:
                                                                                            • API String ID: 3736152602-0
                                                                                            • Opcode ID: 53254847c7fec33f7c7e2b00b5b38e8b3268982e6f1101bbdc5a135f6d504c28
                                                                                            • Instruction ID: 147a8a61bed7b21c4052d1976e28dc0816d0c3446438cd9b5b1037e6fb4cb738
                                                                                            • Opcode Fuzzy Hash: 53254847c7fec33f7c7e2b00b5b38e8b3268982e6f1101bbdc5a135f6d504c28
                                                                                            • Instruction Fuzzy Hash: 6901D63B600112BBDF189B64C807BFA3768EF90754F154529AC56A3180EAB1FF41C694
                                                                                            Function 00A42F52 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                              • Part of subcall function 00A3E783: GetLastError.KERNEL32(00000000,?,00A40AB9), ref: 00A3E787
                                                                                              • Part of subcall function 00A3E783: SetLastError.KERNEL32(00000000,?,?,00000028,00A3B9D2), ref: 00A3E829
                                                                                            • EnumSystemLocalesW.KERNEL32(00A42FB1,00000001,?,?,-00000050,?,00A42AB7,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 00A42F9C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$EnumLocalesSystem
                                                                                            • String ID:
                                                                                            • API String ID: 2417226690-0
                                                                                            • Opcode ID: d6c6da0d6c547d612c56c1a1518c74330d83c91f7eded06669bddc8907f0de0f
                                                                                            • Instruction ID: 29db2e354b320f11d8844db03659f895f9539671551a2a71bb4b6a3428f8a945
                                                                                            • Opcode Fuzzy Hash: d6c6da0d6c547d612c56c1a1518c74330d83c91f7eded06669bddc8907f0de0f
                                                                                            • Instruction Fuzzy Hash: 3BF0F63A2003046FDB149F799881B7A7BA1FFC0768F95842CF9454B680D7B1AC42C750
                                                                                            Function 00A3F717 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                              • Part of subcall function 00A3B750: EnterCriticalSection.KERNEL32(-00023A67,?,00A38F5A,00000000,00A544D8,0000000C,00A38F13,?,?,00A3F83A,?,?,00A3E921,00000001,00000364,00A331E1), ref: 00A3B75F
                                                                                            • EnumSystemLocalesW.KERNEL32(00A3F70A,00000001,00A54928,0000000C,00A3F118,-00000050), ref: 00A3F74F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                            • String ID:
                                                                                            • API String ID: 1272433827-0
                                                                                            • Opcode ID: d4dbcf90fc7bc2be5f6b54e4d1ee0c2c7a64ac8cfc7b37ffcff2811937d1ac81
                                                                                            • Instruction ID: 4bd2f26e8fb3089c9867aa20d9988916da6dc77280514d31e5db31165057eca5
                                                                                            • Opcode Fuzzy Hash: d4dbcf90fc7bc2be5f6b54e4d1ee0c2c7a64ac8cfc7b37ffcff2811937d1ac81
                                                                                            • Instruction Fuzzy Hash: E5F03772A14304EFD700EFA8E942B9D77B0FB48726F10452AF400DB2A0CB7959058F80
                                                                                            Function 00A43086 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                              • Part of subcall function 00A3E783: GetLastError.KERNEL32(00000000,?,00A40AB9), ref: 00A3E787
                                                                                              • Part of subcall function 00A3E783: SetLastError.KERNEL32(00000000,?,?,00000028,00A3B9D2), ref: 00A3E829
                                                                                            • EnumSystemLocalesW.KERNEL32(00A430D1,00000001,?,?,?,00A42B11,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 00A430BD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$EnumLocalesSystem
                                                                                            • String ID:
                                                                                            • API String ID: 2417226690-0
                                                                                            • Opcode ID: 33d966d2ce9014ccfc67dff7e34432f325816afa03ac54ae2c36804ecdce3b95
                                                                                            • Instruction ID: c8b228f5f74a5f278b3501ddb6431d5c4065546adfd14cef337b2e5046eacd83
                                                                                            • Opcode Fuzzy Hash: 33d966d2ce9014ccfc67dff7e34432f325816afa03ac54ae2c36804ecdce3b95
                                                                                            • Instruction Fuzzy Hash: 8BF0E53B700209A7CF08EF39D85566ABF94FFC1750F064458EA098B291C672AA82C790
                                                                                            Function 00A3F21C Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,00A3A4BC,?,20001004,00000000,00000002,?,?,00A393CE), ref: 00A3F250
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: InfoLocale
                                                                                            • String ID:
                                                                                            • API String ID: 2299586839-0
                                                                                            • Opcode ID: 2d7f4f3d24b624342aaebb47750c9426e6067cf1bf2d08cb21984736f8f031b3
                                                                                            • Instruction ID: c4b12585713236267efbce1aa22d0b0f8f18c3378d0e868b051e820d743fe122
                                                                                            • Opcode Fuzzy Hash: 2d7f4f3d24b624342aaebb47750c9426e6067cf1bf2d08cb21984736f8f031b3
                                                                                            • Instruction Fuzzy Hash: D5E04F76D10218FFCF126FA0DC05AEE7F25FF847A1F004420FD1565161CB718D21AA95
                                                                                            Function 00A35014 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00A35135), ref: 00A35019
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionFilterUnhandled
                                                                                            • String ID:
                                                                                            • API String ID: 3192549508-0
                                                                                            • Opcode ID: ee94a31860f9415440436a7bbfadb52b65f87dda8c5d58f2b027e1ba40112912
                                                                                            • Instruction ID: 70214773c0d2bb0190c325fb5a96a66444b52d0c2a65ec7c642f0821c4c445ca
                                                                                            • Opcode Fuzzy Hash: ee94a31860f9415440436a7bbfadb52b65f87dda8c5d58f2b027e1ba40112912
                                                                                            • Instruction Fuzzy Hash:
                                                                                            Function 00A3FE2C Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: HeapProcess
                                                                                            • String ID:
                                                                                            • API String ID: 54951025-0
                                                                                            • Opcode ID: bfd0a0a7cf8554cb97c0e963f6191ccb9d6b2be836404a1cfee0a51b8fff5437
                                                                                            • Instruction ID: 4d738841fad71920dea7fd3f247497bb8063ac406a69468ead25f77eee9a534d
                                                                                            • Opcode Fuzzy Hash: bfd0a0a7cf8554cb97c0e963f6191ccb9d6b2be836404a1cfee0a51b8fff5437
                                                                                            • Instruction Fuzzy Hash: C5A01270901300CB4740CF7569046083B9875402C23044014A000C1020D72084415F00
                                                                                            Function 00A31000 Relevance: .1, Instructions: 57COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5f0e134041470e9fe284de6385fc1cd4d990d422bbc9f06d2e93a1de301e933c
                                                                                            • Instruction ID: 35acbf0795dc401913ea8fb6acdf251d79747ac678701367bb77e374d4024b89
                                                                                            • Opcode Fuzzy Hash: 5f0e134041470e9fe284de6385fc1cd4d990d422bbc9f06d2e93a1de301e933c
                                                                                            • Instruction Fuzzy Hash: C71149323185610797AC9F28ADE503B7B97D7C71A4B25927DE8268F6D2E533CC83C294
                                                                                            Function 00A4A222 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetCPInfo.KERNEL32(00EEFE18,00EEFE18,00000000,7FFFFFFF,?,00A4A20D,00EEFE18,00EEFE18,00000000,00EEFE18,?,?,?,?,00EEFE18,00000000), ref: 00A4A2C8
                                                                                            • __alloca_probe_16.LIBCMT ref: 00A4A383
                                                                                            • __alloca_probe_16.LIBCMT ref: 00A4A412
                                                                                            • __freea.LIBCMT ref: 00A4A45D
                                                                                            • __freea.LIBCMT ref: 00A4A463
                                                                                            • __freea.LIBCMT ref: 00A4A499
                                                                                            • __freea.LIBCMT ref: 00A4A49F
                                                                                            • __freea.LIBCMT ref: 00A4A4AF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: __freea$__alloca_probe_16$Info
                                                                                            • String ID:
                                                                                            • API String ID: 127012223-0
                                                                                            • Opcode ID: b9615825a7d10d6b71d16e3e8464953bca7d4f6c53ca8ca4bcdddb4002c30358
                                                                                            • Instruction ID: 50474bbc6f56ac8646396bf24752b5c67265841b5fa4f15ce352197a04af6547
                                                                                            • Opcode Fuzzy Hash: b9615825a7d10d6b71d16e3e8464953bca7d4f6c53ca8ca4bcdddb4002c30358
                                                                                            • Instruction Fuzzy Hash: 64710B7AE402059BDF219FA4CD45BEF7BBA9FE5310F244055F904AB281E7B5DC408762
                                                                                            Function 00A354C5 Relevance: 12.2, APIs: 8, Instructions: 177COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 00A3550C
                                                                                            • __alloca_probe_16.LIBCMT ref: 00A35538
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 00A35577
                                                                                            • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A35594
                                                                                            • LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00A355D3
                                                                                            • __alloca_probe_16.LIBCMT ref: 00A355F0
                                                                                            • LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00A35632
                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00A35655
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                                                                            • String ID:
                                                                                            • API String ID: 2040435927-0
                                                                                            • Opcode ID: 3841b413877272000eb3f6da4f873c1a18e37e2409d7b3362cc0d0e1526957f3
                                                                                            • Instruction ID: e8df6e1eb66534cdddaeb6c0e242295024abf26a5a4b0cf48a0f5a39e34e07ae
                                                                                            • Opcode Fuzzy Hash: 3841b413877272000eb3f6da4f873c1a18e37e2409d7b3362cc0d0e1526957f3
                                                                                            • Instruction Fuzzy Hash: BF519172E00606AFEF209FB8CC46FBA7BBAEF80790F594425F905A6150D731DD118B90
                                                                                            Function 00A361E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00A36217
                                                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 00A3621F
                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00A362A8
                                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00A362D3
                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00A36328
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                            • String ID: csm
                                                                                            • API String ID: 1170836740-1018135373
                                                                                            • Opcode ID: f380553b7c01ebdaf6049ad25608e816263731a03584027a791230cbd7b820b7
                                                                                            • Instruction ID: 747edec0d50c29a3d518d976d6a3b9bcc08ec68398f312da59d32a8e17c022c8
                                                                                            • Opcode Fuzzy Hash: f380553b7c01ebdaf6049ad25608e816263731a03584027a791230cbd7b820b7
                                                                                            • Instruction Fuzzy Hash: BA418F34E00218ABCF10DFA8C885ADEBBB5FF49324F15C555F9189B392D771AA06CB91
                                                                                            Function 00A3F469 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • FreeLibrary.KERNEL32(00000000,?,00A3F578,00A3186A,?,00000000,00A331E1,00A3186C,?,00A3F1F6,00000022,FlsSetValue,00A4DFE0,00A4DFE8,00A331E1), ref: 00A3F52A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: FreeLibrary
                                                                                            • String ID: api-ms-$ext-ms-
                                                                                            • API String ID: 3664257935-537541572
                                                                                            • Opcode ID: e76c3dd61ae6f929b1cf38d4197032f9c587e462863fff09c47465610e8776af
                                                                                            • Instruction ID: 050bd25531daedaa5f609857a28c1faf6d2fd30404c506762cae1b1391f3f110
                                                                                            • Opcode Fuzzy Hash: e76c3dd61ae6f929b1cf38d4197032f9c587e462863fff09c47465610e8776af
                                                                                            • Instruction Fuzzy Hash: 4521A576E12311AFCF21DFA5EC45A5B7768AB817A5F244131FD16A7290E730EE01C6D0
                                                                                            Function 00A3D2C0 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(?,?,00A3D2B7,00A35FB7,00A35179), ref: 00A3D2CE
                                                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A3D2DC
                                                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A3D2F5
                                                                                            • SetLastError.KERNEL32(00000000,00A3D2B7,00A35FB7,00A35179), ref: 00A3D347
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLastValue___vcrt_
                                                                                            • String ID:
                                                                                            • API String ID: 3852720340-0
                                                                                            • Opcode ID: c23b975c9b26182ebcc09e162848bbe767eb26e2a16b39b1350dd843cba4754d
                                                                                            • Instruction ID: ba9c96b39cdf5139265ba1cdb6b49ce4fc66dfc8d984bc356880c025bfd57858
                                                                                            • Opcode Fuzzy Hash: c23b975c9b26182ebcc09e162848bbe767eb26e2a16b39b1350dd843cba4754d
                                                                                            • Instruction Fuzzy Hash: A6017B32A0E711DFE7256BF47DC686B2A94FF417B6F200329F130590E0EF119C029281
                                                                                            Function 00A3DB88 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • type_info::operator==.LIBVCRUNTIME ref: 00A3DCA7
                                                                                            • CallUnexpected.LIBVCRUNTIME ref: 00A3DF20
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: CallUnexpectedtype_info::operator==
                                                                                            • String ID: csm$csm$csm
                                                                                            • API String ID: 2673424686-393685449
                                                                                            • Opcode ID: d01afdf39097f4691087decbb4c53d2d201c698b933d77187b4a55a4e758207f
                                                                                            • Instruction ID: 5782ef8f235052db752ec50d92a82c88668f0becee8a64b488b130c83520eb98
                                                                                            • Opcode Fuzzy Hash: d01afdf39097f4691087decbb4c53d2d201c698b933d77187b4a55a4e758207f
                                                                                            • Instruction Fuzzy Hash: 2DB16871800209EFCF29DFA4E9819AEBBB5FF14310F24455AF8116B216D771EA61CF91
                                                                                            Function 00A38042 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            • C:\Users\user\Desktop\drop1.exe, xrefs: 00A3805E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: C:\Users\user\Desktop\drop1.exe
                                                                                            • API String ID: 0-3875088153
                                                                                            • Opcode ID: 3d2be88024b31be7807458e25accf6a65352ea610bd93b554db748ec6d521f6d
                                                                                            • Instruction ID: 9f0f0121498f3c35e47f46e0ac93128ee22bb4cb69b4f969e07e3581bb054050
                                                                                            • Opcode Fuzzy Hash: 3d2be88024b31be7807458e25accf6a65352ea610bd93b554db748ec6d521f6d
                                                                                            • Instruction Fuzzy Hash: 5721FDB1200315AFDF24EF60CD8092BB7A8BF513A4F108629F86997651EF38EC0087A1
                                                                                            Function 00A38C55 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,1742AD29,?,?,00000000,00A4B774,000000FF,?,00A38D16,00A38BFD,?,00A38DB2,00000000), ref: 00A38C8A
                                                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A38C9C
                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000,00A4B774,000000FF,?,00A38D16,00A38BFD,?,00A38DB2,00000000), ref: 00A38CBE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                            • API String ID: 4061214504-1276376045
                                                                                            • Opcode ID: 855b09d8358cb439d04e7fb7802d89e105a13c09abea7a94604d1c5e51502603
                                                                                            • Instruction ID: 087b17769f9ca60c3e0f3c564b7a13311e906400cf3888d104365ad6ffdf8d7b
                                                                                            • Opcode Fuzzy Hash: 855b09d8358cb439d04e7fb7802d89e105a13c09abea7a94604d1c5e51502603
                                                                                            • Instruction Fuzzy Hash: F6016772955755FFDB12CB94DC19FAEBBB8FB44B52F000525F811A22D0DBB89901CA90
                                                                                            Function 00A3FC3D Relevance: 7.7, APIs: 5, Instructions: 197COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • __alloca_probe_16.LIBCMT ref: 00A3FCC2
                                                                                            • __alloca_probe_16.LIBCMT ref: 00A3FD8B
                                                                                            • __freea.LIBCMT ref: 00A3FDF2
                                                                                              • Part of subcall function 00A3E531: RtlAllocateHeap.NTDLL(00000000,00A331E1,00A3186A,?,00A360C1,00A3186C,00A3186A,?,?,?,00A33181,00A331E1,00A3186E,00A3186A,00A3186A,00A3186A), ref: 00A3E563
                                                                                            • __freea.LIBCMT ref: 00A3FE05
                                                                                            • __freea.LIBCMT ref: 00A3FE12
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: __freea$__alloca_probe_16$AllocateHeap
                                                                                            • String ID:
                                                                                            • API String ID: 1423051803-0
                                                                                            • Opcode ID: 5d95abd984e993738e1b62ff6cfdb7c11a0cea18d40d85c39c2e4fedf5c98e5b
                                                                                            • Instruction ID: f14fef02ba5ff69e1dfadad44568b95d1d35a7f50b30d5c155908c5c0368f42f
                                                                                            • Opcode Fuzzy Hash: 5d95abd984e993738e1b62ff6cfdb7c11a0cea18d40d85c39c2e4fedf5c98e5b
                                                                                            • Instruction Fuzzy Hash: 3951B472E10206AFDF209F65CD85EBF7AAAEF44750F290439FD04D6151EB34DC5086A0
                                                                                            Function 00A33010 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • __EH_prolog3.LIBCMT ref: 00A33017
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 00A33022
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00A33090
                                                                                              • Part of subcall function 00A32EE4: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00A32EFC
                                                                                            • std::locale::_Setgloballocale.LIBCPMT ref: 00A3303D
                                                                                            • _Yarn.LIBCPMT ref: 00A33053
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                                                            • String ID:
                                                                                            • API String ID: 1088826258-0
                                                                                            • Opcode ID: 9577452f098d13db0bc822874a688b018fb8fb56e955ee1cbb5d6b52535d84a9
                                                                                            • Instruction ID: 3ae95f9ab77f0c6665cecf023646f263927f822b96c6cb187c6b23fb5085a10e
                                                                                            • Opcode Fuzzy Hash: 9577452f098d13db0bc822874a688b018fb8fb56e955ee1cbb5d6b52535d84a9
                                                                                            • Instruction Fuzzy Hash: B50178B6A002209BCB0AEFA0D956A7DBB61FF85381F184009F81257391DF34AE02CB91
                                                                                            Function 00A47E92 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00A47F2E,00000000,?,00A56E10,?,?,?,00A47E65,00000004,InitializeCriticalSectionEx,00A4E57C,00A4E584), ref: 00A47E9F
                                                                                            • GetLastError.KERNEL32(?,00A47F2E,00000000,?,00A56E10,?,?,?,00A47E65,00000004,InitializeCriticalSectionEx,00A4E57C,00A4E584,00000000,?,00A3E1DC), ref: 00A47EA9
                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00A47ED1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: LibraryLoad$ErrorLast
                                                                                            • String ID: api-ms-
                                                                                            • API String ID: 3177248105-2084034818
                                                                                            • Opcode ID: e96bc1bce8638432cdd2797c68dbb22c5dd479faae9cc46537eb68555b29b496
                                                                                            • Instruction ID: fe5dad84ad8cd54406e3d1658182db8600ee311f48e48d57d411f7fbd8d77d0c
                                                                                            • Opcode Fuzzy Hash: e96bc1bce8638432cdd2797c68dbb22c5dd479faae9cc46537eb68555b29b496
                                                                                            • Instruction Fuzzy Hash: D7E01275284309B7DE119BA0DC06B593A59EB90BD6F104060FB0DB84E1D762995196C4
                                                                                            Function 00A4562D Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetConsoleOutputCP.KERNEL32(1742AD29,00000000,00000000,?), ref: 00A45690
                                                                                              • Part of subcall function 00A3E641: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00A3FDE8,?,00000000,-00000008), ref: 00A3E6A2
                                                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00A458E2
                                                                                            • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00A45928
                                                                                            • GetLastError.KERNEL32 ref: 00A459CB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                            • String ID:
                                                                                            • API String ID: 2112829910-0
                                                                                            • Opcode ID: 43e95401694e4de3f7809574677fa24bf4a7bd51b20fa0c503c5d1f7e23db669
                                                                                            • Instruction ID: 668c5f2b003fea2bea63c7e7292863202dc7c6fe376402ea3964ef784683cc74
                                                                                            • Opcode Fuzzy Hash: 43e95401694e4de3f7809574677fa24bf4a7bd51b20fa0c503c5d1f7e23db669
                                                                                            • Instruction Fuzzy Hash: 36D16AB9D04648DFCF15CFE8D8809ADBBB5FF89310F28452AE456EB352D630A946CB50
                                                                                            Function 00A3D8AF Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: AdjustPointer
                                                                                            • String ID:
                                                                                            • API String ID: 1740715915-0
                                                                                            • Opcode ID: 6eab244798cdce674f102622b0c0a37b094e50b0b2aa68b6d779e11c0e2c8984
                                                                                            • Instruction ID: f3ed3a4ae8302b330167f6a3677782f37415e5985adbc03826673ff09b5d21a9
                                                                                            • Opcode Fuzzy Hash: 6eab244798cdce674f102622b0c0a37b094e50b0b2aa68b6d779e11c0e2c8984
                                                                                            • Instruction Fuzzy Hash: 6A51EE72A04706EFDB299F24E942B6AB7B4FF05310F14452DF8429BA91E731ED80CB90
                                                                                            Function 00A43537 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                              • Part of subcall function 00A3E641: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00A3FDE8,?,00000000,-00000008), ref: 00A3E6A2
                                                                                            • GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00A35757,00000000,00000000), ref: 00A4359B
                                                                                            • __dosmaperr.LIBCMT ref: 00A435A2
                                                                                            • GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00A435DC
                                                                                            • __dosmaperr.LIBCMT ref: 00A435E3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                            • String ID:
                                                                                            • API String ID: 1913693674-0
                                                                                            • Opcode ID: 851e799c3a6fa918862167c3db1a91b6cf52a7af5215d4dd379ad5e9ff07a94c
                                                                                            • Instruction ID: ce71d513ae536b8d2293d9e067360995f3eaad3a57ed83538a70be174309bdd9
                                                                                            • Opcode Fuzzy Hash: 851e799c3a6fa918862167c3db1a91b6cf52a7af5215d4dd379ad5e9ff07a94c
                                                                                            • Instruction Fuzzy Hash: C021D776600615AFDF20AF66998192EB7A8FF80364B108519F86997551EB30EF108B92
                                                                                            Function 00A4484F Relevance: 6.1, APIs: 4, Instructions: 74COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetEnvironmentStringsW.KERNEL32(00000000,?,?,?,00A3B1C6,00000000,00A3B284,00A3B153,00A358B3,00A54458,00000014), ref: 00A44857
                                                                                              • Part of subcall function 00A3E641: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00A3FDE8,?,00000000,-00000008), ref: 00A3E6A2
                                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A4488F
                                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000,00000000), ref: 00A448AF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                            • String ID:
                                                                                            • API String ID: 158306478-0
                                                                                            • Opcode ID: 727166b4172187f00dcc1be73fa72bdc175cdc8abc2147fcd6ba86e9ef3151de
                                                                                            • Instruction ID: 31568b7909ee7c73ebe68b5942f0620683d0ded97824de4f91e8c8f55afc31c2
                                                                                            • Opcode Fuzzy Hash: 727166b4172187f00dcc1be73fa72bdc175cdc8abc2147fcd6ba86e9ef3151de
                                                                                            • Instruction Fuzzy Hash: 0C1126FA502665BF6B11A7B69D8EDBF29ACDECD3D57200424F401D1141FB64CE029270
                                                                                            Function 00A3457B Relevance: 6.0, APIs: 4, Instructions: 49COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • __EH_prolog3.LIBCMT ref: 00A34582
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 00A3458C
                                                                                              • Part of subcall function 00A324C2: std::_Lockit::_Lockit.LIBCPMT ref: 00A324DE
                                                                                              • Part of subcall function 00A324C2: std::_Lockit::~_Lockit.LIBCPMT ref: 00A324F7
                                                                                            • codecvt.LIBCPMT ref: 00A345C6
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00A345FD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
                                                                                            • String ID:
                                                                                            • API String ID: 3716348337-0
                                                                                            • Opcode ID: 10b6c5145aa3e47a18b8103eb747e02b5ef45c0e8831454801a8bed65f380975
                                                                                            • Instruction ID: bc7708e3172b81dc4b52407113c6546b0c92dcfa8d272f1bd03111d8ed1822c4
                                                                                            • Opcode Fuzzy Hash: 10b6c5145aa3e47a18b8103eb747e02b5ef45c0e8831454801a8bed65f380975
                                                                                            • Instruction Fuzzy Hash: E101F176D00215CBCF04EFA4DA267ADB7B1FF98710F240509F412AB291CF74AE028B91
                                                                                            Function 00A4A4E0 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00A49B0F,00000000,00000001,00000000,?,?,00A45A1F,?,00000000,00000000), ref: 00A4A4F7
                                                                                            • GetLastError.KERNEL32(?,00A49B0F,00000000,00000001,00000000,?,?,00A45A1F,?,00000000,00000000,?,?,?,00A45365,00000000), ref: 00A4A503
                                                                                              • Part of subcall function 00A4A554: CloseHandle.KERNEL32(FFFFFFFE,00A4A513,?,00A49B0F,00000000,00000001,00000000,?,?,00A45A1F,?,00000000,00000000,?,?), ref: 00A4A564
                                                                                            • ___initconout.LIBCMT ref: 00A4A513
                                                                                              • Part of subcall function 00A4A535: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00A4A4D1,00A49AFC,?,?,00A45A1F,?,00000000,00000000,?), ref: 00A4A548
                                                                                            • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00A49B0F,00000000,00000001,00000000,?,?,00A45A1F,?,00000000,00000000,?), ref: 00A4A528
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                            • String ID:
                                                                                            • API String ID: 2744216297-0
                                                                                            • Opcode ID: 358ada223e29ca03530a5fe006f41a01bb6d6fca0ad03ee53f4279b800108208
                                                                                            • Instruction ID: fdd6ab4565c7d222531d5a6bf31cc5826248c27f3bd3c093128361bdcca15ebc
                                                                                            • Opcode Fuzzy Hash: 358ada223e29ca03530a5fe006f41a01bb6d6fca0ad03ee53f4279b800108208
                                                                                            • Instruction Fuzzy Hash: 50F01C3A450215BFCF229FD5ED08A9E3F26FBE83A2F004110FA0986120D63289219B92
                                                                                            Function 00A42117 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                              • Part of subcall function 00A3E783: GetLastError.KERNEL32(00000000,?,00A40AB9), ref: 00A3E787
                                                                                              • Part of subcall function 00A3E783: SetLastError.KERNEL32(00000000,?,?,00000028,00A3B9D2), ref: 00A3E829
                                                                                            • GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00A39266,?,?,?,00000055,?,-00000050,?,?,?), ref: 00A421D6
                                                                                            • IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00A39266,?,?,?,00000055,?,-00000050,?,?), ref: 00A4220D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$CodePageValid
                                                                                            • String ID: utf8
                                                                                            • API String ID: 943130320-905460609
                                                                                            • Opcode ID: 811f78d9f3143a8b4b0e666f2629e55f723c4d958c743694f823f6cbce4a90c2
                                                                                            • Instruction ID: 0f3b77c9ca12bcb0046bcf8ffcd441dc6f65a5367e566fb27f91a05bb2b3c29f
                                                                                            • Opcode Fuzzy Hash: 811f78d9f3143a8b4b0e666f2629e55f723c4d958c743694f823f6cbce4a90c2
                                                                                            • Instruction Fuzzy Hash: A051E57D640301AADB25AB748D82BEB73B8FFC4741F940529FA05DB181FBB4E94087A1
                                                                                            Function 00A3DFAC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 126COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00A3DEAD,?,?,00000000,00000000,00000000,?), ref: 00A3DFD1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: EncodePointer
                                                                                            • String ID: MOC$RCC
                                                                                            • API String ID: 2118026453-2084237596
                                                                                            • Opcode ID: 6abd64fe5c3382cb1ccf269f95531dd7dd9b7bb1a8b47f52ef8bab2319a4b344
                                                                                            • Instruction ID: 52cc11e40a7dff0e743a3d44c255f9e545039e9215363b1cad3403fb7c6d7879
                                                                                            • Opcode Fuzzy Hash: 6abd64fe5c3382cb1ccf269f95531dd7dd9b7bb1a8b47f52ef8bab2319a4b344
                                                                                            • Instruction Fuzzy Hash: 31414A71900209EFCF2ADF98DD81AEEBBB5FF49304F188059FA05AB2A1D3759950DB50
                                                                                            Function 00A3D818 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 00A3DA8F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ___except_validate_context_record
                                                                                            • String ID: csm$csm
                                                                                            • API String ID: 3493665558-3733052814
                                                                                            • Opcode ID: 99c1688028975ed4f87052a9b2389684a9501f03e76cffa95a77a838868fb823
                                                                                            • Instruction ID: 02680477053e899a494fa56df74c4c6eb3fa5f210dbc28999359f7cc2e377ad1
                                                                                            • Opcode Fuzzy Hash: 99c1688028975ed4f87052a9b2389684a9501f03e76cffa95a77a838868fb823
                                                                                            • Instruction Fuzzy Hash: 6931F636904358EFCF229F90ED409AABB65FF08365F19415AFC545A221C332DDA1DB91
                                                                                            Function 00A329D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • AcquireSRWLockExclusive.KERNEL32(00A5648C,ios_base::badbit set,?,?,00A31C84,00A56478,00A31B17), ref: 00A329DF
                                                                                            • ReleaseSRWLockExclusive.KERNEL32(00A5648C,?,?,00A31C84,00A56478,00A31B17), ref: 00A32A19
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1773934611.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1773917542.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773961576.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773977138.0000000000A55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1773993600.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774027182.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774042590.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1774055772.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExclusiveLock$AcquireRelease
                                                                                            • String ID: ios_base::badbit set
                                                                                            • API String ID: 17069307-3882152299
                                                                                            • Opcode ID: 51961f5fdbd1ec50831a334b2c4e84fd925cc9ee222bc2f76d71c7f972d97007
                                                                                            • Instruction ID: 611b61a4ae31cf8ca58e947b8b55bc7471e28e6518669a42753853562edb73ce
                                                                                            • Opcode Fuzzy Hash: 51961f5fdbd1ec50831a334b2c4e84fd925cc9ee222bc2f76d71c7f972d97007
                                                                                            • Instruction Fuzzy Hash: 76F08C31900200DFCB20EF98E904B25BBB8FB857B6F14036EF9AA432A0C7312842CB51

                                                                                            Execution Graph

                                                                                            Execution Coverage:9.8%
                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                            Signature Coverage:1.5%
                                                                                            Total number of Nodes:1750
                                                                                            Total number of Limit Nodes:86
                                                                                            execution_graph 59486 49c50a 59487 49c517 59486->59487 59491 49c52f 59486->59491 59543 4950d4 14 API calls __dosmaperr 59487->59543 59489 49c51c 59544 497d29 41 API calls __wsopen_s 59489->59544 59492 49c527 59491->59492 59493 49c58e 59491->59493 59545 49e8bd 14 API calls 2 library calls 59491->59545 59506 498cea 59493->59506 59496 49c5a7 59513 49edf5 59496->59513 59499 498cea __fread_nolock 41 API calls 59500 49c5e0 59499->59500 59500->59492 59501 498cea __fread_nolock 41 API calls 59500->59501 59502 49c5ee 59501->59502 59502->59492 59503 498cea __fread_nolock 41 API calls 59502->59503 59504 49c5fc 59503->59504 59505 498cea __fread_nolock 41 API calls 59504->59505 59505->59492 59507 498d0b 59506->59507 59508 498cf6 59506->59508 59507->59496 59546 4950d4 14 API calls __dosmaperr 59508->59546 59510 498cfb 59547 497d29 41 API calls __wsopen_s 59510->59547 59512 498d06 59512->59496 59514 49ee01 __FrameHandler3::FrameUnwindToState 59513->59514 59515 49ee09 59514->59515 59518 49ee24 59514->59518 59614 4950c1 14 API calls __dosmaperr 59515->59614 59517 49ee0e 59615 4950d4 14 API calls __dosmaperr 59517->59615 59520 49ee3b 59518->59520 59521 49ee76 59518->59521 59616 4950c1 14 API calls __dosmaperr 59520->59616 59523 49ee7f 59521->59523 59524 49ee94 59521->59524 59619 4950c1 14 API calls __dosmaperr 59523->59619 59548 4a2e7b EnterCriticalSection 59524->59548 59525 49ee40 59617 4950d4 14 API calls __dosmaperr 59525->59617 59529 49ee84 59620 4950d4 14 API calls __dosmaperr 59529->59620 59530 49ee9a 59533 49eeb9 59530->59533 59534 49eece 59530->59534 59531 49ee48 59618 497d29 41 API calls __wsopen_s 59531->59618 59621 4950d4 14 API calls __dosmaperr 59533->59621 59549 49ef0e 59534->59549 59538 49eec9 59623 49ef06 LeaveCriticalSection __wsopen_s 59538->59623 59539 49eebe 59622 4950c1 14 API calls __dosmaperr 59539->59622 59542 49c5af 59542->59492 59542->59499 59543->59489 59544->59492 59545->59493 59546->59510 59547->59512 59548->59530 59550 49ef38 59549->59550 59551 49ef20 59549->59551 59553 49f27a 59550->59553 59558 49ef7b 59550->59558 59633 4950c1 14 API calls __dosmaperr 59551->59633 59655 4950c1 14 API calls __dosmaperr 59553->59655 59554 49ef25 59634 4950d4 14 API calls __dosmaperr 59554->59634 59557 49f27f 59656 4950d4 14 API calls __dosmaperr 59557->59656 59560 49ef86 59558->59560 59561 49ef2d 59558->59561 59565 49efb6 59558->59565 59635 4950c1 14 API calls __dosmaperr 59560->59635 59561->59538 59562 49ef93 59657 497d29 41 API calls __wsopen_s 59562->59657 59564 49ef8b 59636 4950d4 14 API calls __dosmaperr 59564->59636 59568 49efcf 59565->59568 59569 49f00a 59565->59569 59570 49efdc 59565->59570 59568->59570 59574 49eff8 59568->59574 59640 49d15a 15 API calls 3 library calls 59569->59640 59637 4950c1 14 API calls __dosmaperr 59570->59637 59573 49efe1 59638 4950d4 14 API calls __dosmaperr 59573->59638 59624 4a652f 59574->59624 59575 49f01b 59641 49c0bd 59575->59641 59579 49efe8 59639 497d29 41 API calls __wsopen_s 59579->59639 59580 49f156 59583 49f1ca 59580->59583 59586 49f16f GetConsoleMode 59580->59586 59585 49f1ce ReadFile 59583->59585 59584 49c0bd ___free_lconv_mon 14 API calls 59587 49f02b 59584->59587 59588 49f242 GetLastError 59585->59588 59589 49f1e6 59585->59589 59586->59583 59590 49f180 59586->59590 59591 49f050 59587->59591 59592 49f035 59587->59592 59593 49f24f 59588->59593 59594 49f1a6 59588->59594 59589->59588 59595 49f1bf 59589->59595 59590->59585 59596 49f186 ReadConsoleW 59590->59596 59649 49f49f 43 API calls 2 library calls 59591->59649 59647 4950d4 14 API calls __dosmaperr 59592->59647 59653 4950d4 14 API calls __dosmaperr 59593->59653 59611 49eff3 __fread_nolock 59594->59611 59650 49507a 14 API calls __dosmaperr 59594->59650 59607 49f20b 59595->59607 59608 49f222 59595->59608 59595->59611 59596->59595 59597 49f1a0 GetLastError 59596->59597 59597->59594 59598 49c0bd ___free_lconv_mon 14 API calls 59598->59561 59603 49f03a 59648 4950c1 14 API calls __dosmaperr 59603->59648 59604 49f254 59654 4950c1 14 API calls __dosmaperr 59604->59654 59651 49ec20 46 API calls 3 library calls 59607->59651 59610 49f23b 59608->59610 59608->59611 59652 49ea66 44 API calls __fread_nolock 59610->59652 59611->59598 59613 49f240 59613->59611 59614->59517 59615->59542 59616->59525 59617->59531 59618->59542 59619->59529 59620->59531 59621->59539 59622->59538 59623->59542 59625 4a6549 59624->59625 59626 4a653c 59624->59626 59629 4a6555 59625->59629 59659 4950d4 14 API calls __dosmaperr 59625->59659 59658 4950d4 14 API calls __dosmaperr 59626->59658 59628 4a6541 59628->59580 59629->59580 59631 4a6576 59660 497d29 41 API calls __wsopen_s 59631->59660 59633->59554 59634->59561 59635->59564 59636->59562 59637->59573 59638->59579 59639->59611 59640->59575 59642 49c0c8 RtlFreeHeap 59641->59642 59646 49c0f2 59641->59646 59643 49c0dd GetLastError 59642->59643 59642->59646 59644 49c0ea __dosmaperr 59643->59644 59661 4950d4 14 API calls __dosmaperr 59644->59661 59646->59584 59647->59603 59648->59611 59649->59574 59650->59611 59651->59611 59652->59613 59653->59604 59654->59611 59655->59557 59656->59562 59657->59561 59658->59628 59659->59631 59660->59628 59661->59646 59662 486f20 GetCurrentHwProfileW 59663 487050 59662->59663 59664 486f94 59662->59664 59690 4517f0 59663->59690 59674 47a340 59664->59674 59667 486ffb 59685 44d060 59667->59685 59668 486fa2 59668->59667 59684 49054d 45 API calls 59668->59684 59671 48709c 59673 48704e 59705 4abbf5 59673->59705 59675 47a3b5 59674->59675 59676 47a394 59674->59676 59712 43fda0 59675->59712 59677 4abbf5 _ValidateLocalCookies 5 API calls 59676->59677 59678 47a426 59677->59678 59678->59668 59680 47a3e9 59717 47a430 43 API calls _ValidateLocalCookies 59680->59717 59682 47a3fa 59718 44cfd0 59682->59718 59684->59668 59686 44d08d 59685->59686 59687 44d0a8 std::ios_base::_Ios_base_dtor 59685->59687 59686->59687 59728 497d39 41 API calls 2 library calls 59686->59728 59687->59673 59691 4518bd 59690->59691 59692 451810 59690->59692 59693 4350b0 41 API calls 59691->59693 59694 451844 59692->59694 59697 451815 __Strxfrm 59692->59697 59700 451883 59692->59700 59701 45188c 59692->59701 59695 4518c2 59693->59695 59729 4abc08 59694->59729 59743 434f80 41 API calls 2 library calls 59695->59743 59697->59673 59699 451857 59699->59697 59744 497d39 41 API calls 2 library calls 59699->59744 59700->59694 59700->59695 59702 4abc08 std::_Facet_Register 41 API calls 59701->59702 59702->59697 59706 4abbfe IsProcessorFeaturePresent 59705->59706 59707 4abbfd 59705->59707 59709 4ac011 59706->59709 59707->59671 59769 4abfd4 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 59709->59769 59711 4ac0f4 59711->59671 59713 43fe3f 59712->59713 59716 43fdbf __Strxfrm 59712->59716 59723 4350b0 59713->59723 59716->59680 59717->59682 59719 44cffd 59718->59719 59721 44d01e std::ios_base::_Ios_base_dtor 59718->59721 59719->59721 59727 497d39 41 API calls 2 library calls 59719->59727 59721->59676 59726 4b9061 41 API calls 2 library calls 59723->59726 59731 4abc0d 59729->59731 59732 4abc27 59731->59732 59734 4abc29 59731->59734 59745 497e9c 59731->59745 59761 4a6cfd EnterCriticalSection LeaveCriticalSection std::_Facet_Register 59731->59761 59732->59699 59735 434f80 Concurrency::cancel_current_task 59734->59735 59737 4abc33 Concurrency::cancel_current_task 59734->59737 59752 4afa0c RaiseException 59735->59752 59762 4afa0c RaiseException 59737->59762 59738 434f9c 59753 4ad3de 59738->59753 59741 4acede 59743->59699 59750 49d15a _strftime 59745->59750 59746 49d198 59764 4950d4 14 API calls __dosmaperr 59746->59764 59747 49d183 RtlAllocateHeap 59749 49d196 59747->59749 59747->59750 59749->59731 59750->59746 59750->59747 59763 4a6cfd EnterCriticalSection LeaveCriticalSection std::_Facet_Register 59750->59763 59752->59738 59754 4ad3eb 59753->59754 59760 434ff6 59753->59760 59755 497e9c ___std_exception_copy 15 API calls 59754->59755 59754->59760 59756 4ad408 59755->59756 59759 4ad418 59756->59759 59765 49826d 41 API calls 2 library calls 59756->59765 59766 497357 59759->59766 59760->59699 59761->59731 59762->59741 59763->59750 59764->59749 59765->59759 59767 49c0bd ___free_lconv_mon 14 API calls 59766->59767 59768 49736f 59767->59768 59768->59760 59769->59711 59770 459bad 59866 460ac0 59770->59866 59772 45a514 59994 4540f0 59772->59994 59774 44d060 41 API calls 59776 45a508 59774->59776 59775 45a523 59777 4abbf5 _ValidateLocalCookies 5 API calls 59775->59777 59778 44d060 41 API calls 59776->59778 59779 45a53d 59777->59779 59778->59772 59780 455090 43 API calls 59803 459bca 59780->59803 59781 459d7e 59882 455090 59781->59882 59782 459a9e 59785 455090 43 API calls 59782->59785 59783 45a060 59787 4517f0 41 API calls 59783->59787 59784 459fb4 59788 4517f0 41 API calls 59784->59788 59789 4599f3 59785->59789 59791 45a084 59787->59791 59792 459fd8 59788->59792 59804 4517f0 41 API calls 59789->59804 59796 4543f0 46 API calls 59791->59796 59909 4543f0 59792->59909 59793 459d92 59896 4632d0 59793->59896 59794 45a1b8 59795 4517f0 41 API calls 59794->59795 59800 45a1dc 59795->59800 59801 45a09c 59796->59801 59799 459da8 59805 455090 43 API calls 59799->59805 59806 4543f0 46 API calls 59800->59806 59807 459790 41 API calls 59801->59807 59803->59780 59803->59781 59803->59782 59803->59783 59803->59784 59808 45c700 41 API calls 59803->59808 59853 45a057 59803->59853 59810 45a47a 59804->59810 59812 459db8 59805->59812 59813 45a1f4 59806->59813 59814 45a0c1 59807->59814 59808->59803 59811 4543f0 46 API calls 59810->59811 59816 45a492 59811->59816 59817 459dc4 59812->59817 59818 45a10c 59812->59818 59819 459790 41 API calls 59813->59819 59820 454730 46 API calls 59814->59820 59822 459790 41 API calls 59816->59822 59824 455090 43 API calls 59817->59824 59823 4517f0 41 API calls 59818->59823 59825 45a219 59819->59825 59826 45a0d6 59820->59826 59828 45a4b7 59822->59828 59829 45a130 59823->59829 59824->59789 59830 454730 46 API calls 59825->59830 59831 45a590 41 API calls 59826->59831 59833 454730 46 API calls 59828->59833 59834 4543f0 46 API calls 59829->59834 59835 45a22e 59830->59835 59836 45a0e5 59831->59836 59838 45a4cc 59833->59838 59839 45a148 59834->59839 59840 45a590 41 API calls 59835->59840 59841 44d060 41 API calls 59836->59841 59844 45a590 41 API calls 59838->59844 59845 459790 41 API calls 59839->59845 59846 45a23d 59840->59846 59847 45a0f4 59841->59847 59842 44d060 41 API calls 59843 45a048 59842->59843 59989 438d50 59843->59989 59850 45a4db 59844->59850 59851 45a16d 59845->59851 59852 44d060 41 API calls 59846->59852 59848 438d50 14 API calls 59847->59848 59848->59853 59854 44d060 41 API calls 59850->59854 59855 454730 46 API calls 59851->59855 59856 45a24c 59852->59856 59853->59772 59853->59774 59857 45a4ea 59854->59857 59858 45a182 59855->59858 59859 438d50 14 API calls 59856->59859 59860 438d50 14 API calls 59857->59860 59861 45a590 41 API calls 59858->59861 59859->59853 59860->59853 59862 45a191 59861->59862 59863 44d060 41 API calls 59862->59863 59864 45a1a0 59863->59864 59865 438d50 14 API calls 59864->59865 59865->59853 59867 460b97 59866->59867 59868 460b0c 59866->59868 59870 460c12 59867->59870 59871 460b9f 59867->59871 59999 44d3b0 59868->59999 59872 44d3b0 41 API calls 59870->59872 59874 460bf0 59871->59874 59875 460bb0 59871->59875 59877 460c42 59872->59877 60032 468060 41 API calls 2 library calls 59874->60032 59879 44d3b0 41 API calls 59875->59879 59881 44d3b0 41 API calls 59877->59881 59878 44d3b0 41 API calls 59880 460b8d 59878->59880 59879->59880 59880->59803 59881->59880 59883 4550aa 59882->59883 59887 4550cb 59882->59887 60050 456790 59883->60050 59884 456790 43 API calls 59884->59887 59887->59884 59890 4550d2 59887->59890 59894 455124 59887->59894 59888 456790 43 API calls 59889 4550bd 59888->59889 59889->59890 59891 456790 43 API calls 59889->59891 59892 4abbf5 _ValidateLocalCookies 5 API calls 59890->59892 59891->59887 59893 4553ab 59892->59893 59893->59793 59893->59794 59894->59890 59895 456790 43 API calls 59894->59895 59895->59894 59897 46330e 59896->59897 59898 46336e 59897->59898 59899 46341a 59897->59899 59906 463342 59897->59906 59901 4abc08 std::_Facet_Register 41 API calls 59898->59901 60199 4351b0 41 API calls 59899->60199 59903 46338f 59901->59903 60160 44bad0 59903->60160 59905 4633ae 60176 44ca70 59905->60176 59906->59799 59908 4633c5 59908->59799 59910 4517f0 41 API calls 59909->59910 59911 454470 59910->59911 59912 4544b3 59911->59912 60209 457160 41 API calls 59911->60209 59914 4544c0 59912->59914 60215 4520f0 59912->60215 59919 4544ff 59914->59919 59923 454559 59914->59923 59915 454499 60210 44b9d0 59915->60210 59918 4544a7 59920 44d060 41 API calls 59918->59920 59921 454730 46 API calls 59919->59921 59920->59912 59922 45450f 59921->59922 60230 45a6d0 41 API calls 59922->60230 59923->59923 59927 4545bc 59923->59927 60231 4516d0 59923->60231 59925 454532 59926 44b9d0 41 API calls 59925->59926 59928 454541 59926->59928 59930 4520f0 41 API calls 59927->59930 59932 4545d2 __Strxfrm 59927->59932 59931 44d060 41 API calls 59928->59931 59930->59932 59933 45454d 59931->59933 60246 44b960 59932->60246 59936 44d060 41 API calls 59933->59936 59935 45460a 59937 44b9d0 41 API calls 59935->59937 59939 45462f 59936->59939 59937->59933 59938 45470c 59949 459790 59938->59949 59939->59938 59940 45469e 59939->59940 59941 4516d0 41 API calls 59939->59941 59942 4520f0 41 API calls 59940->59942 59943 4546b4 __Strxfrm 59940->59943 59941->59940 59942->59943 59944 44b960 41 API calls 59943->59944 59945 4546ef 59944->59945 59946 44b9d0 41 API calls 59945->59946 59947 4546fa 59946->59947 59948 44d060 41 API calls 59947->59948 59948->59938 59950 459817 59949->59950 59951 4517f0 41 API calls 59949->59951 60255 438b10 59950->60255 59951->59950 59954 4517f0 41 API calls 59955 459855 59954->59955 60274 438780 59955->60274 59960 44d060 41 API calls 59961 459894 59960->59961 59962 44d060 41 API calls 59961->59962 59963 4598a0 59962->59963 59964 44d060 41 API calls 59963->59964 59965 4598af 59964->59965 59966 44d060 41 API calls 59965->59966 59967 4598c9 59966->59967 60310 4386d0 59967->60310 59970 44d060 41 API calls 59971 45990a 59970->59971 59972 4abbf5 _ValidateLocalCookies 5 API calls 59971->59972 59973 459924 59972->59973 59974 454730 59973->59974 59975 454833 59974->59975 59978 4547c2 59974->59978 59976 4abbf5 _ValidateLocalCookies 5 API calls 59975->59976 59979 45484c 59976->59979 59978->59975 59981 44b960 41 API calls 59978->59981 60322 434bc0 46 API calls 59978->60322 60323 451e50 41 API calls 4 library calls 59978->60323 59982 45a590 59979->59982 59981->59978 59983 45a039 59982->59983 59984 45a5a8 59982->59984 59983->59842 60324 44d1a0 41 API calls 59984->60324 59986 45a5b3 60325 4afa0c RaiseException 59986->60325 59988 45a5c1 60326 4ad441 59989->60326 59992 4ad441 ___std_exception_destroy 14 API calls 59993 438db1 59992->59993 59993->59853 59995 45411b 59994->59995 59996 45413b std::ios_base::_Ios_base_dtor 59994->59996 59995->59996 60330 497d39 41 API calls 2 library calls 59995->60330 59996->59775 60000 44d3fb 59999->60000 60002 44d495 60000->60002 60003 44d43f 60000->60003 60005 44d5f6 60000->60005 60025 44d633 std::ios_base::_Ios_base_dtor 60000->60025 60001 4abbf5 _ValidateLocalCookies 5 API calls 60004 44d694 60001->60004 60006 44d69d 60002->60006 60007 44d4aa 60002->60007 60024 44d4b6 60002->60024 60003->60006 60008 44d463 60003->60008 60026 44d46f 60003->60026 60004->59878 60009 44d655 60005->60009 60010 44d660 60005->60010 60011 44d61a 60005->60011 60012 44d64a 60005->60012 60005->60025 60048 449730 41 API calls 60006->60048 60035 452540 41 API calls 2 library calls 60007->60035 60033 452540 41 API calls 2 library calls 60008->60033 60021 44d060 41 API calls 60009->60021 60041 454ec0 60010->60041 60039 452630 41 API calls std::ios_base::_Ios_base_dtor 60011->60039 60040 44de70 41 API calls std::ios_base::_Ios_base_dtor 60012->60040 60021->60025 60027 44d490 60024->60027 60036 451c60 41 API calls 60024->60036 60025->60001 60026->60027 60034 451c60 41 API calls 60026->60034 60028 44aa40 41 API calls 60027->60028 60029 451c60 41 API calls 60027->60029 60031 44d5e4 60027->60031 60037 452630 41 API calls std::ios_base::_Ios_base_dtor 60027->60037 60028->60027 60029->60027 60038 44de70 41 API calls std::ios_base::_Ios_base_dtor 60031->60038 60032->59880 60033->60026 60034->60026 60035->60024 60036->60024 60037->60027 60038->60005 60039->60025 60040->60025 60042 454eeb 60041->60042 60043 454f08 std::ios_base::_Ios_base_dtor 60041->60043 60042->60043 60049 497d39 41 API calls 2 library calls 60042->60049 60043->60025 60051 4567ac 60050->60051 60054 4567a6 60050->60054 60053 4567c0 60051->60053 60058 449e50 60051->60058 60052 4550af 60052->59887 60052->59888 60053->60054 60108 436640 60053->60108 60054->60052 60074 460310 60054->60074 60059 449e88 60058->60059 60061 449ef4 60059->60061 60062 449edc 60059->60062 60066 449e93 60059->60066 60060 4abbf5 _ValidateLocalCookies 5 API calls 60065 44a052 60060->60065 60064 494a65 43 API calls 60061->60064 60117 494a65 60062->60117 60070 449f2a __Strxfrm 60064->60070 60065->60053 60066->60060 60067 44a027 60068 44d060 41 API calls 60067->60068 60068->60066 60070->60067 60072 494a65 43 API calls 60070->60072 60073 44a06b 60070->60073 60137 451e50 41 API calls 4 library calls 60070->60137 60072->60070 60073->60067 60138 497466 43 API calls 4 library calls 60073->60138 60075 4604af 60074->60075 60076 46035f 60074->60076 60154 449730 41 API calls 60075->60154 60078 460379 60076->60078 60082 4603d4 60076->60082 60083 4603c4 60076->60083 60086 46038c __Strxfrm 60076->60086 60081 4abc08 std::_Facet_Register 41 API calls 60078->60081 60079 4604b4 60155 434f80 41 API calls 2 library calls 60079->60155 60081->60086 60084 4abc08 std::_Facet_Register 41 API calls 60082->60084 60083->60078 60083->60079 60084->60086 60094 460463 std::ios_base::_Ios_base_dtor 60086->60094 60156 497d39 41 API calls 2 library calls 60086->60156 60094->60052 60109 436662 60108->60109 60110 43665a 60108->60110 60109->60054 60112 436672 60110->60112 60157 4afa0c RaiseException 60110->60157 60158 436560 41 API calls 60112->60158 60114 4366a8 60159 4afa0c RaiseException 60114->60159 60116 4366b7 std::ios_base::_Ios_base_dtor 60116->60054 60118 494a71 __FrameHandler3::FrameUnwindToState 60117->60118 60119 494a7b 60118->60119 60120 494a93 60118->60120 60147 4950d4 14 API calls __dosmaperr 60119->60147 60139 494ce8 EnterCriticalSection 60120->60139 60123 494a80 60148 497d29 41 API calls __wsopen_s 60123->60148 60124 494a9e 60126 498cea __fread_nolock 41 API calls 60124->60126 60129 494ab6 60124->60129 60126->60129 60127 494b1e 60149 4950d4 14 API calls __dosmaperr 60127->60149 60128 494b46 60140 494a29 60128->60140 60129->60127 60129->60128 60132 494b4c 60151 494b76 LeaveCriticalSection __fread_nolock 60132->60151 60133 494b23 60150 497d29 41 API calls __wsopen_s 60133->60150 60136 494a8b 60136->60066 60137->60070 60138->60073 60139->60124 60141 494a35 60140->60141 60144 494a4a __fread_nolock 60140->60144 60152 4950d4 14 API calls __dosmaperr 60141->60152 60143 494a3a 60153 497d29 41 API calls __wsopen_s 60143->60153 60144->60132 60146 494a45 60146->60132 60147->60123 60148->60136 60149->60133 60150->60136 60151->60136 60152->60143 60153->60146 60155->60086 60157->60112 60158->60114 60159->60116 60161 44bafc 60160->60161 60162 44bbae 60161->60162 60167 44bb0d 60161->60167 60163 4350b0 41 API calls 60162->60163 60165 44bbb3 60163->60165 60164 44bb3a 60168 4abc08 std::_Facet_Register 41 API calls 60164->60168 60200 434f80 41 API calls 2 library calls 60165->60200 60167->60164 60170 44bb82 60167->60170 60171 44bb79 60167->60171 60172 44bb12 __Strxfrm 60167->60172 60169 44bb4d 60168->60169 60169->60172 60201 497d39 41 API calls 2 library calls 60169->60201 60174 4abc08 std::_Facet_Register 41 API calls 60170->60174 60171->60164 60171->60165 60172->59905 60174->60172 60177 44cc1d 60176->60177 60178 44cabf 60176->60178 60179 44cc2b 60177->60179 60190 44cacb 60177->60190 60178->60177 60180 44cb35 60178->60180 60181 44cac6 60178->60181 60182 44cacd 60178->60182 60183 44cb8d 60178->60183 60178->60190 60203 44ba90 60179->60203 60187 4abc08 std::_Facet_Register 41 API calls 60180->60187 60202 451310 41 API calls 2 library calls 60181->60202 60184 4abc08 std::_Facet_Register 41 API calls 60182->60184 60189 4abc08 std::_Facet_Register 41 API calls 60183->60189 60184->60190 60185 4abbf5 _ValidateLocalCookies 5 API calls 60191 44cb2c 60185->60191 60193 44cb44 60187->60193 60189->60190 60190->60185 60191->59908 60195 4517f0 41 API calls 60193->60195 60195->60190 60196 44cc4c 60208 4afa0c RaiseException 60196->60208 60198 44cc5d 60200->60169 60202->60190 60204 44bab3 60203->60204 60204->60204 60205 4517f0 41 API calls 60204->60205 60206 44bac5 60205->60206 60207 451b00 41 API calls _ValidateLocalCookies 60206->60207 60207->60196 60208->60198 60209->59915 60211 44b9e4 60210->60211 60212 4520f0 41 API calls 60211->60212 60214 44b9f4 __Strxfrm 60211->60214 60213 44ba36 60212->60213 60213->59918 60214->59918 60216 452238 60215->60216 60217 45211b 60215->60217 60218 4350b0 41 API calls 60216->60218 60222 452181 60217->60222 60223 45218e 60217->60223 60226 452130 60217->60226 60228 452140 __Strxfrm 60217->60228 60219 45223d 60218->60219 60251 434f80 41 API calls 2 library calls 60219->60251 60221 4abc08 std::_Facet_Register 41 API calls 60221->60228 60222->60219 60222->60226 60224 4abc08 std::_Facet_Register 41 API calls 60223->60224 60224->60228 60226->60221 60229 4521f6 std::ios_base::_Ios_base_dtor __Strxfrm 60228->60229 60252 497d39 41 API calls 2 library calls 60228->60252 60229->59914 60230->59925 60232 4517da 60231->60232 60236 4516f5 60231->60236 60233 4350b0 41 API calls 60232->60233 60234 4517df 60233->60234 60253 434f80 41 API calls 2 library calls 60234->60253 60238 451763 60236->60238 60239 45175a 60236->60239 60243 451709 60236->60243 60245 451719 __Strxfrm 60236->60245 60237 4abc08 std::_Facet_Register 41 API calls 60237->60245 60240 4abc08 std::_Facet_Register 41 API calls 60238->60240 60239->60234 60239->60243 60240->60245 60242 4517aa std::ios_base::_Ios_base_dtor __Strxfrm 60242->59927 60243->60237 60245->60242 60254 497d39 41 API calls 2 library calls 60245->60254 60247 44b970 60246->60247 60247->60247 60248 4520f0 41 API calls 60247->60248 60250 44b987 __Strxfrm 60247->60250 60249 44b9be 60248->60249 60249->59935 60250->59935 60251->60228 60253->60245 60315 4350c0 60255->60315 60258 4350c0 41 API calls 60259 438b7d 60258->60259 60260 438bce 60259->60260 60261 4516d0 41 API calls 60259->60261 60262 4520f0 41 API calls 60260->60262 60263 438bdd __Strxfrm 60260->60263 60261->60260 60262->60263 60264 44b9d0 41 API calls 60263->60264 60265 438c20 60264->60265 60266 4520f0 41 API calls 60265->60266 60267 438c2f __Strxfrm 60265->60267 60266->60267 60268 44b9d0 41 API calls 60267->60268 60269 438c74 60268->60269 60270 44d060 41 API calls 60269->60270 60271 438c9b 60270->60271 60272 44d060 41 API calls 60271->60272 60273 438ca7 60272->60273 60273->59954 60275 4387e1 60274->60275 60276 438869 60275->60276 60277 4517f0 41 API calls 60275->60277 60278 4388f8 60276->60278 60279 4516d0 41 API calls 60276->60279 60277->60276 60280 4520f0 41 API calls 60278->60280 60281 43890c __Strxfrm 60278->60281 60279->60278 60280->60281 60282 44b9d0 41 API calls 60281->60282 60283 43893d 60282->60283 60284 438947 60283->60284 60321 451e50 41 API calls 4 library calls 60283->60321 60286 44b9d0 41 API calls 60284->60286 60287 438977 60286->60287 60288 438986 60287->60288 60289 4520f0 41 API calls 60287->60289 60290 44d060 41 API calls 60288->60290 60289->60288 60291 4389dd 60290->60291 60292 4abbf5 _ValidateLocalCookies 5 API calls 60291->60292 60293 4389f6 60292->60293 60294 4582b0 60293->60294 60295 458351 60294->60295 60296 458341 60294->60296 60298 44b9d0 41 API calls 60295->60298 60297 4516d0 41 API calls 60296->60297 60297->60295 60299 45835e 60298->60299 60300 44b960 41 API calls 60299->60300 60301 45836a 60300->60301 60302 44b9d0 41 API calls 60301->60302 60303 458374 60302->60303 60304 44b960 41 API calls 60303->60304 60305 458380 60304->60305 60306 44b9d0 41 API calls 60305->60306 60307 45838a 60306->60307 60308 44b9d0 41 API calls 60307->60308 60309 458394 60308->60309 60309->59960 60311 4ad3de ___std_exception_copy 41 API calls 60310->60311 60312 43874a 60311->60312 60313 4abbf5 _ValidateLocalCookies 5 API calls 60312->60313 60314 438777 60313->60314 60314->59970 60316 435106 60315->60316 60316->60316 60317 435148 60316->60317 60318 4517f0 41 API calls 60316->60318 60319 4abbf5 _ValidateLocalCookies 5 API calls 60317->60319 60318->60317 60320 4351a4 60319->60320 60320->60258 60321->60284 60322->59978 60323->59978 60324->59986 60325->59988 60327 4ad44e 60326->60327 60328 438d9b 60326->60328 60329 497357 ___std_exception_copy 14 API calls 60327->60329 60328->59992 60329->60328 60331 455e8e 60332 456790 43 API calls 60331->60332 60333 455e95 60332->60333 60334 456045 60333->60334 60335 455f97 60333->60335 60336 455fd1 60333->60336 60337 455f23 60333->60337 60338 455f5d 60333->60338 60339 455eaf 60333->60339 60340 45607f 60333->60340 60341 455ee9 60333->60341 60342 45600b 60333->60342 60358 455e51 60333->60358 60349 455e4a 60334->60349 60388 451e50 41 API calls 4 library calls 60334->60388 60335->60349 60385 451e50 41 API calls 4 library calls 60335->60385 60336->60349 60386 451e50 41 API calls 4 library calls 60336->60386 60337->60349 60383 451e50 41 API calls 4 library calls 60337->60383 60338->60349 60384 451e50 41 API calls 4 library calls 60338->60384 60339->60349 60381 451e50 41 API calls 4 library calls 60339->60381 60389 456920 43 API calls _ValidateLocalCookies 60340->60389 60341->60349 60382 451e50 41 API calls 4 library calls 60341->60382 60342->60349 60387 451e50 41 API calls 4 library calls 60342->60387 60344 4abbf5 _ValidateLocalCookies 5 API calls 60348 456432 60344->60348 60356 456790 43 API calls 60349->60356 60354 456086 60357 456790 43 API calls 60354->60357 60354->60358 60378 4560c7 60354->60378 60356->60358 60361 4560a7 60357->60361 60358->60344 60359 45611c 60363 456131 60359->60363 60364 456180 60359->60364 60365 456159 60359->60365 60360 45610f 60391 456740 41 API calls 60360->60391 60361->60358 60366 456790 43 API calls 60361->60366 60397 456740 41 API calls 60363->60397 60395 456740 41 API calls 60364->60395 60392 456740 41 API calls 60365->60392 60367 4560b7 60366->60367 60367->60358 60390 456920 43 API calls _ValidateLocalCookies 60367->60390 60371 456167 60393 456740 41 API calls 60371->60393 60372 45618e 60396 456740 41 API calls 60372->60396 60373 4561b0 60398 456740 41 API calls 60373->60398 60378->60358 60378->60359 60378->60360 60379 456171 60394 456740 41 API calls 60379->60394 60381->60349 60382->60349 60383->60349 60384->60349 60385->60349 60386->60349 60387->60349 60388->60349 60389->60354 60390->60378 60391->60349 60392->60371 60393->60379 60394->60349 60395->60372 60396->60363 60397->60373 60398->60349 60399 48d6e6 60400 48d6ff 60399->60400 60419 48d6f3 60399->60419 60401 48d709 60400->60401 60409 48d898 60400->60409 60418 48d742 60401->60418 60444 44b8f0 60401->60444 60402 48d915 60406 48e1c0 46 API calls 60402->60406 60403 4abbf5 _ValidateLocalCookies 5 API calls 60405 48e0d0 60403->60405 60408 48d92a 60406->60408 60407 48e1c0 46 API calls 60407->60409 60411 48d6a0 5 API calls 60408->60411 60409->60402 60409->60407 60412 48d6a0 5 API calls 60409->60412 60410 48d7fa 60414 48e1c0 46 API calls 60410->60414 60411->60419 60412->60409 60415 48d83e 60414->60415 60417 48d6a0 5 API calls 60415->60417 60417->60419 60418->60410 60420 48e1c0 60418->60420 60440 48d6a0 60418->60440 60419->60403 60425 48e212 60420->60425 60430 48e3fa 60420->60430 60421 48e47a 60463 48e550 41 API calls 60421->60463 60424 48e485 60426 4350c0 41 API calls 60424->60426 60425->60421 60429 48e3f4 60425->60429 60450 48e0dc 60425->60450 60455 48e110 60425->60455 60460 434bc0 46 API calls 60425->60460 60427 48e499 60426->60427 60464 48ef40 41 API calls 60427->60464 60429->60430 60461 48e550 41 API calls 60429->60461 60430->60418 60431 48e474 60465 4511a0 41 API calls _ValidateLocalCookies 60431->60465 60434 48e464 60462 48f020 41 API calls 60434->60462 60435 48e4c0 60466 4afa0c RaiseException 60435->60466 60441 48d6df 60440->60441 60442 4abbf5 _ValidateLocalCookies 5 API calls 60441->60442 60443 48e0d0 60442->60443 60443->60418 60445 44b912 60444->60445 60446 44b8fe 60444->60446 60447 44b920 __fread_nolock 60445->60447 60467 451f90 60445->60467 60446->60418 60447->60418 60449 44b953 60449->60418 60451 48e103 60450->60451 60453 48e129 __Strxfrm 60450->60453 60452 4520f0 41 API calls 60451->60452 60451->60453 60454 48e15d 60452->60454 60453->60425 60454->60425 60456 48e150 60455->60456 60459 48e129 __Strxfrm 60455->60459 60457 4520f0 41 API calls 60456->60457 60458 48e15d 60457->60458 60458->60425 60459->60425 60460->60425 60461->60434 60462->60431 60463->60424 60464->60431 60465->60435 60468 4520d9 60467->60468 60472 451fb5 60467->60472 60470 4350b0 41 API calls 60468->60470 60469 451fca 60476 4abc08 std::_Facet_Register 41 API calls 60469->60476 60471 4520de 60470->60471 60482 434f80 41 API calls 2 library calls 60471->60482 60472->60469 60474 452028 60472->60474 60475 45201b 60472->60475 60480 451fda __fread_nolock __Strxfrm 60472->60480 60478 4abc08 std::_Facet_Register 41 API calls 60474->60478 60475->60469 60475->60471 60476->60480 60478->60480 60481 452097 std::ios_base::_Ios_base_dtor __fread_nolock __Strxfrm 60480->60481 60483 497d39 41 API calls 2 library calls 60480->60483 60481->60449 60482->60480 60484 48d95a 60485 48d976 60484->60485 60494 48d96a 60484->60494 60486 48d980 60485->60486 60495 48daad 60485->60495 60493 44b8f0 41 API calls 60486->60493 60497 48d9b9 60486->60497 60487 4abbf5 _ValidateLocalCookies 5 API calls 60491 48e0d0 60487->60491 60488 48daf5 60490 48d6a0 5 API calls 60488->60490 60489 48da31 60496 48d6a0 5 API calls 60489->60496 60490->60494 60492 48d6a0 5 API calls 60492->60495 60493->60497 60494->60487 60495->60488 60495->60492 60496->60494 60497->60489 60498 48d6a0 5 API calls 60497->60498 60498->60497 60499 49865a 60500 49866a 60499->60500 60501 49867d 60499->60501 60538 4950d4 14 API calls __dosmaperr 60500->60538 60503 49868f 60501->60503 60510 4986a2 60501->60510 60540 4950d4 14 API calls __dosmaperr 60503->60540 60504 49866f 60539 497d29 41 API calls __wsopen_s 60504->60539 60506 4986c2 60542 4950d4 14 API calls __dosmaperr 60506->60542 60507 4986d3 60530 4a1286 60507->60530 60509 498694 60541 497d29 41 API calls __wsopen_s 60509->60541 60510->60506 60510->60507 60516 4986ea 60517 4988e0 60516->60517 60550 4a06a5 60516->60550 60566 497d56 IsProcessorFeaturePresent 60517->60566 60520 4986fc 60520->60517 60557 4a06d1 60520->60557 60521 4988ea 60523 49870e 60523->60517 60524 498717 60523->60524 60525 49879c 60524->60525 60526 498738 60524->60526 60529 498679 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 60525->60529 60565 4a12e3 41 API calls 2 library calls 60525->60565 60526->60529 60564 4a12e3 41 API calls 2 library calls 60526->60564 60531 4a1292 __FrameHandler3::FrameUnwindToState 60530->60531 60532 4986d8 60531->60532 60570 49b2e1 EnterCriticalSection 60531->60570 60543 4a0679 60532->60543 60534 4a12a3 60535 4a12b7 60534->60535 60571 4a11ce 60534->60571 60583 4a12da LeaveCriticalSection std::_Lockit::~_Lockit 60535->60583 60538->60504 60539->60529 60540->60509 60541->60529 60542->60529 60544 4a069a 60543->60544 60545 4a0685 60543->60545 60544->60516 60699 4950d4 14 API calls __dosmaperr 60545->60699 60547 4a068a 60700 497d29 41 API calls __wsopen_s 60547->60700 60549 4a0695 60549->60516 60551 4a06b1 60550->60551 60552 4a06c6 60550->60552 60701 4950d4 14 API calls __dosmaperr 60551->60701 60552->60520 60554 4a06b6 60702 497d29 41 API calls __wsopen_s 60554->60702 60556 4a06c1 60556->60520 60558 4a06dd 60557->60558 60559 4a06f2 60557->60559 60703 4950d4 14 API calls __dosmaperr 60558->60703 60559->60523 60561 4a06e2 60704 497d29 41 API calls __wsopen_s 60561->60704 60563 4a06ed 60563->60523 60564->60529 60565->60529 60567 497d62 60566->60567 60705 497b2d 60567->60705 60570->60534 60584 4a0d24 60571->60584 60574 4a122a 60579 4a1227 60574->60579 60653 4a1074 60574->60653 60576 4a1221 60593 4a0de2 60576->60593 60578 49c0bd ___free_lconv_mon 14 API calls 60580 4a1235 60578->60580 60579->60578 60581 4abbf5 _ValidateLocalCookies 5 API calls 60580->60581 60582 4a1242 60581->60582 60582->60535 60583->60532 60585 4a0d43 _strftime 60584->60585 60590 4a0d4a 60585->60590 60685 49d15a 15 API calls 3 library calls 60585->60685 60587 4a0d6b 60588 49c0bd ___free_lconv_mon 14 API calls 60587->60588 60588->60590 60589 4a0d64 _strftime 60589->60587 60591 4a0d8d 60589->60591 60590->60574 60590->60576 60592 49c0bd ___free_lconv_mon 14 API calls 60591->60592 60592->60590 60594 4a0df2 _strftime 60593->60594 60595 4a06d1 _strftime 41 API calls 60594->60595 60596 4a0e13 60595->60596 60597 4a1067 60596->60597 60599 4a0679 _strftime 41 API calls 60596->60599 60598 497d56 __Getcoll 11 API calls 60597->60598 60600 4a1073 _strftime 60598->60600 60601 4a0e25 60599->60601 60605 4a06d1 _strftime 41 API calls 60600->60605 60601->60597 60603 4a0e9b 60601->60603 60686 49d15a 15 API calls 3 library calls 60601->60686 60603->60579 60604 4a0e8c 60606 4a0e93 60604->60606 60607 4a0ea1 60604->60607 60608 4a10a1 60605->60608 60609 49c0bd ___free_lconv_mon 14 API calls 60606->60609 60610 49c0bd ___free_lconv_mon 14 API calls 60607->60610 60611 4a11c3 60608->60611 60614 4a0679 _strftime 41 API calls 60608->60614 60609->60603 60613 4a0eac 60610->60613 60612 497d56 __Getcoll 11 API calls 60611->60612 60615 4a11cd 60612->60615 60687 4a4e67 41 API calls 2 library calls 60613->60687 60616 4a10b3 60614->60616 60618 4a0d24 _strftime 15 API calls 60615->60618 60616->60611 60617 4a06a5 _strftime 41 API calls 60616->60617 60620 4a10c5 60617->60620 60621 4a1207 60618->60621 60620->60611 60623 4a10ce 60620->60623 60624 4a122a 60621->60624 60628 4a1221 60621->60628 60622 4a0ed3 60622->60597 60635 4a0ede __fread_nolock 60622->60635 60625 49c0bd ___free_lconv_mon 14 API calls 60623->60625 60626 4a1227 60624->60626 60627 4a1074 _strftime 46 API calls 60624->60627 60629 4a10d9 GetTimeZoneInformation 60625->60629 60631 49c0bd ___free_lconv_mon 14 API calls 60626->60631 60627->60626 60630 4a0de2 _strftime 46 API calls 60628->60630 60636 4a119d _strftime 60629->60636 60639 4a10f5 __fread_nolock 60629->60639 60630->60626 60632 4a1235 60631->60632 60633 4abbf5 _ValidateLocalCookies 5 API calls 60632->60633 60634 4a1242 60633->60634 60634->60579 60688 4a0d9b 47 API calls 6 library calls 60635->60688 60636->60579 60638 4a0f23 60689 4949e3 42 API calls 2 library calls 60638->60689 60693 4a3e20 41 API calls 2 library calls 60639->60693 60642 4a1178 60694 4a1244 47 API calls 4 library calls 60642->60694 60644 4a1189 60695 4a1244 47 API calls 4 library calls 60644->60695 60645 4a0f57 60647 4a0fe9 60645->60647 60690 4949e3 42 API calls 2 library calls 60645->60690 60652 4a104b _strftime 60647->60652 60692 4a0d9b 47 API calls 6 library calls 60647->60692 60651 4a0f94 60651->60647 60691 4949e3 42 API calls 2 library calls 60651->60691 60652->60597 60654 4a1084 _strftime 60653->60654 60655 4a06d1 _strftime 41 API calls 60654->60655 60656 4a10a1 60655->60656 60657 4a11c3 60656->60657 60659 4a0679 _strftime 41 API calls 60656->60659 60658 497d56 __Getcoll 11 API calls 60657->60658 60660 4a11cd 60658->60660 60661 4a10b3 60659->60661 60663 4a0d24 _strftime 15 API calls 60660->60663 60661->60657 60662 4a06a5 _strftime 41 API calls 60661->60662 60664 4a10c5 60662->60664 60665 4a1207 60663->60665 60664->60657 60666 4a10ce 60664->60666 60667 4a122a 60665->60667 60671 4a1221 60665->60671 60668 49c0bd ___free_lconv_mon 14 API calls 60666->60668 60669 4a1227 60667->60669 60670 4a1074 _strftime 46 API calls 60667->60670 60672 4a10d9 GetTimeZoneInformation 60668->60672 60674 49c0bd ___free_lconv_mon 14 API calls 60669->60674 60670->60669 60673 4a0de2 _strftime 46 API calls 60671->60673 60678 4a119d _strftime 60672->60678 60679 4a10f5 __fread_nolock 60672->60679 60673->60669 60675 4a1235 60674->60675 60676 4abbf5 _ValidateLocalCookies 5 API calls 60675->60676 60677 4a1242 60676->60677 60677->60579 60678->60579 60696 4a3e20 41 API calls 2 library calls 60679->60696 60681 4a1178 60697 4a1244 47 API calls 4 library calls 60681->60697 60683 4a1189 60698 4a1244 47 API calls 4 library calls 60683->60698 60685->60589 60686->60604 60687->60622 60688->60638 60689->60645 60690->60651 60691->60647 60692->60652 60693->60642 60694->60644 60695->60636 60696->60681 60697->60683 60698->60678 60699->60547 60700->60549 60701->60554 60702->60556 60703->60561 60704->60563 60706 497b49 __fread_nolock __purecall 60705->60706 60707 497b75 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 60706->60707 60708 497c46 __purecall 60707->60708 60709 4abbf5 _ValidateLocalCookies 5 API calls 60708->60709 60710 497c64 GetCurrentProcess TerminateProcess 60709->60710 60710->60521 60711 4ac379 60712 4ac385 __FrameHandler3::FrameUnwindToState 60711->60712 60739 4abdc3 60712->60739 60714 4ac38c 60715 4ac4df 60714->60715 60726 4ac3b6 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock __purecall 60714->60726 60839 4ac6bf 4 API calls 2 library calls 60715->60839 60717 4ac4e6 60832 4a2a0e 60717->60832 60721 4ac4f4 60722 4ac3d5 60723 4ac456 60750 4ac7d4 60723->60750 60726->60722 60726->60723 60835 4a29e8 41 API calls 3 library calls 60726->60835 60740 4abdcc 60739->60740 60841 4aca4b IsProcessorFeaturePresent 60740->60841 60742 4abdd8 60842 4af9d6 10 API calls 2 library calls 60742->60842 60744 4abde1 60744->60714 60745 4abddd 60745->60744 60843 4ba4fc 60745->60843 60748 4abdf8 60748->60714 60906 4ade50 60750->60906 60753 4ac45c 60754 4ba53e 60753->60754 60908 4a3a7a 60754->60908 60756 4ac464 60759 47e240 GetCurrentProcess OpenProcessToken 60756->60759 60757 4ba547 60757->60756 60914 4bb09f 41 API calls 60757->60914 60760 47e2b4 GetTokenInformation 60759->60760 60761 47e2d8 60759->60761 60760->60761 60762 47e2f2 CloseHandle 60761->60762 60763 47e2f9 60761->60763 60762->60763 60764 47e337 60763->60764 60765 47e2fd 60763->60765 60917 48cb50 60764->60917 62042 481970 42 API calls 2 library calls 60765->62042 60768 47e308 62043 48aa80 61 API calls _ValidateLocalCookies 60768->62043 60770 48cb50 10 API calls 60772 47e34b 60770->60772 60927 47ecc0 60772->60927 60773 47e316 60774 47e328 ExitProcess 60773->60774 60777 44d060 41 API calls 60778 47e3fe OpenMutexA 60777->60778 60779 47e426 CreateMutexA 60778->60779 60780 47e41b ExitProcess 60778->60780 60931 479130 60779->60931 64701 4a2800 60832->64701 60835->60723 60839->60717 60840 4a29d2 41 API calls __purecall 60840->60721 60841->60742 60842->60745 60847 4bb0d0 60843->60847 60846 4af9f5 7 API calls 2 library calls 60846->60744 60848 4bb0e0 60847->60848 60849 4abdea 60847->60849 60848->60849 60852 49ae1f 60848->60852 60864 49ad6f 60848->60864 60849->60748 60849->60846 60853 49ae2b __FrameHandler3::FrameUnwindToState 60852->60853 60869 49b2e1 EnterCriticalSection 60853->60869 60855 49ae32 60870 4a2ddd 60855->60870 60857 49ae50 60884 49ae76 LeaveCriticalSection std::_Lockit::~_Lockit 60857->60884 60861 49ae61 60861->60848 60862 49ae4b 60863 49ad6f 2 API calls 60862->60863 60863->60857 60865 49ad76 60864->60865 60866 49adb9 GetStdHandle 60865->60866 60867 49ae1b 60865->60867 60868 49adcc GetFileType 60865->60868 60866->60865 60867->60848 60868->60865 60869->60855 60871 4a2de9 __FrameHandler3::FrameUnwindToState 60870->60871 60872 4a2df2 60871->60872 60873 4a2e13 60871->60873 60893 4950d4 14 API calls __dosmaperr 60872->60893 60885 49b2e1 EnterCriticalSection 60873->60885 60876 4a2df7 60894 497d29 41 API calls __wsopen_s 60876->60894 60878 49ae41 60878->60857 60883 49acb9 44 API calls 60878->60883 60881 4a2e4b 60895 4a2e72 LeaveCriticalSection std::_Lockit::~_Lockit 60881->60895 60882 4a2e1f 60882->60881 60886 4a2d2d 60882->60886 60883->60862 60884->60861 60885->60882 60896 49c6a4 60886->60896 60888 4a2d3f 60892 4a2d4c 60888->60892 60903 49cd70 6 API calls _unexpected 60888->60903 60889 49c0bd ___free_lconv_mon 14 API calls 60891 4a2da1 60889->60891 60891->60882 60892->60889 60893->60876 60894->60878 60895->60878 60897 49c6b1 _strftime 60896->60897 60898 49c6f1 60897->60898 60899 49c6dc RtlAllocateHeap 60897->60899 60904 4a6cfd EnterCriticalSection LeaveCriticalSection std::_Facet_Register 60897->60904 60905 4950d4 14 API calls __dosmaperr 60898->60905 60899->60897 60901 49c6ef 60899->60901 60901->60888 60903->60888 60904->60897 60905->60901 60907 4ac7e7 GetStartupInfoW 60906->60907 60907->60753 60909 4a3a83 60908->60909 60913 4a3ab5 60908->60913 60915 499362 41 API calls 3 library calls 60909->60915 60911 4a3aa6 60916 4a3885 51 API calls 3 library calls 60911->60916 60913->60757 60914->60757 60915->60911 60916->60913 60918 48cbb0 60917->60918 60918->60918 60919 48cbbb GetCurrentProcess OpenProcessToken 60918->60919 60920 48cbd2 LookupPrivilegeValueW 60919->60920 60921 48cc1d 60919->60921 60920->60921 60922 48cbe9 AdjustTokenPrivileges 60920->60922 60923 48cc2d CloseHandle 60921->60923 60924 48cc37 60921->60924 60922->60921 60923->60924 60925 4abbf5 _ValidateLocalCookies 5 API calls 60924->60925 60926 47e341 60925->60926 60926->60770 60928 47ed00 60927->60928 62046 4740f0 60928->62046 60930 47e3ec 60930->60777 62052 478d40 60931->62052 60934 4517f0 41 API calls 60935 479249 60934->60935 60936 4517f0 41 API calls 60935->60936 60937 47930d 60936->60937 60938 4517f0 41 API calls 60937->60938 60939 4793d1 60938->60939 60940 4517f0 41 API calls 60939->60940 60941 479499 60940->60941 60942 4517f0 41 API calls 60941->60942 60943 47955d 60942->60943 60944 4517f0 41 API calls 60943->60944 60945 479621 60944->60945 60946 4517f0 41 API calls 60945->60946 60947 4796e9 60946->60947 60948 4517f0 41 API calls 60947->60948 60949 4797ad 60948->60949 60950 4517f0 41 API calls 60949->60950 60951 479871 60950->60951 60952 4517f0 41 API calls 60951->60952 60953 479939 60952->60953 62077 479ec0 60953->62077 60955 47996e 62103 44d7d0 60955->62103 60957 4799a2 62118 4738e0 60957->62118 60960 44ba90 41 API calls 60961 4799ed 60960->60961 62129 44eb90 60961->62129 60968 479a38 62167 44c960 60968->62167 60969 44c960 41 API calls 60969->60968 60971 479a70 60972 44d060 41 API calls 60971->60972 60973 479a7f 60972->60973 60974 44d060 41 API calls 60973->60974 60975 479a8e 60974->60975 60976 44eb90 41 API calls 60975->60976 60977 479a9b 60976->60977 62176 479c20 60977->62176 60980 44eb90 41 API calls 60981 479ab5 60980->60981 62185 479d70 60981->62185 62042->60768 62043->60773 62047 474178 62046->62047 62050 47410a __Strxfrm 62046->62050 62051 477640 44 API calls 5 library calls 62047->62051 62049 474186 62049->60930 62050->60930 62051->62049 62053 4517f0 41 API calls 62052->62053 62054 478dc8 __Strxfrm 62053->62054 62193 44fe10 62054->62193 62057 4517f0 41 API calls 62058 478ee8 62057->62058 62059 44fe10 41 API calls 62058->62059 62060 478efd 62059->62060 62061 44d060 41 API calls 62060->62061 62062 478f0c 62061->62062 62063 4517f0 41 API calls 62062->62063 62064 478f3c 62063->62064 62065 44fe10 41 API calls 62064->62065 62066 478f51 62065->62066 62067 44d060 41 API calls 62066->62067 62072 478f60 62067->62072 62068 44d060 41 API calls 62069 4790ef 62068->62069 62070 44d060 41 API calls 62069->62070 62071 4790fe 62070->62071 62073 44d060 41 API calls 62071->62073 62072->62068 62072->62072 62074 47910a 62073->62074 62075 4abbf5 _ValidateLocalCookies 5 API calls 62074->62075 62076 479127 62075->62076 62076->60934 62078 479ef7 62077->62078 62079 479fdc 62077->62079 62080 479f03 62078->62080 62081 47a0c0 62078->62081 62082 47a062 62079->62082 62083 47a001 62079->62083 62092 479f44 62080->62092 62095 479f84 std::ios_base::_Ios_base_dtor 62080->62095 62100 44d060 41 API calls 62080->62100 62215 449730 41 API calls 62081->62215 62091 47a094 62082->62091 62094 44d7d0 41 API calls 62082->62094 62090 47a03c 62083->62090 62096 44d7d0 41 API calls 62083->62096 62086 47a0c5 62216 497d39 41 API calls 2 library calls 62086->62216 62087 44d060 41 API calls 62087->62091 62088 47a053 62088->60955 62214 47a0d0 41 API calls _ValidateLocalCookies 62090->62214 62091->62087 62097 47a0b1 62091->62097 62092->62086 62092->62095 62094->62082 62198 454e60 62095->62198 62096->62083 62097->60955 62099 479fb1 62213 47a0d0 41 API calls _ValidateLocalCookies 62099->62213 62100->62080 62102 479fcd 62102->60955 62107 44d7ee __Strxfrm 62103->62107 62108 44d814 62103->62108 62104 44d8f4 62105 4350b0 41 API calls 62104->62105 62106 44d8f9 62105->62106 62220 434f80 41 API calls 2 library calls 62106->62220 62107->60957 62108->62104 62112 44d857 62108->62112 62113 44d88b 62108->62113 62116 44d84b __Strxfrm 62108->62116 62109 4abc08 std::_Facet_Register 41 API calls 62109->62116 62111 44d8fe 62112->62106 62112->62109 62114 4abc08 std::_Facet_Register 41 API calls 62113->62114 62114->62116 62117 44d8d6 std::ios_base::_Ios_base_dtor 62116->62117 62219 497d39 41 API calls 2 library calls 62116->62219 62117->60957 62119 44ca70 41 API calls 62118->62119 62120 473957 62119->62120 62221 4759f0 62120->62221 62125 44d060 41 API calls 62126 4739e6 62125->62126 62127 454ec0 41 API calls 62126->62127 62128 4739f2 62127->62128 62128->60960 62130 44ebf1 62129->62130 62130->62130 62131 4517f0 41 API calls 62130->62131 62132 44ec06 62131->62132 62445 44a980 62132->62445 62135 44f070 62136 44f13c 62135->62136 62137 44f0ef 62135->62137 62476 4510c0 41 API calls 62136->62476 62138 44f10a 62137->62138 62139 44d7d0 41 API calls 62137->62139 62146 44f180 62138->62146 62139->62138 62141 44f155 62477 4511a0 41 API calls _ValidateLocalCookies 62141->62477 62143 44f16a 62478 4afa0c RaiseException 62143->62478 62145 44f17b 62159 44f220 62146->62159 62147 44f31c 62148 44f3e6 62147->62148 62149 44f343 62147->62149 62492 44d7c0 41 API calls 62148->62492 62152 4517f0 41 API calls 62149->62152 62154 44f362 62152->62154 62153 4517f0 41 API calls 62153->62159 62155 44f373 62154->62155 62480 45ffe0 62154->62480 62158 44d060 41 API calls 62155->62158 62156 44d060 41 API calls 62156->62159 62160 44f3ba 62158->62160 62159->62147 62159->62148 62159->62153 62159->62156 62162 44bad0 41 API calls 62159->62162 62479 458940 41 API calls 62159->62479 62161 44d060 41 API calls 62160->62161 62163 44f3c6 62161->62163 62162->62159 62165 4abbf5 _ValidateLocalCookies 5 API calls 62163->62165 62166 44f3df 62165->62166 62166->60968 62166->60969 62168 44c9d8 std::ios_base::_Ios_base_dtor 62167->62168 62171 44c98d 62167->62171 62168->60971 62169 44d060 41 API calls 62169->62171 62170 44c9a2 62170->62168 62497 497d39 41 API calls 2 library calls 62170->62497 62171->62169 62171->62170 62178 479c53 62176->62178 62177 479aa2 62177->60980 62178->62177 62498 4510c0 41 API calls 62178->62498 62180 479d14 62499 4511a0 41 API calls _ValidateLocalCookies 62180->62499 62182 479d29 62500 4afa0c RaiseException 62182->62500 62184 479d3a 62186 479da3 62185->62186 62501 4510c0 41 API calls 62186->62501 62188 479e63 62502 4511a0 41 API calls _ValidateLocalCookies 62188->62502 62190 479e78 62503 4afa0c RaiseException 62190->62503 62192 479e89 62194 44b8f0 41 API calls 62193->62194 62196 44fea4 __Strxfrm 62194->62196 62195 44b8f0 41 API calls 62197 44ffad 62195->62197 62196->62195 62197->62057 62199 454eb2 62198->62199 62200 454e6d 62198->62200 62217 434f80 41 API calls 2 library calls 62199->62217 62201 454e77 62200->62201 62203 454ea5 62200->62203 62204 454e82 62200->62204 62201->62099 62207 4abc08 std::_Facet_Register 41 API calls 62203->62207 62204->62199 62206 454e89 62204->62206 62209 4abc08 std::_Facet_Register 41 API calls 62206->62209 62210 454eab 62207->62210 62211 454e8f 62209->62211 62210->62099 62212 454e98 62211->62212 62218 497d39 41 API calls 2 library calls 62211->62218 62212->62099 62213->62102 62214->62088 62217->62211 62220->62111 62223 475a5c 62221->62223 62303 494d10 62223->62303 62226 4739ba 62227 473b90 62226->62227 62228 473e7f 62227->62228 62231 473bec __fread_nolock 62227->62231 62440 476a20 46 API calls _ValidateLocalCookies 62228->62440 62230 473eca 62232 474190 44 API calls 62230->62232 62437 454180 41 API calls 62231->62437 62234 473eda 62232->62234 62235 474003 62234->62235 62237 4517f0 41 API calls 62234->62237 62238 474076 62235->62238 62241 44ca70 41 API calls 62235->62241 62236 473c61 62438 475df0 46 API calls _ValidateLocalCookies 62236->62438 62240 473f16 62237->62240 62243 4540f0 41 API calls 62238->62243 62244 4543f0 46 API calls 62240->62244 62245 474029 62241->62245 62242 473c76 62246 474190 44 API calls 62242->62246 62247 473e7a 62243->62247 62248 473f31 62244->62248 62249 44d3b0 41 API calls 62245->62249 62250 473c7e 62246->62250 62251 4abbf5 _ValidateLocalCookies 5 API calls 62247->62251 62252 459790 41 API calls 62248->62252 62249->62238 62253 473d96 62250->62253 62256 4517f0 41 API calls 62250->62256 62254 4739cd 62251->62254 62255 473f5f 62252->62255 62257 473df6 62253->62257 62258 473d9c 62253->62258 62254->62125 62261 454730 46 API calls 62255->62261 62262 473cae 62256->62262 62260 473e68 62257->62260 62264 44ca70 41 API calls 62257->62264 62259 44ca70 41 API calls 62258->62259 62263 473dbc 62259->62263 62439 453fe0 41 API calls 62260->62439 62265 473f7a 62261->62265 62267 4543f0 46 API calls 62262->62267 62273 44d3b0 41 API calls 62263->62273 62264->62263 62268 473f8c 62265->62268 62269 4740c9 62265->62269 62270 473cc6 62267->62270 62274 44d060 41 API calls 62268->62274 62443 44d1a0 41 API calls 62269->62443 62271 459790 41 API calls 62270->62271 62275 473cf4 62271->62275 62273->62260 62277 473f9b 62274->62277 62278 454730 46 API calls 62275->62278 62276 4740d5 62444 4afa0c RaiseException 62276->62444 62280 4ad441 ___std_exception_destroy 14 API calls 62277->62280 62281 473d10 62278->62281 62283 473fc5 62280->62283 62284 4740a7 62281->62284 62285 473d22 62281->62285 62282 4740e6 62286 4ad441 ___std_exception_destroy 14 API calls 62283->62286 62441 44d1a0 41 API calls 62284->62441 62287 44d060 41 API calls 62285->62287 62289 473fe2 62286->62289 62292 473d31 62287->62292 62291 44d060 41 API calls 62289->62291 62290 4740b8 62442 4afa0c RaiseException 62290->62442 62294 473ff4 62291->62294 62295 4ad441 ___std_exception_destroy 14 API calls 62292->62295 62296 44d060 41 API calls 62294->62296 62297 473d5b 62295->62297 62296->62235 62298 4ad441 ___std_exception_destroy 14 API calls 62297->62298 62299 473d78 62298->62299 62300 44d060 41 API calls 62299->62300 62301 473d8a 62300->62301 62302 44d060 41 API calls 62301->62302 62302->62253 62374 4992a7 GetLastError 62303->62374 62308 474190 62309 4741a9 62308->62309 62313 4741ec 62308->62313 62426 475760 41 API calls 62309->62426 62312 4741ae 62312->62313 62427 475760 41 API calls 62312->62427 62429 474460 41 API calls 62313->62429 62314 474243 62316 474389 62314->62316 62319 474286 62314->62319 62320 474324 62314->62320 62321 4742c2 62314->62321 62322 4742ae 62314->62322 62323 474349 62314->62323 62324 4742d6 62314->62324 62325 474375 62314->62325 62326 474272 62314->62326 62327 47435f 62314->62327 62328 47425e 62314->62328 62329 4742fb 62314->62329 62330 47429a 62314->62330 62340 4abbf5 _ValidateLocalCookies 5 API calls 62316->62340 62317 4741bc 62336 4741d1 62317->62336 62428 475760 41 API calls 62317->62428 62334 4abbf5 _ValidateLocalCookies 5 API calls 62319->62334 62434 4744f0 41 API calls 62320->62434 62341 4abbf5 _ValidateLocalCookies 5 API calls 62321->62341 62339 4abbf5 _ValidateLocalCookies 5 API calls 62322->62339 62435 474e30 41 API calls _ValidateLocalCookies 62323->62435 62432 4744f0 41 API calls 62324->62432 62338 4abbf5 _ValidateLocalCookies 5 API calls 62325->62338 62333 4abbf5 _ValidateLocalCookies 5 API calls 62326->62333 62436 4745a0 44 API calls 2 library calls 62327->62436 62331 4abbf5 _ValidateLocalCookies 5 API calls 62328->62331 62433 4744f0 41 API calls 62329->62433 62337 4abbf5 _ValidateLocalCookies 5 API calls 62330->62337 62346 47426e 62331->62346 62348 474282 62333->62348 62349 474296 62334->62349 62353 4abbf5 _ValidateLocalCookies 5 API calls 62336->62353 62352 4742aa 62337->62352 62354 474385 62338->62354 62355 4742be 62339->62355 62356 4743a0 62340->62356 62357 4742d2 62341->62357 62344 47421b 62344->62314 62344->62316 62430 474d00 41 API calls 62344->62430 62431 474460 41 API calls 62344->62431 62346->62226 62347 474350 62361 4abbf5 _ValidateLocalCookies 5 API calls 62347->62361 62348->62226 62349->62226 62350 474366 62362 4abbf5 _ValidateLocalCookies 5 API calls 62350->62362 62352->62226 62364 4741e8 62353->62364 62354->62226 62355->62226 62356->62226 62357->62226 62358 4742ec 62365 4abbf5 _ValidateLocalCookies 5 API calls 62358->62365 62359 474315 62366 4abbf5 _ValidateLocalCookies 5 API calls 62359->62366 62360 47433a 62368 4abbf5 _ValidateLocalCookies 5 API calls 62360->62368 62369 47435b 62361->62369 62370 474371 62362->62370 62363 4741ca 62363->62313 62363->62336 62364->62226 62371 4742f7 62365->62371 62372 474320 62366->62372 62373 474345 62368->62373 62369->62226 62370->62226 62371->62226 62372->62226 62373->62226 62375 4992bd 62374->62375 62376 4992c3 62374->62376 62405 49cbd8 6 API calls _unexpected 62375->62405 62380 4992c7 SetLastError 62376->62380 62406 49cc17 6 API calls _unexpected 62376->62406 62379 4992df 62379->62380 62382 49c6a4 _unexpected 14 API calls 62379->62382 62384 49935c 62380->62384 62385 494d1b 62380->62385 62383 4992f4 62382->62383 62386 49930d 62383->62386 62387 4992fc 62383->62387 62411 498ca6 62384->62411 62401 49b0ec 62385->62401 62408 49cc17 6 API calls _unexpected 62386->62408 62407 49cc17 6 API calls _unexpected 62387->62407 62392 49930a 62397 49c0bd ___free_lconv_mon 14 API calls 62392->62397 62393 499319 62394 49931d 62393->62394 62395 499334 62393->62395 62409 49cc17 6 API calls _unexpected 62394->62409 62410 4990d5 14 API calls _unexpected 62395->62410 62397->62380 62399 49933f 62400 49c0bd ___free_lconv_mon 14 API calls 62399->62400 62400->62380 62402 49b0ff 62401->62402 62403 475b5c 62401->62403 62402->62403 62425 4a342d 41 API calls 5 library calls 62402->62425 62403->62308 62405->62376 62406->62379 62407->62392 62408->62393 62409->62392 62410->62399 62422 4a2af6 EnterCriticalSection LeaveCriticalSection __purecall 62411->62422 62413 498cab 62414 498cb6 62413->62414 62423 4a2b3b 41 API calls 7 library calls 62413->62423 62416 498cc0 IsProcessorFeaturePresent 62414->62416 62417 498cdf 62414->62417 62418 498ccc 62416->62418 62424 4a29d2 41 API calls __purecall 62417->62424 62421 497b2d __purecall 8 API calls 62418->62421 62420 498ce9 62421->62417 62422->62413 62423->62414 62424->62420 62425->62403 62426->62312 62427->62317 62428->62363 62429->62344 62430->62344 62431->62344 62432->62358 62433->62359 62434->62360 62435->62347 62436->62350 62437->62236 62438->62242 62439->62247 62440->62230 62441->62290 62442->62269 62443->62276 62444->62282 62446 44a9b5 62445->62446 62447 44a9bd 62445->62447 62471 451310 41 API calls 2 library calls 62446->62471 62449 44a9c5 62447->62449 62450 44a9fe 62447->62450 62461 458110 62449->62461 62472 4513c0 41 API calls 62450->62472 62452 44a9d6 62453 44d060 41 API calls 62452->62453 62456 44a9e8 62453->62456 62455 44aa14 62473 4511a0 41 API calls _ValidateLocalCookies 62455->62473 62456->62135 62458 44aa26 62474 4afa0c RaiseException 62458->62474 62460 44aa37 62462 458164 62461->62462 62463 4581c4 62462->62463 62464 4582a0 62462->62464 62470 4581a4 62462->62470 62466 4abc08 std::_Facet_Register 41 API calls 62463->62466 62475 4351b0 41 API calls 62464->62475 62468 4581e5 62466->62468 62469 44ca70 41 API calls 62468->62469 62469->62470 62470->62452 62471->62447 62472->62455 62473->62458 62474->62460 62476->62141 62477->62143 62478->62145 62479->62159 62481 460107 62480->62481 62482 46004c 62480->62482 62481->62155 62496 449730 41 API calls 62481->62496 62485 454e60 41 API calls 62482->62485 62486 46008c 62485->62486 62487 4600cc 62486->62487 62493 45fb40 5 API calls _ValidateLocalCookies 62486->62493 62494 45fb40 5 API calls _ValidateLocalCookies 62487->62494 62490 4600ef 62495 45bea0 41 API calls std::ios_base::_Ios_base_dtor 62490->62495 62493->62487 62494->62490 62495->62481 62498->62180 62499->62182 62500->62184 62501->62188 62502->62190 62503->62192 64702 4a283f 64701->64702 64703 4a282d 64701->64703 64713 4a26b0 64702->64713 64728 4a28c8 GetModuleHandleW 64703->64728 64707 4a2832 64707->64702 64729 4a2923 GetModuleHandleExW 64707->64729 64708 4a287c 64708->60840 64714 4a26bc __FrameHandler3::FrameUnwindToState 64713->64714 64735 49b2e1 EnterCriticalSection 64714->64735 64716 4a26c6 64736 4a2718 64716->64736 64718 4a26d3 64740 4a26f1 64718->64740 64721 4a2897 64773 4a290a 64721->64773 64723 4a28a1 64724 4a28b5 64723->64724 64725 4a28a5 GetCurrentProcess TerminateProcess 64723->64725 64726 4a2923 __purecall 3 API calls 64724->64726 64725->64724 64727 4a28bd ExitProcess 64726->64727 64728->64707 64730 4a2962 GetProcAddress 64729->64730 64731 4a2983 64729->64731 64730->64731 64732 4a2976 64730->64732 64733 4a2989 FreeLibrary 64731->64733 64734 4a283e 64731->64734 64732->64731 64733->64734 64734->64702 64735->64716 64737 4a2724 __FrameHandler3::FrameUnwindToState __purecall 64736->64737 64739 4a2788 __purecall 64737->64739 64743 4a8d62 64737->64743 64739->64718 64772 49b329 LeaveCriticalSection 64740->64772 64742 4a26df 64742->64708 64742->64721 64744 4a8d6e __EH_prolog3 64743->64744 64747 4a8aba 64744->64747 64746 4a8d95 __purecall 64746->64739 64748 4a8ac6 __FrameHandler3::FrameUnwindToState 64747->64748 64755 49b2e1 EnterCriticalSection 64748->64755 64750 4a8ad4 64756 4a8c72 64750->64756 64754 4a8af2 64754->64746 64755->64750 64758 4a8ae1 64756->64758 64759 4a8c91 64756->64759 64757 4a8d1f 64757->64758 64760 49c0bd ___free_lconv_mon 14 API calls 64757->64760 64762 4a8b09 LeaveCriticalSection std::_Lockit::~_Lockit 64758->64762 64759->64757 64759->64758 64763 4cee50 64759->64763 64760->64758 64762->64754 64764 44d3b0 41 API calls 64763->64764 64765 4cee99 64764->64765 64766 44cfd0 41 API calls 64765->64766 64767 4ceeb2 64766->64767 64768 44cfd0 41 API calls 64767->64768 64769 4ceecb 64768->64769 64770 44cfd0 41 API calls 64769->64770 64771 4ceeea 64770->64771 64771->64759 64772->64742 64776 4a6ed5 5 API calls __purecall 64773->64776 64775 4a290f __purecall 64775->64723 64776->64775 64777 44a0b0 64778 44a0bc 64777->64778 64779 44a0c7 64778->64779 64781 449e50 43 API calls 64778->64781 64780 44a0d4 64781->64780 64782 470ef0 64783 4385b0 53 API calls 64782->64783 64784 470f74 64783->64784 64785 4385b0 53 API calls 64784->64785 64787 4717ff 64785->64787 64786 471c5b 64788 4abbf5 _ValidateLocalCookies 5 API calls 64786->64788 64787->64786 64790 44e320 41 API calls 64787->64790 64789 471c72 64788->64789 64791 471873 64790->64791 64792 436ee0 47 API calls 64791->64792 64793 47188f 64792->64793 64867 4735e0 64793->64867 64796 44d060 41 API calls 64797 4718b3 64796->64797 64798 44cfd0 41 API calls 64797->64798 64799 4718d9 64798->64799 64800 481830 125 API calls 64799->64800 64801 4718e7 64800->64801 64802 471c37 64801->64802 64804 44cd00 41 API calls 64801->64804 64803 471c49 64802->64803 64805 44d060 41 API calls 64802->64805 64807 44d060 41 API calls 64803->64807 64806 471908 64804->64806 64805->64803 64808 44d3b0 41 API calls 64806->64808 64807->64786 64809 47194e 64808->64809 64810 4abc08 std::_Facet_Register 41 API calls 64809->64810 64811 471964 64810->64811 64812 44bad0 41 API calls 64811->64812 64813 471984 64812->64813 64814 4517f0 41 API calls 64813->64814 64815 4719d0 64814->64815 64816 44a980 41 API calls 64815->64816 64817 4719e0 64816->64817 64818 44d3b0 41 API calls 64817->64818 64819 471a2f 64818->64819 64819->64802 64820 471c9c 64819->64820 64821 4368a0 RaiseException 64820->64821 64822 471ca1 64821->64822 64823 44e320 41 API calls 64822->64823 64824 471d45 64823->64824 64825 436ee0 47 API calls 64824->64825 64826 471d61 64825->64826 64827 44cfd0 41 API calls 64826->64827 64828 471d88 64827->64828 64829 44eaf0 44 API calls 64828->64829 64830 472133 64829->64830 64831 437150 41 API calls 64830->64831 64832 47214e 64831->64832 64833 44cfd0 41 API calls 64832->64833 64834 472161 64833->64834 64835 44ba90 41 API calls 64834->64835 64836 472348 64835->64836 64837 45d680 44 API calls 64836->64837 64838 47238c 64837->64838 64839 437150 41 API calls 64838->64839 64840 4723c3 64839->64840 64841 481110 125 API calls 64840->64841 64842 4723d7 64841->64842 64843 44cfd0 41 API calls 64842->64843 64844 4723ea 64843->64844 64845 44cfd0 41 API calls 64844->64845 64846 4723fd 64845->64846 64871 449510 52 API calls 64846->64871 64848 4727e0 64849 472dc5 64848->64849 64872 4384a0 64848->64872 64852 438f80 41 API calls 64849->64852 64854 472de3 64852->64854 64853 472e47 64856 4368a0 RaiseException 64853->64856 64855 44d060 41 API calls 64854->64855 64858 472def 64855->64858 64857 472e4c 64856->64857 64859 437c30 46 API calls 64857->64859 64860 44cfd0 41 API calls 64858->64860 64861 472e60 64859->64861 64862 472e02 64860->64862 64863 44d060 41 API calls 64862->64863 64864 472e29 64863->64864 64865 4abbf5 _ValidateLocalCookies 5 API calls 64864->64865 64866 472e40 64865->64866 64868 47361a 64867->64868 64869 4740f0 44 API calls 64868->64869 64870 4718a1 64869->64870 64870->64796 64871->64848 64873 4385b0 53 API calls 64872->64873 64874 4384bc 64873->64874 64875 4384dc 64874->64875 64876 4384f7 64874->64876 64877 4abbf5 _ValidateLocalCookies 5 API calls 64875->64877 64878 437c30 46 API calls 64876->64878 64879 4384ed 64877->64879 64880 438505 64878->64880 64879->64849 64879->64853 64881 4865d0 64912 47fd70 64881->64912 64884 48689b 64919 47fb50 64884->64919 64885 48666c 64890 44e320 41 API calls 64885->64890 64893 4866cf 64890->64893 64895 44cfd0 41 API calls 64893->64895 64897 486715 GetVolumeInformationW 64895->64897 64898 44cfd0 41 API calls 64897->64898 64900 486778 __fread_nolock 64898->64900 64899 48677c 64901 4abbf5 _ValidateLocalCookies 5 API calls 64899->64901 64900->64899 64926 47b120 52 API calls 64900->64926 64902 486894 64901->64902 64904 4867c5 64927 47b1e0 50 API calls 64904->64927 64906 4867fa 64907 448cc0 41 API calls 64906->64907 64908 48680c 64907->64908 64909 44d060 41 API calls 64908->64909 64910 48686c 64909->64910 64911 447920 41 API calls 64910->64911 64911->64899 64913 47fe28 64912->64913 64917 47fe0c 64912->64917 64913->64917 64932 451cf0 41 API calls 2 library calls 64913->64932 64918 47ff2c 64917->64918 64928 4b8517 GetCurrentDirectoryW 64917->64928 64933 451cf0 41 API calls 2 library calls 64917->64933 64918->64884 64918->64885 64920 44ba90 41 API calls 64919->64920 64921 47fb9d 64920->64921 64934 437450 41 API calls 64921->64934 64923 47fbb5 64935 4afa0c RaiseException 64923->64935 64925 47fbc6 64926->64904 64927->64906 64929 4b852d 64928->64929 64930 4b8536 GetLastError 64928->64930 64929->64930 64931 4b8532 64929->64931 64930->64931 64931->64917 64932->64917 64933->64917 64934->64923 64935->64925 64936 4bb697 64941 4bb3a9 64936->64941 64939 4bb6d6 64946 4bb3d7 64941->64946 64942 4bb527 64947 4bb532 64942->64947 64959 4950d4 14 API calls __dosmaperr 64942->64959 64944 4bb602 64960 497d29 41 API calls __wsopen_s 64944->64960 64946->64942 64956 4a92c0 42 API calls 2 library calls 64946->64956 64947->64939 64953 4bc8a4 64947->64953 64949 4bb58f 64949->64942 64957 4a92c0 42 API calls 2 library calls 64949->64957 64951 4bb5ad 64951->64942 64958 4a92c0 42 API calls 2 library calls 64951->64958 64961 4bbeff 64953->64961 64956->64949 64957->64951 64958->64942 64959->64944 64960->64947 64962 4bbf0b __FrameHandler3::FrameUnwindToState 64961->64962 64963 4bbf12 64962->64963 64966 4bbf3d 64962->64966 65018 4950d4 14 API calls __dosmaperr 64963->65018 64965 4bbf17 65019 497d29 41 API calls __wsopen_s 64965->65019 64972 4bc57a 64966->64972 64971 4bbf21 64971->64939 64973 4bc597 64972->64973 64974 4bc5ac 64973->64974 64975 4bc5c5 64973->64975 65035 4950c1 14 API calls __dosmaperr 64974->65035 65021 4a2f56 64975->65021 64979 4bc5b1 65036 4950d4 14 API calls __dosmaperr 64979->65036 64980 4bc5ea 65034 4bc233 CreateFileW 64980->65034 64981 4bc5d3 65037 4950c1 14 API calls __dosmaperr 64981->65037 64985 4bbf61 65020 4bbf94 LeaveCriticalSection __wsopen_s 64985->65020 64986 4bc5d8 65038 4950d4 14 API calls __dosmaperr 64986->65038 64988 4bc6a0 GetFileType 64989 4bc6ab GetLastError 64988->64989 64990 4bc6f2 64988->64990 65041 49507a 14 API calls __dosmaperr 64989->65041 65043 4a2e9e 15 API calls 2 library calls 64990->65043 64991 4bc675 GetLastError 65040 49507a 14 API calls __dosmaperr 64991->65040 64992 4bc623 64992->64988 64992->64991 65039 4bc233 CreateFileW 64992->65039 64996 4bc6b9 CloseHandle 64996->64979 64999 4bc6e2 64996->64999 64998 4bc668 64998->64988 64998->64991 65042 4950d4 14 API calls __dosmaperr 64999->65042 65000 4bc713 65002 4bc75f 65000->65002 65044 4bc442 75 API calls 3 library calls 65000->65044 65007 4bc766 65002->65007 65046 4bbfdd 75 API calls 4 library calls 65002->65046 65003 4bc6e7 65003->64979 65006 4bc794 65006->65007 65008 4bc7a2 65006->65008 65045 49c22b 44 API calls __wsopen_s 65007->65045 65008->64985 65010 4bc81e CloseHandle 65008->65010 65047 4bc233 CreateFileW 65010->65047 65012 4bc849 65013 4bc853 GetLastError 65012->65013 65017 4bc87f 65012->65017 65048 49507a 14 API calls __dosmaperr 65013->65048 65015 4bc85f 65049 4a3069 15 API calls 2 library calls 65015->65049 65017->64985 65018->64965 65019->64971 65020->64971 65022 4a2f62 __FrameHandler3::FrameUnwindToState 65021->65022 65050 49b2e1 EnterCriticalSection 65022->65050 65024 4a2fb0 65051 4a3060 65024->65051 65025 4a2f8e 65028 4a2d2d __wsopen_s 15 API calls 65025->65028 65026 4a2f69 65026->65024 65026->65025 65031 4a2ffd EnterCriticalSection 65026->65031 65030 4a2f93 65028->65030 65030->65024 65054 4a2e7b EnterCriticalSection 65030->65054 65031->65024 65032 4a300a LeaveCriticalSection 65031->65032 65032->65026 65034->64992 65035->64979 65036->64985 65037->64986 65038->64979 65039->64998 65040->64979 65041->64996 65042->65003 65043->65000 65044->65002 65045->64985 65046->65006 65047->65012 65048->65015 65049->65017 65050->65026 65055 49b329 LeaveCriticalSection 65051->65055 65053 4a2fd0 65053->64980 65053->64981 65054->65024 65055->65053 65056 48db16 65057 48db1e 65056->65057 65058 48e1c0 46 API calls 65057->65058 65059 48db2a 65058->65059 65060 4abbf5 _ValidateLocalCookies 5 API calls 65059->65060 65061 48e0d0 65060->65061

                                                                                            Executed Functions

                                                                                            Function 00485F00 Relevance: 31.7, APIs: 21, Instructions: 205windowCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • KiUserCallbackDispatcher.NTDLL(0000004C), ref: 00485F72
                                                                                            • GetSystemMetrics.USER32(0000004D), ref: 00485F7C
                                                                                            • GetSystemMetrics.USER32(0000004E), ref: 00485F86
                                                                                            • GetSystemMetrics.USER32(0000004F), ref: 00485F90
                                                                                            • GetDC.USER32(00000000), ref: 00485F9A
                                                                                            • GetDeviceCaps.GDI32(00000000,00000008), ref: 00485FAF
                                                                                            • GetDeviceCaps.GDI32(?,0000000A), ref: 00485FBB
                                                                                            • CreateCompatibleDC.GDI32(?), ref: 00485FC5
                                                                                            • CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 00485FDA
                                                                                            • SelectObject.GDI32(?,00000000), ref: 00485FEE
                                                                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,40CC0020), ref: 0048601D
                                                                                            • SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 0048604F
                                                                                            • DeleteDC.GDI32(?), ref: 0048606E
                                                                                            • ReleaseDC.USER32(00000000,?), ref: 00486077
                                                                                            • DeleteObject.GDI32(?), ref: 00486083
                                                                                            • IStream_Size.SHLWAPI(?,?,?), ref: 004860F5
                                                                                            • IStream_Reset.SHLWAPI(?), ref: 00486104
                                                                                            • IStream_Read.SHLWAPI(?,00000000,?,?), ref: 0048611E
                                                                                            • DeleteDC.GDI32(?), ref: 00486175
                                                                                            • ReleaseDC.USER32(00000000,?), ref: 00486183
                                                                                            • DeleteObject.GDI32(?), ref: 0048618F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Delete$CreateMetricsObjectStream_System$CapsCompatibleDeviceRelease$BitmapCallbackDispatcherReadResetSelectSizeStreamUser
                                                                                            • String ID:
                                                                                            • API String ID: 2798906502-0
                                                                                            • Opcode ID: 99dc10b740a5f021b41c68854b237c0d4245f8800150c2945631f9edaba6f951
                                                                                            • Instruction ID: 1540f068b23de5c11a4fec01122546931e44dbb37a8a944e45ab45a1281bc334
                                                                                            • Opcode Fuzzy Hash: 99dc10b740a5f021b41c68854b237c0d4245f8800150c2945631f9edaba6f951
                                                                                            • Instruction Fuzzy Hash: F4812971C01218AFDB11EB64DC49BEDBBB8EF09314F1041AAE509B7291DB742E84CF99
                                                                                            Function 00488400 Relevance: 27.7, APIs: 5, Strings: 10, Instructions: 1461COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 37 488400-488efa call 486990 call 4868b0 call 486c50 call 4863f0 call 4864e0 call 488190 call 486250 call 4517f0 call 44a980 call 44d3b0 call 4abc08 call 44bad0 call 4517f0 call 44a980 call 44d3b0 call 4517f0 call 44a980 call 44d3b0 call 4abc08 call 44bad0 call 4517f0 call 44a980 call 44d3b0 call 4517f0 call 44a980 call 44d3b0 call 4abc08 call 44bad0 call 4517f0 call 44a980 call 44d3b0 call 4517f0 call 44a980 call 44d3b0 call 4abc08 call 44bad0 call 4517f0 call 44a980 call 44d3b0 GlobalMemoryStatusEx call 4bcea0 call 4517f0 call 44a980 call 44d3b0 call 4517f0 call 44a980 call 44d3b0 call 4517f0 call 44a980 call 44d3b0 call 4abc08 call 44bad0 call 4517f0 call 44a980 call 44d3b0 call 4517f0 call 44a980 call 44d3b0 call 4abc08 call 44bad0 156 488f01-488f06 37->156 156->156 157 488f08-48908f call 4517f0 call 44a980 call 44d3b0 call 4517f0 call 44a980 call 485f00 156->157 170 489091 157->170 171 489093-4890ec call 44e890 call 44ed10 157->171 170->171 176 4890f0-4890f5 171->176 176->176 177 4890f7-48945b call 4517f0 call 44a980 call 44d3b0 call 44d060 * 2 call 4517f0 call 44a980 GetDesktopWindow GetWindowRect call 47fa30 * 2 call 44e220 call 48f1f0 call 44d060 * 3 call 44ed10 176->177 208 489462-489467 177->208 208->208 209 489469-489590 call 4517f0 call 44a980 call 44d3b0 call 44d060 call 4517f0 call 44a980 call 497ec8 call 4988eb call 498c76 208->209 228 489597-48959c 209->228 228->228 229 48959e-4897c4 call 4517f0 call 44ed10 call 4517f0 call 44a980 call 44d3b0 call 44d060 call 4517f0 call 44a980 call 4ade50 GetModuleFileNameA 228->229 248 4897c7-4897cc 229->248 248->248 249 4897ce-48986b call 4517f0 call 44e890 call 44ed10 248->249 256 489870-489875 249->256 256->256 257 489877-489975 call 4517f0 call 44a980 call 44d3b0 call 44d060 * 2 call 4517f0 call 44a980 call 487780 256->257 274 489979-489bdc call 44e890 call 44ed10 call 4517f0 call 44a980 call 44d3b0 call 44d060 * 2 call 4517f0 call 44a980 call 44e890 call 44ed10 257->274 275 489977 257->275 298 489be0-489be5 274->298 275->274 298->298 299 489be7-489c9a call 4517f0 call 44a980 call 44d3b0 call 44d060 298->299 308 489ca0-489dcd call 4517f0 call 44a980 call 44d3b0 call 4abc08 call 44bad0 call 4517f0 call 44a980 299->308 309 489dd2-489e7d call 4517f0 call 44a980 call 44ca70 call 4517f0 call 44a980 299->309 330 489e83-489f21 call 44d3b0 call 44d060 * 7 call 4abbf5 308->330 309->330
                                                                                            APIs
                                                                                              • Part of subcall function 00486990: EnumDisplayDevicesW.USER32(00000000,00000000,00000348,00000001), ref: 00486A68
                                                                                              • Part of subcall function 00486990: EnumDisplayDevicesW.USER32(00000000,00000001,00000348,00000001), ref: 00486ABD
                                                                                              • Part of subcall function 004868B0: RegGetValueA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,ProductName,00000002,00000000,?,?), ref: 00486916
                                                                                              • Part of subcall function 004863F0: GetUserNameW.ADVAPI32(?,?), ref: 00486464
                                                                                              • Part of subcall function 004864E0: GetComputerNameW.KERNEL32(?,?), ref: 00486554
                                                                                              • Part of subcall function 004517F0: Concurrency::cancel_current_task.LIBCPMT ref: 004518C2
                                                                                              • Part of subcall function 0044BAD0: Concurrency::cancel_current_task.LIBCPMT ref: 0044BBB3
                                                                                            • GlobalMemoryStatusEx.KERNEL32(?,00000003), ref: 00488A6C
                                                                                            • GetDesktopWindow.USER32 ref: 0048936A
                                                                                            • GetWindowRect.USER32(00000000), ref: 00489371
                                                                                            • _strftime.LIBCMT ref: 0048956B
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,system,00000006), ref: 0048979A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$Concurrency::cancel_current_taskDevicesDisplayEnumWindow$ComputerDesktopFileGlobalMemoryModuleRectStatusUserValue_strftime
                                                                                            • String ID: %d-%m-%Y, %H:%M:%S$>wfw$computer_name$cpu$gpu$ram$system$time$timezone$user_name
                                                                                            • API String ID: 3994675093-2215247992
                                                                                            • Opcode ID: 780eb4c071b8c58362fb5c4d0a213da67d6cb8a55b1d61346fd39ba53df65c40
                                                                                            • Instruction ID: 1ab1bce1cb2369babe93dc2c843a9f66333b387f055d73d8335e63cf3a34051b
                                                                                            • Opcode Fuzzy Hash: 780eb4c071b8c58362fb5c4d0a213da67d6cb8a55b1d61346fd39ba53df65c40
                                                                                            • Instruction Fuzzy Hash: FC037970C052A99BDB26DF28C8547DDBBB1AF19308F2482DEE44867242DB751F85CF92
                                                                                            Function 0047E240 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 199synchronizationCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32(00000008,00000000,5A06260C), ref: 0047E2A3
                                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 0047E2AA
                                                                                            • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,00000004), ref: 0047E2CE
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0047E2F3
                                                                                            • ExitProcess.KERNEL32 ref: 0047E32D
                                                                                            • OpenMutexA.KERNEL32(001F0001,00000000,?), ref: 0047E411
                                                                                            • ExitProcess.KERNEL32 ref: 0047E420
                                                                                            • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 0047E436
                                                                                            • ExitProcess.KERNEL32 ref: 0047E457
                                                                                            • ReleaseMutex.KERNEL32(00000000), ref: 0047E525
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0047E52C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Process$ExitMutex$CloseHandleOpenToken$CreateCurrentInformationRelease
                                                                                            • String ID: SeDebugPrivilege$SeImpersonatePrivilege
                                                                                            • API String ID: 1905835197-3768118664
                                                                                            • Opcode ID: 1304b057001cb0e859eaf618cd2e17930212c1f0f1b5904f04536edf5095bcb9
                                                                                            • Instruction ID: e600725b129d9e3f70f3f4d3925b8df88ff981f4a24a656009bcaac003b6a44b
                                                                                            • Opcode Fuzzy Hash: 1304b057001cb0e859eaf618cd2e17930212c1f0f1b5904f04536edf5095bcb9
                                                                                            • Instruction Fuzzy Hash: 80817F70D01258EFDB00EFE6D9457DDBBB4EF08308F10815EE51AA7281DB785A05DB69
                                                                                            Function 00446400 Relevance: 20.1, APIs: 8, Strings: 3, Instructions: 833libraryloaderCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 435 446400-44650e LoadLibraryA 436 446514-446a39 GetProcAddress * 6 435->436 437 44738b-447390 435->437 438 447385 436->438 439 446a3f-446a46 436->439 440 447392-447395 437->440 441 44739c-44739e 437->441 438->437 439->438 442 446a4c-446a53 439->442 440->441 443 4473a7-4473c4 call 4abbf5 441->443 444 4473a0-4473a1 FreeLibrary 441->444 442->438 445 446a59-446a60 442->445 444->443 445->438 448 446a66-446a68 445->448 448->438 450 446a6e-446a70 448->450 450->438 451 446a76-446a84 450->451 451->438 453 446a8a-446a95 451->453 453->438 454 446a9b-446a9d 453->454 455 446aa3-446aba 454->455 457 447366-44737f 455->457 458 446ac0-446ade 455->458 457->438 457->455 458->457 460 446ae4-446aed 458->460 461 447352-44735a 460->461 462 446af3-446b06 460->462 461->457 463 446b10-446b54 call 4abc08 462->463 467 446d5e-446d62 463->467 468 446b5a-446b5f 463->468 470 446f6e-446f9d 467->470 471 446d68-446d6d 467->471 468->467 469 446b65-446c5d call 47a340 468->469 479 446c60-446c65 469->479 477 4471c6-4471cd 470->477 478 446fa3-446fae 470->478 471->470 473 446d73-446e6b call 47a340 471->473 483 446e70-446e75 473->483 481 447302-447340 call 452630 call 4abfa3 477->481 482 4471d3-4472fc call 4517f0 call 44a980 call 4517f0 call 44a980 call 44d3b0 call 4abc08 call 46b040 call 44a850 call 44d3b0 477->482 484 446fb4-446fb9 478->484 485 4471bb-4471bd 478->485 479->479 486 446c67-446d58 call 4517f0 call 44e890 call 44ed10 call 4503c0 call 44d3b0 call 44d060 * 3 479->486 481->463 510 447346-44734c 481->510 482->481 483->483 488 446e77-446f68 call 4517f0 call 44e890 call 44ed10 call 4503c0 call 44d3b0 call 44d060 * 3 483->488 484->485 490 446fbf-4470ad call 47a340 484->490 485->477 492 4471bf 485->492 486->467 488->470 506 4470b7-4470bc 490->506 492->477 506->506 511 4470be-4471b5 call 4517f0 call 44e890 call 44ed10 call 4503c0 call 44d3b0 call 44d060 * 3 506->511 510->461 511->485
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(?,5A06260C), ref: 004464FE
                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0044664C
                                                                                            • GetProcAddress.KERNEL32(?,?), ref: 0044678C
                                                                                            • GetProcAddress.KERNEL32(?,?), ref: 00446831
                                                                                            • GetProcAddress.KERNEL32(?,?), ref: 004468D6
                                                                                            • GetProcAddress.KERNEL32(?,?), ref: 0044697B
                                                                                            • GetProcAddress.KERNEL32(?,?), ref: 00446A27
                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 004473A1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressProc$Library$FreeLoad
                                                                                            • String ID: system$vault$!F
                                                                                            • API String ID: 2449869053-2452413646
                                                                                            • Opcode ID: e0fea6c89a0f53085211ecf823e563bfcd2fd38e707c4234fd3e69986002ee46
                                                                                            • Instruction ID: b3fd50756066dde9c2bcdca3b11f87412f5b17b86e41c1a20d378922be8368ac
                                                                                            • Opcode Fuzzy Hash: e0fea6c89a0f53085211ecf823e563bfcd2fd38e707c4234fd3e69986002ee46
                                                                                            • Instruction Fuzzy Hash: 2CA2DFB4D0426D8BDB25CFA8C884BEEBBB1BF59304F1081DAD948B7251DB385A85CF54
                                                                                            Function 00485840 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 364networkfileCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1601 485840-485a7a 1602 485a84-485a89 1601->1602 1602->1602 1603 485a8b-485ac7 call 4517f0 InternetOpenA 1602->1603 1606 485ac9-485aeb 1603->1606 1607 485af0-485b0f 1603->1607 1608 485e01-485e2f call 44d060 call 4abbf5 1606->1608 1609 485b11 1607->1609 1610 485b13-485b37 InternetOpenUrlA 1607->1610 1609->1610 1611 485b39-485b58 1610->1611 1612 485b5d-485b87 HttpQueryInfoW 1610->1612 1614 485df4-485df8 1611->1614 1615 485b89-485ba8 1612->1615 1616 485bad-485c15 call 4ade50 HttpQueryInfoW 1612->1616 1614->1608 1618 485de9-485dee InternetCloseHandle 1615->1618 1623 485c46-485c57 InternetQueryDataAvailable 1616->1623 1624 485c17-485c2a call 4949e3 1616->1624 1618->1614 1626 485d8a-485de4 call 44d060 1623->1626 1627 485c5d-485c5f 1623->1627 1624->1623 1633 485c2c-485c40 call 4516d0 1624->1633 1626->1618 1630 485c60-485c6b 1627->1630 1631 485d81 1630->1631 1632 485c71-485ce8 call 465e90 call 4ade50 InternetReadFile 1630->1632 1635 485d84 1631->1635 1641 485cee-485cf3 1632->1641 1642 485d73-485d7f call 454ec0 1632->1642 1633->1623 1635->1626 1644 485d70 1641->1644 1645 485cf5-485d05 1641->1645 1642->1635 1644->1642 1647 485d31-485d3e call 4520f0 1645->1647 1648 485d07-485d2f call 4ad8d0 1645->1648 1652 485d43-485d63 call 454ec0 InternetQueryDataAvailable 1647->1652 1648->1652 1652->1635 1655 485d65-485d6b 1652->1655 1655->1630
                                                                                            APIs
                                                                                            • InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00485AB8
                                                                                            • InternetOpenUrlA.WININET(00000000,?,?,00000000,84880100,00000000), ref: 00485B23
                                                                                            • HttpQueryInfoW.WININET(00000000,00000013,?,?,00000000), ref: 00485B7C
                                                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,00000040,00000000), ref: 00485C0D
                                                                                            • InternetQueryDataAvailable.WININET(00000000,?,00000000,00000000), ref: 00485C4F
                                                                                            • InternetReadFile.WININET(00000000,00000000,?,0B911A77), ref: 00485CE0
                                                                                            • InternetCloseHandle.WININET(00000000), ref: 00485DEE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Internet$Query$HttpInfoOpen$AvailableCloseDataFileHandleRead
                                                                                            • String ID: dk{u
                                                                                            • API String ID: 1359475806-1025949191
                                                                                            • Opcode ID: 27b0cd3a0b6fc00430f0ab845b11a26261cda9ec311c293bfde6673f79c1c1f5
                                                                                            • Instruction ID: 61ea4010c365d261526b7633df9a1f3866779007c1279ae13805143fd257e1b9
                                                                                            • Opcode Fuzzy Hash: 27b0cd3a0b6fc00430f0ab845b11a26261cda9ec311c293bfde6673f79c1c1f5
                                                                                            • Instruction Fuzzy Hash: 320203B0D057599BDB20CFA4C944BDDBBB5BF19304F20819AE848BB241EB746A84CF95
                                                                                            Function 004B8545 Relevance: 15.2, APIs: 10, Instructions: 200fileCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1656 4b8545-4b857a 1657 4b858d-4b8596 1656->1657 1658 4b857c-4b8583 1656->1658 1660 4b8598-4b859b 1657->1660 1661 4b85b0-4b85b2 1657->1661 1658->1657 1659 4b8585-4b8588 1658->1659 1662 4b87a0-4b87ae call 4abbf5 1659->1662 1660->1661 1663 4b859d-4b85a4 1660->1663 1664 4b85b8-4b85bb 1661->1664 1665 4b879e 1661->1665 1666 4b85aa-4b85ad 1663->1666 1667 4b85a6-4b85a8 1663->1667 1668 4b85c1-4b85c4 1664->1668 1669 4b86b4-4b86e1 call 4b8827 1664->1669 1665->1662 1666->1661 1667->1661 1667->1666 1672 4b85d6-4b85e5 GetFileAttributesExW 1668->1672 1673 4b85c6-4b85cc 1668->1673 1680 4b86ea-4b86ed 1669->1680 1681 4b86e3-4b86e5 1669->1681 1677 4b864d-4b8668 1672->1677 1678 4b85e7-4b85f0 GetLastError 1672->1678 1673->1672 1676 4b85ce-4b85d0 1673->1676 1676->1669 1676->1672 1679 4b866e-4b8676 1677->1679 1678->1662 1682 4b85f6-4b8607 FindFirstFileW 1678->1682 1683 4b8678-4b867f 1679->1683 1684 4b8681-4b86a8 1679->1684 1686 4b86ef-4b8700 GetFileInformationByHandleEx 1680->1686 1687 4b875c-4b875f 1680->1687 1685 4b8794-4b879c call 4b830c 1681->1685 1688 4b8609-4b860f GetLastError 1682->1688 1689 4b8614-4b864b FindClose 1682->1689 1683->1684 1690 4b86ae 1683->1690 1684->1665 1684->1690 1685->1662 1694 4b870f-4b872a 1686->1694 1695 4b8702-4b870a GetLastError 1686->1695 1691 4b8789-4b878b 1687->1691 1692 4b8761-4b8772 GetFileInformationByHandleEx 1687->1692 1688->1662 1689->1679 1690->1669 1697 4b878d-4b878f 1691->1697 1698 4b8791-4b8793 1691->1698 1692->1695 1696 4b8774-4b8786 1692->1696 1694->1687 1700 4b872c-4b8732 1694->1700 1695->1685 1696->1691 1697->1685 1698->1685 1701 4b8755 1700->1701 1702 4b8734-4b8748 GetFileInformationByHandleEx 1700->1702 1703 4b8759 1701->1703 1702->1695 1704 4b874a-4b8753 1702->1704 1703->1687 1704->1703
                                                                                            APIs
                                                                                            • GetFileAttributesExW.KERNEL32(000000FF,00000000,?,00000001,?,?), ref: 004B85DD
                                                                                            • GetLastError.KERNEL32 ref: 004B85E7
                                                                                            • FindFirstFileW.KERNEL32(000000FF,?), ref: 004B85FE
                                                                                            • GetLastError.KERNEL32 ref: 004B8609
                                                                                            • FindClose.KERNEL32(00000000), ref: 004B8615
                                                                                            • ___std_fs_open_handle@16.LIBCPMT ref: 004B86CE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileFindLast$AttributesCloseFirst___std_fs_open_handle@16
                                                                                            • String ID:
                                                                                            • API String ID: 2340820627-0
                                                                                            • Opcode ID: 26e86fa6e15967cd6674ed6e37e588395ab66286ab2511015f361a3ca517eeda
                                                                                            • Instruction ID: b482ff722bd6c6e5562e69f300935f677b27db246a655513dfd80cbad8c50a56
                                                                                            • Opcode Fuzzy Hash: 26e86fa6e15967cd6674ed6e37e588395ab66286ab2511015f361a3ca517eeda
                                                                                            • Instruction Fuzzy Hash: 6271A174A01619AFCB60CF28DC84BEAB7B8BF15314F24466AE854E3380DF389D41CB65
                                                                                            Function 0048CB50 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 92COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1944 48cb50-48cbae 1945 48cbb0-48cbb9 1944->1945 1945->1945 1946 48cbbb-48cbd0 GetCurrentProcess OpenProcessToken 1945->1946 1947 48cc1d 1946->1947 1948 48cbd2-48cbe7 LookupPrivilegeValueW 1946->1948 1949 48cc1f-48cc2b 1947->1949 1948->1947 1950 48cbe9-48cc1b AdjustTokenPrivileges 1948->1950 1951 48cc2d-48cc34 CloseHandle 1949->1951 1952 48cc37-48cc54 call 4abbf5 1949->1952 1950->1949 1951->1952
                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32(00000028,5A06260C,5A06260C,00000000,00000000), ref: 0048CBC1
                                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 0048CBC8
                                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0048CBDF
                                                                                            • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000), ref: 0048CC10
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0048CC2E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
                                                                                            • String ID: SeDebugPrivilege
                                                                                            • API String ID: 3038321057-2896544425
                                                                                            • Opcode ID: 0de4daaceb39ec4f5814627b6f1dd40d7c5fb6c13739ccbd22e93afb17c114b7
                                                                                            • Instruction ID: c2b5bf8999928723eaabf61e86e1a0babf1022b92d12b441156265fc3f808218
                                                                                            • Opcode Fuzzy Hash: 0de4daaceb39ec4f5814627b6f1dd40d7c5fb6c13739ccbd22e93afb17c114b7
                                                                                            • Instruction Fuzzy Hash: 4631A471D01208AFDB10DFA5DD85BEEBBB8EB09710F14422BE911B7280DB745A44CBB5
                                                                                            Function 004473D0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 301processCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,5A06260C), ref: 0044741C
                                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 00447468
                                                                                            • Process32NextW.KERNEL32(?,0000022C), ref: 004475CD
                                                                                            • CloseHandle.KERNEL32(?), ref: 004478D2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                            • String ID: [PID:
                                                                                            • API String ID: 420147892-2210602247
                                                                                            • Opcode ID: b80ddb96a06b86526d9d0c7726fb66be9f86ed69261ab88760f474c273869731
                                                                                            • Instruction ID: 3632983ffbfa210010dfb9a713b5006bf5dbac80d679a8e5b8b4f374b17b9b69
                                                                                            • Opcode Fuzzy Hash: b80ddb96a06b86526d9d0c7726fb66be9f86ed69261ab88760f474c273869731
                                                                                            • Instruction Fuzzy Hash: 0AE14770D112689BDB2ADF24CC807AEBBB9BF59304F1481D9E84867251DB346F89CF45
                                                                                            Function 004402D0 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 333fileCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004403C0
                                                                                            • FindNextFileW.KERNELBASE(00000000,?), ref: 004406F2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: FileFind$FirstNext
                                                                                            • String ID: content$filename
                                                                                            • API String ID: 1690352074-474635906
                                                                                            • Opcode ID: 3df7f202a6b99253f354de22ded639a46978a58fefe962044121c03344fab8ef
                                                                                            • Instruction ID: 3fd07a7a2c97014430c74f1e6d5836f1a3ad12268408335d8deab24a75892f91
                                                                                            • Opcode Fuzzy Hash: 3df7f202a6b99253f354de22ded639a46978a58fefe962044121c03344fab8ef
                                                                                            • Instruction Fuzzy Hash: 2BD1D430D01249DBEB15EB64CD457EEBBB4AF21308F1440AEE505A7292DB785F48CB96
                                                                                            Function 00485350 Relevance: 6.3, APIs: 4, Instructions: 316networkCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • recv.WS2_32(?,00002000,00000000), ref: 004854A4
                                                                                            • recv.WS2_32(?,00000001,00000000), ref: 004857E2
                                                                                            • closesocket.WS2_32(00000254), ref: 004857EE
                                                                                            • WSACleanup.WS2_32 ref: 004857F4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: recv$Cleanupclosesocket
                                                                                            • String ID:
                                                                                            • API String ID: 146070474-0
                                                                                            • Opcode ID: 9e36abc3380925dd93690334c8facdcdb208839f31d4ee637cc8ac082e786f44
                                                                                            • Instruction ID: ea48c0c3f42896101b1dfecbe024c21eb3956ad5c3a4809403442742827d540a
                                                                                            • Opcode Fuzzy Hash: 9e36abc3380925dd93690334c8facdcdb208839f31d4ee637cc8ac082e786f44
                                                                                            • Instruction Fuzzy Hash: 4CE19C70D01298DEDB14EB64CC49BDEBBB2BF14308F1041DAE449AB292DB745E88DF95
                                                                                            Function 00487780 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 515timeCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetTimeZoneInformation.KERNEL32(?,5A06260C,00000000,000000BF), ref: 00487C87
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: InformationTimeZone
                                                                                            • String ID: @Zb=$[UTC
                                                                                            • API String ID: 565725191-730387550
                                                                                            • Opcode ID: ecc325c629874c76bfafec243e908c12f8c02a0cf1ea070a0f793f87ea8e073d
                                                                                            • Instruction ID: 6d71337f0f8cf227c7c56c381cd8fae4285dcd83216f0cb77706b7edbf0b928b
                                                                                            • Opcode Fuzzy Hash: ecc325c629874c76bfafec243e908c12f8c02a0cf1ea070a0f793f87ea8e073d
                                                                                            • Instruction Fuzzy Hash: E0520270D052688BDB25CF28CC947DDBBB1BF59304F1082DAD949AB281DB756B85CF84
                                                                                            Function 004A1074 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 156timeCOMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                              • Part of subcall function 0049C0BD: RtlFreeHeap.NTDLL(00000000,00000000,?,004A4A11,?,00000000,?,?,004A4CB2,?,00000007,?,?,004A3378,?,?), ref: 0049C0D3
                                                                                              • Part of subcall function 0049C0BD: GetLastError.KERNEL32(?,?,004A4A11,?,00000000,?,?,004A4CB2,?,00000007,?,?,004A3378,?,?), ref: 0049C0DE
                                                                                            • GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,004A1227,00000000,00000000,00000000), ref: 004A10E6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFreeHeapInformationLastTimeZone
                                                                                            • String ID: Eastern Standard Time$Eastern Summer Time
                                                                                            • API String ID: 3335090040-239921721
                                                                                            • Opcode ID: cbda99af75327c4c820746f38f84b7f1daa917d9e057987815aac769d108124b
                                                                                            • Instruction ID: 53762b2ebd1cb462dfa51e434dc7c6f7f2cc61e8d19f93444a713380c049c16d
                                                                                            • Opcode Fuzzy Hash: cbda99af75327c4c820746f38f84b7f1daa917d9e057987815aac769d108124b
                                                                                            • Instruction Fuzzy Hash: 73410871C00224ABDB10AF76DC45A9F7BB8EF6A754F10415BF510EB2A1E7349D04DB98
                                                                                            Function 004B84C0 Relevance: 4.5, APIs: 3, Instructions: 35COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • FindClose.KERNEL32(000000FF,?,004B84EE,00000001,?,?,00437D69,?,004BDC4D,00000001,?,?,?,5A06260C,00000001), ref: 004B84CC
                                                                                            • FindFirstFileExW.KERNEL32(000000FF,00000001,5A06260C,00000000,00000000,00000000,00000001,00000001,?,?,004B84EE,00000001,?,?,00437D69,?), ref: 004B84FB
                                                                                            • GetLastError.KERNEL32(?,004B84EE,00000001,?,?,00437D69,?,004BDC4D,00000001,?,?,?,5A06260C,00000001), ref: 004B850D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Find$CloseErrorFileFirstLast
                                                                                            • String ID:
                                                                                            • API String ID: 4020440971-0
                                                                                            • Opcode ID: 6891505d0e316c560b8af891ce29886cce9dd01a211028f8c8b4780eaf2fe176
                                                                                            • Instruction ID: a5a0d7868366c0cca89b591e166bcddb9b03d08ebbd2c2fb18ba3c3c76c3338f
                                                                                            • Opcode Fuzzy Hash: 6891505d0e316c560b8af891ce29886cce9dd01a211028f8c8b4780eaf2fe176
                                                                                            • Instruction Fuzzy Hash: 0AF03071001109BFDB216FA4EC08AAA7B9DEB14360B10862ABD28C55A0EA359961DB79
                                                                                            Function 004479C0 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 647COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                              • Part of subcall function 00487290: RegOpenKeyExA.KERNEL32(80000001,0047F265,00000000,00020019,00000000,5A06260C,?,0051C288), ref: 0048735B
                                                                                              • Part of subcall function 00487290: RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00487397
                                                                                              • Part of subcall function 004870B0: RegOpenKeyExA.KERNEL32(80000001,0051C570,00000000,00020019,00000000,5A06260C,0051C570,0051C2A0), ref: 00487182
                                                                                              • Part of subcall function 004870B0: RegQueryValueExA.KERNEL32(00000000,?,00000000,000F003F,?,00000400), ref: 004871B6
                                                                                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004487A3
                                                                                              • Part of subcall function 004870B0: RegCloseKey.ADVAPI32(00000000), ref: 00487260
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Open$CloseEnumIos_base_dtorQueryValuestd::ios_base::_
                                                                                            • String ID: 0hC
                                                                                            • API String ID: 3553622603-2581318919
                                                                                            • Opcode ID: 180cd1d566063b3f4d1c722b0ef54c63ff5fa531a30de0cc59ed50824c8dd10f
                                                                                            • Instruction ID: d381e0b8d15ce89c3a027b92e8a5ae116750b180a2e65f5cba22683de7249f8f
                                                                                            • Opcode Fuzzy Hash: 180cd1d566063b3f4d1c722b0ef54c63ff5fa531a30de0cc59ed50824c8dd10f
                                                                                            • Instruction Fuzzy Hash: EA82CEB4E152688FEB25CF18C8957DDBBB0BF5A304F5082DAD98DA7241DB305A85CF81
                                                                                            Function 0047A610 Relevance: 3.1, APIs: 2, Instructions: 119encryptionCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0047A678
                                                                                            • LocalFree.KERNEL32(?,00000000), ref: 0047A70F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CryptDataFreeLocalUnprotect
                                                                                            • String ID:
                                                                                            • API String ID: 1561624719-0
                                                                                            • Opcode ID: 23f8f3dfd76d3946956684746ccb5c99c2b1de592e134c678ee3552ffd4f36d7
                                                                                            • Instruction ID: 0fc5e8941a16b16f9458543aa06cdc6e77fe0ca1878954e15eaf8ff6be4b297f
                                                                                            • Opcode Fuzzy Hash: 23f8f3dfd76d3946956684746ccb5c99c2b1de592e134c678ee3552ffd4f36d7
                                                                                            • Instruction Fuzzy Hash: 86518B70C00249EBEB00DFA5D845BDEFBB4FF54708F14821AE81477281D7B96A98CBA5
                                                                                            Function 00487550 Relevance: 1.6, APIs: 1, Instructions: 133COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetLogicalDriveStringsW.KERNEL32(00000104,?,5A06260C), ref: 00487605
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: DriveLogicalStrings
                                                                                            • String ID:
                                                                                            • API String ID: 2022863570-0
                                                                                            • Opcode ID: af7986355f76353f56621d05ed0878166b8efb0a331a21fa16df84ccda1fe4cc
                                                                                            • Instruction ID: 0be71067b94349f3b163f10fc7865c9901b3f86c171c2f757c76e38bbf7f7ec5
                                                                                            • Opcode Fuzzy Hash: af7986355f76353f56621d05ed0878166b8efb0a331a21fa16df84ccda1fe4cc
                                                                                            • Instruction Fuzzy Hash: 3351BD70C05318DBDB20DF64D85979EB7B0EF18304F1082DED409A7291EBB86A88CB95
                                                                                            Function 004863F0 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetUserNameW.ADVAPI32(?,?), ref: 00486464
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: NameUser
                                                                                            • String ID:
                                                                                            • API String ID: 2645101109-0
                                                                                            • Opcode ID: f4ed9f5e37941df1e9ba9867385f1ec3f0cb7986d12087e88cefc21d8231c34a
                                                                                            • Instruction ID: 991b9e5c4f1dd7985d860474454b41f109cd49006b683c09ab2e27c6457cb47f
                                                                                            • Opcode Fuzzy Hash: f4ed9f5e37941df1e9ba9867385f1ec3f0cb7986d12087e88cefc21d8231c34a
                                                                                            • Instruction Fuzzy Hash: AF217FB0D043189BD721DF15C844B9ABBF4FB08714F0046AEE84997380DBB9A6849BE5
                                                                                            Function 00486C50 Relevance: 1.4, Strings: 1, Instructions: 198COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: cores
                                                                                            • API String ID: 0-2370456839
                                                                                            • Opcode ID: 7caecc748150b05fedb2737b290fa2d10d67063e027dfbdfaad7aac65fe8cbf0
                                                                                            • Instruction ID: e3a9e89045bf121aadbf864e887aeb25ba0c58f762de233e8adf5c73134b1a6d
                                                                                            • Opcode Fuzzy Hash: 7caecc748150b05fedb2737b290fa2d10d67063e027dfbdfaad7aac65fe8cbf0
                                                                                            • Instruction Fuzzy Hash: 2B916871D003599BDB00CFA8C9547EEFBB4FF59304F14825AE404BB292EBB56A84CB91
                                                                                            Function 00480C80 Relevance: 19.8, APIs: 13, Instructions: 258windowCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 565 480c80-480cd2 call 4808f0 568 480d19 565->568 569 480cd4-480ce1 EnterCriticalSection 565->569 572 480d1e-480d3e call 4abbf5 568->572 570 480d41-480d58 LeaveCriticalSection GdipGetImageEncodersSize 569->570 571 480ce3-480d10 GdiplusStartup 569->571 570->568 573 480d5a-480d6e 570->573 571->570 574 480d12-480d13 LeaveCriticalSection 571->574 577 480d8a-480d91 573->577 578 480d70-480d77 call 480510 573->578 574->568 580 480f79-480f83 call 4805d0 577->580 581 480d97-480da5 call 497e9c 577->581 586 480d79-480d85 call 4ac9f0 578->586 587 480d87 578->587 590 480db5 581->590 591 480da7-480db2 581->591 592 480db8-480dbd 586->592 587->577 590->592 591->590 594 480dc9-480dd6 GdipGetImageEncoders 592->594 595 480dbf-480dc4 592->595 597 480f39-480f3e 594->597 598 480ddc-480de2 594->598 596 480f54-480f5d 595->596 601 480f5f 596->601 602 480f72-480f74 596->602 597->596 599 480e32 598->599 600 480de4-480ded 598->600 605 480e39-480e4a 599->605 603 480df0-480dfa 600->603 604 480f60-480f70 call 497357 601->604 602->572 606 480e00-480e04 603->606 604->602 608 480e50-480e54 605->608 609 480e1d-480e30 606->609 610 480e06-480e0f 606->610 612 480e6b-480e80 608->612 613 480e56-480e5f 608->613 609->599 609->603 610->606 616 480e11-480e1b 610->616 614 480ee1-480f22 GdipCreateBitmapFromHBITMAP GdipSaveImageToStream 612->614 615 480e82-480ed8 GdipCreateBitmapFromScan0 GdipSaveImageToStream 612->615 613->608 617 480e61-480e66 613->617 620 480f40-480f52 GdipDisposeImage 614->620 621 480f24 614->621 618 480eda-480edd 615->618 619 480edf 615->619 616->605 617->596 622 480f27-480f33 GdipDisposeImage 618->622 619->620 620->596 621->622 622->597
                                                                                            APIs
                                                                                              • Part of subcall function 004808F0: InitializeCriticalSectionEx.KERNEL32(0051C7AC,00000000,00000000), ref: 0048096F
                                                                                              • Part of subcall function 004808F0: GetLastError.KERNEL32 ref: 00480979
                                                                                            • EnterCriticalSection.KERNEL32(00000004,5A06260C,?,?), ref: 00480CD8
                                                                                            • GdiplusStartup.GDIPLUS(00000000,00000001,?), ref: 00480D08
                                                                                            • LeaveCriticalSection.KERNEL32(00000004), ref: 00480D13
                                                                                            • LeaveCriticalSection.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00480D42
                                                                                            • GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 00480D50
                                                                                            • __alloca_probe_16.LIBCMT ref: 00480D7E
                                                                                            • GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00480DCE
                                                                                            • GdipCreateBitmapFromScan0.GDIPLUS(?,?,?,0026200A,?,?), ref: 00480EB3
                                                                                            • GdipSaveImageToStream.GDIPLUS(00000000,?,?,00000000), ref: 00480ED0
                                                                                            • GdipDisposeImage.GDIPLUS(00000000), ref: 00480F33
                                                                                            • GdipDisposeImage.GDIPLUS(00000000), ref: 00480F4C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Gdip$Image$CriticalSection$DisposeEncodersLeave$BitmapCreateEnterErrorFromGdiplusInitializeLastSaveScan0SizeStartupStream__alloca_probe_16
                                                                                            • String ID:
                                                                                            • API String ID: 1308617310-0
                                                                                            • Opcode ID: db8e19989c3c8e354b887b54b5669c89f7a5afa25811b29cf81357a5f4059125
                                                                                            • Instruction ID: f4feccb951fe1b922ecb3dfaf5b8302156747445c0b76c240fb24b0f4f51c94e
                                                                                            • Opcode Fuzzy Hash: db8e19989c3c8e354b887b54b5669c89f7a5afa25811b29cf81357a5f4059125
                                                                                            • Instruction Fuzzy Hash: D1A165B1D10208DFDB50DFA4C984BAEBBF4FF49314F24452AE905A7340D778A949CBA9
                                                                                            Function 00481B10 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 293networkCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1454 481b10-481c8d call 485e30 call 4517f0 call 44a980 call 44d3b0 call 4abc08 call 44bad0 call 4517f0 call 44a980 call 44d3b0 WSAStartup 1473 481de1 1454->1473 1474 481c93-481ca6 socket 1454->1474 1477 481de5-481e14 call 44d060 call 4abbf5 1473->1477 1475 481ddb WSACleanup 1474->1475 1476 481cac-481cde htons 1474->1476 1475->1473 1478 481e34-481ea7 call 480f90 call 44cfd0 * 2 call 480f90 1476->1478 1479 481ce4-481ceb 1476->1479 1509 481eac-481efd call 44cfd0 * 2 1478->1509 1482 481ced-481cf1 1479->1482 1483 481cf3-481cf5 1479->1483 1486 481cf7-481cfc 1482->1486 1483->1486 1489 481d18-481d1e 1486->1489 1490 481cfe 1486->1490 1494 481d20 1489->1494 1495 481d22-481d36 call 473550 1489->1495 1493 481d00-481d0e call 498020 1490->1493 1505 481d10-481d13 1493->1505 1506 481d15 1493->1506 1494->1495 1502 481d38-481d44 1495->1502 1503 481d46-481d53 1495->1503 1507 481d55 1502->1507 1503->1507 1508 481d57-481d5c 1503->1508 1505->1493 1505->1506 1506->1489 1507->1508 1510 481d5e 1508->1510 1511 481d81-481d96 call 473550 1508->1511 1509->1477 1513 481d61-481d75 call 498020 1510->1513 1521 481d98 1511->1521 1522 481d9a-481dbe inet_pton connect 1511->1522 1525 481d7e 1513->1525 1526 481d77-481d7c 1513->1526 1521->1522 1523 481dc0-481dc9 1522->1523 1524 481e15-481e1b 1522->1524 1523->1479 1527 481dcf-481dd5 closesocket 1523->1527 1524->1478 1528 481e1d-481e24 1524->1528 1525->1511 1526->1513 1526->1525 1527->1475 1529 481e28-481e2f call 44d7d0 1528->1529 1530 481e26 1528->1530 1529->1478 1530->1529
                                                                                            APIs
                                                                                              • Part of subcall function 00485E30: GetUserGeoID.KERNEL32(00000010), ref: 00485E6C
                                                                                              • Part of subcall function 00485E30: GetGeoInfoA.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00485E7E
                                                                                              • Part of subcall function 00485E30: GetGeoInfoA.KERNEL32(0000000F,00000004,?,00000000,00000000), ref: 00485ED6
                                                                                            • WSAStartup.WS2_32(00000202,00516D04), ref: 00481C85
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 00481C98
                                                                                            • htons.WS2_32(00000002), ref: 00481CBF
                                                                                            • inet_pton.WS2_32(00000002,00000000,00516E98), ref: 00481DA2
                                                                                            • connect.WS2_32(00516E94,00000010), ref: 00481DB5
                                                                                            • closesocket.WS2_32 ref: 00481DD5
                                                                                            • WSACleanup.WS2_32 ref: 00481DDB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Info$CleanupStartupUserclosesocketconnecthtonsinet_ptonsocket
                                                                                            • String ID: NG$geo$system
                                                                                            • API String ID: 213021568-968879199
                                                                                            • Opcode ID: 3e51a562f8bb916ff5cdbc648a8933530491576e42c442edfc0125d67360bed5
                                                                                            • Instruction ID: a79096e42c26a1a604384fcb43a931ed9af1c00745f33276f8ffcea807cfd111
                                                                                            • Opcode Fuzzy Hash: 3e51a562f8bb916ff5cdbc648a8933530491576e42c442edfc0125d67360bed5
                                                                                            • Instruction Fuzzy Hash: 1DC1AE70D01248DBDB00EFA8C8457DEBBB5FF15308F14421BE854AB391EBB86A85CB95
                                                                                            Function 004BC57A Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMONLIBRARYCODE
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1532 4bc57a-4bc5aa call 4bc2c8 1535 4bc5ac-4bc5b7 call 4950c1 1532->1535 1536 4bc5c5-4bc5d1 call 4a2f56 1532->1536 1541 4bc5b9-4bc5c0 call 4950d4 1535->1541 1542 4bc5ea-4bc633 call 4bc233 1536->1542 1543 4bc5d3-4bc5e8 call 4950c1 call 4950d4 1536->1543 1550 4bc89f-4bc8a3 1541->1550 1552 4bc6a0-4bc6a9 GetFileType 1542->1552 1553 4bc635-4bc63e 1542->1553 1543->1541 1554 4bc6ab-4bc6dc GetLastError call 49507a CloseHandle 1552->1554 1555 4bc6f2-4bc6f5 1552->1555 1557 4bc640-4bc644 1553->1557 1558 4bc675-4bc69b GetLastError call 49507a 1553->1558 1554->1541 1571 4bc6e2-4bc6ed call 4950d4 1554->1571 1562 4bc6fe-4bc704 1555->1562 1563 4bc6f7-4bc6fc 1555->1563 1557->1558 1559 4bc646-4bc673 call 4bc233 1557->1559 1558->1541 1559->1552 1559->1558 1564 4bc708-4bc756 call 4a2e9e 1562->1564 1565 4bc706 1562->1565 1563->1564 1574 4bc758-4bc764 call 4bc442 1564->1574 1575 4bc775-4bc79d call 4bbfdd 1564->1575 1565->1564 1571->1541 1574->1575 1581 4bc766 1574->1581 1582 4bc79f-4bc7a0 1575->1582 1583 4bc7a2-4bc7e3 1575->1583 1586 4bc768-4bc770 call 49c22b 1581->1586 1582->1586 1584 4bc7e5-4bc7e9 1583->1584 1585 4bc804-4bc812 1583->1585 1584->1585 1587 4bc7eb-4bc7ff 1584->1587 1588 4bc818-4bc81c 1585->1588 1589 4bc89d 1585->1589 1586->1550 1587->1585 1588->1589 1591 4bc81e-4bc851 CloseHandle call 4bc233 1588->1591 1589->1550 1595 4bc853-4bc87f GetLastError call 49507a call 4a3069 1591->1595 1596 4bc885-4bc899 1591->1596 1595->1596 1596->1589
                                                                                            APIs
                                                                                              • Part of subcall function 004BC233: CreateFileW.KERNEL32(?,00000000,?,004BC623,?,?,00000000,?,004BC623,?,0000000C), ref: 004BC250
                                                                                            • GetLastError.KERNEL32 ref: 004BC68E
                                                                                            • __dosmaperr.LIBCMT ref: 004BC695
                                                                                            • GetFileType.KERNEL32(00000000), ref: 004BC6A1
                                                                                            • GetLastError.KERNEL32 ref: 004BC6AB
                                                                                            • __dosmaperr.LIBCMT ref: 004BC6B4
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 004BC6D4
                                                                                            • CloseHandle.KERNEL32(004BB653), ref: 004BC821
                                                                                            • GetLastError.KERNEL32 ref: 004BC853
                                                                                            • __dosmaperr.LIBCMT ref: 004BC85A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                            • String ID: H
                                                                                            • API String ID: 4237864984-2852464175
                                                                                            • Opcode ID: 1092716943437c36cfa02252dfbb3b8d28f6a4b1d2fea1c18a37bf8b19ebdc4d
                                                                                            • Instruction ID: e4caf95108e2d56c13f9780512823c5111e6df0be3dd416bceb2684eca6e9c1f
                                                                                            • Opcode Fuzzy Hash: 1092716943437c36cfa02252dfbb3b8d28f6a4b1d2fea1c18a37bf8b19ebdc4d
                                                                                            • Instruction Fuzzy Hash: 65A13632A041549FCF19AF68DCD1BEE3BA1AB46314F14015FF8119F391CB798906CBA9
                                                                                            Function 00481110 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 526fileCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1752 481110-481191 call 4385b0 1755 4817e2-4817e4 1752->1755 1756 481197-48119f 1752->1756 1757 48181b-48188f call 437c30 call 481110 1755->1757 1758 4817e6-4817f1 1755->1758 1756->1758 1759 4811a5-4811fd call 4ade50 call 44ee20 1756->1759 1776 48191f-481927 1757->1776 1777 481895-4818aa call 44e890 1757->1777 1761 4817fb-48181a call 4abbf5 1758->1761 1771 481551-481589 call 466040 call 465f20 1759->1771 1772 481203-481209 1759->1772 1796 48158b-48159a call 4516d0 1771->1796 1797 4815a2-481625 call 466040 call 48fa10 1771->1797 1774 48120b 1772->1774 1775 48120d-48122d call 489f30 call 48a0a0 1772->1775 1774->1775 1799 4812f9-481312 GetFileSize 1775->1799 1800 481233-4812f4 call 44d060 call 44a340 call 4b94ea 1775->1800 1782 48192e-481939 1776->1782 1784 4818af-48191d call 44d060 1777->1784 1786 48193b-48193e call 44d060 1782->1786 1787 481943-481961 call 4abbf5 1782->1787 1784->1782 1786->1787 1802 48159f 1796->1802 1819 48163b-48164b call 48fab0 1797->1819 1820 481627-481639 1797->1820 1803 481328-48133a 1799->1803 1804 481314-481326 1799->1804 1800->1761 1802->1797 1808 481368-481375 call 451f90 1803->1808 1809 48133c-481366 call 4ade50 1803->1809 1807 48137a-4813ac SetFilePointer ReadFile 1804->1807 1815 48149f-481542 call 44d060 call 44a340 1807->1815 1816 4813b2-481490 call 44d060 call 44a340 1807->1816 1808->1807 1809->1807 1815->1771 1816->1815 1823 481650-48165a 1819->1823 1820->1823 1828 48165c-481680 1823->1828 1829 481682-481693 call 44d7d0 1823->1829 1833 481698-4816ce call 44d060 call 436640 call 44c7a0 1828->1833 1829->1833 1845 4816d3-4816d5 1833->1845 1846 481700-4817d3 call 44d060 call 44a340 1845->1846 1847 4816d7-4816fb call 436640 1845->1847 1846->1755 1847->1846
                                                                                            APIs
                                                                                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004812EC
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,000000B8), ref: 004812FC
                                                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00481388
                                                                                            • ReadFile.KERNEL32(00000000,00000000,00516C10,00000000,00000000), ref: 004813A4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$Ios_base_dtorPointerReadSizestd::ios_base::_
                                                                                            • String ID: 0hC$exists
                                                                                            • API String ID: 418202444-4085241440
                                                                                            • Opcode ID: 849f238cd3a392783c80e55f8389a1395318525961415ca9d71f5ff49262db28
                                                                                            • Instruction ID: 03b619e30c80654d4b10cf1501dd509fce63877f60a48615618d7203a258c35b
                                                                                            • Opcode Fuzzy Hash: 849f238cd3a392783c80e55f8389a1395318525961415ca9d71f5ff49262db28
                                                                                            • Instruction Fuzzy Hash: 3E425D70D01248DFDB10DFA9C9447DDBBF4BF19308F10819AE849A7291DB746A89CF95
                                                                                            Function 00453280 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 340COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 00453446
                                                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 00453463
                                                                                              • Part of subcall function 004AFA0C: RaiseException.KERNEL32(E06D7363,00000001,00000003,0043FE44,?,?,?,004B9080,0043FE44,00513AB0,?,0043FE44,?,?,0000000C,5A06260C), ref: 004AFA6C
                                                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 004536B0
                                                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 004536CD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ___std_exception_destroy$ExceptionRaise
                                                                                            • String ID: MC$value
                                                                                            • API String ID: 299339551-3840657116
                                                                                            • Opcode ID: 105946c5cbd8b82caa2ff389fd77db40c33b1abb7ad3302a948b5beaa238df8e
                                                                                            • Instruction ID: 0b049260404a019bd3923239173dd3b15bf9369a861e2bc94eedd162a5d5976f
                                                                                            • Opcode Fuzzy Hash: 105946c5cbd8b82caa2ff389fd77db40c33b1abb7ad3302a948b5beaa238df8e
                                                                                            • Instruction Fuzzy Hash: 1EF16B70C05298DEEB20DB65C954BDEFBB4AF19304F1481DED84963282E7746B88CF96
                                                                                            Function 0049EF0E Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 2369 49ef0e-49ef1e 2370 49ef38-49ef3a 2369->2370 2371 49ef20-49ef33 call 4950c1 call 4950d4 2369->2371 2373 49f27a-49f287 call 4950c1 call 4950d4 2370->2373 2374 49ef40-49ef46 2370->2374 2387 49f292 2371->2387 2392 49f28d call 497d29 2373->2392 2374->2373 2377 49ef4c-49ef75 2374->2377 2377->2373 2380 49ef7b-49ef84 2377->2380 2383 49ef9e-49efa0 2380->2383 2384 49ef86-49ef99 call 4950c1 call 4950d4 2380->2384 2385 49f276-49f278 2383->2385 2386 49efa6-49efaa 2383->2386 2384->2392 2391 49f295-49f298 2385->2391 2386->2385 2390 49efb0-49efb4 2386->2390 2387->2391 2390->2384 2394 49efb6-49efcd 2390->2394 2392->2387 2397 49efcf-49efd2 2394->2397 2398 49f002-49f008 2394->2398 2400 49eff8-49f000 2397->2400 2401 49efd4-49efda 2397->2401 2402 49f00a-49f011 2398->2402 2403 49efdc-49eff3 call 4950c1 call 4950d4 call 497d29 2398->2403 2405 49f075-49f094 2400->2405 2401->2400 2401->2403 2406 49f013 2402->2406 2407 49f015-49f033 call 49d15a call 49c0bd * 2 2402->2407 2434 49f1ad 2403->2434 2408 49f09a-49f0a6 2405->2408 2409 49f150-49f159 call 4a652f 2405->2409 2406->2407 2438 49f050-49f073 call 49f49f 2407->2438 2439 49f035-49f04b call 4950d4 call 4950c1 2407->2439 2408->2409 2412 49f0ac-49f0ae 2408->2412 2423 49f15b-49f16d 2409->2423 2424 49f1ca 2409->2424 2412->2409 2416 49f0b4-49f0d5 2412->2416 2416->2409 2420 49f0d7-49f0ed 2416->2420 2420->2409 2425 49f0ef-49f0f1 2420->2425 2423->2424 2429 49f16f-49f17e GetConsoleMode 2423->2429 2427 49f1ce-49f1e4 ReadFile 2424->2427 2425->2409 2430 49f0f3-49f116 2425->2430 2432 49f242-49f24d GetLastError 2427->2432 2433 49f1e6-49f1ec 2427->2433 2429->2424 2435 49f180-49f184 2429->2435 2430->2409 2437 49f118-49f12e 2430->2437 2440 49f24f-49f261 call 4950d4 call 4950c1 2432->2440 2441 49f266-49f269 2432->2441 2433->2432 2442 49f1ee 2433->2442 2436 49f1b0-49f1ba call 49c0bd 2434->2436 2435->2427 2443 49f186-49f19e ReadConsoleW 2435->2443 2436->2391 2437->2409 2449 49f130-49f132 2437->2449 2438->2405 2439->2434 2440->2434 2446 49f26f-49f271 2441->2446 2447 49f1a6-49f1ac call 49507a 2441->2447 2453 49f1f1-49f203 2442->2453 2444 49f1bf-49f1c8 2443->2444 2445 49f1a0 GetLastError 2443->2445 2444->2453 2445->2447 2446->2436 2447->2434 2449->2409 2456 49f134-49f14b 2449->2456 2453->2436 2460 49f205-49f209 2453->2460 2456->2409 2464 49f20b-49f21b call 49ec20 2460->2464 2465 49f222-49f22f 2460->2465 2474 49f21e-49f220 2464->2474 2467 49f23b-49f240 call 49ea66 2465->2467 2468 49f231 call 49ed77 2465->2468 2475 49f236-49f239 2467->2475 2468->2475 2474->2436 2475->2474
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7a11389edab33e3dfbab2a445fe6c4299cd53ba09190e4193bd27d35e7829d6b
                                                                                            • Instruction ID: af9c87e70908a1ee06dfbc346dd9d7a470d4d3b04964572cafa80a59c2292356
                                                                                            • Opcode Fuzzy Hash: 7a11389edab33e3dfbab2a445fe6c4299cd53ba09190e4193bd27d35e7829d6b
                                                                                            • Instruction Fuzzy Hash: ACB13274A04249EFEF11CF99C841BAE7FB1AF46304F14417AE5009B392C7B99D4ACB99
                                                                                            Function 0049865A Relevance: 9.3, APIs: 6, Instructions: 265COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 2477 49865a-498668 2478 49866a-49867b call 4950d4 call 497d29 2477->2478 2479 49867d-49868d 2477->2479 2500 4986d0-4986d2 2478->2500 2481 49868f-4986a0 call 4950d4 call 497d29 2479->2481 2482 4986a2-4986a8 2479->2482 2503 4986cf 2481->2503 2483 4986aa 2482->2483 2484 4986b0-4986b6 2482->2484 2487 4986ac-4986ae 2483->2487 2488 4986c2-4986cc call 4950d4 2483->2488 2489 4986b8 2484->2489 2490 4986d3 call 4a1286 2484->2490 2487->2484 2487->2488 2504 4986ce 2488->2504 2489->2488 2493 4986ba-4986c0 2489->2493 2501 4986d8-4986ed call 4a0679 2490->2501 2493->2488 2493->2490 2506 4988e0-4988ea call 497d56 2501->2506 2507 4986f3-4986ff call 4a06a5 2501->2507 2503->2500 2504->2503 2507->2506 2512 498705-498711 call 4a06d1 2507->2512 2512->2506 2515 498717-49872c 2512->2515 2516 49879c-4987a7 call 4a097d 2515->2516 2517 49872e 2515->2517 2516->2504 2523 4987ad-4987b8 2516->2523 2519 498738-498754 call 4a097d 2517->2519 2520 498730-498736 2517->2520 2519->2504 2527 49875a-49875d 2519->2527 2520->2516 2520->2519 2525 4987ba-4987c3 call 4a12e3 2523->2525 2526 4987d4 2523->2526 2525->2526 2537 4987c5-4987d2 2525->2537 2529 4987d7-4987eb call 4ac930 2526->2529 2530 4988d9-4988db 2527->2530 2531 498763-49876c call 4a12e3 2527->2531 2538 4987f8-49881f call 4ac880 call 4ac930 2529->2538 2539 4987ed-4987f5 2529->2539 2530->2504 2531->2530 2540 498772-49878a call 4a097d 2531->2540 2537->2529 2548 49882d-498854 call 4ac880 call 4ac930 2538->2548 2549 498821-49882a 2538->2549 2539->2538 2540->2504 2545 498790-498797 2540->2545 2545->2530 2554 498862-498871 call 4ac880 2548->2554 2555 498856-49885f 2548->2555 2549->2548 2558 498899-4988b9 2554->2558 2559 498873 2554->2559 2555->2554 2562 4988bb-4988d4 2558->2562 2563 4988d6 2558->2563 2560 498879-49888d 2559->2560 2561 498875-498877 2559->2561 2560->2530 2561->2560 2564 49888f-498891 2561->2564 2562->2530 2563->2530 2564->2530 2565 498893 2564->2565 2565->2558 2566 498895-498897 2565->2566 2566->2530 2566->2558
                                                                                            APIs
                                                                                            • __allrem.LIBCMT ref: 004987E2
                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004987FE
                                                                                            • __allrem.LIBCMT ref: 00498815
                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00498833
                                                                                            • __allrem.LIBCMT ref: 0049884A
                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00498868
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                            • String ID:
                                                                                            • API String ID: 1992179935-0
                                                                                            • Opcode ID: 0bad0c18fe0cf381acad9996688c966a33eada49a23c210a765f4fa7ac2e53a6
                                                                                            • Instruction ID: bac2f8d64b4771d1480d5067db4f3a3676e567bfb19d99c183f063f20f68270c
                                                                                            • Opcode Fuzzy Hash: 0bad0c18fe0cf381acad9996688c966a33eada49a23c210a765f4fa7ac2e53a6
                                                                                            • Instruction Fuzzy Hash: A68107B26007069BDB20EA6DCC41B5B7BE9AF52364F24453FF111DB791EB78D9008B98
                                                                                            Function 004823F0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 280COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Ios_base_dtorstd::ios_base::_
                                                                                            • String ID: 0$0hC$exists
                                                                                            • API String ID: 323602529-1229763112
                                                                                            • Opcode ID: f10948b3ed40f3b076f8b225239c75273635f3694046d4e0320974136430c3f1
                                                                                            • Instruction ID: 8ad686ceee80f5ac92384c61aa111afe13dce58c6585d204e44adfbc4e8d440e
                                                                                            • Opcode Fuzzy Hash: f10948b3ed40f3b076f8b225239c75273635f3694046d4e0320974136430c3f1
                                                                                            • Instruction Fuzzy Hash: 81D18070D0528CDAEB10DBA8CA45BDCBBF4AF19308F2440DDE4456B282DBB95F48DB56
                                                                                            Function 004865D0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 230registryCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                              • Part of subcall function 0047FD70: ___std_fs_get_current_path@8.LIBCPMT ref: 0047FE92
                                                                                            • GetVolumeInformationW.KERNEL32(?,?,00000100,?,?,?,?,00000100,00000000,?,5A06260C,?,?), ref: 00486757
                                                                                            • RegGetValueA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,ProductName,00000002,00000000,?,?), ref: 00486916
                                                                                            Strings
                                                                                            • SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00486905
                                                                                            • ProductName, xrefs: 00486900
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: InformationValueVolume___std_fs_get_current_path@8
                                                                                            • String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                            • API String ID: 2814272438-1787575317
                                                                                            • Opcode ID: b1404d09f7114e8511fbbac145fb6ec7f4eb5f2e1f33eee02c53c21e1c4c82cd
                                                                                            • Instruction ID: 5513a57b40c567382305f19abecc614c7fb65df7785b10e0462d816fc7d7abf5
                                                                                            • Opcode Fuzzy Hash: b1404d09f7114e8511fbbac145fb6ec7f4eb5f2e1f33eee02c53c21e1c4c82cd
                                                                                            • Instruction Fuzzy Hash: DFA18BB1C012199BDB21DF55CD59BE9B7B4FF14304F1042EAE419A7281EB786B88CF94
                                                                                            Function 004A0DE2 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 408timeCOMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,004A1227,00000000,00000000,00000000), ref: 004A10E6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: InformationTimeZone
                                                                                            • String ID: Eastern Standard Time$Eastern Summer Time
                                                                                            • API String ID: 565725191-239921721
                                                                                            • Opcode ID: 6d56e6c85ed9894342afe2715a6fa1724950ddd0880608aa6d3f753aba8a0eb9
                                                                                            • Instruction ID: d63cae11faca7fbaaedfd5ec0c01f193a5a5e64d1a9f5e85edff99bc4745f09f
                                                                                            • Opcode Fuzzy Hash: 6d56e6c85ed9894342afe2715a6fa1724950ddd0880608aa6d3f753aba8a0eb9
                                                                                            • Instruction Fuzzy Hash: D5C15872D00211ABDB20AB65CC02ABF7BB9EF76754F10405BF901EB291E7788E41D798
                                                                                            Function 00481F10 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 282COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                              • Part of subcall function 0045D680: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 0045D726
                                                                                              • Part of subcall function 0045D680: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 0045D750
                                                                                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00482387
                                                                                              • Part of subcall function 0043E440: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0043E4CF
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Ios_base_dtor___std_fs_convert_narrow_to_wide@20std::ios_base::_
                                                                                            • String ID: 0hC$exists
                                                                                            • API String ID: 1525435645-4085241440
                                                                                            • Opcode ID: 8ca7fd5849306998ec001e4bdecb4b4743a0745ed80b2030e0a7e1d66a3192b0
                                                                                            • Instruction ID: 349907f898d0770bf1c6c6bee16b757a414fbaa0545e2b95a55e182eb82389be
                                                                                            • Opcode Fuzzy Hash: 8ca7fd5849306998ec001e4bdecb4b4743a0745ed80b2030e0a7e1d66a3192b0
                                                                                            • Instruction Fuzzy Hash: 1ED19F70D0528CDAEB10DBA8CA45BDCBBF0AF19308F2480DDD4456B282D7B95F58DB56
                                                                                            Function 00438180 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 004381BC
                                                                                              • Part of subcall function 004B849F: FindNextFileW.KERNELBASE(?,00000001,?,00437D97,?,00000001,?,004BDC4D,00000001,?,?,?,5A06260C,00000001), ref: 004B84A8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: FileFindNext___std_fs_directory_iterator_advance@8
                                                                                            • String ID: .$directory_iterator::operator++
                                                                                            • API String ID: 3878998205-1036657373
                                                                                            • Opcode ID: 42ea8ddbda2b7e0b12b5802c67e6a5f09428df7f782a6b2438fae6bd72fb2b67
                                                                                            • Instruction ID: 735a56af49808cf236c7d8626bd4983a1e4e1118483563b87a501f55d85a1d57
                                                                                            • Opcode Fuzzy Hash: 42ea8ddbda2b7e0b12b5802c67e6a5f09428df7f782a6b2438fae6bd72fb2b67
                                                                                            • Instruction Fuzzy Hash: C7318D70A047188BCF30DF59C8887ABF7B4EB49310F14429EE45997391DB395E85CA84
                                                                                            Function 004868B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59registryCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • RegGetValueA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,ProductName,00000002,00000000,?,?), ref: 00486916
                                                                                            Strings
                                                                                            • SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00486905
                                                                                            • ProductName, xrefs: 00486900
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value
                                                                                            • String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                            • API String ID: 3702945584-1787575317
                                                                                            • Opcode ID: b1b14b774ef6c570b057e3b558ffe0deac3071ed0933685e6c950abb9736e9bf
                                                                                            • Instruction ID: c2d08890748770af0873008191db5a05c2fa34d27609d4939fc155a72502f57e
                                                                                            • Opcode Fuzzy Hash: b1b14b774ef6c570b057e3b558ffe0deac3071ed0933685e6c950abb9736e9bf
                                                                                            • Instruction Fuzzy Hash: 95218EB09003599BDB20DF54C805BEABBF8FF04704F10465EE845A7681DBB86A44CB95
                                                                                            Function 00487290 Relevance: 4.7, APIs: 3, Instructions: 178registryCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNEL32(80000001,0047F265,00000000,00020019,00000000,5A06260C,?,0051C288), ref: 0048735B
                                                                                            • RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00487397
                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0048751D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseEnumOpen
                                                                                            • String ID:
                                                                                            • API String ID: 1332880857-0
                                                                                            • Opcode ID: f2df89f7ded2f01219635e19fa6094d0543fceec2d71050d0bf781645f1a3f7c
                                                                                            • Instruction ID: e90b3dd054a924dd9803ab5f17a38fc1c4cefb0d6438d00707aa441ccba3a8d8
                                                                                            • Opcode Fuzzy Hash: f2df89f7ded2f01219635e19fa6094d0543fceec2d71050d0bf781645f1a3f7c
                                                                                            • Instruction Fuzzy Hash: E3717FF0D012189FDB20DF24CD94B9DB7B4EB54304F1082DAEA19A7281D774AE88CF99
                                                                                            Function 004870B0 Relevance: 4.6, APIs: 3, Instructions: 115registryCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNEL32(80000001,0051C570,00000000,00020019,00000000,5A06260C,0051C570,0051C2A0), ref: 00487182
                                                                                            • RegQueryValueExA.KERNEL32(00000000,?,00000000,000F003F,?,00000400), ref: 004871B6
                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00487260
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseOpenQueryValue
                                                                                            • String ID:
                                                                                            • API String ID: 3677997916-0
                                                                                            • Opcode ID: 57d060fa11377f52f079fc837384727404e649e1529402bdcb096a3e64267e6d
                                                                                            • Instruction ID: b9c4edd99e38da91ddb4c738108b0054469e00b62f6e0a688ac56e9026d709b2
                                                                                            • Opcode Fuzzy Hash: 57d060fa11377f52f079fc837384727404e649e1529402bdcb096a3e64267e6d
                                                                                            • Instruction Fuzzy Hash: 905130B0D042189BDB20DF15CD54B9AB7F8FF45708F5042DEE609A7281DB74AA88CF99
                                                                                            Function 004855F0 Relevance: 4.6, APIs: 3, Instructions: 99networkCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • recv.WS2_32(?,00000001,00000000), ref: 004857E2
                                                                                            • closesocket.WS2_32(00000254), ref: 004857EE
                                                                                            • WSACleanup.WS2_32 ref: 004857F4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Cleanupclosesocketrecv
                                                                                            • String ID:
                                                                                            • API String ID: 3447645871-0
                                                                                            • Opcode ID: a55422f294b4942afa1ff90dfbe741e21dd202ebe771de9cafeea328bec9a277
                                                                                            • Instruction ID: c065b03366e761df0b34e2ad76ec595a4b6e3bb6db0e63c2aea2bbb819f94b56
                                                                                            • Opcode Fuzzy Hash: a55422f294b4942afa1ff90dfbe741e21dd202ebe771de9cafeea328bec9a277
                                                                                            • Instruction Fuzzy Hash: 6C415830D11398CEEB14EB65CC59BDEBB71AF10308F1081DAE449672A2DB741E88DFA5
                                                                                            Function 00485E30 Relevance: 4.6, APIs: 3, Instructions: 65COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetUserGeoID.KERNEL32(00000010), ref: 00485E6C
                                                                                            • GetGeoInfoA.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00485E7E
                                                                                            • GetGeoInfoA.KERNEL32(0000000F,00000004,?,00000000,00000000), ref: 00485ED6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Info$User
                                                                                            • String ID:
                                                                                            • API String ID: 2017065092-0
                                                                                            • Opcode ID: 76db3dc4c87bbc6f384a5473c1c7e0f0467f6834ab8a05054a61e1c1351183cd
                                                                                            • Instruction ID: dee3d2b381a88aa75edb4726eebd2668ef991be1adfc48943d59dd3409b8a73b
                                                                                            • Opcode Fuzzy Hash: 76db3dc4c87bbc6f384a5473c1c7e0f0467f6834ab8a05054a61e1c1351183cd
                                                                                            • Instruction Fuzzy Hash: 60219D70A40305ABE730DF65DD09B5BBBF8EB44B14F104A1EF545AB6C0D7B9AA048BE4
                                                                                            Function 004A2897 Relevance: 4.5, APIs: 3, Instructions: 15COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32(?,?,004A2891,00000016,0049036B,?,?,5A06260C,0049036B,?), ref: 004A28A8
                                                                                            • TerminateProcess.KERNEL32(00000000,?,004A2891,00000016,0049036B,?,?,5A06260C,0049036B,?), ref: 004A28AF
                                                                                            • ExitProcess.KERNEL32 ref: 004A28C1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Process$CurrentExitTerminate
                                                                                            • String ID:
                                                                                            • API String ID: 1703294689-0
                                                                                            • Opcode ID: c52b8aea0878e361db6f998eabd52a91712daacfbdb63a7d2bb12d779e64a9bf
                                                                                            • Instruction ID: 5f52cdf8944b70cf92df4f225d6e01553ce615c3954620652ef0a1f31c52b3c3
                                                                                            • Opcode Fuzzy Hash: c52b8aea0878e361db6f998eabd52a91712daacfbdb63a7d2bb12d779e64a9bf
                                                                                            • Instruction Fuzzy Hash: ACD09E71001108BBDF423F65ED0DB8E3F2AEF55745F044026B9095A131DB799995EB98
                                                                                            Function 0047EE90 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 177COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                              • Part of subcall function 0047F1C0: RegOpenKeyExA.KERNEL32(80000001,0051C570,00000000,00020019,00000000,5A06260C), ref: 0047F211
                                                                                              • Part of subcall function 0047F1C0: RegCloseKey.ADVAPI32(00000000), ref: 0047F221
                                                                                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0047F194
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseIos_base_dtorOpenstd::ios_base::_
                                                                                            • String ID: 0hC
                                                                                            • API String ID: 1131316584-2581318919
                                                                                            • Opcode ID: 7cba46937cda891c258594ace6fbaf3fef31f328805038bc20a4f0a0119cf12a
                                                                                            • Instruction ID: cfb713b882ce29762410958d43b6c09695d359a02ab63b143eff75d03a191730
                                                                                            • Opcode Fuzzy Hash: 7cba46937cda891c258594ace6fbaf3fef31f328805038bc20a4f0a0119cf12a
                                                                                            • Instruction Fuzzy Hash: 59911674C00298CBDB20DF68C845BDDBBB0AB19314F1086EAD45977282DB746E88CF95
                                                                                            Function 00486F20 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetCurrentHwProfileW.ADVAPI32(?), ref: 00486F86
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CurrentProfile
                                                                                            • String ID: Unknown
                                                                                            • API String ID: 2104809126-1654365787
                                                                                            • Opcode ID: d6032fd6981b0caf5e4c49708838f9cebd9397818ef9a0e4cf965eded2abff42
                                                                                            • Instruction ID: 4cfd0b05124d6ad0cc2ed0fe670d1554fe3cca3eb32f1e14fa8b394e0e179909
                                                                                            • Opcode Fuzzy Hash: d6032fd6981b0caf5e4c49708838f9cebd9397818ef9a0e4cf965eded2abff42
                                                                                            • Instruction Fuzzy Hash: 74418B71D00258CBDB20DF69C8407DEFBF4EF49704F1082AAD899A7281D774AA88CF91
                                                                                            Function 004ABC08 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 85COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • ___std_exception_copy.LIBVCRUNTIME ref: 00434FF1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ___std_exception_copy
                                                                                            • String ID: MC
                                                                                            • API String ID: 2659868963-1829682832
                                                                                            • Opcode ID: a7a485d9c83800eb579eb1fbe217d44add95b41717c89af58e444174cff24a24
                                                                                            • Instruction ID: 040724f085c67d798f1d490f9b73413860191a50a7d7deb79defe6124e27c29a
                                                                                            • Opcode Fuzzy Hash: a7a485d9c83800eb579eb1fbe217d44add95b41717c89af58e444174cff24a24
                                                                                            • Instruction Fuzzy Hash: 3611EB71800308ABCB10DF58DC01B9AB7ACEB15724F10466FF81597780EB79A940CBD8
                                                                                            Function 00447920 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0044799C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Ios_base_dtorstd::ios_base::_
                                                                                            • String ID: 0hC
                                                                                            • API String ID: 323602529-2581318919
                                                                                            • Opcode ID: 5129ab555f51bed53336c49a6076550c51d3d5e874f0d443237048deba2c8ea9
                                                                                            • Instruction ID: 8ca8b340eaa0dfe9bad33bee777e0704730a4b63aab2394a13b70ad755bbc225
                                                                                            • Opcode Fuzzy Hash: 5129ab555f51bed53336c49a6076550c51d3d5e874f0d443237048deba2c8ea9
                                                                                            • Instruction Fuzzy Hash: CD11ADB0840609DFDB10DF59C840A9DFBF8FB05328F208A6EE85197390EB74AA05CB80
                                                                                            Function 00460310 Relevance: 3.3, APIs: 2, Instructions: 312COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 004604B4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Concurrency::cancel_current_task
                                                                                            • String ID:
                                                                                            • API String ID: 118556049-0
                                                                                            • Opcode ID: 8b13a2037e7e0b03ddde8346a73a64acbab074baffae8b20c15079bbed3282a0
                                                                                            • Instruction ID: 66707b960993136107624c9d81ef05c918eca4bbb2b21c6d520a63eb0cd0cd41
                                                                                            • Opcode Fuzzy Hash: 8b13a2037e7e0b03ddde8346a73a64acbab074baffae8b20c15079bbed3282a0
                                                                                            • Instruction Fuzzy Hash: 04A191B1E002159FDB14DF68C981AAFBBB4EB49314F24422FE815E7385E738AD05CB95
                                                                                            Function 00437CB0 Relevance: 3.1, APIs: 2, Instructions: 124COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • ___std_fs_directory_iterator_open@12.LIBCPMT ref: 00437D64
                                                                                            • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00437D92
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ___std_fs_directory_iterator_advance@8___std_fs_directory_iterator_open@12
                                                                                            • String ID:
                                                                                            • API String ID: 3016148460-0
                                                                                            • Opcode ID: 73963d7e42f46bada0bb91468d8e6c86860c6526e71e689b58131c2916953d37
                                                                                            • Instruction ID: c774fac7b26238caf8a18ea1cc9dfb162d547f418ec2e445b27f5ef4f4107e88
                                                                                            • Opcode Fuzzy Hash: 73963d7e42f46bada0bb91468d8e6c86860c6526e71e689b58131c2916953d37
                                                                                            • Instruction Fuzzy Hash: E841A0B1D04218DBCB34DF64C480AEEB7B4EF19324F00516BE851AB381EB789D44CB94
                                                                                            Function 00480F90 Relevance: 3.1, APIs: 2, Instructions: 108COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • SHGetKnownFolderPath.SHELL32(004E05C0,00000000,00000000,?,5A06260C,?,?), ref: 0048101E
                                                                                            • CoTaskMemFree.OLE32(?), ref: 004810DC
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: FolderFreeKnownPathTask
                                                                                            • String ID:
                                                                                            • API String ID: 969438705-0
                                                                                            • Opcode ID: 72aa8b02f906d3fbe3ba85b36074818c76339de4eced8fbcc3b8c7e13541c268
                                                                                            • Instruction ID: 3e538bd659216d3e4857fbb8bc962106784e19cd0647cea7878622876b38b54a
                                                                                            • Opcode Fuzzy Hash: 72aa8b02f906d3fbe3ba85b36074818c76339de4eced8fbcc3b8c7e13541c268
                                                                                            • Instruction Fuzzy Hash: 4241ACB0D01748DBDB10CFA5C9457AEFBF4EF58314F20421EE811A7280EBB86A44CB94
                                                                                            Function 0047F1C0 Relevance: 3.1, APIs: 2, Instructions: 82registryCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNEL32(80000001,0051C570,00000000,00020019,00000000,5A06260C), ref: 0047F211
                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0047F221
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseOpen
                                                                                            • String ID:
                                                                                            • API String ID: 47109696-0
                                                                                            • Opcode ID: 53310d44514645ec7d69775a39ecbdcf721de23dfed265a4b960d742e8fdaebb
                                                                                            • Instruction ID: 54b3090d3cf4edc9b1beeea5084ab922e7ff7cf66e968ba670c482e571a875e7
                                                                                            • Opcode Fuzzy Hash: 53310d44514645ec7d69775a39ecbdcf721de23dfed265a4b960d742e8fdaebb
                                                                                            • Instruction Fuzzy Hash: 1021F675E002199BDB10EF95DC81BEFB7B4EB48714F14827EE819B7382EB399D048694
                                                                                            Function 0049AD6F Relevance: 3.1, APIs: 2, Instructions: 65COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetStdHandle.KERNEL32(000000F6), ref: 0049ADBB
                                                                                            • GetFileType.KERNEL32(00000000), ref: 0049ADCD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: FileHandleType
                                                                                            • String ID:
                                                                                            • API String ID: 3000768030-0
                                                                                            • Opcode ID: 4f32fbaeb40bbd2ddea1473ad080d3a809991d13d49bec4850263f289b53d757
                                                                                            • Instruction ID: 9b806bec79c801feb13e2bd810877b0a9fec2b0519df56a68c4b4061daa9a1e0
                                                                                            • Opcode Fuzzy Hash: 4f32fbaeb40bbd2ddea1473ad080d3a809991d13d49bec4850263f289b53d757
                                                                                            • Instruction Fuzzy Hash: B611B7311047514ACF304A3E8C886677E96AB56331B39073FD4B687AF1C338D9A691CB
                                                                                            Function 0049F3BE Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,?,0049F4F8,00000000,00000000,00000000,00000002,00000000), ref: 0049F3FA
                                                                                            • GetLastError.KERNEL32(00000000,?,0049F4F8,00000000,00000000,00000000,00000002,00000000,?,0049BE05,00000000,00000000,00000000,00000002,00000000,00000000), ref: 0049F407
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastPointer
                                                                                            • String ID:
                                                                                            • API String ID: 2976181284-0
                                                                                            • Opcode ID: 80260035985e1c693c2aa0c1ce2b926f9b01d7339fcba6fc68b9113c9f56a2d4
                                                                                            • Instruction ID: e391caa542caa0dd86735aa216be2178a54a5bfb1c46ce41420e93566301b438
                                                                                            • Opcode Fuzzy Hash: 80260035985e1c693c2aa0c1ce2b926f9b01d7339fcba6fc68b9113c9f56a2d4
                                                                                            • Instruction Fuzzy Hash: 57012232614215AFCF058F69DC49D9E3F2AEF95324F24422AF811DB290E775EE41CB94
                                                                                            Function 0047E47D Relevance: 3.1, APIs: 2, Instructions: 51synchronizationCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                              • Part of subcall function 004473D0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,5A06260C), ref: 0044741C
                                                                                              • Part of subcall function 004473D0: Process32FirstW.KERNEL32(00000000,?), ref: 00447468
                                                                                              • Part of subcall function 00445950: CredEnumerateA.ADVAPI32(00000000,00000000,?,?,5A06260C,00000000,?), ref: 004459B2
                                                                                              • Part of subcall function 00485350: recv.WS2_32(?,00002000,00000000), ref: 004854A4
                                                                                            • ReleaseMutex.KERNEL32(00000000), ref: 0047E525
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0047E52C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseCreateCredEnumerateFirstHandleMutexProcess32ReleaseSnapshotToolhelp32recv
                                                                                            • String ID:
                                                                                            • API String ID: 420082584-0
                                                                                            • Opcode ID: 43ab8f6d0282bbd386fa8db408f8dbade1bdb5759a0961783a362487319a2d08
                                                                                            • Instruction ID: 21d12501465ffecb104f3396b5f4d487cf58cbb0265569f00e2db2d4d6eee1e0
                                                                                            • Opcode Fuzzy Hash: 43ab8f6d0282bbd386fa8db408f8dbade1bdb5759a0961783a362487319a2d08
                                                                                            • Instruction Fuzzy Hash: D9114C71806548EAEB00FBF7950639DB7A0AF0431CF10C59FE90623182DF7D1A0596AF
                                                                                            Function 0047E4C8 Relevance: 3.0, APIs: 2, Instructions: 40synchronizationCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                              • Part of subcall function 00485350: recv.WS2_32(?,00002000,00000000), ref: 004854A4
                                                                                            • ReleaseMutex.KERNEL32(00000000), ref: 0047E525
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0047E52C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandleMutexReleaserecv
                                                                                            • String ID:
                                                                                            • API String ID: 2659716615-0
                                                                                            • Opcode ID: 0316209b74f7a510048f6aca9fcb45fc03c3e98c7b54836586b8f6f774e638a0
                                                                                            • Instruction ID: d8074609c4b6b56a118d8c4864159468ec2ce210cc92c7876c64f9fcb1cee0d4
                                                                                            • Opcode Fuzzy Hash: 0316209b74f7a510048f6aca9fcb45fc03c3e98c7b54836586b8f6f774e638a0
                                                                                            • Instruction Fuzzy Hash: CD017171806518DAE710FBE2D50679DB7A0AF0931CF50869FE90623282DF791A0187AE
                                                                                            Function 0049C0BD Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • RtlFreeHeap.NTDLL(00000000,00000000,?,004A4A11,?,00000000,?,?,004A4CB2,?,00000007,?,?,004A3378,?,?), ref: 0049C0D3
                                                                                            • GetLastError.KERNEL32(?,?,004A4A11,?,00000000,?,?,004A4CB2,?,00000007,?,?,004A3378,?,?), ref: 0049C0DE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFreeHeapLast
                                                                                            • String ID:
                                                                                            • API String ID: 485612231-0
                                                                                            • Opcode ID: 2c7be629525b77807a060ce78cd6937da288636f168411113672e5418cb75576
                                                                                            • Instruction ID: 589170845ab709ad3b3b60fb6adb52998bb4654d1de7eee66c817f55301082a8
                                                                                            • Opcode Fuzzy Hash: 2c7be629525b77807a060ce78cd6937da288636f168411113672e5418cb75576
                                                                                            • Instruction Fuzzy Hash: 9BE08631500614A7CF222BA1EC0D7893F58DB40355F104036F60897160DF398940CB88
                                                                                            Function 0048FAB0 Relevance: 1.7, APIs: 1, Instructions: 205COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 0048FCEA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Concurrency::cancel_current_task
                                                                                            • String ID:
                                                                                            • API String ID: 118556049-0
                                                                                            • Opcode ID: 54dc556bc546888474d3f19e34a31102f3849cfd2e1ddc240e0765d6926b334a
                                                                                            • Instruction ID: 258a51d4530bdfdbcfb978a880514f411ab203130510da66870d02f2c2448e76
                                                                                            • Opcode Fuzzy Hash: 54dc556bc546888474d3f19e34a31102f3849cfd2e1ddc240e0765d6926b334a
                                                                                            • Instruction Fuzzy Hash: DB71F671A002088FCB24EF28C490B6E77A5BF15314F244A7FE865CB791D739EA49CB95
                                                                                            Function 0044AF90 Relevance: 1.7, APIs: 1, Instructions: 180COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9135f7d9b5d1880a46c4ac02def5f1366672d51aadf79d8842421bd6ac20231f
                                                                                            • Instruction ID: 5047db877c7d9ae38b531aa0dda64427d2377832e7d6361d0852b000475400c5
                                                                                            • Opcode Fuzzy Hash: 9135f7d9b5d1880a46c4ac02def5f1366672d51aadf79d8842421bd6ac20231f
                                                                                            • Instruction Fuzzy Hash: F45180B5A0060ADFDB18CF28D480999FBB4FF4A320B5082AAE819C7B51D735ED55CBD4
                                                                                            Function 0049E314 Relevance: 1.7, APIs: 1, Instructions: 157COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f4d1b25cda05e585bd14aeef0c776674eabbc591f49ad1024f01acac1088cae4
                                                                                            • Instruction ID: 7d9f16a24b0820fe6bfe4efb506255557b861a5981f24711c09fdeca13a2084c
                                                                                            • Opcode Fuzzy Hash: f4d1b25cda05e585bd14aeef0c776674eabbc591f49ad1024f01acac1088cae4
                                                                                            • Instruction Fuzzy Hash: 8751C470A00104EFDF14CF5ACC85AAE7FA5AF99324F28816AE8095B352D379DE41CB95
                                                                                            Function 00458550 Relevance: 1.6, APIs: 1, Instructions: 150COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 004586AF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Concurrency::cancel_current_task
                                                                                            • String ID:
                                                                                            • API String ID: 118556049-0
                                                                                            • Opcode ID: 9d0e38e8a100f06b44e5b2c958822f107f66b3500270d3682d1b991c4f050d55
                                                                                            • Instruction ID: 39eac46aceff4f274d7df031c3ad8bb7d561d247c585fc64f7f09dd83a036c2e
                                                                                            • Opcode Fuzzy Hash: 9d0e38e8a100f06b44e5b2c958822f107f66b3500270d3682d1b991c4f050d55
                                                                                            • Instruction Fuzzy Hash: E941A4B1E001159FDB04DFA8C841AAEBBB5EF48315F10422EE815F7386DB34AE09CB95
                                                                                            Function 004520F0 Relevance: 1.6, APIs: 1, Instructions: 138COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 0045223D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Concurrency::cancel_current_task
                                                                                            • String ID:
                                                                                            • API String ID: 118556049-0
                                                                                            • Opcode ID: 8aafa409fbbe6252fd8d16ac1cef4b76429e1a26ed72850fe408f5c857c7a805
                                                                                            • Instruction ID: 543f2dd5f5f38f41d79c3b3e326d175c20dbca08f8aec97f7e4552ad9d8ce088
                                                                                            • Opcode Fuzzy Hash: 8aafa409fbbe6252fd8d16ac1cef4b76429e1a26ed72850fe408f5c857c7a805
                                                                                            • Instruction Fuzzy Hash: E1411272E001149BCB05EF68CD806AFB7A5EF56311F1402AFFC15EB302D6789E158B99
                                                                                            Function 00451F90 Relevance: 1.6, APIs: 1, Instructions: 137COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 004520DE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Concurrency::cancel_current_task
                                                                                            • String ID:
                                                                                            • API String ID: 118556049-0
                                                                                            • Opcode ID: a14de396b08b32659630435c90f611bc18073001c29953638865ceda2285425b
                                                                                            • Instruction ID: 53fc907bca80d66a09b4c03435f3e8acb878ccb904669eb33cf36a05cbe64725
                                                                                            • Opcode Fuzzy Hash: a14de396b08b32659630435c90f611bc18073001c29953638865ceda2285425b
                                                                                            • Instruction Fuzzy Hash: E7414272D001049BCB15AF68CD806AEBBA5AF4A305F1002ABED15EB342D7749E158BD9
                                                                                            Function 0048F890 Relevance: 1.6, APIs: 1, Instructions: 135COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 0048F9FA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Concurrency::cancel_current_task
                                                                                            • String ID:
                                                                                            • API String ID: 118556049-0
                                                                                            • Opcode ID: d2fccf6f5b3df297b65b13170b90e5c1872a490292f016b70dee3939b6e05f49
                                                                                            • Instruction ID: 91311e753e2fbbf9cdae31aef67f458025fa5287f257254b7d49e4ed808e7769
                                                                                            • Opcode Fuzzy Hash: d2fccf6f5b3df297b65b13170b90e5c1872a490292f016b70dee3939b6e05f49
                                                                                            • Instruction Fuzzy Hash: 4F41B3B2E005049FDB14EF68C985A6EBBA9EB49320F24473EE815D7385DB349D04CB95
                                                                                            Function 004516D0 Relevance: 1.6, APIs: 1, Instructions: 118COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 004517DF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Concurrency::cancel_current_task
                                                                                            • String ID:
                                                                                            • API String ID: 118556049-0
                                                                                            • Opcode ID: 4beab17cec18f8408a3d260484db6fe46066ad92ba7b493454d35fe0c2aa28c2
                                                                                            • Instruction ID: 65e916faade23ef3c336758c75d3ad3b55c144e32e026a5ec30b5c92d10e86c8
                                                                                            • Opcode Fuzzy Hash: 4beab17cec18f8408a3d260484db6fe46066ad92ba7b493454d35fe0c2aa28c2
                                                                                            • Instruction Fuzzy Hash: BB316772E001105BCB18EE6D9880A6FB7E9EB88312B24427FEC15D7352DA38DD0987D9
                                                                                            Function 0044D7D0 Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 0044D8F9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Concurrency::cancel_current_task
                                                                                            • String ID:
                                                                                            • API String ID: 118556049-0
                                                                                            • Opcode ID: 4a7e0aa971e9c18d460f3d63606fed0fdd4bc56cc13da704aad23d70c2080c39
                                                                                            • Instruction ID: 6687ec20b77dec97c90771c2cbe71989815263d1b8fcacfb2e06f2ee49a1853a
                                                                                            • Opcode Fuzzy Hash: 4a7e0aa971e9c18d460f3d63606fed0fdd4bc56cc13da704aad23d70c2080c39
                                                                                            • Instruction Fuzzy Hash: C3310A71E002045BE714AE6DD880A7EB7A4EF55324F24477FF865C7382D67899408759
                                                                                            Function 0044BAD0 Relevance: 1.6, APIs: 1, Instructions: 87COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 0044BBB3
                                                                                              • Part of subcall function 00434F80: ___std_exception_copy.LIBVCRUNTIME ref: 00434FF1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Concurrency::cancel_current_task___std_exception_copy
                                                                                            • String ID:
                                                                                            • API String ID: 1979911387-0
                                                                                            • Opcode ID: 14553861a0e6d344c6703ce135879dfe8084568f0dbccc5b703b736294f01183
                                                                                            • Instruction ID: f8cf7cd3dcf405c094d14d4edd2427269fc308b55f739c6c677f8adad7f52d2f
                                                                                            • Opcode Fuzzy Hash: 14553861a0e6d344c6703ce135879dfe8084568f0dbccc5b703b736294f01183
                                                                                            • Instruction Fuzzy Hash: 902126B1E006059BE7149F25D48166AB7A4EF15324F20036FE8258BB91E739FE90C7D6
                                                                                            Function 004BB697 Relevance: 1.6, APIs: 1, Instructions: 54COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: __wsopen_s
                                                                                            • String ID:
                                                                                            • API String ID: 3347428461-0
                                                                                            • Opcode ID: c0068bc3e55a3d1622d6bbbbb6d136ac2493d2630b2467d4896e3e7752e83962
                                                                                            • Instruction ID: 7232828ef0ab4ea1277fc9c55e8108ad49929c9e06a984f5114aae078e858d40
                                                                                            • Opcode Fuzzy Hash: c0068bc3e55a3d1622d6bbbbb6d136ac2493d2630b2467d4896e3e7752e83962
                                                                                            • Instruction Fuzzy Hash: B9113671A0010AAFCB05DF58E9819CF7BF4EF88304F00405AF808AB311D770D9118BA4
                                                                                            Function 00482930 Relevance: 1.5, APIs: 1, Instructions: 43networkCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • send.WS2_32(?,?,00000000), ref: 00482968
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: send
                                                                                            • String ID:
                                                                                            • API String ID: 2809346765-0
                                                                                            • Opcode ID: 2e230c4dbecb0c91bd7935fcc59657d459b7808623847299c78205d0fd7c7ba6
                                                                                            • Instruction ID: 15365ef676efcd120e403479619ae1d38f6ec3fc5171ce29fb9a7f72e5811cf6
                                                                                            • Opcode Fuzzy Hash: 2e230c4dbecb0c91bd7935fcc59657d459b7808623847299c78205d0fd7c7ba6
                                                                                            • Instruction Fuzzy Hash: 93F0B472302115AB83109A5DAD4096BF7DEDBCA7B0B2003A7FC2CC33E0E9618C0153D4
                                                                                            Function 0049C6A4 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • RtlAllocateHeap.NTDLL(00000008,0043FE48,00000001,?,00499445,00000001,00000364,00000001,00000006,000000FF,?,004AD408,0043FE4A,0043FE44,?), ref: 0049C6E5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocateHeap
                                                                                            • String ID:
                                                                                            • API String ID: 1279760036-0
                                                                                            • Opcode ID: 934b5854b3b2fba1ba84eb25d33e8f66ddb7b9c5617b0a1ffb822db2bfc3c07a
                                                                                            • Instruction ID: bf89d2d5fe5833ab0f4bff440cdb33f04d1e0b68cec02520bce29c64fa949510
                                                                                            • Opcode Fuzzy Hash: 934b5854b3b2fba1ba84eb25d33e8f66ddb7b9c5617b0a1ffb822db2bfc3c07a
                                                                                            • Instruction Fuzzy Hash: 82F0BE322852256BAF215B229D85B5B3F589B417E0F195037FC08EA290CE78EC008AEC
                                                                                            Function 00454E60 Relevance: 1.5, APIs: 1, Instructions: 38COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 00454EB2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Concurrency::cancel_current_task
                                                                                            • String ID:
                                                                                            • API String ID: 118556049-0
                                                                                            • Opcode ID: 78740692b221e79a9762ccbd46d7f188a31b2ad2167c780b1c1497364ca8ea36
                                                                                            • Instruction ID: 7ed3afec28be053f9a77c7416a11cc0d573f769e31c405d3d1c7fe45b1d11b08
                                                                                            • Opcode Fuzzy Hash: 78740692b221e79a9762ccbd46d7f188a31b2ad2167c780b1c1497364ca8ea36
                                                                                            • Instruction Fuzzy Hash: D3F0E9B11002080AA628D7A1950796F77C89EA036DB44453FE9058FA53E73DEDD9825D
                                                                                            Function 004406AD Relevance: 1.5, APIs: 1, Instructions: 36fileCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • FindNextFileW.KERNELBASE(00000000,?), ref: 004406F2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: FileFindNext
                                                                                            • String ID:
                                                                                            • API String ID: 2029273394-0
                                                                                            • Opcode ID: df8edaa59d5e1f82e8cad7747c6b34272b3092e2e70faf3eef711e3f2ee9bc11
                                                                                            • Instruction ID: a1ffe5c8ce5f1f1a4397a2b9345f76ae3c812c30bf0ac5870f9d4861cf5b4c4e
                                                                                            • Opcode Fuzzy Hash: df8edaa59d5e1f82e8cad7747c6b34272b3092e2e70faf3eef711e3f2ee9bc11
                                                                                            • Instruction Fuzzy Hash: 95015631A0625DDFEB20DFA4D988BAEBBB4EF14314F2040DAD909A7282C7346E04DF55
                                                                                            Function 0049D15A Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • RtlAllocateHeap.NTDLL(00000000,00000001,0043FE44,?,004AD408,0043FE4A,0043FE44,?,?,?,00434C2F,0043FE48,0043FE48), ref: 0049D18C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocateHeap
                                                                                            • String ID:
                                                                                            • API String ID: 1279760036-0
                                                                                            • Opcode ID: 7ee9b205990c537f360d36ea94f63206e53d45b0dbf15067b0b63116574bd50f
                                                                                            • Instruction ID: de2ad87b2feeaf860c8dfd974d012cc9eb33a1afe18dd843800594eb24cb3dbb
                                                                                            • Opcode Fuzzy Hash: 7ee9b205990c537f360d36ea94f63206e53d45b0dbf15067b0b63116574bd50f
                                                                                            • Instruction Fuzzy Hash: 08E0E533A0132166EF212BA6AD02B5B3E48CB513A0F190137EC18962C4CB28DC0082ED
                                                                                            Function 004A8D62 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prolog3
                                                                                            • String ID:
                                                                                            • API String ID: 431132790-0
                                                                                            • Opcode ID: 3aba680758f6379cc1f0e69a772bc6cab6bd8c88bcc4b04971677c60b68784ff
                                                                                            • Instruction ID: f589969de9c028132caa70972cc51c37c6bf7195d426b38a2c2fae52dece88af
                                                                                            • Opcode Fuzzy Hash: 3aba680758f6379cc1f0e69a772bc6cab6bd8c88bcc4b04971677c60b68784ff
                                                                                            • Instruction Fuzzy Hash: 71E09A76C4020D9ADB40DFD5C486BEFB7BCAB14304F50406BA205E6181EB7857448BE5
                                                                                            Function 004BC233 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • CreateFileW.KERNEL32(?,00000000,?,004BC623,?,?,00000000,?,004BC623,?,0000000C), ref: 004BC250
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateFile
                                                                                            • String ID:
                                                                                            • API String ID: 823142352-0
                                                                                            • Opcode ID: dd275b77e4c8549b8163696f0af87788398892aa77d507c51891a1137c56f0af
                                                                                            • Instruction ID: c65ff2ef24fd0563ec255788cd93a1d7270b85fbbbb51eec7110af243f851585
                                                                                            • Opcode Fuzzy Hash: dd275b77e4c8549b8163696f0af87788398892aa77d507c51891a1137c56f0af
                                                                                            • Instruction Fuzzy Hash: 05D06C3200010DBBDF028F84EC06FDA3BAAFB48714F018010BA1866020C732E821ABA4
                                                                                            Function 004B9AE2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetNativeSystemInfo.KERNEL32(?,?,?,00486DD6,?,?,?,5A06260C,?,?), ref: 004B9AEC
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: InfoNativeSystem
                                                                                            • String ID:
                                                                                            • API String ID: 1721193555-0
                                                                                            • Opcode ID: 19af6f8f66515c3ad7801cfde8998948d5a7d817498514074e40bdf49eb42b08
                                                                                            • Instruction ID: f88b8e15ca571a688dc5d535dfb7cb0f1e1a76fd2fb5174ce8f8aecae7ce3306
                                                                                            • Opcode Fuzzy Hash: 19af6f8f66515c3ad7801cfde8998948d5a7d817498514074e40bdf49eb42b08
                                                                                            • Instruction Fuzzy Hash: 0EC09B7490610E97CF00E7E5D94D88E77FCA608204F4004A1D551E3140E770FD45C795

                                                                                            Non-executed Functions

                                                                                            Function 0048A0A0 Relevance: 23.1, APIs: 10, Strings: 3, Instructions: 325nativelibraryloaderCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(ntdll.dll,NtDuplicateObject,5A06260C,?,?), ref: 0048A0F7
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0048A0FE
                                                                                            • OpenProcess.KERNEL32(00000040,00000000,00000000), ref: 0048A12A
                                                                                            • NtQuerySystemInformation.NTDLL ref: 0048A153
                                                                                            • NtQuerySystemInformation.NTDLL ref: 0048A178
                                                                                            • GetCurrentProcess.KERNEL32 ref: 0048A1FD
                                                                                            • NtQueryObject.NTDLL ref: 0048A22B
                                                                                            • GetFinalPathNameByHandleA.KERNEL32(00000000,00000000,00000104,00000000,00000104,?,00000104,00000000), ref: 0048A315
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0048A3E6
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0048A441
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Handle$Query$CloseInformationProcessSystem$AddressCurrentFinalModuleNameObjectOpenPathProc
                                                                                            • String ID: File$NtDuplicateObject$ntdll.dll
                                                                                            • API String ID: 2729825427-3955674919
                                                                                            • Opcode ID: 8320b73641bfe2fd6a36d39389df1be313783445bc61d84dd6fe8aca722285e2
                                                                                            • Instruction ID: 0800680efb81c18e2f896ca5fb1c4f1751909ec1a20682d0b449f1ef79601e33
                                                                                            • Opcode Fuzzy Hash: 8320b73641bfe2fd6a36d39389df1be313783445bc61d84dd6fe8aca722285e2
                                                                                            • Instruction Fuzzy Hash: C3C1DE71D00218AFEF10EFA4DC45BAEBBB5FF44704F14452AE801A7281E7B9AD45CB96
                                                                                            Function 00477EE0 Relevance: 18.3, APIs: 12, Instructions: 289COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • CoInitializeEx.OLE32(00000000,00000000,5A06260C,?,?), ref: 00477F5C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Initialize
                                                                                            • String ID:
                                                                                            • API String ID: 2538663250-0
                                                                                            • Opcode ID: eec43777c261d8a2dab22aea29dbdf31e886a527831d6dfb0425ac795999018e
                                                                                            • Instruction ID: d5989f67fd172e1006781f95ff6e7d6cbd1369fc69074948a5cb2319df95c689
                                                                                            • Opcode Fuzzy Hash: eec43777c261d8a2dab22aea29dbdf31e886a527831d6dfb0425ac795999018e
                                                                                            • Instruction Fuzzy Hash: 12D1F170D04288DBDB11CFA8D848BEDBBB0FF15314F14824AE508BB291DB796AC9DB55
                                                                                            Function 0047D2F0 Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 410COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                              • Part of subcall function 004517F0: Concurrency::cancel_current_task.LIBCPMT ref: 004518C2
                                                                                              • Part of subcall function 0044DCC0: std::ios_base::_Addstd.LIBCPMT ref: 0044DDEF
                                                                                              • Part of subcall function 00436640: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004366E9
                                                                                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0047D95A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: std::ios_base::_$Ios_base_dtor$AddstdConcurrency::cancel_current_task
                                                                                            • String ID: .cmd$.exe$.ps1$.vbs$.G$0hC$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+=-&^%$#@!(){}[},.;'$open$runas
                                                                                            • API String ID: 2154145882-3307477358
                                                                                            • Opcode ID: 6595408e174a39f32e18d343271d234c9a7f1da95b1be23f008c122fddbd1b18
                                                                                            • Instruction ID: f5ba6b163c3a98fee3f853caf05b9595179ad2eb3f8f0c36a39513699dfd7300
                                                                                            • Opcode Fuzzy Hash: 6595408e174a39f32e18d343271d234c9a7f1da95b1be23f008c122fddbd1b18
                                                                                            • Instruction Fuzzy Hash: 6A122770D00268DFDB20DF64CD85BDEBBB4AF19304F1481EAE849A7282DB755A84CF95
                                                                                            Function 0048A710 Relevance: 15.2, APIs: 10, Instructions: 215stringmemorynativeCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • RtlAcquirePebLock.NTDLL(5A06260C,00000000,00000000), ref: 0048A766
                                                                                            • NtAllocateVirtualMemory.NTDLL ref: 0048A78F
                                                                                            • lstrcpyW.KERNEL32(?), ref: 0048A7C6
                                                                                            • lstrcatW.KERNEL32(?), ref: 0048A8CD
                                                                                            • NtAllocateVirtualMemory.NTDLL ref: 0048A904
                                                                                            • lstrcpyW.KERNEL32(?), ref: 0048AA0F
                                                                                            • RtlInitUnicodeString.NTDLL(-00000037), ref: 0048AA28
                                                                                            • RtlInitUnicodeString.NTDLL(-0000003F), ref: 0048AA37
                                                                                            • LdrEnumerateLoadedModules.NTDLL(00000000,Function_0008A6B0,00000000), ref: 0048AA44
                                                                                            • RtlReleasePebLock.NTDLL ref: 0048AA4A
                                                                                              • Part of subcall function 00480F90: SHGetKnownFolderPath.SHELL32(004E05C0,00000000,00000000,?,5A06260C,?,?), ref: 0048101E
                                                                                              • Part of subcall function 00480F90: CoTaskMemFree.OLE32(?), ref: 004810DC
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocateInitLockMemoryStringUnicodeVirtuallstrcpy$AcquireEnumerateFolderFreeKnownLoadedModulesPathReleaseTasklstrcat
                                                                                            • String ID:
                                                                                            • API String ID: 573923072-0
                                                                                            • Opcode ID: 9f0bc586ea1a7da28060736a8c13b163a192ecd6657979f9a74a2ad2d362be03
                                                                                            • Instruction ID: 1d72f842e61e5ce7feef92d17fc1071c4f69874d6174494518bfda03acdacd70
                                                                                            • Opcode Fuzzy Hash: 9f0bc586ea1a7da28060736a8c13b163a192ecd6657979f9a74a2ad2d362be03
                                                                                            • Instruction Fuzzy Hash: D6B190B4D05268EFDB14CFA9D885A9DBBB5FF08314F10822AE825A7361DB346946CF44
                                                                                            Function 0047AE80 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 41COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • BCryptOpenAlgorithmProvider.BCRYPT(?,AES,00000000,00000000,00000001,?,0047AF9D,?,?,5A06260C), ref: 0047AE91
                                                                                            • BCryptSetProperty.BCRYPT(?,ChainingMode,ChainingModeGCM,00000020,00000000), ref: 0047AEAB
                                                                                            • BCryptGenerateSymmetricKey.BCRYPT(?,?,00000000,00000000,?,?,00000000), ref: 0047AECF
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Crypt$AlgorithmGenerateOpenPropertyProviderSymmetric
                                                                                            • String ID: AES$ChainingMode$ChainingModeGCM
                                                                                            • API String ID: 1692524283-1213888626
                                                                                            • Opcode ID: b81ac72cefcce56172d4d4bf7609f9087b605a60a83836cd33b6e41b4b4cf51e
                                                                                            • Instruction ID: 8d127e15825cd86a398cba4dadb085fb92217d3de15f733cf2195ed64ba2db48
                                                                                            • Opcode Fuzzy Hash: b81ac72cefcce56172d4d4bf7609f9087b605a60a83836cd33b6e41b4b4cf51e
                                                                                            • Instruction Fuzzy Hash: 1CF03031381710BBE7309E65AC4AFDB7BA8FB44F10F10492AFA41DA1D0D7A0F8559B5A
                                                                                            Function 0046B620 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 331COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 0046B7DA
                                                                                            • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 0046B81E
                                                                                            • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 0046B924
                                                                                            • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 0046B970
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ___std_fs_directory_iterator_advance@8
                                                                                            • String ID: .
                                                                                            • API String ID: 2610647541-248832578
                                                                                            • Opcode ID: 2e775b534ccb48514fa1d19158a196e6f147d360d3fd40777325cb8899fa8bdc
                                                                                            • Instruction ID: 99e23c5b304899c8ab8714ce46d423df57297e0934c6bc539a0dfe6d7ec6f1b4
                                                                                            • Opcode Fuzzy Hash: 2e775b534ccb48514fa1d19158a196e6f147d360d3fd40777325cb8899fa8bdc
                                                                                            • Instruction Fuzzy Hash: 77C1BF75A016269FCB20DF18C8847AAB3B5FF44314F14829AD915D7390EB39AD85CFC6
                                                                                            Function 00A43178 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,00A42B49,?,00000000), ref: 00A43211
                                                                                            • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,00A42B49,?,00000000), ref: 00A4323A
                                                                                            • GetACP.KERNEL32(?,?,00A42B49,?,00000000), ref: 00A4324F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979568826.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1979550299.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979590062.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979609661.0000000000A55000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979627356.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979644659.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979661972.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: InfoLocale
                                                                                            • String ID: ACP$OCP
                                                                                            • API String ID: 2299586839-711371036
                                                                                            • Opcode ID: 9ed6ee8dc8d25704b1d7263d6bdf93c44f2695e15696a3f032909470795970f4
                                                                                            • Instruction ID: d49d8a8879afe810d7751735bd993aaf06a6f69b8197ed2baf00ccd78099f4b7
                                                                                            • Opcode Fuzzy Hash: 9ed6ee8dc8d25704b1d7263d6bdf93c44f2695e15696a3f032909470795970f4
                                                                                            • Instruction Fuzzy Hash: 0221AC3B600101EADF348F68E905BEB73A6BFE4B51B268624E90AD7110E772DF41D350
                                                                                            Function 004A6109 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 004A61A2
                                                                                            • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 004A61CB
                                                                                            • GetACP.KERNEL32 ref: 004A61E0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: InfoLocale
                                                                                            • String ID: ACP$OCP
                                                                                            • API String ID: 2299586839-711371036
                                                                                            • Opcode ID: 83dfd683b9c94d176d38183288480b868ca78ec3c44069a2c66a1e4373e54840
                                                                                            • Instruction ID: 02a1f9ff6d074017cf30d732e6d651dacf3b6180dce544ba7b26bbdffeda2481
                                                                                            • Opcode Fuzzy Hash: 83dfd683b9c94d176d38183288480b868ca78ec3c44069a2c66a1e4373e54840
                                                                                            • Instruction Fuzzy Hash: 14217731B00101A6DB348F54C901A9BBBA7EB76B54B5F8466E909D7302EB36DE41C358
                                                                                            Function 00A42A13 Relevance: 7.7, APIs: 5, Instructions: 182COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetUserDefaultLCID.KERNEL32 ref: 00A42B1B
                                                                                            • IsValidCodePage.KERNEL32(00000000), ref: 00A42B59
                                                                                            • IsValidLocale.KERNEL32(?,00000001), ref: 00A42B6C
                                                                                            • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00A42BB4
                                                                                            • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00A42BCF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979568826.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1979550299.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979590062.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979609661.0000000000A55000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979627356.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979644659.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979661972.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: Locale$InfoValid$CodeDefaultPageUser
                                                                                            • String ID:
                                                                                            • API String ID: 3475089800-0
                                                                                            • Opcode ID: 5f8576cc40f2f856cf334241ed765f2661259ec3b98ecceb1b0590a86fbf1c7e
                                                                                            • Instruction ID: 2cebb25d7463f3634f39af6a6a6aa76e843fd3dbde9a79f0f32dd0ad6eecd653
                                                                                            • Opcode Fuzzy Hash: 5f8576cc40f2f856cf334241ed765f2661259ec3b98ecceb1b0590a86fbf1c7e
                                                                                            • Instruction Fuzzy Hash: FE517D76A00215AFDF21DFA4CC85BAE77B8FF94740F854469F900EB190EBB09A45CB61
                                                                                            Function 004A62E5 Relevance: 7.7, APIs: 5, Instructions: 182COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                              • Part of subcall function 004992A7: GetLastError.KERNEL32(00000000,?,004A2D01), ref: 004992AB
                                                                                              • Part of subcall function 004992A7: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 0049934D
                                                                                            • GetUserDefaultLCID.KERNEL32 ref: 004A63ED
                                                                                            • IsValidCodePage.KERNEL32(00000000), ref: 004A642B
                                                                                            • IsValidLocale.KERNEL32(?,00000001), ref: 004A643E
                                                                                            • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004A6486
                                                                                            • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 004A64A1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                            • String ID:
                                                                                            • API String ID: 415426439-0
                                                                                            • Opcode ID: 478fc60fa90a9ec9e197162e05efa7e840982a7b058c794a341e424fb9183a7c
                                                                                            • Instruction ID: c25bf07a23f3a9ec008bfe0b344d9b34e57977eb2ee5f51d57588e3c0d66081e
                                                                                            • Opcode Fuzzy Hash: 478fc60fa90a9ec9e197162e05efa7e840982a7b058c794a341e424fb9183a7c
                                                                                            • Instruction Fuzzy Hash: B351C031A00205ABDF10DFA5CC41AAF77B8BF2A700F09446BF905EB2C0D778D9058B68
                                                                                            Function 00A31614 Relevance: 7.7, APIs: 5, Instructions: 171fileCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                              • Part of subcall function 00A31098: _strlen.LIBCMT ref: 00A310F9
                                                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 00A31685
                                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00A316AB
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00A316BA
                                                                                            • _strlen.LIBCMT ref: 00A31705
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00A31805
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979568826.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1979550299.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979590062.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979609661.0000000000A55000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979627356.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979644659.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979661972.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseFileHandle_strlen$ReadSize
                                                                                            • String ID:
                                                                                            • API String ID: 1490117831-0
                                                                                            • Opcode ID: 116069594b6fc95415f3dcd476c2b37170055dde59227a07d4f1e578bc125763
                                                                                            • Instruction ID: 2e38e665e5b47aa0eedbf0a5f945e2f571f6a7968a065f1aae7265b06cbbbeda
                                                                                            • Opcode Fuzzy Hash: 116069594b6fc95415f3dcd476c2b37170055dde59227a07d4f1e578bc125763
                                                                                            • Instruction Fuzzy Hash: 4251FEB29043009BD700EF24DC85B2EBBE5FF88354F154A2DF88997252EB34E9458B62
                                                                                            Function 00497B2D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000001), ref: 00497C25
                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000001), ref: 00497C2F
                                                                                            • UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000001), ref: 00497C3C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                            • String ID: /LC
                                                                                            • API String ID: 3906539128-2135541996
                                                                                            • Opcode ID: ba9b98a76fbca1403476e1f0242b14846ec85a4183b9da3279bb0f6910b30b28
                                                                                            • Instruction ID: bfbf58602b6ed5b9f74246d621f9e13e9ead8f3e4535d75d7aa199c35e3273ea
                                                                                            • Opcode Fuzzy Hash: ba9b98a76fbca1403476e1f0242b14846ec85a4183b9da3279bb0f6910b30b28
                                                                                            • Instruction Fuzzy Hash: 3231D274901229ABCB21DF65DC8878DBBB8BF18710F5041EAE40CA7250E7349F858F48
                                                                                            Function 00493800 Relevance: 6.5, APIs: 4, Instructions: 455COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4ea11f6e400efd71b53824ee55fa65b6dac5785e4ad25e6ab9d2c54b6af7400f
                                                                                            • Instruction ID: d1eb0eda3f30262f0aa428ac7e9151949e9d9ef7bd25f7153de96db8ebdefec9
                                                                                            • Opcode Fuzzy Hash: 4ea11f6e400efd71b53824ee55fa65b6dac5785e4ad25e6ab9d2c54b6af7400f
                                                                                            • Instruction Fuzzy Hash: DB023C71E002199BDF14CFA9C9806AEFBF1FF89315F24826AE519E7341D735AE018B94
                                                                                            Function 00498574 Relevance: 6.1, APIs: 4, Instructions: 82memoryCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0049859D
                                                                                            • GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 004985B1
                                                                                            • VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004,?,?,?,0000001C), ref: 00498602
                                                                                            • VirtualProtect.KERNEL32(?,-00000001,00000104,?,?,?,0000001C), ref: 00498617
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Virtual$AllocInfoProtectQuerySystem
                                                                                            • String ID:
                                                                                            • API String ID: 3562403962-0
                                                                                            • Opcode ID: 4e29c64980591c23c9d6474b97963c5f1eeeaad4aec7d0b9861b07a888b65890
                                                                                            • Instruction ID: 57c86550534b148c15952eeeaf39776b02a492ab104de77fe61266457f658886
                                                                                            • Opcode Fuzzy Hash: 4e29c64980591c23c9d6474b97963c5f1eeeaad4aec7d0b9861b07a888b65890
                                                                                            • Instruction Fuzzy Hash: 91217C72E00119ABCF20DFA9DD85AEFBBB8EF45754F05017AE905E7140EA349D04C794
                                                                                            Function 00A35020 Relevance: 6.1, APIs: 4, Instructions: 70COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00A3502C
                                                                                            • IsDebuggerPresent.KERNEL32 ref: 00A350F8
                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A35111
                                                                                            • UnhandledExceptionFilter.KERNEL32(?), ref: 00A3511B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979568826.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1979550299.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979590062.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979609661.0000000000A55000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979627356.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979644659.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979661972.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                            • String ID:
                                                                                            • API String ID: 254469556-0
                                                                                            • Opcode ID: 1768d5ac103420a924d1a2497add70d71a90f1434368e2737eb0c63f64da00ca
                                                                                            • Instruction ID: 4953d4b3119afa4e89db6d2a5ecc32b39971cca95b1f42260a7eef8620979f4b
                                                                                            • Opcode Fuzzy Hash: 1768d5ac103420a924d1a2497add70d71a90f1434368e2737eb0c63f64da00ca
                                                                                            • Instruction Fuzzy Hash: 173114B5D053289BDF21EFA4D9497CDBBB8BF08340F1041AAE40DAB250EB719B858F44
                                                                                            Function 004AC6BF Relevance: 6.1, APIs: 4, Instructions: 70COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 004AC6CB
                                                                                            • IsDebuggerPresent.KERNEL32 ref: 004AC797
                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004AC7B0
                                                                                            • UnhandledExceptionFilter.KERNEL32(?), ref: 004AC7BA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                            • String ID:
                                                                                            • API String ID: 254469556-0
                                                                                            • Opcode ID: 1a5f2cb74b25642d18f707c0b6da8939d9b46288bf323feffe580c9d32bdbba1
                                                                                            • Instruction ID: 70dc3419eb2b6db1900c7bd06373213fcab329736da06f39ceabfcfe7a7444e5
                                                                                            • Opcode Fuzzy Hash: 1a5f2cb74b25642d18f707c0b6da8939d9b46288bf323feffe580c9d32bdbba1
                                                                                            • Instruction Fuzzy Hash: E1314A75C012189BDF21DF61DC897CEBBB8BF18700F1041AAE40DAB250E7759A84CF48
                                                                                            Function 0043D4A0 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 725COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: content$filename
                                                                                            • API String ID: 0-474635906
                                                                                            • Opcode ID: b66f7423e610c841824d5b72251d930196416b83facb86d1c8f8609f3cb58a8b
                                                                                            • Instruction ID: d087ffba84baf14db51f89a037efaf3a0efd4671473d6540ebf1f333b1c0f3d3
                                                                                            • Opcode Fuzzy Hash: b66f7423e610c841824d5b72251d930196416b83facb86d1c8f8609f3cb58a8b
                                                                                            • Instruction Fuzzy Hash: 5392EEB0C052AC9BDB66DF68D9857DDBBB4AF18308F1441DAE80CA7252EB741B84CF45
                                                                                            Function 004B824D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32windowCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,00000000,00000002,?,?,00435B2A,?,?), ref: 004B8261
                                                                                            • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000,?,?,00435B2A,?,?), ref: 004B8288
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: FormatInfoLocaleMessage
                                                                                            • String ID: !x-sys-default-locale
                                                                                            • API String ID: 4235545615-2729719199
                                                                                            • Opcode ID: 84205eb8d4b061531bed3096fe064d3d6fd842fcad4d2f7a7c64ada32d2dc388
                                                                                            • Instruction ID: 4f66f40a8a4f046c7b0032d4e1a4b833dd41128cf422eed9181fa496fdef01a0
                                                                                            • Opcode Fuzzy Hash: 84205eb8d4b061531bed3096fe064d3d6fd842fcad4d2f7a7c64ada32d2dc388
                                                                                            • Instruction Fuzzy Hash: 1AF030B5511108FFEF089BD5DC0EEEB77ACEB09394F10416AB501D6150E6B0AE00D778
                                                                                            Function 00A3123B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 85encryptionCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • CryptContextAddRef.ADVAPI32(00000000,00000000,00000000), ref: 00A312C7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979568826.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1979550299.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979590062.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979609661.0000000000A55000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979627356.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979644659.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979661972.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ContextCrypt
                                                                                            • String ID: [+]
                                                                                            • API String ID: 3075001677-4228040803
                                                                                            • Opcode ID: 2f755d89029a6b5e1b040ecaff60019269738b6030ad02bdcef24161bb0436a0
                                                                                            • Instruction ID: 29ff27674052fe35efbbc13f7f1f392d897bca75ae7c9326b9f6ecf994580a08
                                                                                            • Opcode Fuzzy Hash: 2f755d89029a6b5e1b040ecaff60019269738b6030ad02bdcef24161bb0436a0
                                                                                            • Instruction Fuzzy Hash: 2331093150C3804FD716AB74A8997EBBBD0BFBD318F18097DE8C987243D1615446CB62
                                                                                            Function 0047AAE0 Relevance: 3.2, APIs: 2, Instructions: 249COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7a5cc1d22bd71ddba461825bf1e5a719f52907f0f441b03632678b65b188f3f2
                                                                                            • Instruction ID: 33f7787d24f7b6ada88b2ec4e837cc4b10ca5ac34968b166931d9a07c874724e
                                                                                            • Opcode Fuzzy Hash: 7a5cc1d22bd71ddba461825bf1e5a719f52907f0f441b03632678b65b188f3f2
                                                                                            • Instruction Fuzzy Hash: 21B1A170D04249DFDB10CFA4C884BEEBBB5FF89304F20825AD505AB381D778A984CB96
                                                                                            Function 00440B60 Relevance: 3.1, APIs: 2, Instructions: 137encryptionCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,00000001,?), ref: 00440BFA
                                                                                            • LocalFree.KERNEL32(?,00000000), ref: 00440C8E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CryptDataFreeLocalUnprotect
                                                                                            • String ID:
                                                                                            • API String ID: 1561624719-0
                                                                                            • Opcode ID: 691253dd090d0692abb79b75d9c07df8674f2c8687ba40f9476d8420fea36caa
                                                                                            • Instruction ID: f58a043fe36a424058588bce6ee5e9d112fd586f94ce921f9f6943f9dc7e0036
                                                                                            • Opcode Fuzzy Hash: 691253dd090d0692abb79b75d9c07df8674f2c8687ba40f9476d8420fea36caa
                                                                                            • Instruction Fuzzy Hash: 68517E70D00249DBEB00CFA9C8457DEFBB4FF14308F14821AE8547B281D7B96A48CBA5
                                                                                            Function 0047A950 Relevance: 3.1, APIs: 2, Instructions: 119encryptionCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • CryptProtectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0047A9B8
                                                                                            • LocalFree.KERNEL32(?,00000000), ref: 0047AA4F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CryptDataFreeLocalProtect
                                                                                            • String ID:
                                                                                            • API String ID: 2714945720-0
                                                                                            • Opcode ID: 1650d13529f5b5e644ab9d1fc943a2e59ee628ce821009b7a4047a2a1a045cf0
                                                                                            • Instruction ID: 6fc12887242d51354b1d4be44c56afc8010d77d5c64fcd5971483ececb25fb38
                                                                                            • Opcode Fuzzy Hash: 1650d13529f5b5e644ab9d1fc943a2e59ee628ce821009b7a4047a2a1a045cf0
                                                                                            • Instruction Fuzzy Hash: 7351BF70D00249EBEB00CFA5D945BDEFBB4FF54308F10821AE81077281D7B96A58CBA5
                                                                                            Function 0047AE10 Relevance: 1.5, APIs: 1, Instructions: 33COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • BCryptCloseAlgorithmProvider.BCRYPT(?,00000000,5A06260C,?,?,?,004CB69D,000000FF), ref: 0047AE4A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AlgorithmCloseCryptProvider
                                                                                            • String ID:
                                                                                            • API String ID: 3378198380-0
                                                                                            • Opcode ID: ba7b4d00b8746e9ab6913010367bb35a0b16d4da032a75110d36ee2580577608
                                                                                            • Instruction ID: 7a92f9e53ad6301b38de286dc83f6de03fbb372fed7888f050c821ed69dc0e63
                                                                                            • Opcode Fuzzy Hash: ba7b4d00b8746e9ab6913010367bb35a0b16d4da032a75110d36ee2580577608
                                                                                            • Instruction Fuzzy Hash: B1F06D71A44618ABD720CF58DC05B9AB7F8EB04B20F10476FE821A37C0D779A9008B94
                                                                                            Function 00477B00 Relevance: 31.7, APIs: 21, Instructions: 230processCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,5A06260C,?,?), ref: 00477B54
                                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 00477BB9
                                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 00477BE0
                                                                                            • OpenProcess.KERNEL32(00000400,00000000,?), ref: 00477BFD
                                                                                            • OpenProcessToken.ADVAPI32(00000000,0000000E,?), ref: 00477C2A
                                                                                            • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00477C4D
                                                                                            • GetLastError.KERNEL32 ref: 00477C5B
                                                                                            • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00477C9C
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00477CA7
                                                                                            • CloseHandle.KERNEL32(?), ref: 00477CAF
                                                                                            • CloseHandle.KERNEL32(?), ref: 00477E29
                                                                                            • Process32NextW.KERNEL32(?,0000022C), ref: 00477E39
                                                                                            • CloseHandle.KERNEL32(?), ref: 00477E62
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00477E65
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00477E84
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandle$Process32Token$InformationNextOpenProcess$CreateErrorFirstLastSnapshotToolhelp32
                                                                                            • String ID:
                                                                                            • API String ID: 1236848392-0
                                                                                            • Opcode ID: 8196f859269c8a2d89c48d56fc566d1cdbd904d5535603d3da99df98a23cf43e
                                                                                            • Instruction ID: 454ab3ae29a80d327a78c61064fadb2005c2365cc5293efb4604dbbba27fe465
                                                                                            • Opcode Fuzzy Hash: 8196f859269c8a2d89c48d56fc566d1cdbd904d5535603d3da99df98a23cf43e
                                                                                            • Instruction Fuzzy Hash: F6A15B709052189FDF219F24DC89BAEBBB8EF44700F5441EAE90CA2250EB359E84DF59
                                                                                            Function 0044E020 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 0044E070
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 0044E092
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 0044E0BA
                                                                                            • std::_Facet_Register.LIBCPMT ref: 0044E1D0
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 0044E1FA
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                                            • String ID: cC$`aC$p]C
                                                                                            • API String ID: 459529453-2177106863
                                                                                            • Opcode ID: a449d14724036c8b5d7dcc6e3f8f606a5f6c47b464cfe817b38abf7381c673d4
                                                                                            • Instruction ID: 1ff138599dd9b712ad814e44402e9ca08be03e0a2a2e3ebe43d51928b08ed38c
                                                                                            • Opcode Fuzzy Hash: a449d14724036c8b5d7dcc6e3f8f606a5f6c47b464cfe817b38abf7381c673d4
                                                                                            • Instruction Fuzzy Hash: 99518BB0D00259DBEB10CF99C8457AEBBB4FB18314F24815ED811AB381DB79AA44CBA5
                                                                                            Function 004AAEF3 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,004AA85F), ref: 004AAF0C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: DecodePointer
                                                                                            • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                            • API String ID: 3527080286-3064271455
                                                                                            • Opcode ID: 74ba9069d7c1eb0fdfb04e1fac74ca4f81e2e7f03cc06b4bb9d653b05ebe1574
                                                                                            • Instruction ID: 58aec3622616389bffb488f30e5ac45d5b57ecd31d6a71103e59991c775c814d
                                                                                            • Opcode Fuzzy Hash: 74ba9069d7c1eb0fdfb04e1fac74ca4f81e2e7f03cc06b4bb9d653b05ebe1574
                                                                                            • Instruction Fuzzy Hash: BE516C7090860ACFCF148F58D9481AFBFB0FB66300F558187E4A1A6355C7BD8966CB9A
                                                                                            Function 00452250 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 135COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 0045228D
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004522AF
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004522D7
                                                                                            • __Getcoll.LIBCPMT ref: 0045239F
                                                                                            • std::_Facet_Register.LIBCPMT ref: 004523EB
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00452415
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcollRegister
                                                                                            • String ID: `aC$p]C
                                                                                            • API String ID: 1184649410-1363152631
                                                                                            • Opcode ID: bcac19400a142c5d17f9bc7acd982912d16d1a9c65db466b0de63643df1b93e3
                                                                                            • Instruction ID: 568a7e1164ae6cef3cf0599e82aad122ccc02b6897634e5ab4797aad8f19cd87
                                                                                            • Opcode Fuzzy Hash: bcac19400a142c5d17f9bc7acd982912d16d1a9c65db466b0de63643df1b93e3
                                                                                            • Instruction Fuzzy Hash: 49518B70800208DFDB01DF95C9457DEBBB4FF55318F24815ED805AB282DBB9AE49CBA9
                                                                                            Function 00450EF0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 130COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 00450F2D
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 00450F4F
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00450F77
                                                                                            • std::_Facet_Register.LIBCPMT ref: 00451071
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 0045109B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                                            • String ID: PbC$`aC$p]C
                                                                                            • API String ID: 459529453-2418293346
                                                                                            • Opcode ID: c487c9fa1e9afb87366c1b148d14351f87e6f3e89ddbdc8a1e0c3778002b8b72
                                                                                            • Instruction ID: e392c769357d74c7cb0e8da2cb70d10442ea48cde3856dc7faeb71697ce32a0a
                                                                                            • Opcode Fuzzy Hash: c487c9fa1e9afb87366c1b148d14351f87e6f3e89ddbdc8a1e0c3778002b8b72
                                                                                            • Instruction Fuzzy Hash: 9A519E71900249DFDF20CF99C5417AEBBB0FB14318F24845ED805AB382D7B9AE49CB95
                                                                                            Function 004AFE4C Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 303COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • type_info::operator==.LIBVCRUNTIME ref: 004AFF6B
                                                                                            • ___TypeMatch.LIBVCRUNTIME ref: 004B0079
                                                                                            • CallUnexpected.LIBVCRUNTIME ref: 004B01E6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CallMatchTypeUnexpectedtype_info::operator==
                                                                                            • String ID: <fM$csm$csm$csm
                                                                                            • API String ID: 1206542248-3599101812
                                                                                            • Opcode ID: aaac5c7749a7aa866996bcb2d51d73d9b1fe5293335fd4c63eebf0a3ecf9d180
                                                                                            • Instruction ID: 5ce913a956d0af8773c3ee17d9b542f15401108c10c26080aa375b564815456b
                                                                                            • Opcode Fuzzy Hash: aaac5c7749a7aa866996bcb2d51d73d9b1fe5293335fd4c63eebf0a3ecf9d180
                                                                                            • Instruction Fuzzy Hash: DBB19B71800209EFCF18DFA5C8809EFB7B5FF25315B10816BE8056B212D779DA15CBA9
                                                                                            Function 0047CF70 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 162COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 0047D113
                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 0047D118
                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 0047D11D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Concurrency::cancel_current_task
                                                                                            • String ID: `aC$false$p]C$true
                                                                                            • API String ID: 118556049-4224333681
                                                                                            • Opcode ID: 226f2742ad4bb82513da97dc0ea37b247d6440e1a842af39628b989b3fbf377a
                                                                                            • Instruction ID: 10a02a47a4876ff195f080d04569540bf2a908c30d6efafbe52ebceab6b25fd0
                                                                                            • Opcode Fuzzy Hash: 226f2742ad4bb82513da97dc0ea37b247d6440e1a842af39628b989b3fbf377a
                                                                                            • Instruction Fuzzy Hash: 73510871910745DBDB20DF65C801B9EBBF4EF04718F20862FE815A7781E7BAAA04CB95
                                                                                            Function 0047C6C0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 128COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 0047C6FD
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 0047C71F
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 0047C747
                                                                                            • std::_Facet_Register.LIBCPMT ref: 0047C834
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 0047C85E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                                            • String ID: `aC$p]C
                                                                                            • API String ID: 459529453-1363152631
                                                                                            • Opcode ID: e866effaa90865aaaa30be5826de822518346297a390443dd29a39b403041da2
                                                                                            • Instruction ID: 399bbb442a0c6c40ac274560e971594f6ebfe9651e6100c107b7a0aaef0602e2
                                                                                            • Opcode Fuzzy Hash: e866effaa90865aaaa30be5826de822518346297a390443dd29a39b403041da2
                                                                                            • Instruction Fuzzy Hash: 2C517A71900249DFDB15CF99C580BEEBBB4EB15318F24805ED409AB381DB79AE09CF95
                                                                                            Function 0047D190 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99networkfileCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • InternetOpenW.WININET(File Downloader,00000001,00000000,00000000,00000000), ref: 0047D22D
                                                                                            • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 0047D256
                                                                                            • InternetReadFile.WININET(00000000,?,00001000,00000000), ref: 0047D27C
                                                                                            • InternetReadFile.WININET(00000000,?,00001000,00000000), ref: 0047D2B2
                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0047D2B9
                                                                                            • InternetCloseHandle.WININET(?), ref: 0047D2C5
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Internet$CloseFileHandleOpenRead
                                                                                            • String ID: File Downloader
                                                                                            • API String ID: 4038090926-3631955488
                                                                                            • Opcode ID: 811208fdf33a36e9be3e42b468326af56e319a1deb0617af28b90d4cff8a8570
                                                                                            • Instruction ID: 638e9360adee8abd238f5bb9f06079602c51a7af3a4d5d450420b7b82b1eb562
                                                                                            • Opcode Fuzzy Hash: 811208fdf33a36e9be3e42b468326af56e319a1deb0617af28b90d4cff8a8570
                                                                                            • Instruction Fuzzy Hash: 5B318370A01655ABD730CF55CC45BEAB7B8EF44700F1041AAF549E7290DBB8AE84DFA8
                                                                                            Function 00A4A222 Relevance: 12.2, APIs: 8, Instructions: 248COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979568826.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1979550299.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979590062.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979609661.0000000000A55000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979627356.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979644659.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979661972.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: __freea$__alloca_probe_16$Info
                                                                                            • String ID:
                                                                                            • API String ID: 127012223-0
                                                                                            • Opcode ID: d33247f74f328ecbfc3c7d07e6dc1eefba42e9fa168c9a7b6d43e5e5d589b150
                                                                                            • Instruction ID: 50474bbc6f56ac8646396bf24752b5c67265841b5fa4f15ce352197a04af6547
                                                                                            • Opcode Fuzzy Hash: d33247f74f328ecbfc3c7d07e6dc1eefba42e9fa168c9a7b6d43e5e5d589b150
                                                                                            • Instruction Fuzzy Hash: 64710B7AE402059BDF219FA4CD45BEF7BBA9FE5310F244055F904AB281E7B5DC408762
                                                                                            Function 004B9D99 Relevance: 12.2, APIs: 8, Instructions: 225COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetCPInfo.KERNEL32(?,?), ref: 004B9E24
                                                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 004B9EB0
                                                                                            • __alloca_probe_16.LIBCMT ref: 004B9EDA
                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004B9F1B
                                                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 004B9F37
                                                                                            • __alloca_probe_16.LIBCMT ref: 004B9F5D
                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004B9F9A
                                                                                            • CompareStringEx.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000), ref: 004B9FB7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ByteCharMultiWide$__alloca_probe_16$CompareInfoString
                                                                                            • String ID:
                                                                                            • API String ID: 3603178046-0
                                                                                            • Opcode ID: 3ce074e6bcc7f87e0e4de1f7dc2ca851322fbe0f14b3b5897e042b4e817243f3
                                                                                            • Instruction ID: 05f54580d30f9e3720c8b3961695daa3f0f937b9c5610d8c2bd80885558d9d7b
                                                                                            • Opcode Fuzzy Hash: 3ce074e6bcc7f87e0e4de1f7dc2ca851322fbe0f14b3b5897e042b4e817243f3
                                                                                            • Instruction Fuzzy Hash: 7871AE3290021AABDF219F65CC85BFF7BB9AF05724F18405BEA04E6291D7398C40C7B9
                                                                                            Function 00A354C5 Relevance: 12.2, APIs: 8, Instructions: 177COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 00A3550C
                                                                                            • __alloca_probe_16.LIBCMT ref: 00A35538
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 00A35577
                                                                                            • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A35594
                                                                                            • LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00A355D3
                                                                                            • __alloca_probe_16.LIBCMT ref: 00A355F0
                                                                                            • LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00A35632
                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00A35655
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979568826.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1979550299.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979590062.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979609661.0000000000A55000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979627356.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979644659.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979661972.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                                                                            • String ID:
                                                                                            • API String ID: 2040435927-0
                                                                                            • Opcode ID: a2b27fabeef5acb7b9a8ae4aced18095b61f1f3b18c7a35b1fe1784743b972b3
                                                                                            • Instruction ID: e8df6e1eb66534cdddaeb6c0e242295024abf26a5a4b0cf48a0f5a39e34e07ae
                                                                                            • Opcode Fuzzy Hash: a2b27fabeef5acb7b9a8ae4aced18095b61f1f3b18c7a35b1fe1784743b972b3
                                                                                            • Instruction Fuzzy Hash: BF519172E00606AFEF209FB8CC46FBA7BBAEF80790F594425F905A6150D731DD118B90
                                                                                            Function 004B9AF7 Relevance: 12.2, APIs: 8, Instructions: 175COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 004B9B40
                                                                                            • __alloca_probe_16.LIBCMT ref: 004B9B6C
                                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 004B9BAB
                                                                                            • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004B9BC8
                                                                                            • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004B9C07
                                                                                            • __alloca_probe_16.LIBCMT ref: 004B9C24
                                                                                            • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004B9C66
                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 004B9C89
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                                                                            • String ID:
                                                                                            • API String ID: 2040435927-0
                                                                                            • Opcode ID: 127654da753590042b08ac6595405d01716cfec311436dda6d72091204f46cc9
                                                                                            • Instruction ID: 0cb7a2a667138b596a59e049b57baa22d652deda395932da07ab0cb8239329c9
                                                                                            • Opcode Fuzzy Hash: 127654da753590042b08ac6595405d01716cfec311436dda6d72091204f46cc9
                                                                                            • Instruction Fuzzy Hash: A151BF7250020AABEF219F65CC44FEB7FB9EF50740F24412AFA05A6260D7399C11CB68
                                                                                            Function 00489F30 Relevance: 12.1, APIs: 8, Instructions: 134COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32(?,?), ref: 00489F4B
                                                                                            • GetProcessId.KERNEL32(00000000), ref: 00489F52
                                                                                            • RmStartSession.RSTRTMGR(?,00000041,?), ref: 00489F76
                                                                                            • RmRegisterResources.RSTRTMGR(?,00000001,?,00000000,00000000,00000000,00000000), ref: 00489F91
                                                                                            • RmGetList.RSTRTMGR(?,?,?,00000003,?), ref: 00489FD4
                                                                                            • RmGetList.RSTRTMGR(?,?,?,00000000,?), ref: 0048A020
                                                                                            • RmEndSession.RSTRTMGR(?), ref: 0048A04A
                                                                                            • RmEndSession.RSTRTMGR(?), ref: 0048A07A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Session$ListProcess$CurrentRegisterResourcesStart
                                                                                            • String ID:
                                                                                            • API String ID: 3299295986-0
                                                                                            • Opcode ID: c8fc720c6df2cefa911e5ab8bfb66f499295b1f9aa4f52cb019436ebaefd8700
                                                                                            • Instruction ID: 0c548674b0cea8079c7009f79d794e669f8d4684f59b10cf2f6688a8c9d6d6ed
                                                                                            • Opcode Fuzzy Hash: c8fc720c6df2cefa911e5ab8bfb66f499295b1f9aa4f52cb019436ebaefd8700
                                                                                            • Instruction Fuzzy Hash: A7417971E011589BEF10AFE4DC44AEEBBBCEB45300F14412BE902EB254EB7A9C058B95
                                                                                            Function 00473B90 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 333COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 00473D56
                                                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 00473D73
                                                                                              • Part of subcall function 004AFA0C: RaiseException.KERNEL32(E06D7363,00000001,00000003,0043FE44,?,?,?,004B9080,0043FE44,00513AB0,?,0043FE44,?,?,0000000C,5A06260C), ref: 004AFA6C
                                                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 00473FC0
                                                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 00473FDD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ___std_exception_destroy$ExceptionRaise
                                                                                            • String ID: MC$value
                                                                                            • API String ID: 299339551-3840657116
                                                                                            • Opcode ID: fad894e6791b73173a90b46eb5f7d570fcfb30b2d17f717ef1dd9171332bf87e
                                                                                            • Instruction ID: 838f8dd16b3ea7f4eeb45613560c02c2ef3b01355b1a5592379bf0a45a67ceab
                                                                                            • Opcode Fuzzy Hash: fad894e6791b73173a90b46eb5f7d570fcfb30b2d17f717ef1dd9171332bf87e
                                                                                            • Instruction Fuzzy Hash: 31F15A70C05298DEEB20DB65C954BDEFBB4AF19304F1482DAD44963282E7746B88CF96
                                                                                            Function 00A361E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00A36217
                                                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 00A3621F
                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00A362A8
                                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00A362D3
                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00A36328
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979568826.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1979550299.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979590062.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979609661.0000000000A55000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979627356.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979644659.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979661972.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                            • String ID: csm
                                                                                            • API String ID: 1170836740-1018135373
                                                                                            • Opcode ID: f380553b7c01ebdaf6049ad25608e816263731a03584027a791230cbd7b820b7
                                                                                            • Instruction ID: 747edec0d50c29a3d518d976d6a3b9bcc08ec68398f312da59d32a8e17c022c8
                                                                                            • Opcode Fuzzy Hash: f380553b7c01ebdaf6049ad25608e816263731a03584027a791230cbd7b820b7
                                                                                            • Instruction Fuzzy Hash: BA418F34E00218ABCF10DFA8C885ADEBBB5FF49324F15C555F9189B392D771AA06CB91
                                                                                            Function 004AD600 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • _ValidateLocalCookies.LIBCMT ref: 004AD637
                                                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 004AD63F
                                                                                            • _ValidateLocalCookies.LIBCMT ref: 004AD6C8
                                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 004AD6F3
                                                                                            • _ValidateLocalCookies.LIBCMT ref: 004AD748
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                            • String ID: csm
                                                                                            • API String ID: 1170836740-1018135373
                                                                                            • Opcode ID: 255d3a1bd88e468a9ea08ee1f7f85cdc8f29e10e22a0162dea8eb7e65443c785
                                                                                            • Instruction ID: fca86a332ffc7d642b39a5fdc798139505592cae81a3a9a41e25a428a24f43dc
                                                                                            • Opcode Fuzzy Hash: 255d3a1bd88e468a9ea08ee1f7f85cdc8f29e10e22a0162dea8eb7e65443c785
                                                                                            • Instruction Fuzzy Hash: 2741D834E002089BCF10DF69C880A9E7BB5BF66318F14815BE81A5B752D739EA01CF95
                                                                                            Function 00A3F469 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • FreeLibrary.KERNEL32(00000000,?,00A3F578,00A3186A,?,00000000,00A331E1,00A3186C,?,00A3F1F6,00000022,FlsSetValue,00A4DFE0,00A4DFE8,00A331E1), ref: 00A3F52A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979568826.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1979550299.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979590062.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979609661.0000000000A55000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979627356.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979644659.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979661972.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: FreeLibrary
                                                                                            • String ID: api-ms-$ext-ms-
                                                                                            • API String ID: 3664257935-537541572
                                                                                            • Opcode ID: e76c3dd61ae6f929b1cf38d4197032f9c587e462863fff09c47465610e8776af
                                                                                            • Instruction ID: 050bd25531daedaa5f609857a28c1faf6d2fd30404c506762cae1b1391f3f110
                                                                                            • Opcode Fuzzy Hash: e76c3dd61ae6f929b1cf38d4197032f9c587e462863fff09c47465610e8776af
                                                                                            • Instruction Fuzzy Hash: 4521A576E12311AFCF21DFA5EC45A5B7768AB817A5F244131FD16A7290E730EE01C6D0
                                                                                            Function 0049C8FA Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • FreeLibrary.KERNEL32(00000000,?,0049CA09,0043FE48,00434C2F,00000000,00000001,0043FE4A,?,0049CC33,00000022,FlsSetValue,004D294C,FlsSetValue,00000001), ref: 0049C9BB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: FreeLibrary
                                                                                            • String ID: api-ms-$ext-ms-
                                                                                            • API String ID: 3664257935-537541572
                                                                                            • Opcode ID: 7c1f6f25a6eeb0dcc1b48f853c441653626ec7c6eb0710202be6e4b6adacda37
                                                                                            • Instruction ID: 9ca0f964f7470424b5d3057a4191f763ac6aa624da693043a33dcdca32e519f2
                                                                                            • Opcode Fuzzy Hash: 7c1f6f25a6eeb0dcc1b48f853c441653626ec7c6eb0710202be6e4b6adacda37
                                                                                            • Instruction Fuzzy Hash: A621E7B2A01211ABDF219B25ECC0B5F3B69AB527A4F250237E905A7390D738ED01C6DD
                                                                                            Function 00436640 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 72COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004366E9
                                                                                              • Part of subcall function 004AFA0C: RaiseException.KERNEL32(E06D7363,00000001,00000003,0043FE44,?,?,?,004B9080,0043FE44,00513AB0,?,0043FE44,?,?,0000000C,5A06260C), ref: 004AFA6C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExceptionIos_base_dtorRaisestd::ios_base::_
                                                                                            • String ID: (>Q$0hC$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                            • API String ID: 1903096808-798308736
                                                                                            • Opcode ID: 0ed2678322210cc8cc3a07b91dadb1e30d188d3d66194e55af3b44069607d8cc
                                                                                            • Instruction ID: 0e9c3b5a5aba75944b05d252eccadd5948fd44e578ec9c0118fa22ff265feac2
                                                                                            • Opcode Fuzzy Hash: 0ed2678322210cc8cc3a07b91dadb1e30d188d3d66194e55af3b44069607d8cc
                                                                                            • Instruction Fuzzy Hash: 4E1122B29046487BD710DB59DC02FAA7398EB09754F04862FFD58872C1EB3DA90487AA
                                                                                            Function 0049D57F Relevance: 9.3, APIs: 6, Instructions: 329COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8a850e4bd8366f6602f7f439948ddd996ec0ba155590deffeea4e3919eff859f
                                                                                            • Instruction ID: c45b587b2b6024bbc8d631f61cfde13028adc071dc65d72902c8bf59655bd6a7
                                                                                            • Opcode Fuzzy Hash: 8a850e4bd8366f6602f7f439948ddd996ec0ba155590deffeea4e3919eff859f
                                                                                            • Instruction Fuzzy Hash: 64B13572D00255AFDF11DF64CC81BAA7FA5EF55310F1441BBE454AB382D2789D01C7A9
                                                                                            Function 004A2113 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 370COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: __freea$__alloca_probe_16
                                                                                            • String ID: a/p$am/pm
                                                                                            • API String ID: 3509577899-3206640213
                                                                                            • Opcode ID: 35938f08404c0012c28b8581547da92bcaa7faac22c368983132e0e6ea66d68e
                                                                                            • Instruction ID: 1d0f90a389a6ddb01c6eee3cfed114d4cdbff39c5c4e16d1e763b1923b69fac5
                                                                                            • Opcode Fuzzy Hash: 35938f08404c0012c28b8581547da92bcaa7faac22c368983132e0e6ea66d68e
                                                                                            • Instruction Fuzzy Hash: 32C1BF35904212AADB298F6CCA947BB77B0FF2B300F14405BE905AB750D3BD9D42EB59
                                                                                            Function 0047CCA0 Relevance: 9.1, APIs: 6, Instructions: 108COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 0047CCD6
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 0047CCF9
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 0047CD21
                                                                                            • std::_Facet_Register.LIBCPMT ref: 0047CD9A
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 0047CDC4
                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 0047CDE7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                                            • String ID:
                                                                                            • API String ID: 2081738530-0
                                                                                            • Opcode ID: 28da64327ea27554a00a06c9e40525b24cdd21d51c36f3309ffdeb549bf855e5
                                                                                            • Instruction ID: 5e0d328f53af4ec2248f8036dfe48c657d56e4526373956cc4eb9e978e4c29ea
                                                                                            • Opcode Fuzzy Hash: 28da64327ea27554a00a06c9e40525b24cdd21d51c36f3309ffdeb549bf855e5
                                                                                            • Instruction Fuzzy Hash: FE419A71800219CFCB21CF98C980BEFBBB4EB15714F14856ED80A67381D738AE04CBA5
                                                                                            Function 00A3D2C0 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(?,?,00A3D2B7,00A35FB7,00A35179), ref: 00A3D2CE
                                                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A3D2DC
                                                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A3D2F5
                                                                                            • SetLastError.KERNEL32(00000000,00A3D2B7,00A35FB7,00A35179), ref: 00A3D347
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979568826.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1979550299.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979590062.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979609661.0000000000A55000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979627356.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979644659.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979661972.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLastValue___vcrt_
                                                                                            • String ID:
                                                                                            • API String ID: 3852720340-0
                                                                                            • Opcode ID: c23b975c9b26182ebcc09e162848bbe767eb26e2a16b39b1350dd843cba4754d
                                                                                            • Instruction ID: ba9c96b39cdf5139265ba1cdb6b49ce4fc66dfc8d984bc356880c025bfd57858
                                                                                            • Opcode Fuzzy Hash: c23b975c9b26182ebcc09e162848bbe767eb26e2a16b39b1350dd843cba4754d
                                                                                            • Instruction Fuzzy Hash: A6017B32A0E711DFE7256BF47DC686B2A94FF417B6F200329F130590E0EF119C029281
                                                                                            Function 004AFADE Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(?,?,004AFAD5,004AF923,004AC85A), ref: 004AFAEC
                                                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004AFAFA
                                                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004AFB13
                                                                                            • SetLastError.KERNEL32(00000000,004AFAD5,004AF923,004AC85A), ref: 004AFB65
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLastValue___vcrt_
                                                                                            • String ID:
                                                                                            • API String ID: 3852720340-0
                                                                                            • Opcode ID: 0a9cead03a1cbea0f2d00e28f649f33043dad87cbbba68afa2d7a2a72df1b0e0
                                                                                            • Instruction ID: 5c97271c99781371f32c50c56a2d0a191a69233ae1c55058bab721689d3f3b0d
                                                                                            • Opcode Fuzzy Hash: 0a9cead03a1cbea0f2d00e28f649f33043dad87cbbba68afa2d7a2a72df1b0e0
                                                                                            • Instruction Fuzzy Hash: 9001F9321093119E9A2417F5AC559972A65EB23379B24463FF514951E0FB1A5C0CA16C
                                                                                            Function 00480AC0 Relevance: 9.1, APIs: 6, Instructions: 56COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • DeleteObject.GDI32(?), ref: 00480B31
                                                                                            • EnterCriticalSection.KERNEL32(00000004,5A06260C,?,?,?,?,004C21C0,000000FF,?,00480A9B), ref: 00480B42
                                                                                            • EnterCriticalSection.KERNEL32(00000004,?,?,?,?,004C21C0,000000FF,?,00480A9B), ref: 00480B4F
                                                                                            • GdiplusShutdown.GDIPLUS(00000000,?,?,?,?,004C21C0,000000FF,?,00480A9B), ref: 00480B5C
                                                                                            • LeaveCriticalSection.KERNEL32(00000004,?,?,?,?,004C21C0,000000FF,?,00480A9B), ref: 00480B69
                                                                                            • LeaveCriticalSection.KERNEL32(00000004,?,?,?,?,004C21C0,000000FF,?,00480A9B), ref: 00480B70
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$EnterLeave$DeleteGdiplusObjectShutdown
                                                                                            • String ID:
                                                                                            • API String ID: 4268643673-0
                                                                                            • Opcode ID: ab380d08308f5f7294dc0c8834127c13781bff22419dd726a23e31aeb0b35f9a
                                                                                            • Instruction ID: a49544f5ea7446c9cfb95f09875386710a40740b290a3353e41ff902735902d1
                                                                                            • Opcode Fuzzy Hash: ab380d08308f5f7294dc0c8834127c13781bff22419dd726a23e31aeb0b35f9a
                                                                                            • Instruction Fuzzy Hash: 8B117FB15002009FD3209F58D848B1A7BF8FF05728F20475EE4258B2D1C77AD806CB94
                                                                                            Function 00A3DB88 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • type_info::operator==.LIBVCRUNTIME ref: 00A3DCA7
                                                                                            • CallUnexpected.LIBVCRUNTIME ref: 00A3DF20
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979568826.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1979550299.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979590062.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979609661.0000000000A55000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979627356.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979644659.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979661972.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: CallUnexpectedtype_info::operator==
                                                                                            • String ID: csm$csm$csm
                                                                                            • API String ID: 2673424686-393685449
                                                                                            • Opcode ID: d01afdf39097f4691087decbb4c53d2d201c698b933d77187b4a55a4e758207f
                                                                                            • Instruction ID: 5782ef8f235052db752ec50d92a82c88668f0becee8a64b488b130c83520eb98
                                                                                            • Opcode Fuzzy Hash: d01afdf39097f4691087decbb4c53d2d201c698b933d77187b4a55a4e758207f
                                                                                            • Instruction Fuzzy Hash: 2DB16871800209EFCF29DFA4E9819AEBBB5FF14310F24455AF8116B216D771EA61CF91
                                                                                            Function 004A2923 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,5A06260C,00000001,?,00000000,004CEBA0,000000FF,?,004A28BD,?,?,004A2891,00000016), ref: 004A2958
                                                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004A296A
                                                                                            • FreeLibrary.KERNEL32(00000000,?,00000000,004CEBA0,000000FF,?,004A28BD,?,?,004A2891,00000016), ref: 004A298C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                            • API String ID: 4061214504-1276376045
                                                                                            • Opcode ID: bb5db20903b210e56e17606efd33f47167f5dac7559f5cad6f576f47fa7b3a02
                                                                                            • Instruction ID: 4a39d6f0df0723e62e133a2fe4a12dc63d6bfdc81165c834358a2709fa0273f6
                                                                                            • Opcode Fuzzy Hash: bb5db20903b210e56e17606efd33f47167f5dac7559f5cad6f576f47fa7b3a02
                                                                                            • Instruction Fuzzy Hash: DA01A271A10625AFCB118F54DC05FAFBBBCFB04B10F044627E812A2790DBB89900DA98
                                                                                            Function 00A38C57 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41libraryloaderCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,?,00A4B774,000000FF), ref: 00A38C8A
                                                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A38C9C
                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,00A4B774,000000FF), ref: 00A38CBE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979568826.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1979550299.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979590062.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979609661.0000000000A55000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979627356.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979644659.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979661972.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                            • API String ID: 4061214504-1276376045
                                                                                            • Opcode ID: d73cb7c46e4dc8d49919f682af7c42b70ce7d286cc7b5bb66232d787f4c8ffbe
                                                                                            • Instruction ID: fca8900166438bfd2f4b6ffaff07219161e954a051c2b2f67259b0805cdc7dee
                                                                                            • Opcode Fuzzy Hash: d73cb7c46e4dc8d49919f682af7c42b70ce7d286cc7b5bb66232d787f4c8ffbe
                                                                                            • Instruction Fuzzy Hash: DA016772955755FFDB12CB94DC15BAEB7B8FB44B52F000525F811A22D0DBB89901CA90
                                                                                            Function 004B82A1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32libraryloaderCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,5A06260C,?,?,004CEC14,000000FF,?,004B87C4,00000105,?,00000000,?,?,?,0047FCE3), ref: 004B82C9
                                                                                            • GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 004B82D5
                                                                                            • GetTempPathW.KERNEL32(?,?,004CEC14,000000FF,?,004B87C4,00000105,?,00000000,?,?,?,0047FCE3,?,00000105,?), ref: 004B82F5
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModulePathProcTemp
                                                                                            • String ID: GetTempPath2W$kernel32.dll
                                                                                            • API String ID: 775647363-1846531799
                                                                                            • Opcode ID: f1cf7476179f5a48e5f157bd4a6fca76b08ed530dfc52bf4d8c2badd71eabe8a
                                                                                            • Instruction ID: 490c9918516094a75be01d3e1b1e27de5ce3fa518d230e70400d3a931493a6c9
                                                                                            • Opcode Fuzzy Hash: f1cf7476179f5a48e5f157bd4a6fca76b08ed530dfc52bf4d8c2badd71eabe8a
                                                                                            • Instruction Fuzzy Hash: C2F03A36A44654EFCB159F54EC05F9A7BA8FB09B60F008127EC16937A0DB79A800CB98
                                                                                            Function 00A3FC3D Relevance: 7.7, APIs: 5, Instructions: 197COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • __alloca_probe_16.LIBCMT ref: 00A3FCC2
                                                                                            • __alloca_probe_16.LIBCMT ref: 00A3FD8B
                                                                                            • __freea.LIBCMT ref: 00A3FDF2
                                                                                              • Part of subcall function 00A3E531: HeapAlloc.KERNEL32(00000000,00A331E1,00A3186A,?,00A360C1,00A3186C,00A3186A,?,?,?,00A33181,00A331E1,00A3186E,00A3186A,00A3186A,00A3186A), ref: 00A3E563
                                                                                            • __freea.LIBCMT ref: 00A3FE05
                                                                                            • __freea.LIBCMT ref: 00A3FE12
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979568826.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1979550299.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979590062.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979609661.0000000000A55000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979627356.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979644659.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979661972.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                                            • String ID:
                                                                                            • API String ID: 1096550386-0
                                                                                            • Opcode ID: e6275f77eb610dd8db295b25670cd2af98070920688af4192d270c095ee039d7
                                                                                            • Instruction ID: f14fef02ba5ff69e1dfadad44568b95d1d35a7f50b30d5c155908c5c0368f42f
                                                                                            • Opcode Fuzzy Hash: e6275f77eb610dd8db295b25670cd2af98070920688af4192d270c095ee039d7
                                                                                            • Instruction Fuzzy Hash: 3951B472E10206AFDF209F65CD85EBF7AAAEF44750F290439FD04D6151EB34DC5086A0
                                                                                            Function 0049AEB4 Relevance: 7.7, APIs: 5, Instructions: 197COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • __alloca_probe_16.LIBCMT ref: 0049AF39
                                                                                            • __alloca_probe_16.LIBCMT ref: 0049B002
                                                                                            • __freea.LIBCMT ref: 0049B069
                                                                                              • Part of subcall function 0049D15A: RtlAllocateHeap.NTDLL(00000000,00000001,0043FE44,?,004AD408,0043FE4A,0043FE44,?,?,?,00434C2F,0043FE48,0043FE48), ref: 0049D18C
                                                                                            • __freea.LIBCMT ref: 0049B07C
                                                                                            • __freea.LIBCMT ref: 0049B089
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: __freea$__alloca_probe_16$AllocateHeap
                                                                                            • String ID:
                                                                                            • API String ID: 1423051803-0
                                                                                            • Opcode ID: 1cf292f1027faf516ea3b58fb1ffeacfcc17b82ad5c767b33ec64858519d3555
                                                                                            • Instruction ID: c461f83b43c969d084823d86eb7d78e4c690f12dee5ba4d22df99f96e1ee22eb
                                                                                            • Opcode Fuzzy Hash: 1cf292f1027faf516ea3b58fb1ffeacfcc17b82ad5c767b33ec64858519d3555
                                                                                            • Instruction Fuzzy Hash: 4C510072600206AFEF209F65AD81EBB7EA9EF84314F15013EFC54D6241EB39DC5086E8
                                                                                            Function 00A33010 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • __EH_prolog3.LIBCMT ref: 00A33017
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 00A33022
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00A33090
                                                                                              • Part of subcall function 00A32EE4: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00A32EFC
                                                                                            • std::locale::_Setgloballocale.LIBCPMT ref: 00A3303D
                                                                                            • _Yarn.LIBCPMT ref: 00A33053
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979568826.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1979550299.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979590062.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979609661.0000000000A55000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979627356.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979644659.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979661972.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                                                            • String ID:
                                                                                            • API String ID: 1088826258-0
                                                                                            • Opcode ID: 15c5d44ade13658ac67750766bb4020311a32c912138a158488f109f6912e4d5
                                                                                            • Instruction ID: 3ae95f9ab77f0c6665cecf023646f263927f822b96c6cb187c6b23fb5085a10e
                                                                                            • Opcode Fuzzy Hash: 15c5d44ade13658ac67750766bb4020311a32c912138a158488f109f6912e4d5
                                                                                            • Instruction Fuzzy Hash: B50178B6A002209BCB0AEFA0D956A7DBB61FF85381F184009F81257391DF34AE02CB91
                                                                                            Function 004B9258 Relevance: 7.5, APIs: 5, Instructions: 44COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • __EH_prolog3.LIBCMT ref: 004B925F
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004B926A
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004B92D8
                                                                                              • Part of subcall function 004B93BB: std::locale::_Locimp::_Locimp.LIBCPMT ref: 004B93D3
                                                                                            • std::locale::_Setgloballocale.LIBCPMT ref: 004B9285
                                                                                            • _Yarn.LIBCPMT ref: 004B929B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                                                            • String ID:
                                                                                            • API String ID: 1088826258-0
                                                                                            • Opcode ID: 9529708b05f48a18c841b776fc683316fa11b0247fd455af3d56381143c4ee67
                                                                                            • Instruction ID: d57bef6452a6d9f87b7c1f6c81a415e25ff1084f0ba862d3ffc406506ccaed08
                                                                                            • Opcode Fuzzy Hash: 9529708b05f48a18c841b776fc683316fa11b0247fd455af3d56381143c4ee67
                                                                                            • Instruction Fuzzy Hash: 2101BC75A002149BDB09EF21E881ABE3BA5BF95714B18400EE90157381CF78AE42DBE9
                                                                                            Function 00A47E92 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00A47F2E,00000000,?,00A56E10,?,?,?,00A47E65,00000004,InitializeCriticalSectionEx,00A4E57C,00A4E584), ref: 00A47E9F
                                                                                            • GetLastError.KERNEL32(?,00A47F2E,00000000,?,00A56E10,?,?,?,00A47E65,00000004,InitializeCriticalSectionEx,00A4E57C,00A4E584,00000000,?,00A3E1DC), ref: 00A47EA9
                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00A47ED1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979568826.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1979550299.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979590062.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979609661.0000000000A55000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979627356.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979644659.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979661972.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: LibraryLoad$ErrorLast
                                                                                            • String ID: api-ms-
                                                                                            • API String ID: 3177248105-2084034818
                                                                                            • Opcode ID: e96bc1bce8638432cdd2797c68dbb22c5dd479faae9cc46537eb68555b29b496
                                                                                            • Instruction ID: fe5dad84ad8cd54406e3d1658182db8600ee311f48e48d57d411f7fbd8d77d0c
                                                                                            • Opcode Fuzzy Hash: e96bc1bce8638432cdd2797c68dbb22c5dd479faae9cc46537eb68555b29b496
                                                                                            • Instruction Fuzzy Hash: D7E01275284309B7DE119BA0DC06B593A59EB90BD6F104060FB0DB84E1D762995196C4
                                                                                            Function 004B0B2E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,004B0ADF,00000000,?,0051BBA8,?,?,?,004B0C82,00000004,InitializeCriticalSectionEx,004D70E4,004D70EC), ref: 004B0B3B
                                                                                            • GetLastError.KERNEL32(?,004B0ADF,00000000,?,0051BBA8,?,?,?,004B0C82,00000004,InitializeCriticalSectionEx,004D70E4,004D70EC,00000000,?,004B0A39), ref: 004B0B45
                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 004B0B6D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: LibraryLoad$ErrorLast
                                                                                            • String ID: api-ms-
                                                                                            • API String ID: 3177248105-2084034818
                                                                                            • Opcode ID: e73f2d59ed71ffe050e3980c02a90d09a2b8a6f7f1eeff266cde429a2dd4b4c8
                                                                                            • Instruction ID: d85af749d3a2776d246a861fdd0c76bc3b777c55ee5f54f02c25fa514b149693
                                                                                            • Opcode Fuzzy Hash: e73f2d59ed71ffe050e3980c02a90d09a2b8a6f7f1eeff266cde429a2dd4b4c8
                                                                                            • Instruction Fuzzy Hash: 25E04F30284305B7EF221BA1EC0AF5E3B55AB11B49F144032F90CA91E1EBA6A910859C
                                                                                            Function 0047F2C0 Relevance: 6.5, APIs: 4, Instructions: 457registryCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,0051C570,00000000,00020019,00000000,?,?,?,5A06260C,?,0051C2A0), ref: 0047F4D0
                                                                                            • RegQueryValueExA.ADVAPI32(00000000,0051C2A0,00000000,000F003F,?,00000400,?,?,?,5A06260C,?,0051C2A0), ref: 0047F506
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,5A06260C,?,0051C2A0), ref: 0047F5A4
                                                                                            • SysFreeString.OLEAUT32 ref: 0047FA14
                                                                                              • Part of subcall function 0047A610: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0047A678
                                                                                              • Part of subcall function 0047A610: LocalFree.KERNEL32(?,00000000), ref: 0047A70F
                                                                                              • Part of subcall function 004870B0: RegOpenKeyExA.KERNEL32(80000001,0051C570,00000000,00020019,00000000,5A06260C,0051C570,0051C2A0), ref: 00487182
                                                                                              • Part of subcall function 004870B0: RegQueryValueExA.KERNEL32(00000000,?,00000000,000F003F,?,00000400), ref: 004871B6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: FreeOpenQueryValue$CloseCryptDataLocalStringUnprotect
                                                                                            • String ID:
                                                                                            • API String ID: 2380017125-0
                                                                                            • Opcode ID: a0dbc40c373a09faf996666854544e2477bb30bde40116881ca4199e3a88db32
                                                                                            • Instruction ID: 56cbdaf4eb2024de0fd4bd59dbcd72090a4e5b75bdf23aa4f75e7a392944198d
                                                                                            • Opcode Fuzzy Hash: a0dbc40c373a09faf996666854544e2477bb30bde40116881ca4199e3a88db32
                                                                                            • Instruction Fuzzy Hash: 24122BF0E002689BDB24DF24CC5479DB7B5AF44318F1086EAD64DA7282DB346E88CF59
                                                                                            Function 0049B476 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetConsoleOutputCP.KERNEL32(5A06260C,00000000,00000000,00000000), ref: 0049B4D9
                                                                                              • Part of subcall function 004A1489: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0049B05F,?,00000000,-00000008), ref: 004A14EA
                                                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0049B72B
                                                                                            • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0049B771
                                                                                            • GetLastError.KERNEL32 ref: 0049B814
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                            • String ID:
                                                                                            • API String ID: 2112829910-0
                                                                                            • Opcode ID: aef57a059a08420b8d5dfae5096d35553b8056bffb0ce8bb8e63412c3f54050f
                                                                                            • Instruction ID: 17746d06032e39ca1db24970b21defb679d9c3d722e4804f7fdb3bafa319cb4d
                                                                                            • Opcode Fuzzy Hash: aef57a059a08420b8d5dfae5096d35553b8056bffb0ce8bb8e63412c3f54050f
                                                                                            • Instruction Fuzzy Hash: 15D17A75D002489FCF05CFE9E980AEDBBB5EF49314F18816AE425EB351D734A906CB94
                                                                                            Function 00478300 Relevance: 6.3, APIs: 4, Instructions: 321COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                              • Part of subcall function 00477B00: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,5A06260C,?,?), ref: 00477B54
                                                                                              • Part of subcall function 00477B00: Process32FirstW.KERNEL32(00000000,?), ref: 00477BB9
                                                                                              • Part of subcall function 00477B00: CloseHandle.KERNEL32(00000000), ref: 00477E84
                                                                                            • ImpersonateLoggedOnUser.ADVAPI32(00000000,5A06260C,?,00000000), ref: 00478391
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseCreateFirstHandleImpersonateLoggedProcess32SnapshotToolhelp32User
                                                                                            • String ID:
                                                                                            • API String ID: 1507787261-0
                                                                                            • Opcode ID: ebec02cd2df44e7bd4fb65aecaaffec3bb885a70c3ad5895e8640ffefb46c4a4
                                                                                            • Instruction ID: e502c6a69380433c55fd31efa36561dbf437e01bd72b95285a5588c942f2c0dc
                                                                                            • Opcode Fuzzy Hash: ebec02cd2df44e7bd4fb65aecaaffec3bb885a70c3ad5895e8640ffefb46c4a4
                                                                                            • Instruction Fuzzy Hash: F5F17070C0428DDEEB15DBA4C8587DDBBB0AF15308F24819ED04977292DB785F88DBA6
                                                                                            Function 0048A490 Relevance: 6.2, APIs: 4, Instructions: 195COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetEnvironmentStringsW.KERNEL32(5A06260C), ref: 0048A4E4
                                                                                            • FreeEnvironmentStringsW.KERNEL32(?), ref: 0048A685
                                                                                            • RtlInitUnicodeString.NTDLL(?), ref: 0048A6D9
                                                                                            • RtlInitUnicodeString.NTDLL(?,00000000), ref: 0048A6E4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: EnvironmentInitStringStringsUnicode$Free
                                                                                            • String ID:
                                                                                            • API String ID: 2488768755-0
                                                                                            • Opcode ID: 0d066fd5a037e956643cd3d92a9a96980abf0cb91633621b3d58d647d7d5a7ef
                                                                                            • Instruction ID: 1a99e4392def1b605416f46e3147960cb17592dd8275db88d5f878599104deaf
                                                                                            • Opcode Fuzzy Hash: 0d066fd5a037e956643cd3d92a9a96980abf0cb91633621b3d58d647d7d5a7ef
                                                                                            • Instruction Fuzzy Hash: 6471AAB1C10219EBDB00DF98C884B9EFBF8FF18304F14461BE815A3250E7B8A995CB95
                                                                                            Function 00A3D8AF Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979568826.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1979550299.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979590062.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979609661.0000000000A55000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979627356.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979644659.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979661972.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: AdjustPointer
                                                                                            • String ID:
                                                                                            • API String ID: 1740715915-0
                                                                                            • Opcode ID: d3cfccc1ce970c2bd9bef05a09b3d1aba552f33fa25d9b4547b30637db8e8951
                                                                                            • Instruction ID: f3ed3a4ae8302b330167f6a3677782f37415e5985adbc03826673ff09b5d21a9
                                                                                            • Opcode Fuzzy Hash: d3cfccc1ce970c2bd9bef05a09b3d1aba552f33fa25d9b4547b30637db8e8951
                                                                                            • Instruction Fuzzy Hash: 6A51EE72A04706EFDB299F24E942B6AB7B4FF05310F14452DF8429BA91E731ED80CB90
                                                                                            Function 004AFBF5 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AdjustPointer
                                                                                            • String ID:
                                                                                            • API String ID: 1740715915-0
                                                                                            • Opcode ID: e71c71c21820e5819a4508bd04d803321a7ecaf8570da358721e6539f5a36dac
                                                                                            • Instruction ID: 33b3d652e50ecda4e79a0ecf225597f03c3ffd3297545ef1ce997a4b46d38663
                                                                                            • Opcode Fuzzy Hash: e71c71c21820e5819a4508bd04d803321a7ecaf8570da358721e6539f5a36dac
                                                                                            • Instruction Fuzzy Hash: AF51D0B150020A9FEB269FD1D881BAA77A4FF62718F10003EEC434B291D739E849C798
                                                                                            Function 004A077A Relevance: 6.1, APIs: 4, Instructions: 132COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 00fa7b59af023eaaf071b224feea6c80f4edf5776798c8ca34953c892f2afd27
                                                                                            • Instruction ID: 6bad779769d7c9384c33fcc5b288381071ef860472916b423066c301ca7f7ee1
                                                                                            • Opcode Fuzzy Hash: 00fa7b59af023eaaf071b224feea6c80f4edf5776798c8ca34953c892f2afd27
                                                                                            • Instruction Fuzzy Hash: D141E675A00704AFDB24AF39CC41B6BBBA9EB99714F20452FF101DB781D77DA9418B88
                                                                                            Function 00A43537 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(00000000,00000000,?,00A438DD,?,?,?,00000000), ref: 00A4359B
                                                                                            • __dosmaperr.LIBCMT ref: 00A435A2
                                                                                            • GetLastError.KERNEL32(00A438DD,?,?,?,?,00000000,00000000,?,00A438DD,?,?,?,00000000), ref: 00A435DC
                                                                                            • __dosmaperr.LIBCMT ref: 00A435E3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979568826.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1979550299.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979590062.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979609661.0000000000A55000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979627356.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979644659.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979661972.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast__dosmaperr
                                                                                            • String ID:
                                                                                            • API String ID: 1659562826-0
                                                                                            • Opcode ID: cf03ca27da2b8891a82855511c7cc6013faabb7ada80e5abc134b81a1db8daca
                                                                                            • Instruction ID: ce71d513ae536b8d2293d9e067360995f3eaad3a57ed83538a70be174309bdd9
                                                                                            • Opcode Fuzzy Hash: cf03ca27da2b8891a82855511c7cc6013faabb7ada80e5abc134b81a1db8daca
                                                                                            • Instruction Fuzzy Hash: C021D776600615AFDF20AF66998192EB7A8FF80364B108519F86997551EB30EF108B92
                                                                                            Function 004BA942 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                              • Part of subcall function 004A1489: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0049B05F,?,00000000,-00000008), ref: 004A14EA
                                                                                            • GetLastError.KERNEL32 ref: 004BA9A6
                                                                                            • __dosmaperr.LIBCMT ref: 004BA9AD
                                                                                            • GetLastError.KERNEL32(?,?,?,?), ref: 004BA9E7
                                                                                            • __dosmaperr.LIBCMT ref: 004BA9EE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                            • String ID:
                                                                                            • API String ID: 1913693674-0
                                                                                            • Opcode ID: 51edd5c4e5c25a430a3840a704f497c195c233776ddb3170bc40658ab91a4e1f
                                                                                            • Instruction ID: cdbbd9429668cd5750c88df838a7d8834fbfbf28e86e5927cf8d45539b4e27df
                                                                                            • Opcode Fuzzy Hash: 51edd5c4e5c25a430a3840a704f497c195c233776ddb3170bc40658ab91a4e1f
                                                                                            • Instruction Fuzzy Hash: 7A21C871600605AF8F21AF66CC809ABBBADFF44368711492FF91597210D739EC60D7BA
                                                                                            Function 00A38042 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979568826.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1979550299.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979590062.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979609661.0000000000A55000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979627356.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979644659.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979661972.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 98986187d09d293acd77fa410492d44921eccbc45f4098698f3821294ec6bfbf
                                                                                            • Instruction ID: 9f0f0121498f3c35e47f46e0ac93128ee22bb4cb69b4f969e07e3581bb054050
                                                                                            • Opcode Fuzzy Hash: 98986187d09d293acd77fa410492d44921eccbc45f4098698f3821294ec6bfbf
                                                                                            • Instruction Fuzzy Hash: 5721FDB1200315AFDF24EF60CD8092BB7A8BF513A4F108629F86997651EF38EC0087A1
                                                                                            Function 004989A8 Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 29faf50d70bb4521c0c7912d0192e47e6614307814943c5259d0fead7ff358f5
                                                                                            • Instruction ID: 5e5224636d54f024fd63f309ffc809bb58d9736df3a284f1f4315f29edb86acb
                                                                                            • Opcode Fuzzy Hash: 29faf50d70bb4521c0c7912d0192e47e6614307814943c5259d0fead7ff358f5
                                                                                            • Instruction Fuzzy Hash: F321A171600205AFCF21EF6ADC4496B7FA9AF42368720453FF91597251EF38ED008799
                                                                                            Function 00A4484F Relevance: 6.1, APIs: 4, Instructions: 74COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetEnvironmentStringsW.KERNEL32(00000000,?,?,?,00A3B1C6,00000000,00A3B284,00A3B153,00A358B3,00A54458,00000014), ref: 00A44857
                                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A4488F
                                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000,00000000), ref: 00A448AF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979568826.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1979550299.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979590062.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979609661.0000000000A55000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979627356.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979644659.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979661972.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: EnvironmentStrings$Free
                                                                                            • String ID:
                                                                                            • API String ID: 3328510275-0
                                                                                            • Opcode ID: c6e41c80b08dbd3a0a76a6367d8e39fd7fa64cb564b76ce670e3317302f4d759
                                                                                            • Instruction ID: 31568b7909ee7c73ebe68b5942f0620683d0ded97824de4f91e8c8f55afc31c2
                                                                                            • Opcode Fuzzy Hash: c6e41c80b08dbd3a0a76a6367d8e39fd7fa64cb564b76ce670e3317302f4d759
                                                                                            • Instruction Fuzzy Hash: 0C1126FA502665BF6B11A7B69D8EDBF29ACDECD3D57200424F401D1141FB64CE029270
                                                                                            Function 004AB379 Relevance: 6.1, APIs: 4, Instructions: 74COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetEnvironmentStringsW.KERNEL32 ref: 004AB381
                                                                                              • Part of subcall function 004A1489: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0049B05F,?,00000000,-00000008), ref: 004A14EA
                                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004AB3B9
                                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004AB3D9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                            • String ID:
                                                                                            • API String ID: 158306478-0
                                                                                            • Opcode ID: eda48c8db903e939db4646882944d141a3a2cfedfc9bf96b1ab6e55aecfc3d90
                                                                                            • Instruction ID: 352b9fd8ff6adfd48aa864b65f723ba5a946c2f7c3dd1541d1c3166fed4ac287
                                                                                            • Opcode Fuzzy Hash: eda48c8db903e939db4646882944d141a3a2cfedfc9bf96b1ab6e55aecfc3d90
                                                                                            • Instruction Fuzzy Hash: B21156B19015157E7A1167B65C8AD6F6A5CDE5A398B10403BF801D1203EB7D9D0245BA
                                                                                            Function 00A3457B Relevance: 6.0, APIs: 4, Instructions: 49COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • __EH_prolog3.LIBCMT ref: 00A34582
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 00A3458C
                                                                                              • Part of subcall function 00A324C2: std::_Lockit::_Lockit.LIBCPMT ref: 00A324DE
                                                                                              • Part of subcall function 00A324C2: std::_Lockit::~_Lockit.LIBCPMT ref: 00A324F7
                                                                                            • codecvt.LIBCPMT ref: 00A345C6
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00A345FD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979568826.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1979550299.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979590062.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979609661.0000000000A55000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979627356.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979644659.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979661972.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
                                                                                            • String ID:
                                                                                            • API String ID: 3716348337-0
                                                                                            • Opcode ID: d1f7fdf5699efd5719d9ca27d19b29eaa7c5482221312f42caa3117be3aa4eef
                                                                                            • Instruction ID: bc7708e3172b81dc4b52407113c6546b0c92dcfa8d272f1bd03111d8ed1822c4
                                                                                            • Opcode Fuzzy Hash: d1f7fdf5699efd5719d9ca27d19b29eaa7c5482221312f42caa3117be3aa4eef
                                                                                            • Instruction Fuzzy Hash: E101F176D00215CBCF04EFA4DA267ADB7B1FF98710F240509F412AB291CF74AE028B91
                                                                                            Function 004B8430 Relevance: 6.0, APIs: 4, Instructions: 44COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • WideCharToMultiByte.KERNEL32(00000001,00000400,5A06260C,00000000,00000000,00000000,00000000,00000000,00000001,?,?,0044E5F3,?,?,00000000,00000000), ref: 004B844D
                                                                                            • GetLastError.KERNEL32(?,?,0044E5F3,?,?,00000000,00000000,00000000,5A06260C,00000001), ref: 004B8459
                                                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,5A06260C,00000000,00000000,00000000,00000000,00000000,?,?,0044E5F3,?,?,00000000,00000000,00000000), ref: 004B847F
                                                                                            • GetLastError.KERNEL32(?,?,0044E5F3,?,?,00000000,00000000,00000000,5A06260C,00000001), ref: 004B848B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ByteCharErrorLastMultiWide
                                                                                            • String ID:
                                                                                            • API String ID: 203985260-0
                                                                                            • Opcode ID: b17853a5fac4461212df69502fdb333749a3d57a63655a8d7d2491092ae6608b
                                                                                            • Instruction ID: 6b90caf3a67b14ffb57c64759c70b961d31bb881305e702148557666a2de5e43
                                                                                            • Opcode Fuzzy Hash: b17853a5fac4461212df69502fdb333749a3d57a63655a8d7d2491092ae6608b
                                                                                            • Instruction Fuzzy Hash: FB01BF36601156BFCF224F95DC08E9F3F7AEBD9791F118029FA0556220DA31C922EBA5
                                                                                            Function 00A4A4E0 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00A49B0F,00000000,00000001,00000000,?,?,00A45A1F,?,00000000,00000000), ref: 00A4A4F7
                                                                                            • GetLastError.KERNEL32(?,00A49B0F,00000000,00000001,00000000,?,?,00A45A1F,?,00000000,00000000,?,?,?,00A45365,00000000), ref: 00A4A503
                                                                                            • ___initconout.LIBCMT ref: 00A4A513
                                                                                              • Part of subcall function 00A4A535: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00A4A4D1,00A49AFC,?,?,00A45A1F,?,00000000,00000000,?), ref: 00A4A548
                                                                                            • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00A49B0F,00000000,00000001,00000000,?,?,00A45A1F,?,00000000,00000000,?), ref: 00A4A528
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979568826.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1979550299.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979590062.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979609661.0000000000A55000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979627356.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979644659.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979661972.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ConsoleWrite$CreateErrorFileLast___initconout
                                                                                            • String ID:
                                                                                            • API String ID: 3431868840-0
                                                                                            • Opcode ID: 358ada223e29ca03530a5fe006f41a01bb6d6fca0ad03ee53f4279b800108208
                                                                                            • Instruction ID: fdd6ab4565c7d222531d5a6bf31cc5826248c27f3bd3c093128361bdcca15ebc
                                                                                            • Opcode Fuzzy Hash: 358ada223e29ca03530a5fe006f41a01bb6d6fca0ad03ee53f4279b800108208
                                                                                            • Instruction Fuzzy Hash: 50F01C3A450215BFCF229FD5ED08A9E3F26FBE83A2F004110FA0986120D63289219B92
                                                                                            Function 004A95E5 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,004A671A,00000000,00000001,0000000C,00000000,?,0049B868,00000000,00000000,00000000), ref: 004A95FC
                                                                                            • GetLastError.KERNEL32(?,004A671A,00000000,00000001,0000000C,00000000,?,0049B868,00000000,00000000,00000000,00000000,00000000,?,0049BE42,?), ref: 004A9608
                                                                                              • Part of subcall function 004A95CE: CloseHandle.KERNEL32(FFFFFFFE,004A9618,?,004A671A,00000000,00000001,0000000C,00000000,?,0049B868,00000000,00000000,00000000,00000000,00000000), ref: 004A95DE
                                                                                            • ___initconout.LIBCMT ref: 004A9618
                                                                                              • Part of subcall function 004A9590: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004A95BF,004A6707,00000000,?,0049B868,00000000,00000000,00000000,00000000), ref: 004A95A3
                                                                                            • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,004A671A,00000000,00000001,0000000C,00000000,?,0049B868,00000000,00000000,00000000,00000000), ref: 004A962D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                            • String ID:
                                                                                            • API String ID: 2744216297-0
                                                                                            • Opcode ID: 798d55b3f7968c96ef430ebc1f18d2e2465c9867b2c7648d7be43d295ef59026
                                                                                            • Instruction ID: 8abc0c58445a332f8c6052495b9482a66327941653e6e46fd38a52645a0d97bb
                                                                                            • Opcode Fuzzy Hash: 798d55b3f7968c96ef430ebc1f18d2e2465c9867b2c7648d7be43d295ef59026
                                                                                            • Instruction Fuzzy Hash: DCF01237441215BBCF521F91DC09ACE3F66EF19364F024426FA2C86120C6368D60DB94
                                                                                            Function 00A359A7 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00A359B9
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00A359C8
                                                                                            • GetCurrentProcessId.KERNEL32 ref: 00A359D1
                                                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 00A359DE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979568826.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1979550299.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979590062.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979609661.0000000000A55000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979627356.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979644659.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979661972.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                            • String ID:
                                                                                            • API String ID: 2933794660-0
                                                                                            • Opcode ID: aa099a6cb5d468291ee548edd8d402f2da9df7f2c6a8bdd8c2039e5d1ddc9a4f
                                                                                            • Instruction ID: 53d43602da9e60bc3695949c969fee92042a7199cbb4c7deb5d775830b2e0f5d
                                                                                            • Opcode Fuzzy Hash: aa099a6cb5d468291ee548edd8d402f2da9df7f2c6a8bdd8c2039e5d1ddc9a4f
                                                                                            • Instruction Fuzzy Hash: 3AF0AF71D1120CEBCF00DBF4C94998EFBF4FF5C241B918996A412E7110E670AB458F50
                                                                                            Function 00A3DFAC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 126COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00A3DEAD,?,?,00000000,00000000,00000000,?), ref: 00A3DFD1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979568826.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1979550299.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979590062.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979609661.0000000000A55000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979627356.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979644659.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979661972.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: EncodePointer
                                                                                            • String ID: MOC$RCC
                                                                                            • API String ID: 2118026453-2084237596
                                                                                            • Opcode ID: 6abd64fe5c3382cb1ccf269f95531dd7dd9b7bb1a8b47f52ef8bab2319a4b344
                                                                                            • Instruction ID: 52cc11e40a7dff0e743a3d44c255f9e545039e9215363b1cad3403fb7c6d7879
                                                                                            • Opcode Fuzzy Hash: 6abd64fe5c3382cb1ccf269f95531dd7dd9b7bb1a8b47f52ef8bab2319a4b344
                                                                                            • Instruction Fuzzy Hash: 31414A71900209EFCF2ADF98DD81AEEBBB5FF49304F188059FA05AB2A1D3759950DB50
                                                                                            Function 00453E10 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 125COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 00453EF4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Concurrency::cancel_current_task
                                                                                            • String ID: `aC$p]C
                                                                                            • API String ID: 118556049-1363152631
                                                                                            • Opcode ID: 15b0531adf7878dcd052dc043384283fbe7e7e749bd6b518c848f3481f58b70e
                                                                                            • Instruction ID: 7ffd0bf130dfa3baccabcf7c02000b8885a72f27ff8372dee48aba471c76e642
                                                                                            • Opcode Fuzzy Hash: 15b0531adf7878dcd052dc043384283fbe7e7e749bd6b518c848f3481f58b70e
                                                                                            • Instruction Fuzzy Hash: 2B4114B1D002089BCB24DF58C841BAFBBF4EF45354F10426FEC2597382E7799A148B95
                                                                                            Function 004B01F1 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • EncodePointer.KERNEL32(00000000,?), ref: 004B0216
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: EncodePointer
                                                                                            • String ID: MOC$RCC
                                                                                            • API String ID: 2118026453-2084237596
                                                                                            • Opcode ID: f6a5424a3b0add0d67cdb7a4433499b834c2692f3a3c89efa9c8eec31821c917
                                                                                            • Instruction ID: 70788f387beb527cb8114cdc5e5f216b8ccff70d73c61da87df7ae4bd57bd2ae
                                                                                            • Opcode Fuzzy Hash: f6a5424a3b0add0d67cdb7a4433499b834c2692f3a3c89efa9c8eec31821c917
                                                                                            • Instruction Fuzzy Hash: EE415871900209AFCF16CF98CD85AEEBBB5FF48305F18809AFA0567211D3399950DB68
                                                                                            Function 00A3D818 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 00A3DA8F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979568826.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1979550299.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979590062.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979609661.0000000000A55000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979627356.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979644659.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979661972.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ___except_validate_context_record
                                                                                            • String ID: csm$csm
                                                                                            • API String ID: 3493665558-3733052814
                                                                                            • Opcode ID: 99c1688028975ed4f87052a9b2389684a9501f03e76cffa95a77a838868fb823
                                                                                            • Instruction ID: 02680477053e899a494fa56df74c4c6eb3fa5f210dbc28999359f7cc2e377ad1
                                                                                            • Opcode Fuzzy Hash: 99c1688028975ed4f87052a9b2389684a9501f03e76cffa95a77a838868fb823
                                                                                            • Instruction Fuzzy Hash: 6931F636904358EFCF229F90ED409AABB65FF08365F19415AFC545A221C332DDA1DB91
                                                                                            Function 00435DA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 00435DCB
                                                                                            • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00435E2E
                                                                                              • Part of subcall function 004B9356: _Yarn.LIBCPMT ref: 004B9375
                                                                                              • Part of subcall function 004B9356: _Yarn.LIBCPMT ref: 004B9399
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                                                            • String ID: bad locale name
                                                                                            • API String ID: 1908188788-1405518554
                                                                                            • Opcode ID: 4f591d35f3d0401d16c29d601d846a696ee7aa1707a5175f538b14ce155db12b
                                                                                            • Instruction ID: 3ec4c6a4a97d0462a05707b65000259191fcf5f6abdba4908dc577763c239046
                                                                                            • Opcode Fuzzy Hash: 4f591d35f3d0401d16c29d601d846a696ee7aa1707a5175f538b14ce155db12b
                                                                                            • Instruction Fuzzy Hash: 3B210570805784DFD320CF69C90478BBFF4AF15714F14868ED48597781D3B9AA04CBA5
                                                                                            Function 0047DD40 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0047DDD1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Ios_base_dtorstd::ios_base::_
                                                                                            • String ID: .G$0hC
                                                                                            • API String ID: 323602529-633007509
                                                                                            • Opcode ID: fa7f0577eed2ee249957cc315ff075d2cc7a9cf360a169e300ae923cf5853acc
                                                                                            • Instruction ID: def2e33cd38b5e824c816681f9ae39c6530dfa40910c99229239c839cc9e5e1b
                                                                                            • Opcode Fuzzy Hash: fa7f0577eed2ee249957cc315ff075d2cc7a9cf360a169e300ae923cf5853acc
                                                                                            • Instruction Fuzzy Hash: 9B21AE74940245DFD720CF1AC844B99FBF8FF05324F148A6EE85597391D775A904CB84
                                                                                            Function 0044BEB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • ___std_exception_copy.LIBVCRUNTIME ref: 0044BEF3
                                                                                            • ___std_exception_copy.LIBVCRUNTIME ref: 0044BF26
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ___std_exception_copy
                                                                                            • String ID: MC
                                                                                            • API String ID: 2659868963-1829682832
                                                                                            • Opcode ID: ab36d56284830d128f6cf4340ca16e134d89125db0bb4639ace7817866229729
                                                                                            • Instruction ID: 159077f32092c3bc03b4ae882dbf743a881f4ebbd8d79b989d6de070d85d5faa
                                                                                            • Opcode Fuzzy Hash: ab36d56284830d128f6cf4340ca16e134d89125db0bb4639ace7817866229729
                                                                                            • Instruction Fuzzy Hash: 4E112EB5900649EFCB11CF59C980B86FBE8FF19320F10C66BE815A7640E7B4A944CBA4
                                                                                            Function 004827A6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0048285D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Ios_base_dtorstd::ios_base::_
                                                                                            • String ID: 0$0hC
                                                                                            • API String ID: 323602529-784950247
                                                                                            • Opcode ID: 622b40fb6d894d5aa1115991de8c2c5b589d84d9705eb3b065fc2cec7fc6fad0
                                                                                            • Instruction ID: dd26a1c23eadb7639fef0861fdc2b6c05f84c76fd28c7669f454e47aafc92c53
                                                                                            • Opcode Fuzzy Hash: 622b40fb6d894d5aa1115991de8c2c5b589d84d9705eb3b065fc2cec7fc6fad0
                                                                                            • Instruction Fuzzy Hash: FC21F074905298CFCB10CF98C6887DCBBF0AB09308F2480EAD949A7381D775AE58CF55
                                                                                            Function 00A451E1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                              • Part of subcall function 00A44EF9: EnterCriticalSection.KERNEL32(?,?,00A45538,?,00A54AC8,00000014,00A3BC67,00000000,00000000,?,00000000,?,?,00000000), ref: 00A44F14
                                                                                            • FlushFileBuffers.KERNEL32(00000000,00A54AA8,0000000C,00A451C9,?,00000000,?,00000000,?,00000000,?,00000000,00A3BE37,?,?,?), ref: 00A4522A
                                                                                            • GetLastError.KERNEL32 ref: 00A45234
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979568826.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1979550299.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979590062.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979609661.0000000000A55000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979627356.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979644659.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979661972.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: BuffersCriticalEnterErrorFileFlushLastSection
                                                                                            • String ID: O;
                                                                                            • API String ID: 4109680722-584789618
                                                                                            • Opcode ID: f5ff68bf2c9563ab040d1874a9bf21e729055d3a0e69da7e5ee9cb0c51b5c3dd
                                                                                            • Instruction ID: aec5a5e21317a8cd296f6e9b765be4c5bdd3e99dfedccbc5df48a1c317373a99
                                                                                            • Opcode Fuzzy Hash: f5ff68bf2c9563ab040d1874a9bf21e729055d3a0e69da7e5ee9cb0c51b5c3dd
                                                                                            • Instruction Fuzzy Hash: 65019276A007109FCB14EFA8E90579D77A4AF89761F14421BF411AB3A2DBB49902CB90
                                                                                            Function 0047D9C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0047DA4F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Ios_base_dtorstd::ios_base::_
                                                                                            • String ID: .G$0hC
                                                                                            • API String ID: 323602529-633007509
                                                                                            • Opcode ID: d1051db2cb1cfc94d531bfa9645f70c65f72b0c573f779327227424f90c0fd69
                                                                                            • Instruction ID: 8e7f9f1aa37db0bf33048e17fc0a06a73726813013154025c8e8923a4ade326e
                                                                                            • Opcode Fuzzy Hash: d1051db2cb1cfc94d531bfa9645f70c65f72b0c573f779327227424f90c0fd69
                                                                                            • Instruction Fuzzy Hash: 121149B4940744CFDB21CF49C984A99BBF8FB09324F108A5EE89697391D775AA44CF80
                                                                                            Function 00438A00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 00438A46
                                                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 00438A5C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ___std_exception_destroy
                                                                                            • String ID: MC
                                                                                            • API String ID: 4194217158-1829682832
                                                                                            • Opcode ID: 36b679e11db0edd653e0a2647b8e85e069932705a2a35767823b219f623ddd02
                                                                                            • Instruction ID: 2156576f1eef92af9ffbb3102a1cf8c86cd110feba5e05fe60ab6789c6c907d6
                                                                                            • Opcode Fuzzy Hash: 36b679e11db0edd653e0a2647b8e85e069932705a2a35767823b219f623ddd02
                                                                                            • Instruction Fuzzy Hash: 5A01B5B1C44318EBC710DF58DD01B8ABBE8EB1A714F10466FE811E3780E779A60487A5
                                                                                            Function 00438CC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 00438D06
                                                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 00438D1C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ___std_exception_destroy
                                                                                            • String ID: MC
                                                                                            • API String ID: 4194217158-1829682832
                                                                                            • Opcode ID: d7eaf932c4118910232a5250f95a2e385d092f5df7cd9ec96b40b31c7f1f2a93
                                                                                            • Instruction ID: 34d925613d03c46ca24c24dcd021453886a1a957fa2bd66f6c30760aa6902abf
                                                                                            • Opcode Fuzzy Hash: d7eaf932c4118910232a5250f95a2e385d092f5df7cd9ec96b40b31c7f1f2a93
                                                                                            • Instruction Fuzzy Hash: 050192B1C443189BC711DF58DD05B89BBE8EB1A714F14466FE811A3780E7B9A60487A5
                                                                                            Function 00438DD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 00438E16
                                                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 00438E2C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ___std_exception_destroy
                                                                                            • String ID: MC
                                                                                            • API String ID: 4194217158-1829682832
                                                                                            • Opcode ID: dd0c4f4c0c82000e457c7f44c182c4aade15206cd65931e5a6e762cfa9f818e5
                                                                                            • Instruction ID: 81858840e3503bfd15470ad0d796ddf3043ff6da9bec83e018f38d9446b02dde
                                                                                            • Opcode Fuzzy Hash: dd0c4f4c0c82000e457c7f44c182c4aade15206cd65931e5a6e762cfa9f818e5
                                                                                            • Instruction Fuzzy Hash: 4A01D2B1C442089FC710DF58DD01B8ABBE8EB1A714F10426FE811E3780E7B9A60487A5
                                                                                            Function 00438A90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 00438AD6
                                                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 00438AEC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ___std_exception_destroy
                                                                                            • String ID: MC
                                                                                            • API String ID: 4194217158-1829682832
                                                                                            • Opcode ID: 54ef2c628f25b7a2a23f3ae652ac74171c9fd81bd4396ab0a0f6fcd8ada00686
                                                                                            • Instruction ID: 14708e90e5e2dd6187806a9d8007313cf644032e1f72ff90a2cf062a52645627
                                                                                            • Opcode Fuzzy Hash: 54ef2c628f25b7a2a23f3ae652ac74171c9fd81bd4396ab0a0f6fcd8ada00686
                                                                                            • Instruction Fuzzy Hash: AD0131B1C54658DFC710DF98D901B8ABBF8EB09724F10466BE815E3780E779A6048BA5
                                                                                            Function 00438D50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 00438D96
                                                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 00438DAC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ___std_exception_destroy
                                                                                            • String ID: MC
                                                                                            • API String ID: 4194217158-1829682832
                                                                                            • Opcode ID: 2a7c72095c6804fc0da1c178a4919001dd8fbeb9815b62e3a8e22e5ece97145b
                                                                                            • Instruction ID: 57808b7f7ef1f41f2f9046275374ae6f4c4975ec05ee0e2f2319a2ec8c3047b8
                                                                                            • Opcode Fuzzy Hash: 2a7c72095c6804fc0da1c178a4919001dd8fbeb9815b62e3a8e22e5ece97145b
                                                                                            • Instruction Fuzzy Hash: BB0136B1C44658DFC710DF98D901B89BBF8EB09714F10466FE815E3780E77566048B65
                                                                                            Function 00A329D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMONLIBRARYCODE
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • AcquireSRWLockExclusive.KERNEL32(00A5648C,ios_base::badbit set,?,?,00A31C84,00A56478,00A31B17), ref: 00A329DF
                                                                                            • ReleaseSRWLockExclusive.KERNEL32(00A5648C,?,?,00A31C84,00A56478,00A31B17), ref: 00A32A19
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979568826.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                            • Associated: 00000002.00000002.1979550299.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979590062.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979609661.0000000000A55000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979627356.0000000000A58000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979644659.0000000000A5A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.1979661972.0000000000A5D000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_a30000_drop1.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExclusiveLock$AcquireRelease
                                                                                            • String ID: ios_base::badbit set
                                                                                            • API String ID: 17069307-3882152299
                                                                                            • Opcode ID: 51961f5fdbd1ec50831a334b2c4e84fd925cc9ee222bc2f76d71c7f972d97007
                                                                                            • Instruction ID: 611b61a4ae31cf8ca58e947b8b55bc7471e28e6518669a42753853562edb73ce
                                                                                            • Opcode Fuzzy Hash: 51961f5fdbd1ec50831a334b2c4e84fd925cc9ee222bc2f76d71c7f972d97007
                                                                                            • Instruction Fuzzy Hash: 76F08C31900200DFCB20EF98E904B25BBB8FB857B6F14036EF9AA432A0C7312842CB51
                                                                                            Function 004BA04D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                              • Part of subcall function 004805F0: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,5A06260C,00000000,004BCF70,000000FF,?,?,00513FC8), ref: 00480617
                                                                                              • Part of subcall function 004805F0: GetLastError.KERNEL32(?,00000000,00000000,5A06260C,00000000,004BCF70,000000FF,?,?,00513FC8), ref: 00480621
                                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,00434B5D), ref: 004BA080
                                                                                            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00434B5D), ref: 004BA08F
                                                                                            Strings
                                                                                            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 004BA08A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1979476158.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_drop1.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
                                                                                            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                            • API String ID: 3511171328-631824599
                                                                                            • Opcode ID: c51739a2d2ef137336e9adc3b97a1d747fb81e18f3053d9a6155fde0035c1d30
                                                                                            • Instruction ID: d36ccacf6001ae6edc25a42526d65594664b7a1234a3e60676ee06f56b9b42c5
                                                                                            • Opcode Fuzzy Hash: c51739a2d2ef137336e9adc3b97a1d747fb81e18f3053d9a6155fde0035c1d30
                                                                                            • Instruction Fuzzy Hash: 64E065701007018FD330AF3AD40C3467BE0AB14304F00882FD945C7750E7B9D4088B66