Joe Sandbox Cloud Basic Analysis Report
Edit tour

Windows Analysis Report
ENDEV.exe

Overview

General Information

Sample Name:ENDEV.exe
Analysis ID:1330698
MD5:a1950243a73b32f619fdf441bc1d9992
SHA1:e8f3be1fc95d8019c24067c061985fc583c71c29
SHA256:62f1fefe3599869bdafb14b9d86681b7107f1b1caf419258a4e767bdd1554969
Infos:

Detection

RedLine
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected RedLine Stealer
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
.NET source code contains method to dynamically call methods (often used by packers)
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Process Tree

  • System is w10x64
  • ENDEV.exe (PID: 6988 cmdline: C:\Users\user\Desktop\ENDEV.exe MD5: A1950243A73B32F619FDF441BC1D9992)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
RedLine StealerRedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
ENDEV.exeJoeSecurity_RedLineYara detected RedLine StealerJoe Security
    ENDEV.exeMALWARE_Win_RedLineDetects RedLine infostealerditekSHen
    • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
    • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
    • 0x700:$s3: 83 EC 38 53 B0 77 88 44 24 2B 88 44 24 2F B0 62 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
    • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
    • 0x1e9d0:$s5: delete[]
    • 0x1de88:$s6: constructor or from DllMain.

    Unpacked PEs

    SourceRuleDescriptionAuthorStrings
    0.0.ENDEV.exe.400000.0.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security
      0.0.ENDEV.exe.400000.0.unpackMALWARE_Win_RedLineDetects RedLine infostealerditekSHen
      • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
      • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
      • 0x700:$s3: 83 EC 38 53 B0 77 88 44 24 2B 88 44 24 2F B0 62 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
      • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
      • 0x1e9d0:$s5: delete[]
      • 0x1de88:$s6: constructor or from DllMain.
      0.2.ENDEV.exe.400000.0.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security
        0.2.ENDEV.exe.400000.0.unpackMALWARE_Win_RedLineDetects RedLine infostealerditekSHen
        • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
        • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
        • 0x700:$s3: 83 EC 38 53 B0 77 88 44 24 2B 88 44 24 2F B0 62 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
        • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
        • 0x1e9d0:$s5: delete[]
        • 0x1de88:$s6: constructor or from DllMain.

        Sigma Signatures

        No Sigma rule has matched

        Snort Signatures

        No Snort rule has matched

        Joe Sandbox Signatures

        • AV Detection
        • Compliance
        • System Summary
        • Data Obfuscation
        • Hooking and other Techniques for Hiding and Protection
        • Malware Analysis System Evasion
        • Anti Debugging
        • Language, Device and Operating System Detection
        • Stealing of Sensitive Information
        • Remote Access Functionality

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Source: ENDEV.exeAvira: detected
        Source: ENDEV.exeReversingLabs: Detection: 81%
        Source: ENDEV.exeJoe Sandbox ML: detected
        Source: ENDEV.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
        Source: Binary string: ENDEV.pdb source: ENDEV.exe, 00000000.00000002.1677041680.0000000002550000.00000004.08000000.00040000.00000000.sdmp, ENDEV.exe, 00000000.00000003.1664197921.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, ENDEV.exe, 00000000.00000002.1676441813.00000000022E0000.00000004.00000020.00020000.00000000.sdmp, ENDEV.exe, 00000000.00000002.1678809526.00000000035E5000.00000004.00000800.00020000.00000000.sdmp, ENDEV.exe, 00000000.00000002.1678992808.00000000051F0000.00000004.08000000.00040000.00000000.sdmp
        Source: Binary string: ENDEV.pdbX source: ENDEV.exe, 00000000.00000002.1677041680.0000000002550000.00000004.08000000.00040000.00000000.sdmp, ENDEV.exe, 00000000.00000003.1664197921.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, ENDEV.exe, 00000000.00000002.1676441813.00000000022E0000.00000004.00000020.00020000.00000000.sdmp, ENDEV.exe, 00000000.00000002.1678809526.00000000035E5000.00000004.00000800.00020000.00000000.sdmp, ENDEV.exe, 00000000.00000002.1678992808.00000000051F0000.00000004.08000000.00040000.00000000.sdmp
        Source: Binary string: _.pdb source: ENDEV.exe, 00000000.00000002.1677041680.0000000002550000.00000004.08000000.00040000.00000000.sdmp, ENDEV.exe, 00000000.00000003.1664197921.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, ENDEV.exe, 00000000.00000002.1676441813.00000000022E0000.00000004.00000020.00020000.00000000.sdmp, ENDEV.exe, 00000000.00000002.1678809526.00000000035E5000.00000004.00000800.00020000.00000000.sdmp, ENDEV.exe, 00000000.00000003.1665975467.00000000005F1000.00000004.00000020.00020000.00000000.sdmp

        System Summary

        barindex
        Source: ENDEV.exe, type: SAMPLEMatched rule: Detects RedLine infostealer Author: ditekSHen
        Source: 0.0.ENDEV.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
        Source: 0.2.ENDEV.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
        Source: ENDEV.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
        Source: ENDEV.exe, type: SAMPLEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
        Source: 0.0.ENDEV.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
        Source: 0.2.ENDEV.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
        Source: ENDEV.exe, 00000000.00000003.1663827433.0000000000639000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMsMpLics.dllj% vs ENDEV.exe
        Source: ENDEV.exe, 00000000.00000003.1664197921.00000000005DA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_.dll4 vs ENDEV.exe
        Source: ENDEV.exe, 00000000.00000002.1677970623.0000000002652000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclrjit.dllT vs ENDEV.exe
        Source: ENDEV.exe, 00000000.00000002.1677970623.0000000002652000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs ENDEV.exe
        Source: ENDEV.exe, 00000000.00000002.1677970623.0000000002652000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename vs ENDEV.exe
        Source: ENDEV.exe, 00000000.00000003.1663738355.0000000000624000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMsMpLics.dllj% vs ENDEV.exe
        Source: ENDEV.exe, 00000000.00000002.1676441813.00000000022E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_.dll4 vs ENDEV.exe
        Source: ENDEV.exe, 00000000.00000002.1678809526.00000000035E5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename_.dll4 vs ENDEV.exe
        Source: ENDEV.exe, 00000000.00000003.1665975467.00000000005F1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_.dll4 vs ENDEV.exe
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_00408C600_2_00408C60
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_0040DC110_2_0040DC11
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_00407C3F0_2_00407C3F
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_00418CCC0_2_00418CCC
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_00406CA00_2_00406CA0
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_004028B00_2_004028B0
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_0041A4BE0_2_0041A4BE
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_00408C600_2_00408C60
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_004182440_2_00418244
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_004016500_2_00401650
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_00402F200_2_00402F20
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_004193C40_2_004193C4
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_004187880_2_00418788
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_00402F890_2_00402F89
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_00402B900_2_00402B90
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_004073A00_2_004073A0
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_0224D4E80_2_0224D4E8
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_02240DA00_2_02240DA0
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_02240D900_2_02240D90
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_058A0DC00_2_058A0DC0
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_058A04F00_2_058A04F0
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_058A01A80_2_058A01A8
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: String function: 0040E1D8 appears 43 times
        Source: ENDEV.exeReversingLabs: Detection: 81%
        Source: ENDEV.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\ENDEV.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,0_2_004019F0
        Source: C:\Users\user\Desktop\ENDEV.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,0_2_004019F0
        Source: C:\Users\user\Desktop\ENDEV.exeCommand line argument: 08A0_2_00413780
        Source: C:\Users\user\Desktop\ENDEV.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ENDEV.exe.logJump to behavior
        Source: classification engineClassification label: mal84.troj.evad.winEXE@1/1@0/0
        Source: 0.3.ENDEV.exe.5da628.0.raw.unpack, gBMthepoZSL1ZVKpeA.csCryptographic APIs: 'CreateDecryptor'
        Source: 0.3.ENDEV.exe.5da628.0.raw.unpack, gBMthepoZSL1ZVKpeA.csCryptographic APIs: 'CreateDecryptor'
        Source: 0.3.ENDEV.exe.5da628.0.raw.unpack, gBMthepoZSL1ZVKpeA.csCryptographic APIs: 'CreateDecryptor'
        Source: 0.2.ENDEV.exe.35e6478.7.raw.unpack, gBMthepoZSL1ZVKpeA.csCryptographic APIs: 'CreateDecryptor'
        Source: 0.2.ENDEV.exe.35e6478.7.raw.unpack, gBMthepoZSL1ZVKpeA.csCryptographic APIs: 'CreateDecryptor'
        Source: 0.2.ENDEV.exe.35e6478.7.raw.unpack, gBMthepoZSL1ZVKpeA.csCryptographic APIs: 'CreateDecryptor'
        Source: 0.2.ENDEV.exe.51f0000.8.raw.unpack, gBMthepoZSL1ZVKpeA.csCryptographic APIs: 'CreateDecryptor'
        Source: 0.2.ENDEV.exe.51f0000.8.raw.unpack, gBMthepoZSL1ZVKpeA.csCryptographic APIs: 'CreateDecryptor'
        Source: 0.2.ENDEV.exe.51f0000.8.raw.unpack, gBMthepoZSL1ZVKpeA.csCryptographic APIs: 'CreateDecryptor'
        Source: 0.2.ENDEV.exe.2320f8e.2.raw.unpack, gBMthepoZSL1ZVKpeA.csCryptographic APIs: 'CreateDecryptor'
        Source: 0.2.ENDEV.exe.2320f8e.2.raw.unpack, gBMthepoZSL1ZVKpeA.csCryptographic APIs: 'CreateDecryptor'
        Source: 0.2.ENDEV.exe.2320f8e.2.raw.unpack, gBMthepoZSL1ZVKpeA.csCryptographic APIs: 'CreateDecryptor'
        Source: ENDEV.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: ENDEV.pdb source: ENDEV.exe, 00000000.00000002.1677041680.0000000002550000.00000004.08000000.00040000.00000000.sdmp, ENDEV.exe, 00000000.00000003.1664197921.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, ENDEV.exe, 00000000.00000002.1676441813.00000000022E0000.00000004.00000020.00020000.00000000.sdmp, ENDEV.exe, 00000000.00000002.1678809526.00000000035E5000.00000004.00000800.00020000.00000000.sdmp, ENDEV.exe, 00000000.00000002.1678992808.00000000051F0000.00000004.08000000.00040000.00000000.sdmp
        Source: Binary string: ENDEV.pdbX source: ENDEV.exe, 00000000.00000002.1677041680.0000000002550000.00000004.08000000.00040000.00000000.sdmp, ENDEV.exe, 00000000.00000003.1664197921.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, ENDEV.exe, 00000000.00000002.1676441813.00000000022E0000.00000004.00000020.00020000.00000000.sdmp, ENDEV.exe, 00000000.00000002.1678809526.00000000035E5000.00000004.00000800.00020000.00000000.sdmp, ENDEV.exe, 00000000.00000002.1678992808.00000000051F0000.00000004.08000000.00040000.00000000.sdmp
        Source: Binary string: _.pdb source: ENDEV.exe, 00000000.00000002.1677041680.0000000002550000.00000004.08000000.00040000.00000000.sdmp, ENDEV.exe, 00000000.00000003.1664197921.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, ENDEV.exe, 00000000.00000002.1676441813.00000000022E0000.00000004.00000020.00020000.00000000.sdmp, ENDEV.exe, 00000000.00000002.1678809526.00000000035E5000.00000004.00000800.00020000.00000000.sdmp, ENDEV.exe, 00000000.00000003.1665975467.00000000005F1000.00000004.00000020.00020000.00000000.sdmp

        Data Obfuscation

        barindex
        Source: 0.3.ENDEV.exe.5da628.0.raw.unpack, gBMthepoZSL1ZVKpeA.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
        Source: 0.2.ENDEV.exe.35e6478.7.raw.unpack, gBMthepoZSL1ZVKpeA.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
        Source: 0.2.ENDEV.exe.51f0000.8.raw.unpack, gBMthepoZSL1ZVKpeA.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
        Source: 0.2.ENDEV.exe.2320f8e.2.raw.unpack, gBMthepoZSL1ZVKpeA.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
        Source: 0.2.ENDEV.exe.2550f08.4.raw.unpack, gBMthepoZSL1ZVKpeA.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
        Source: 0.2.ENDEV.exe.35fd990.5.raw.unpack, gBMthepoZSL1ZVKpeA.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
        Source: ENDEV.exeStatic PE information: real checksum: 0x23bfb should be: 0x3abdc
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_0040E21D push ecx; ret 0_2_0040E230
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_0040BB97 push dword ptr [ecx-75h]; iretd 0_2_0040BBA3
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_022450E9 push esi; ret 0_2_022450EF
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,0_2_004019F0
        Source: 0.3.ENDEV.exe.5da628.0.raw.unpack, gBMthepoZSL1ZVKpeA.csHigh entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'sooJbsp5A', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
        Source: 0.2.ENDEV.exe.35e6478.7.raw.unpack, gBMthepoZSL1ZVKpeA.csHigh entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'sooJbsp5A', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
        Source: 0.2.ENDEV.exe.51f0000.8.raw.unpack, gBMthepoZSL1ZVKpeA.csHigh entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'sooJbsp5A', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
        Source: 0.2.ENDEV.exe.2320f8e.2.raw.unpack, gBMthepoZSL1ZVKpeA.csHigh entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'sooJbsp5A', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
        Source: 0.2.ENDEV.exe.2550f08.4.raw.unpack, gBMthepoZSL1ZVKpeA.csHigh entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'sooJbsp5A', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
        Source: 0.2.ENDEV.exe.35fd990.5.raw.unpack, gBMthepoZSL1ZVKpeA.csHigh entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'sooJbsp5A', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion

        barindex
        Source: C:\Users\user\Desktop\ENDEV.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * From Win32_NetworkAdapter
        Source: C:\Users\user\Desktop\ENDEV.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID=&quot;0&quot;::Enable
        Source: C:\Users\user\Desktop\ENDEV.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID=&quot;0&quot;::Enable
        Source: C:\Users\user\Desktop\ENDEV.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID=&quot;1&quot;::Enable
        Source: C:\Users\user\Desktop\ENDEV.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID=&quot;2&quot;::Enable
        Source: C:\Users\user\Desktop\ENDEV.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID=&quot;2&quot;::Enable
        Source: C:\Users\user\Desktop\ENDEV.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID=&quot;3&quot;::Enable
        Source: C:\Users\user\Desktop\ENDEV.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID=&quot;3&quot;::Enable
        Source: C:\Users\user\Desktop\ENDEV.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID=&quot;4&quot;::Enable
        Source: C:\Users\user\Desktop\ENDEV.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID=&quot;4&quot;::Enable
        Source: C:\Users\user\Desktop\ENDEV.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID=&quot;5&quot;::Enable
        Source: C:\Users\user\Desktop\ENDEV.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID=&quot;5&quot;::Enable
        Source: C:\Users\user\Desktop\ENDEV.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID=&quot;6&quot;::Enable
        Source: C:\Users\user\Desktop\ENDEV.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID=&quot;6&quot;::Enable
        Source: C:\Users\user\Desktop\ENDEV.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID=&quot;7&quot;::Enable
        Source: C:\Users\user\Desktop\ENDEV.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID=&quot;7&quot;::Enable
        Source: C:\Users\user\Desktop\ENDEV.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID=&quot;8&quot;::Enable
        Source: C:\Users\user\Desktop\ENDEV.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID=&quot;8&quot;::Enable
        Source: C:\Users\user\Desktop\ENDEV.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID=&quot;9&quot;::Enable
        Source: C:\Users\user\Desktop\ENDEV.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID=&quot;9&quot;::Enable
        Source: C:\Users\user\Desktop\ENDEV.exe TID: 7044Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,0_2_004019F0
        Source: C:\Users\user\Desktop\ENDEV.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleepgraph_0-14561
        Source: C:\Users\user\Desktop\ENDEV.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0040CE09
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,0_2_004019F0
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,0_2_004019F0
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_0040ADB0 GetProcessHeap,HeapFree,0_2_0040ADB0
        Source: C:\Users\user\Desktop\ENDEV.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0040CE09
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0040E61C
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00416F6A
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_004123F1 SetUnhandledExceptionFilter,0_2_004123F1
        Source: C:\Users\user\Desktop\ENDEV.exeMemory allocated: page read and write | page guardJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: GetLocaleInfoA,0_2_00417A20
        Source: C:\Users\user\Desktop\ENDEV.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
        Source: C:\Users\user\Desktop\ENDEV.exeCode function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00412A15

        Stealing of Sensitive Information

        barindex
        Source: Yara matchFile source: ENDEV.exe, type: SAMPLE
        Source: Yara matchFile source: 0.0.ENDEV.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.ENDEV.exe.400000.0.unpack, type: UNPACKEDPE

        Remote Access Functionality

        barindex
        Source: Yara matchFile source: ENDEV.exe, type: SAMPLE
        Source: Yara matchFile source: 0.0.ENDEV.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.ENDEV.exe.400000.0.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid Accounts1
        Windows Management Instrumentation        		Path InterceptionPath Interception1
        Masquerading        		OS Credential Dumping1
        System Time Discovery        		Remote Services11
        Archive Collected Data        		Exfiltration Over Other Network Medium1
        Encrypted Channel        		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default Accounts2
        Command and Scripting Interpreter        		Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
        Disable or Modify Tools        		LSASS Memory13
        Security Software Discovery        		Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain Accounts2
        Native API        		Logon Script (Windows)Logon Script (Windows)121
        Virtualization/Sandbox Evasion        		Security Account Manager121
        Virtualization/Sandbox Evasion        		SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)11
        Deobfuscate/Decode Files or Information        		NTDS1
        Process Discovery        		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script2
        Obfuscated Files or Information        		LSA Secrets23
        System Information Discovery        		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
        Replication Through Removable MediaLaunchdRc.commonRc.common1
        Software Packing        		Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        behaviorgraph top1 signatures2 2 Behavior Graph ID: 1330698 Sample: ENDEV.exe Startdate: 23/10/2023 Architecture: WINDOWS Score: 84 8 Malicious sample detected (through community Yara rule) 2->8 10 Antivirus / Scanner detection for submitted sample 2->10 12 Multi AV Scanner detection for submitted file 2->12 14 3 other signatures 2->14 5 ENDEV.exe 1 2->5         started        process3 signatures4 16 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 5->16

        Screenshots

        Download Video

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        ENDEV.exe82%ReversingLabsWin32.Spyware.RedLine
        ENDEV.exe100%AviraHEUR/AGEN.1305930
        ENDEV.exe100%Joe Sandbox ML

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        No Antivirus matches

        Domains and IPs

        Contacted Domains

        No contacted domains info

        World Map of Contacted IPs

        No contacted IP infos

        General Information

        Joe Sandbox Version:38.0.0 Ammolite
        Analysis ID:1330698
        Start date and time:2023-10-23 17:32:38 +02:00
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 3m 34s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:1
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample file name:ENDEV.exe
        Detection:MAL
        Classification:mal84.troj.evad.winEXE@1/1@0/0
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 86%
        • Number of executed functions: 21
        • Number of non-executed functions: 28
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Stop behavior analysis, all processes terminated
        • Report size getting too big, too many NtQueryValueKey calls found.
        • VT rate limit hit for: ENDEV.exe

        Simulations

        Behavior and APIs

        No simulations

        Joe Sandbox View / Context

        IPs

        No context

        Domains

        No context

        ASNs

        No context

        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Created / dropped Files

        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ENDEV.exe.log

        Download File
        Process:C:\Users\user\Desktop\ENDEV.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):538
        Entropy (8bit):5.363668998804157
        Encrypted:false
        SSDEEP:12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAWzAbDLI4MNldKZav:MLUE4K5E4KjsXE4qdKm
        MD5:EBB5E836C19A30547119AA21D0BC35B8
        SHA1:7A5C9F1F614A5B060B04EE9DAA9A8DB618D8FBE8
        SHA-256:09144C81EF370EED482032BE30BAF27EBC4868DBAF20F2E8418B3FFE8C8E5E9F
        SHA-512:0404CEEC029D7C50B49A0E8C292D3F9DA55D92037538D1F72F5F82EFF997B05084BACBE8B87A2E6261D66143678755DA755F985D5EBA2B7948D621FD69B77D19
        Malicious:false
        Reputation:low
        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.Management.ni.dll",0..

        Static File Info

        General

        File type:PE32 executable (GUI) Intel 80386, for MS Windows
        Entropy (8bit):7.206847476409503
        TrID:
        • Win32 Executable (generic) a (10002005/4) 99.96%
        • Generic Win/DOS Executable (2004/3) 0.02%
        • DOS Executable Generic (2002/1) 0.02%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:ENDEV.exe
        File size:189'952 bytes
        MD5:a1950243a73b32f619fdf441bc1d9992
        SHA1:e8f3be1fc95d8019c24067c061985fc583c71c29
        SHA256:62f1fefe3599869bdafb14b9d86681b7107f1b1caf419258a4e767bdd1554969
        SHA512:19350ccb1bfbb7122407027af58fc6894737b6c565d24fb9e134614f26b967ebe5960e463a1e9dcaa2dd61198c16804de9f53fa39b8f3d621488a248babe737b
        SSDEEP:3072:SDKW1LgppLRHMY0TBfJvjcTp5XPHe/h6LQrLAxE/H:SDKW1Lgbdl0TBBvjc/f6sLQoxEP
        TLSH:B504AD2175C1C2B3C4B6113045E6CB7A5A7A3071077A95D7B7EC2BBA6E213E1A3362CD
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h..-,q.~,q.~,q.~2#.~?q.~...~+q.~,q.~\q.~2#n~.q.~2#i~.q.~2#{~-q.~Rich,q.~................v.v.....PE..L...t..P..........#........

        File Icon

        Icon Hash:90cececece8e8eb0

        Static PE Info

        General

        Entrypoint:0x40cd2f
        Entrypoint Section:.text
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
        DLL Characteristics:TERMINAL_SERVER_AWARE
        Time Stamp:0x5000A574 [Fri Jul 13 22:47:16 2012 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:5
        OS Version Minor:0
        File Version Major:5
        File Version Minor:0
        Subsystem Version Major:5
        Subsystem Version Minor:0
        Import Hash:bf5a4aa99e5b160f8521cadd6bfe73b8
        Instruction
        call 00007F3BA163CC86h
        jmp 00007F3BA1636E49h
        mov edi, edi
        push ebp
        mov ebp, esp
        sub esp, 20h
        mov eax, dword ptr [ebp+08h]
        push esi
        push edi
        push 00000008h
        pop ecx
        mov esi, 0041F058h
        lea edi, dword ptr [ebp-20h]
        rep movsd
        mov dword ptr [ebp-08h], eax
        mov eax, dword ptr [ebp+0Ch]
        pop edi
        mov dword ptr [ebp-04h], eax
        pop esi
        test eax, eax
        je 00007F3BA1636FAEh
        test byte ptr [eax], 00000008h
        je 00007F3BA1636FA9h
        mov dword ptr [ebp-0Ch], 01994000h
        lea eax, dword ptr [ebp-0Ch]
        push eax
        push dword ptr [ebp-10h]
        push dword ptr [ebp-1Ch]
        push dword ptr [ebp-20h]
        call dword ptr [0041B000h]
        leave
        retn 0008h
        ret
        mov eax, 00413563h
        mov dword ptr [004228E4h], eax
        mov dword ptr [004228E8h], 00412C4Ah
        mov dword ptr [004228ECh], 00412BFEh
        mov dword ptr [004228F0h], 00412C37h
        mov dword ptr [004228F4h], 00412BA0h
        mov dword ptr [004228F8h], eax
        mov dword ptr [004228FCh], 004134DBh
        mov dword ptr [00422900h], 00412BBCh
        mov dword ptr [00422904h], 00412B1Eh
        mov dword ptr [00422908h], 00412AABh
        ret
        mov edi, edi
        push ebp
        mov ebp, esp
        call 00007F3BA1636F3Bh
        call 00007F3BA163D7C0h
        cmp dword ptr [ebp+00h], 00000000h
        Programming Language:
        • [ASM] VS2008 build 21022
        • [IMP] VS2005 build 50727
        • [C++] VS2008 build 21022
        • [ C ] VS2008 build 21022
        • [LNK] VS2008 build 21022
        NameVirtual AddressVirtual Size Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
        IMAGE_DIRECTORY_ENTRY_IMPORT0x215b40x50.rdata
        IMAGE_DIRECTORY_ENTRY_RESOURCE0x260000xc530.rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
        IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
        IMAGE_DIRECTORY_ENTRY_DEBUG0x1b1c00x1c.rdata
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x20da00x40.rdata
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
        IMAGE_DIRECTORY_ENTRY_IAT0x1b0000x184.rdata
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

        Sections

        NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
        .text0x10000x197180x19800False0.5789675245098039data6.748605573476326IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .rdata0x1b0000x6db40x6e00False0.5467329545454546data6.442956247632331IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .data0x220000x30c00x1600False0.3126775568181818data3.2625868398009703IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .rsrc0x260000xc5300xc600False0.982717803030303data7.978485885448707IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        NameRVASizeTypeLanguageCountryZLIB Complexity
        RT_RCDATA0x261240xbf11data1.0004293337149632
        RT_RCDATA0x320380x20data1.34375
        RT_VERSION0x320580x2ecdata0.4358288770053476
        RT_MANIFEST0x323440x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347
        DLLImport
        KERNEL32.dllRaiseException, GetLastError, MultiByteToWideChar, lstrlenA, InterlockedDecrement, GetProcAddress, LoadLibraryA, FreeResource, SizeofResource, LockResource, LoadResource, FindResourceA, GetModuleHandleA, Module32Next, CloseHandle, Module32First, CreateToolhelp32Snapshot, GetCurrentProcessId, SetEndOfFile, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, GetLocaleInfoA, HeapFree, GetProcessHeap, HeapAlloc, GetCommandLineA, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, HeapSize, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, ReadFile, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, FlushFileBuffers, SetFilePointer, SetHandleCount, GetFileType, GetStartupInfoA, RtlUnwind, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CompareStringA, CompareStringW, SetEnvironmentVariableA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA
        ole32.dllOleInitialize
        OLEAUT32.dllSafeArrayCreate, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayDestroy, SafeArrayCreateVector, VariantClear, VariantInit, SysFreeString, SysAllocString

        Network Behavior

        No network behavior found

        Statistics

        CPU Usage

        0246s020406080100

        Click to jump to process

        Memory Usage

        0246s0.00510152025MB

        Click to jump to process

        High Level Behavior Distribution

        • File
        • Registry

        Click to dive into process behavior distribution

        System Behavior

        General

        Target ID:0
        Start time:17:33:27
        Start date:23/10/2023
        Path:C:\Users\user\Desktop\ENDEV.exe
        Wow64 process (32bit):true
        Commandline:C:\Users\user\Desktop\ENDEV.exe
        Imagebase:0x400000
        File size:189'952 bytes
        MD5 hash:A1950243A73B32F619FDF441BC1D9992
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:.Net C# or VB.NET
        Reputation:low
        Has exited:true
        Show Windows behavior

        File Activities

        Show Windows behavior

        Section Activities

        Show Windows behavior

        Registry Activities

        Show Windows behavior

        COM Activities

        Show Windows behavior

        Mutex Activities

        Show Windows behavior

        Process Activities

        Show Windows behavior

        Thread Activities

        Show Windows behavior

        Memory Activities

        Show Windows behavior

        System Activities

        There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
        There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

        Process Token Activities

        There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

        Disassembly

        Execution Graph

        Execution Coverage

        Dynamic/Packed Code Coverage

        Signature Coverage

        Execution Coverage:6%
        Dynamic/Decrypted Code Coverage:1.3%
        Signature Coverage:5.5%
        Total number of Nodes:1244
        Total number of Limit Nodes:48
        Show Legend
        Hide Nodes/Edges
        execution_graph 14500 22498a0 14501 22498e0 FindCloseChangeNotification 14500->14501 14503 2249911 14501->14503 14504 2240d90 14505 2240d5f 14504->14505 14507 2240d9f 14504->14507 14506 2240d37 14505->14506 14510 2241c25 14505->14510 14513 2244c4f 14505->14513 14516 2249620 14510->14516 14515 2249620 VirtualProtect 14513->14515 14514 2244c71 14515->14514 14518 2249633 14516->14518 14520 22496d0 14518->14520 14521 2249718 VirtualProtect 14520->14521 14523 2241c49 14521->14523 14524 40cbf7 14525 40cc08 14524->14525 14559 40d534 HeapCreate 14525->14559 14528 40cc46 14561 41087e GetModuleHandleW 14528->14561 14532 40cc57 __RTC_Initialize 14595 411a15 14532->14595 14533 40cbb4 _fast_error_exit 63 API calls 14533->14532 14535 40cc66 14536 40cc72 GetCommandLineA 14535->14536 14732 40e79a 14535->14732 14610 412892 14536->14610 14543 40cc97 14646 41255f 14543->14646 14544 40e79a __amsg_exit 63 API calls 14544->14543 14547 40cca8 14661 40e859 14547->14661 14548 40e79a __amsg_exit 63 API calls 14548->14547 14550 40ccb0 14551 40ccbb 14550->14551 14552 40e79a __amsg_exit 63 API calls 14550->14552 14667 4019f0 OleInitialize 14551->14667 14552->14551 14554 40ccd8 14555 40ccea 14554->14555 14721 40ea0a 14554->14721 14739 40ea36 14555->14739 14558 40ccef __ioinit 14560 40cc3a 14559->14560 14560->14528 14724 40cbb4 14560->14724 14562 410892 14561->14562 14563 410899 14561->14563 14742 40e76a 14562->14742 14565 410a01 14563->14565 14566 4108a3 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14563->14566 14801 410598 14565->14801 14568 4108ec TlsAlloc 14566->14568 14571 40cc4c 14568->14571 14572 41093a TlsSetValue 14568->14572 14571->14532 14571->14533 14572->14571 14573 41094b 14572->14573 14746 40ea54 14573->14746 14578 41046e __encode_pointer 6 API calls 14579 41096b 14578->14579 14580 41046e __encode_pointer 6 API calls 14579->14580 14581 41097b 14580->14581 14582 41046e __encode_pointer 6 API calls 14581->14582 14583 41098b 14582->14583 14763 40d564 14583->14763 14590 4104e9 __decode_pointer 6 API calls 14591 4109df 14590->14591 14591->14565 14592 4109e6 14591->14592 14783 4105d5 14592->14783 14594 4109ee GetCurrentThreadId 14594->14571 15108 40e1d8 14595->15108 14597 411a21 GetStartupInfoA 14598 411cba __calloc_crt 63 API calls 14597->14598 14604 411a42 14598->14604 14599 411c60 __ioinit 14599->14535 14600 411bdd GetStdHandle 14605 411ba7 14600->14605 14601 411c42 SetHandleCount 14601->14599 14602 411cba __calloc_crt 63 API calls 14602->14604 14603 411bef GetFileType 14603->14605 14604->14599 14604->14602 14604->14605 14607 411b2a 14604->14607 14605->14599 14605->14600 14605->14601 14605->14603 14608 41389c __ioinit InitializeCriticalSectionAndSpinCount 14605->14608 14606 411b53 GetFileType 14606->14607 14607->14599 14607->14605 14607->14606 14609 41389c __ioinit InitializeCriticalSectionAndSpinCount 14607->14609 14608->14605 14609->14607 14611 4128b0 GetEnvironmentStringsW 14610->14611 14612 4128cf 14610->14612 14613 4128c4 GetLastError 14611->14613 14614 4128b8 14611->14614 14612->14614 14615 412968 14612->14615 14613->14612 14616 4128eb GetEnvironmentStringsW 14614->14616 14621 4128fa WideCharToMultiByte 14614->14621 14617 412971 GetEnvironmentStrings 14615->14617 14618 40cc82 14615->14618 14616->14618 14616->14621 14617->14618 14620 412981 14617->14620 14635 4127d7 14618->14635 14620->14620 14624 411c75 __malloc_crt 63 API calls 14620->14624 14622 41295d FreeEnvironmentStringsW 14621->14622 14623 41292e 14621->14623 14622->14618 14625 411c75 __malloc_crt 63 API calls 14623->14625 14626 41299b 14624->14626 14627 412934 14625->14627 14628 4129a2 FreeEnvironmentStringsA 14626->14628 14629 4129ae _memcpy_s 14626->14629 14627->14622 14630 41293c WideCharToMultiByte 14627->14630 14628->14618 14633 4129b8 FreeEnvironmentStringsA 14629->14633 14631 412956 14630->14631 14632 41294e 14630->14632 14631->14622 14634 40b6b5 __setenvp 63 API calls 14632->14634 14633->14618 14634->14631 14636 4127f1 GetModuleFileNameA 14635->14636 14637 4127ec 14635->14637 14639 412818 14636->14639 15115 41446b 14637->15115 15109 41263d 14639->15109 14641 40cc8c 14641->14543 14641->14544 14643 411c75 __malloc_crt 63 API calls 14644 41285a 14643->14644 14644->14641 14645 41263d _parse_cmdline 73 API calls 14644->14645 14645->14641 14647 412568 14646->14647 14648 41256d _strlen 14646->14648 14650 41446b ___initmbctable 107 API calls 14647->14650 14649 40cc9d 14648->14649 14651 411cba __calloc_crt 63 API calls 14648->14651 14649->14547 14649->14548 14650->14648 14656 4125a2 _strlen 14651->14656 14652 412600 14653 40b6b5 __setenvp 63 API calls 14652->14653 14653->14649 14654 411cba __calloc_crt 63 API calls 14654->14656 14655 412626 14657 40b6b5 __setenvp 63 API calls 14655->14657 14656->14649 14656->14652 14656->14654 14656->14655 14658 40ef42 _strcpy_s 63 API calls 14656->14658 14659 4125e7 14656->14659 14657->14649 14658->14656 14659->14656 14660 40e61c __invoke_watson 10 API calls 14659->14660 14660->14659 14662 40e867 __IsNonwritableInCurrentImage 14661->14662 15526 413586 14662->15526 14664 40e885 __initterm_e 14666 40e8a4 __IsNonwritableInCurrentImage __initterm 14664->14666 15530 40d2bd 14664->15530 14666->14550 14668 401ab9 14667->14668 15630 40b99e 14668->15630 14670 401abf 14671 401acd GetCurrentProcessId CreateToolhelp32Snapshot Module32First 14670->14671 14697 402467 14670->14697 14672 401dc3 FindCloseChangeNotification GetModuleHandleA 14671->14672 14679 401c55 14671->14679 15643 401650 14672->15643 14674 401e8b FindResourceA LoadResource LockResource SizeofResource 14675 40b84d _malloc 63 API calls 14674->14675 14676 401ebf 14675->14676 15645 40af66 14676->15645 14678 401c9c CloseHandle 14678->14554 14679->14678 14684 401cf9 Module32Next 14679->14684 14680 401ecb _memset 14681 401efc SizeofResource 14680->14681 14682 401f1c 14681->14682 14683 401f5f 14681->14683 14682->14683 15683 401560 14682->15683 14686 401f92 _memset 14683->14686 14687 401560 __VEC_memcpy 14683->14687 14684->14672 14693 401d0f 14684->14693 14688 401fa2 FreeResource 14686->14688 14687->14686 14689 40b84d _malloc 63 API calls 14688->14689 14690 401fbb SizeofResource 14689->14690 14691 401fe5 _memset 14690->14691 14692 4020aa LoadLibraryA 14691->14692 14694 401650 14692->14694 14693->14678 14696 401dad Module32Next 14693->14696 14695 40216c GetProcAddress 14694->14695 14695->14697 14698 4021aa 14695->14698 14696->14672 14696->14693 14697->14554 14698->14697 15657 4018f0 14698->15657 14700 40243f 14700->14697 14701 40b6b5 __setenvp 63 API calls 14700->14701 14701->14697 14702 4021f1 14702->14700 15669 401870 14702->15669 14704 402269 VariantInit 14705 401870 76 API calls 14704->14705 14706 40228b VariantInit 14705->14706 14707 4022a7 14706->14707 14708 4022d9 SafeArrayCreate SafeArrayAccessData 14707->14708 15674 40b350 14708->15674 14711 40232c 14712 402354 SafeArrayDestroy 14711->14712 14720 40235b 14711->14720 14712->14720 14713 402392 SafeArrayCreateVector 14714 4023a4 14713->14714 14715 4023bc VariantClear VariantClear 14714->14715 15676 4019a0 14715->15676 14718 40242e 14719 4019a0 66 API calls 14718->14719 14719->14700 14720->14713 15940 40e8de 14721->15940 14723 40ea1b 14723->14555 14725 40cbc2 14724->14725 14726 40cbc7 14724->14726 14727 40ec4d __FF_MSGBANNER 63 API calls 14725->14727 14728 40eaa2 __NMSG_WRITE 63 API calls 14726->14728 14727->14726 14729 40cbcf 14728->14729 14730 40e7ee _fast_error_exit 4 API calls 14729->14730 14731 40cbd9 14730->14731 14731->14528 14733 40ec4d __FF_MSGBANNER 63 API calls 14732->14733 14734 40e7a4 14733->14734 14735 40eaa2 __NMSG_WRITE 63 API calls 14734->14735 14736 40e7ac 14735->14736 14737 4104e9 __decode_pointer 6 API calls 14736->14737 14738 40cc71 14737->14738 14738->14536 14740 40e8de _doexit 63 API calls 14739->14740 14741 40ea41 14740->14741 14741->14558 14743 40e775 Sleep GetModuleHandleW 14742->14743 14744 40e793 14743->14744 14745 40e797 14743->14745 14744->14743 14744->14745 14745->14563 14807 4104e0 14746->14807 14748 40ea5c __init_pointers __initp_misc_winsig 14810 41393d 14748->14810 14751 41046e __encode_pointer 6 API calls 14752 40ea98 14751->14752 14753 41046e TlsGetValue 14752->14753 14754 4104a7 GetModuleHandleW 14753->14754 14755 410486 14753->14755 14757 4104c2 GetProcAddress 14754->14757 14758 4104b7 14754->14758 14755->14754 14756 410490 TlsGetValue 14755->14756 14762 41049b 14756->14762 14759 41049f 14757->14759 14760 40e76a __crt_waiting_on_module_handle 2 API calls 14758->14760 14759->14578 14761 4104bd 14760->14761 14761->14757 14761->14759 14762->14754 14762->14759 14764 40d56f 14763->14764 14766 40d59d 14764->14766 14813 41389c 14764->14813 14766->14565 14767 4104e9 TlsGetValue 14766->14767 14768 410501 14767->14768 14769 410522 GetModuleHandleW 14767->14769 14768->14769 14770 41050b TlsGetValue 14768->14770 14771 410532 14769->14771 14772 41053d GetProcAddress 14769->14772 14774 410516 14770->14774 14773 40e76a __crt_waiting_on_module_handle 2 API calls 14771->14773 14776 41051a 14772->14776 14775 410538 14773->14775 14774->14769 14774->14776 14775->14772 14775->14776 14776->14565 14777 411cba 14776->14777 14780 411cc3 14777->14780 14779 4109c5 14779->14565 14779->14590 14780->14779 14781 411ce1 Sleep 14780->14781 14818 40e231 14780->14818 14782 411cf6 14781->14782 14782->14779 14782->14780 15087 40e1d8 14783->15087 14785 4105e1 GetModuleHandleW 14786 4105f1 14785->14786 14787 4105f7 14785->14787 14788 40e76a __crt_waiting_on_module_handle 2 API calls 14786->14788 14789 410633 14787->14789 14790 41060f GetProcAddress GetProcAddress 14787->14790 14788->14787 14791 40d6e0 __lock 59 API calls 14789->14791 14790->14789 14792 410652 InterlockedIncrement 14791->14792 15088 4106aa 14792->15088 14795 40d6e0 __lock 59 API calls 14796 410673 14795->14796 15091 4145d2 InterlockedIncrement 14796->15091 14798 410691 15103 4106b3 14798->15103 14800 41069e __ioinit 14800->14594 14802 4105a2 14801->14802 14803 4105ae 14801->14803 14804 4104e9 __decode_pointer 6 API calls 14802->14804 14805 4105d0 14803->14805 14806 4105c2 TlsFree 14803->14806 14804->14803 14805->14805 14806->14805 14808 41046e __encode_pointer 6 API calls 14807->14808 14809 4104e7 14808->14809 14809->14748 14811 41046e __encode_pointer 6 API calls 14810->14811 14812 40ea8e 14811->14812 14812->14751 14817 40e1d8 14813->14817 14815 4138a8 InitializeCriticalSectionAndSpinCount 14816 4138ec __ioinit 14815->14816 14816->14764 14817->14815 14819 40e23d __ioinit 14818->14819 14820 40e255 14819->14820 14828 40e274 _memset 14819->14828 14831 40bfc1 14820->14831 14824 40e2e6 RtlAllocateHeap 14824->14828 14825 40e26a __ioinit 14825->14780 14828->14824 14828->14825 14837 40d6e0 14828->14837 14844 40def2 14828->14844 14850 40e32d 14828->14850 14853 40d2e3 14828->14853 14856 4106bc GetLastError 14831->14856 14833 40bfc6 14834 40e744 14833->14834 14835 4104e9 __decode_pointer 6 API calls 14834->14835 14836 40e754 __invoke_watson 14835->14836 14838 40d6f5 14837->14838 14839 40d708 EnterCriticalSection 14837->14839 14881 40d61d 14838->14881 14839->14828 14841 40d6fb 14841->14839 14842 40e79a __amsg_exit 62 API calls 14841->14842 14843 40d707 14842->14843 14843->14839 14847 40df20 14844->14847 14845 40dfb9 14849 40dfc2 14845->14849 15082 40db09 14845->15082 14847->14845 14847->14849 15075 40da59 14847->15075 14849->14828 15086 40d606 LeaveCriticalSection 14850->15086 14852 40e334 14852->14828 14854 4104e9 __decode_pointer 6 API calls 14853->14854 14855 40d2f3 14854->14855 14855->14828 14870 410564 TlsGetValue 14856->14870 14859 410729 SetLastError 14859->14833 14860 411cba __calloc_crt 60 API calls 14861 4106e7 14860->14861 14861->14859 14862 4104e9 __decode_pointer 6 API calls 14861->14862 14863 410701 14862->14863 14864 410720 14863->14864 14865 410708 14863->14865 14875 40b6b5 14864->14875 14866 4105d5 __initptd 60 API calls 14865->14866 14868 410710 GetCurrentThreadId 14866->14868 14868->14859 14869 410726 14869->14859 14871 410594 14870->14871 14872 410579 14870->14872 14871->14859 14871->14860 14873 4104e9 __decode_pointer 6 API calls 14872->14873 14874 410584 TlsSetValue 14873->14874 14874->14871 14876 40b6c1 __ioinit 14875->14876 14877 40b73d __ioinit 14876->14877 14878 40b714 HeapFree 14876->14878 14877->14869 14878->14877 14879 40b727 14878->14879 14880 40bfc1 __mbsnbcmp_l 62 API calls 14879->14880 14880->14877 14882 40d629 __ioinit 14881->14882 14896 40d64f 14882->14896 14907 40ec4d 14882->14907 14888 40d65f __ioinit 14888->14841 14890 40d680 14894 40d6e0 __lock 63 API calls 14890->14894 14891 40d671 14893 40bfc1 __mbsnbcmp_l 63 API calls 14891->14893 14893->14888 14895 40d687 14894->14895 14897 40d6bb 14895->14897 14898 40d68f 14895->14898 14896->14888 14953 411c75 14896->14953 14900 40b6b5 __setenvp 63 API calls 14897->14900 14899 41389c __ioinit InitializeCriticalSectionAndSpinCount 14898->14899 14901 40d69a 14899->14901 14902 40d6ac 14900->14902 14901->14902 14903 40b6b5 __setenvp 63 API calls 14901->14903 14959 40d6d7 14902->14959 14905 40d6a6 14903->14905 14906 40bfc1 __mbsnbcmp_l 63 API calls 14905->14906 14906->14902 14962 413d5b 14907->14962 14910 40ec61 14912 40eaa2 __NMSG_WRITE 63 API calls 14910->14912 14915 40d63e 14910->14915 14911 413d5b __set_error_mode 63 API calls 14911->14910 14913 40ec79 14912->14913 14914 40eaa2 __NMSG_WRITE 63 API calls 14913->14914 14914->14915 14916 40eaa2 14915->14916 14917 40eab6 14916->14917 14918 40d645 14917->14918 14919 413d5b __set_error_mode 60 API calls 14917->14919 14950 40e7ee 14918->14950 14920 40ead8 14919->14920 14921 40ec16 GetStdHandle 14920->14921 14923 413d5b __set_error_mode 60 API calls 14920->14923 14921->14918 14922 40ec24 _strlen 14921->14922 14922->14918 14926 40ec3d WriteFile 14922->14926 14924 40eae9 14923->14924 14924->14921 14925 40eafb 14924->14925 14925->14918 14968 40ef42 14925->14968 14926->14918 14929 40eb31 GetModuleFileNameA 14931 40eb4f 14929->14931 14935 40eb72 _strlen 14929->14935 14933 40ef42 _strcpy_s 60 API calls 14931->14933 14934 40eb5f 14933->14934 14934->14935 14937 40e61c __invoke_watson 10 API calls 14934->14937 14936 40ebb5 14935->14936 14984 411da6 14935->14984 14993 413ce7 14936->14993 14937->14935 14942 40ebd9 14944 413ce7 _strcat_s 60 API calls 14942->14944 14943 40e61c __invoke_watson 10 API calls 14943->14942 14945 40ebed 14944->14945 14947 40ebfe 14945->14947 14948 40e61c __invoke_watson 10 API calls 14945->14948 14946 40e61c __invoke_watson 10 API calls 14946->14936 15002 413b7e 14947->15002 14948->14947 15040 40e7c3 GetModuleHandleW 14950->15040 14955 411c7e 14953->14955 14956 40d66a 14955->14956 14957 411c95 Sleep 14955->14957 15044 40b84d 14955->15044 14956->14890 14956->14891 14958 411caa 14957->14958 14958->14955 14958->14956 15074 40d606 LeaveCriticalSection 14959->15074 14961 40d6de 14961->14888 14963 413d6a 14962->14963 14964 40bfc1 __mbsnbcmp_l 63 API calls 14963->14964 14967 40ec54 14963->14967 14965 413d8d 14964->14965 14966 40e744 __mbsnbcmp_l 6 API calls 14965->14966 14966->14967 14967->14910 14967->14911 14969 40ef53 14968->14969 14970 40ef5a 14968->14970 14969->14970 14974 40ef80 14969->14974 14971 40bfc1 __mbsnbcmp_l 63 API calls 14970->14971 14976 40ef5f 14971->14976 14972 40e744 __mbsnbcmp_l 6 API calls 14973 40eb1d 14972->14973 14973->14929 14977 40e61c 14973->14977 14974->14973 14975 40bfc1 __mbsnbcmp_l 63 API calls 14974->14975 14975->14976 14976->14972 15029 40ba30 14977->15029 14979 40e649 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 14980 40e725 GetCurrentProcess TerminateProcess 14979->14980 14981 40e719 __invoke_watson 14979->14981 15031 40ce09 14980->15031 14981->14980 14983 40e742 14983->14929 14985 411db8 14984->14985 14988 411dbc 14985->14988 14990 40eba2 14985->14990 14991 411e02 14985->14991 14986 40bfc1 __mbsnbcmp_l 63 API calls 14987 411dd8 14986->14987 14989 40e744 __mbsnbcmp_l 6 API calls 14987->14989 14988->14986 14988->14990 14989->14990 14990->14936 14990->14946 14991->14990 14992 40bfc1 __mbsnbcmp_l 63 API calls 14991->14992 14992->14987 14996 413cff 14993->14996 14997 413cf8 14993->14997 14994 40bfc1 __mbsnbcmp_l 63 API calls 14995 413d04 14994->14995 14998 40e744 __mbsnbcmp_l 6 API calls 14995->14998 14996->14994 14997->14996 15000 413d33 14997->15000 14999 40ebc8 14998->14999 14999->14942 14999->14943 15000->14999 15001 40bfc1 __mbsnbcmp_l 63 API calls 15000->15001 15001->14995 15003 4104e0 _raise 6 API calls 15002->15003 15004 413b8e 15003->15004 15005 413ba1 LoadLibraryA 15004->15005 15007 413c29 15004->15007 15006 413bb6 GetProcAddress 15005->15006 15016 413ccb 15005->15016 15008 413bcc 15006->15008 15006->15016 15011 4104e9 __decode_pointer 6 API calls 15007->15011 15024 413c53 15007->15024 15012 41046e __encode_pointer 6 API calls 15008->15012 15009 4104e9 __decode_pointer 6 API calls 15009->15016 15010 4104e9 __decode_pointer 6 API calls 15021 413c96 15010->15021 15013 413c46 15011->15013 15014 413bd2 GetProcAddress 15012->15014 15017 4104e9 __decode_pointer 6 API calls 15013->15017 15015 41046e __encode_pointer 6 API calls 15014->15015 15018 413be7 GetProcAddress 15015->15018 15016->14918 15017->15024 15019 41046e __encode_pointer 6 API calls 15018->15019 15020 413bfc GetProcAddress 15019->15020 15022 41046e __encode_pointer 6 API calls 15020->15022 15023 4104e9 __decode_pointer 6 API calls 15021->15023 15026 413c7e 15021->15026 15025 413c11 15022->15025 15023->15026 15024->15010 15024->15026 15025->15007 15027 413c1b GetProcAddress 15025->15027 15026->15009 15028 41046e __encode_pointer 6 API calls 15027->15028 15028->15007 15030 40ba3c __VEC_memzero 15029->15030 15030->14979 15032 40ce11 15031->15032 15033 40ce13 IsDebuggerPresent 15031->15033 15032->14983 15039 4138fc 15033->15039 15036 413706 SetUnhandledExceptionFilter UnhandledExceptionFilter 15037 41372b GetCurrentProcess TerminateProcess 15036->15037 15038 413723 __invoke_watson 15036->15038 15037->14983 15038->15037 15039->15036 15041 40e7d7 GetProcAddress 15040->15041 15042 40e7ec ExitProcess 15040->15042 15041->15042 15043 40e7e7 CorExitProcess 15041->15043 15043->15042 15045 40b900 15044->15045 15051 40b85f 15044->15051 15046 40d2e3 __calloc_impl 6 API calls 15045->15046 15048 40b906 15046->15048 15047 40b870 15050 40ec4d __FF_MSGBANNER 62 API calls 15047->15050 15047->15051 15053 40eaa2 __NMSG_WRITE 62 API calls 15047->15053 15055 40e7ee _fast_error_exit 4 API calls 15047->15055 15049 40bfc1 __mbsnbcmp_l 62 API calls 15048->15049 15056 40b8f8 15049->15056 15050->15047 15051->15047 15054 40b8bc RtlAllocateHeap 15051->15054 15051->15056 15057 40b8ec 15051->15057 15058 40d2e3 __calloc_impl 6 API calls 15051->15058 15060 40b8f1 15051->15060 15062 40b7fe 15051->15062 15053->15047 15054->15051 15055->15047 15056->14955 15059 40bfc1 __mbsnbcmp_l 62 API calls 15057->15059 15058->15051 15059->15060 15061 40bfc1 __mbsnbcmp_l 62 API calls 15060->15061 15061->15056 15063 40b80a __ioinit 15062->15063 15064 40d6e0 __lock 63 API calls 15063->15064 15065 40b83b __ioinit 15063->15065 15066 40b820 15064->15066 15065->15051 15067 40def2 ___sbh_alloc_block 5 API calls 15066->15067 15068 40b82b 15067->15068 15070 40b844 15068->15070 15073 40d606 LeaveCriticalSection 15070->15073 15072 40b84b 15072->15065 15073->15072 15074->14961 15076 40daa0 HeapAlloc 15075->15076 15077 40da6c HeapReAlloc 15075->15077 15078 40dac3 VirtualAlloc 15076->15078 15081 40da8a 15076->15081 15079 40da8e 15077->15079 15077->15081 15080 40dadd HeapFree 15078->15080 15078->15081 15079->15076 15080->15081 15081->14845 15083 40db20 VirtualAlloc 15082->15083 15085 40db67 15083->15085 15085->14849 15086->14852 15087->14785 15106 40d606 LeaveCriticalSection 15088->15106 15090 41066c 15090->14795 15092 4145f0 InterlockedIncrement 15091->15092 15093 4145f3 15091->15093 15092->15093 15094 414600 15093->15094 15095 4145fd InterlockedIncrement 15093->15095 15096 41460a InterlockedIncrement 15094->15096 15097 41460d 15094->15097 15095->15094 15096->15097 15098 414617 InterlockedIncrement 15097->15098 15100 41461a 15097->15100 15098->15100 15099 414633 InterlockedIncrement 15099->15100 15100->15099 15101 414643 InterlockedIncrement 15100->15101 15102 41464e InterlockedIncrement 15100->15102 15101->15100 15102->14798 15107 40d606 LeaveCriticalSection 15103->15107 15105 4106ba 15105->14800 15106->15090 15107->15105 15108->14597 15111 41265c 15109->15111 15113 4126c9 15111->15113 15119 416836 15111->15119 15112 4127c7 15112->14641 15112->14643 15113->15112 15114 416836 73 API calls _parse_cmdline 15113->15114 15114->15113 15116 414474 15115->15116 15117 41447b 15115->15117 15341 4142d1 15116->15341 15117->14636 15122 4167e3 15119->15122 15125 40ec86 15122->15125 15126 40ec99 15125->15126 15132 40ece6 15125->15132 15133 410735 15126->15133 15129 40ecc6 15129->15132 15153 413fcc 15129->15153 15132->15111 15134 4106bc __getptd_noexit 63 API calls 15133->15134 15135 41073d 15134->15135 15136 40e79a __amsg_exit 63 API calls 15135->15136 15137 40ec9e 15135->15137 15136->15137 15137->15129 15138 414738 15137->15138 15139 414744 __ioinit 15138->15139 15140 410735 __getptd 63 API calls 15139->15140 15141 414749 15140->15141 15142 414777 15141->15142 15144 41475b 15141->15144 15143 40d6e0 __lock 63 API calls 15142->15143 15145 41477e 15143->15145 15146 410735 __getptd 63 API calls 15144->15146 15169 4146fa 15145->15169 15148 414760 15146->15148 15150 41476e __ioinit 15148->15150 15152 40e79a __amsg_exit 63 API calls 15148->15152 15150->15129 15152->15150 15154 413fd8 __ioinit 15153->15154 15155 410735 __getptd 63 API calls 15154->15155 15156 413fdd 15155->15156 15157 40d6e0 __lock 63 API calls 15156->15157 15166 413fef 15156->15166 15158 41400d 15157->15158 15159 414056 15158->15159 15160 414024 InterlockedDecrement 15158->15160 15161 41403e InterlockedIncrement 15158->15161 15337 414067 15159->15337 15160->15161 15165 41402f 15160->15165 15161->15159 15163 40e79a __amsg_exit 63 API calls 15164 413ffd __ioinit 15163->15164 15164->15132 15165->15161 15167 40b6b5 __setenvp 63 API calls 15165->15167 15166->15163 15166->15164 15168 41403d 15167->15168 15168->15161 15170 4146fe 15169->15170 15176 414730 15169->15176 15171 4145d2 ___addlocaleref 8 API calls 15170->15171 15170->15176 15172 414711 15171->15172 15172->15176 15180 414661 15172->15180 15177 4147a2 15176->15177 15336 40d606 LeaveCriticalSection 15177->15336 15179 4147a9 15179->15148 15181 414672 InterlockedDecrement 15180->15181 15182 4146f5 15180->15182 15183 414687 InterlockedDecrement 15181->15183 15184 41468a 15181->15184 15182->15176 15194 414489 15182->15194 15183->15184 15185 414694 InterlockedDecrement 15184->15185 15186 414697 15184->15186 15185->15186 15187 4146a1 InterlockedDecrement 15186->15187 15188 4146a4 15186->15188 15187->15188 15189 4146ae InterlockedDecrement 15188->15189 15191 4146b1 15188->15191 15189->15191 15190 4146ca InterlockedDecrement 15190->15191 15191->15190 15192 4146da InterlockedDecrement 15191->15192 15193 4146e5 InterlockedDecrement 15191->15193 15192->15191 15193->15182 15195 41450d 15194->15195 15199 4144a0 15194->15199 15196 41455a 15195->15196 15197 40b6b5 __setenvp 63 API calls 15195->15197 15205 414581 15196->15205 15248 417667 15196->15248 15201 41452e 15197->15201 15198 4144d4 15203 4144f5 15198->15203 15211 40b6b5 __setenvp 63 API calls 15198->15211 15199->15195 15199->15198 15209 40b6b5 __setenvp 63 API calls 15199->15209 15204 40b6b5 __setenvp 63 API calls 15201->15204 15207 40b6b5 __setenvp 63 API calls 15203->15207 15206 414541 15204->15206 15208 4145c6 15205->15208 15212 40b6b5 63 API calls __setenvp 15205->15212 15213 40b6b5 __setenvp 63 API calls 15206->15213 15214 414502 15207->15214 15215 40b6b5 __setenvp 63 API calls 15208->15215 15216 4144c9 15209->15216 15210 40b6b5 __setenvp 63 API calls 15210->15205 15217 4144ea 15211->15217 15212->15205 15218 41454f 15213->15218 15219 40b6b5 __setenvp 63 API calls 15214->15219 15220 4145cc 15215->15220 15224 417841 15216->15224 15240 4177fc 15217->15240 15223 40b6b5 __setenvp 63 API calls 15218->15223 15219->15195 15220->15176 15223->15196 15225 4178cb 15224->15225 15226 41784e 15224->15226 15225->15198 15227 41785f 15226->15227 15228 40b6b5 __setenvp 63 API calls 15226->15228 15229 417871 15227->15229 15230 40b6b5 __setenvp 63 API calls 15227->15230 15228->15227 15231 417883 15229->15231 15232 40b6b5 __setenvp 63 API calls 15229->15232 15230->15229 15233 417895 15231->15233 15235 40b6b5 __setenvp 63 API calls 15231->15235 15232->15231 15234 4178a7 15233->15234 15236 40b6b5 __setenvp 63 API calls 15233->15236 15237 4178b9 15234->15237 15238 40b6b5 __setenvp 63 API calls 15234->15238 15235->15233 15236->15234 15237->15225 15239 40b6b5 __setenvp 63 API calls 15237->15239 15238->15237 15239->15225 15241 417809 15240->15241 15247 41783d 15240->15247 15242 40b6b5 __setenvp 63 API calls 15241->15242 15245 417819 15241->15245 15242->15245 15243 40b6b5 __setenvp 63 API calls 15244 41782b 15243->15244 15246 40b6b5 __setenvp 63 API calls 15244->15246 15244->15247 15245->15243 15245->15244 15246->15247 15247->15203 15249 41457a 15248->15249 15250 417678 15248->15250 15249->15210 15251 40b6b5 __setenvp 63 API calls 15250->15251 15252 417680 15251->15252 15253 40b6b5 __setenvp 63 API calls 15252->15253 15254 417688 15253->15254 15255 40b6b5 __setenvp 63 API calls 15254->15255 15256 417690 15255->15256 15257 40b6b5 __setenvp 63 API calls 15256->15257 15258 417698 15257->15258 15259 40b6b5 __setenvp 63 API calls 15258->15259 15260 4176a0 15259->15260 15261 40b6b5 __setenvp 63 API calls 15260->15261 15262 4176a8 15261->15262 15263 40b6b5 __setenvp 63 API calls 15262->15263 15264 4176af 15263->15264 15265 40b6b5 __setenvp 63 API calls 15264->15265 15266 4176b7 15265->15266 15267 40b6b5 __setenvp 63 API calls 15266->15267 15268 4176bf 15267->15268 15269 40b6b5 __setenvp 63 API calls 15268->15269 15270 4176c7 15269->15270 15271 40b6b5 __setenvp 63 API calls 15270->15271 15272 4176cf 15271->15272 15273 40b6b5 __setenvp 63 API calls 15272->15273 15274 4176d7 15273->15274 15275 40b6b5 __setenvp 63 API calls 15274->15275 15276 4176df 15275->15276 15277 40b6b5 __setenvp 63 API calls 15276->15277 15278 4176e7 15277->15278 15279 40b6b5 __setenvp 63 API calls 15278->15279 15280 4176ef 15279->15280 15281 40b6b5 __setenvp 63 API calls 15280->15281 15282 4176f7 15281->15282 15283 40b6b5 __setenvp 63 API calls 15282->15283 15284 417702 15283->15284 15285 40b6b5 __setenvp 63 API calls 15284->15285 15286 41770a 15285->15286 15287 40b6b5 __setenvp 63 API calls 15286->15287 15288 417712 15287->15288 15289 40b6b5 __setenvp 63 API calls 15288->15289 15290 41771a 15289->15290 15291 40b6b5 __setenvp 63 API calls 15290->15291 15292 417722 15291->15292 15293 40b6b5 __setenvp 63 API calls 15292->15293 15294 41772a 15293->15294 15295 40b6b5 __setenvp 63 API calls 15294->15295 15296 417732 15295->15296 15297 40b6b5 __setenvp 63 API calls 15296->15297 15298 41773a 15297->15298 15299 40b6b5 __setenvp 63 API calls 15298->15299 15300 417742 15299->15300 15301 40b6b5 __setenvp 63 API calls 15300->15301 15302 41774a 15301->15302 15303 40b6b5 __setenvp 63 API calls 15302->15303 15304 417752 15303->15304 15305 40b6b5 __setenvp 63 API calls 15304->15305 15306 41775a 15305->15306 15307 40b6b5 __setenvp 63 API calls 15306->15307 15308 417762 15307->15308 15309 40b6b5 __setenvp 63 API calls 15308->15309 15310 41776a 15309->15310 15311 40b6b5 __setenvp 63 API calls 15310->15311 15312 417772 15311->15312 15313 40b6b5 __setenvp 63 API calls 15312->15313 15314 41777a 15313->15314 15315 40b6b5 __setenvp 63 API calls 15314->15315 15316 417788 15315->15316 15317 40b6b5 __setenvp 63 API calls 15316->15317 15318 417793 15317->15318 15319 40b6b5 __setenvp 63 API calls 15318->15319 15320 41779e 15319->15320 15321 40b6b5 __setenvp 63 API calls 15320->15321 15322 4177a9 15321->15322 15323 40b6b5 __setenvp 63 API calls 15322->15323 15324 4177b4 15323->15324 15325 40b6b5 __setenvp 63 API calls 15324->15325 15326 4177bf 15325->15326 15327 40b6b5 __setenvp 63 API calls 15326->15327 15328 4177ca 15327->15328 15329 40b6b5 __setenvp 63 API calls 15328->15329 15330 4177d5 15329->15330 15331 40b6b5 __setenvp 63 API calls 15330->15331 15332 4177e0 15331->15332 15333 40b6b5 __setenvp 63 API calls 15332->15333 15334 4177eb 15333->15334 15335 40b6b5 __setenvp 63 API calls 15334->15335 15335->15249 15336->15179 15340 40d606 LeaveCriticalSection 15337->15340 15339 41406e 15339->15166 15340->15339 15342 4142dd __ioinit 15341->15342 15343 410735 __getptd 63 API calls 15342->15343 15344 4142e6 15343->15344 15345 413fcc _LocaleUpdate::_LocaleUpdate 65 API calls 15344->15345 15346 4142f0 15345->15346 15372 414070 15346->15372 15349 411c75 __malloc_crt 63 API calls 15351 414311 15349->15351 15350 414430 __ioinit 15350->15117 15351->15350 15379 4140ec 15351->15379 15354 414341 InterlockedDecrement 15356 414351 15354->15356 15357 414362 InterlockedIncrement 15354->15357 15355 41443d 15355->15350 15359 414450 15355->15359 15361 40b6b5 __setenvp 63 API calls 15355->15361 15356->15357 15360 40b6b5 __setenvp 63 API calls 15356->15360 15357->15350 15358 414378 15357->15358 15358->15350 15364 40d6e0 __lock 63 API calls 15358->15364 15362 40bfc1 __mbsnbcmp_l 63 API calls 15359->15362 15363 414361 15360->15363 15361->15359 15362->15350 15363->15357 15366 41438c InterlockedDecrement 15364->15366 15367 414408 15366->15367 15368 41441b InterlockedIncrement 15366->15368 15367->15368 15370 40b6b5 __setenvp 63 API calls 15367->15370 15389 414432 15368->15389 15371 41441a 15370->15371 15371->15368 15373 40ec86 _LocaleUpdate::_LocaleUpdate 73 API calls 15372->15373 15374 414084 15373->15374 15375 4140ad 15374->15375 15376 41408f GetOEMCP 15374->15376 15377 4140b2 GetACP 15375->15377 15378 41409f 15375->15378 15376->15378 15377->15378 15378->15349 15378->15350 15380 414070 getSystemCP 75 API calls 15379->15380 15381 41410c 15380->15381 15382 414117 setSBCS 15381->15382 15384 41415b IsValidCodePage 15381->15384 15388 414180 _memset __setmbcp_nolock 15381->15388 15383 40ce09 __invoke_watson 5 API calls 15382->15383 15385 4142cf 15383->15385 15384->15382 15386 41416d GetCPInfo 15384->15386 15385->15354 15385->15355 15386->15382 15386->15388 15392 413e39 GetCPInfo 15388->15392 15525 40d606 LeaveCriticalSection 15389->15525 15391 414439 15391->15350 15394 413e6d _memset 15392->15394 15401 413f1f 15392->15401 15402 417625 15394->15402 15397 40ce09 __invoke_watson 5 API calls 15399 413fca 15397->15399 15399->15388 15400 417426 ___crtLCMapStringA 98 API calls 15400->15401 15401->15397 15403 40ec86 _LocaleUpdate::_LocaleUpdate 73 API calls 15402->15403 15404 417638 15403->15404 15412 41746b 15404->15412 15407 417426 15408 40ec86 _LocaleUpdate::_LocaleUpdate 73 API calls 15407->15408 15409 417439 15408->15409 15478 417081 15409->15478 15413 4174b7 15412->15413 15414 41748c GetStringTypeW 15412->15414 15415 41759e 15413->15415 15416 4174a4 15413->15416 15414->15416 15417 4174ac GetLastError 15414->15417 15440 417a20 GetLocaleInfoA 15415->15440 15418 4174f0 MultiByteToWideChar 15416->15418 15435 417598 15416->15435 15417->15413 15425 41751d 15418->15425 15418->15435 15421 417532 _memset ___convertcp 15427 41756b MultiByteToWideChar 15421->15427 15421->15435 15422 40ce09 __invoke_watson 5 API calls 15423 413eda 15422->15423 15423->15407 15424 4175ef GetStringTypeA 15428 41760a 15424->15428 15424->15435 15425->15421 15429 40b84d _malloc 63 API calls 15425->15429 15431 417581 GetStringTypeW 15427->15431 15432 417592 15427->15432 15433 40b6b5 __setenvp 63 API calls 15428->15433 15429->15421 15431->15432 15436 4147ae 15432->15436 15433->15435 15435->15422 15437 4147ba 15436->15437 15439 4147cb 15436->15439 15438 40b6b5 __setenvp 63 API calls 15437->15438 15437->15439 15438->15439 15439->15435 15441 417a53 15440->15441 15443 417a4e 15440->15443 15471 416f54 15441->15471 15444 40ce09 __invoke_watson 5 API calls 15443->15444 15445 4175c2 15444->15445 15445->15424 15445->15435 15446 417a69 15445->15446 15447 417aa9 GetCPInfo 15446->15447 15451 417b33 15446->15451 15448 417ac0 15447->15448 15449 417b1e MultiByteToWideChar 15447->15449 15448->15449 15452 417ac6 GetCPInfo 15448->15452 15449->15451 15455 417ad9 _strlen 15449->15455 15450 40ce09 __invoke_watson 5 API calls 15453 4175e3 15450->15453 15451->15450 15452->15449 15454 417ad3 15452->15454 15453->15424 15453->15435 15454->15449 15454->15455 15456 40b84d _malloc 63 API calls 15455->15456 15458 417b0b _memset ___convertcp 15455->15458 15456->15458 15457 417b68 MultiByteToWideChar 15459 417b80 15457->15459 15460 417b9f 15457->15460 15458->15451 15458->15457 15462 417ba4 15459->15462 15463 417b87 WideCharToMultiByte 15459->15463 15461 4147ae __freea 63 API calls 15460->15461 15461->15451 15464 417bc3 15462->15464 15465 417baf WideCharToMultiByte 15462->15465 15463->15460 15466 411cba __calloc_crt 63 API calls 15464->15466 15465->15460 15465->15464 15467 417bcb 15466->15467 15467->15460 15468 417bd4 WideCharToMultiByte 15467->15468 15468->15460 15469 417be6 15468->15469 15470 40b6b5 __setenvp 63 API calls 15469->15470 15470->15460 15474 41a354 15471->15474 15475 41a36d 15474->15475 15476 41a125 strtoxl 87 API calls 15475->15476 15477 416f65 15476->15477 15477->15443 15479 4170a2 LCMapStringW 15478->15479 15482 4170bd 15478->15482 15480 4170c5 GetLastError 15479->15480 15479->15482 15480->15482 15481 4172bb 15485 417a20 ___ansicp 87 API calls 15481->15485 15482->15481 15483 417117 15482->15483 15484 417130 MultiByteToWideChar 15483->15484 15508 4172b2 15483->15508 15494 41715d 15484->15494 15484->15508 15486 4172e3 15485->15486 15489 4173d7 LCMapStringA 15486->15489 15490 4172fc 15486->15490 15486->15508 15487 40ce09 __invoke_watson 5 API calls 15488 413efa 15487->15488 15488->15400 15491 417333 15489->15491 15492 417a69 ___convertcp 70 API calls 15490->15492 15495 4173fe 15491->15495 15500 40b6b5 __setenvp 63 API calls 15491->15500 15497 41730e 15492->15497 15493 4171ae MultiByteToWideChar 15498 4171c7 LCMapStringW 15493->15498 15499 4172a9 15493->15499 15496 40b84d _malloc 63 API calls 15494->15496 15504 417176 ___convertcp 15494->15504 15506 40b6b5 __setenvp 63 API calls 15495->15506 15495->15508 15496->15504 15501 417318 LCMapStringA 15497->15501 15497->15508 15498->15499 15503 4171e8 15498->15503 15502 4147ae __freea 63 API calls 15499->15502 15500->15495 15501->15491 15510 41733a 15501->15510 15502->15508 15505 4171f1 15503->15505 15509 41721a 15503->15509 15504->15493 15504->15508 15505->15499 15507 417203 LCMapStringW 15505->15507 15506->15508 15507->15499 15508->15487 15515 417235 ___convertcp 15509->15515 15517 40b84d _malloc 63 API calls 15509->15517 15512 40b84d _malloc 63 API calls 15510->15512 15516 41734b _memset ___convertcp 15510->15516 15511 417269 LCMapStringW 15513 417281 WideCharToMultiByte 15511->15513 15514 4172a3 15511->15514 15512->15516 15513->15514 15518 4147ae __freea 63 API calls 15514->15518 15515->15499 15515->15511 15516->15491 15519 417389 LCMapStringA 15516->15519 15517->15515 15518->15499 15521 4173a5 15519->15521 15522 4173a9 15519->15522 15524 4147ae __freea 63 API calls 15521->15524 15523 417a69 ___convertcp 70 API calls 15522->15523 15523->15521 15524->15491 15525->15391 15527 41358c 15526->15527 15528 41046e __encode_pointer 6 API calls 15527->15528 15529 4135a4 15527->15529 15528->15527 15529->14664 15533 40d281 15530->15533 15532 40d2ca 15532->14666 15534 40d28d __ioinit 15533->15534 15541 40e806 15534->15541 15540 40d2ae __ioinit 15540->15532 15542 40d6e0 __lock 63 API calls 15541->15542 15543 40d292 15542->15543 15544 40d196 15543->15544 15545 4104e9 __decode_pointer 6 API calls 15544->15545 15546 40d1aa 15545->15546 15547 4104e9 __decode_pointer 6 API calls 15546->15547 15548 40d1ba 15547->15548 15556 40d23d 15548->15556 15564 40e56a 15548->15564 15550 40d1d8 15554 40d1fc 15550->15554 15560 40d224 15550->15560 15577 411d06 15550->15577 15551 41046e __encode_pointer 6 API calls 15552 40d232 15551->15552 15555 41046e __encode_pointer 6 API calls 15552->15555 15554->15556 15557 411d06 __realloc_crt 73 API calls 15554->15557 15558 40d212 15554->15558 15555->15556 15561 40d2b7 15556->15561 15557->15558 15558->15556 15559 41046e __encode_pointer 6 API calls 15558->15559 15559->15560 15560->15551 15626 40e80f 15561->15626 15565 40e576 __ioinit 15564->15565 15566 40e5a3 15565->15566 15567 40e586 15565->15567 15569 40e5e4 HeapSize 15566->15569 15571 40d6e0 __lock 63 API calls 15566->15571 15568 40bfc1 __mbsnbcmp_l 63 API calls 15567->15568 15570 40e58b 15568->15570 15573 40e59b __ioinit 15569->15573 15572 40e744 __mbsnbcmp_l 6 API calls 15570->15572 15574 40e5b3 ___sbh_find_block 15571->15574 15572->15573 15573->15550 15582 40e604 15574->15582 15581 411d0f 15577->15581 15579 411d4e 15579->15554 15580 411d2f Sleep 15580->15581 15581->15579 15581->15580 15586 40e34f 15581->15586 15585 40d606 LeaveCriticalSection 15582->15585 15584 40e5df 15584->15569 15584->15573 15585->15584 15587 40e35b __ioinit 15586->15587 15588 40e370 15587->15588 15589 40e362 15587->15589 15591 40e383 15588->15591 15592 40e377 15588->15592 15590 40b84d _malloc 63 API calls 15589->15590 15607 40e36a __dosmaperr __ioinit 15590->15607 15599 40e4f5 15591->15599 15621 40e390 _memcpy_s ___sbh_resize_block ___sbh_find_block 15591->15621 15593 40b6b5 __setenvp 63 API calls 15592->15593 15593->15607 15594 40e528 15595 40d2e3 __calloc_impl 6 API calls 15594->15595 15598 40e52e 15595->15598 15596 40d6e0 __lock 63 API calls 15596->15621 15597 40e4fa HeapReAlloc 15597->15599 15597->15607 15600 40bfc1 __mbsnbcmp_l 63 API calls 15598->15600 15599->15594 15599->15597 15601 40e54c 15599->15601 15602 40d2e3 __calloc_impl 6 API calls 15599->15602 15604 40e542 15599->15604 15600->15607 15603 40bfc1 __mbsnbcmp_l 63 API calls 15601->15603 15601->15607 15602->15599 15605 40e555 GetLastError 15603->15605 15608 40bfc1 __mbsnbcmp_l 63 API calls 15604->15608 15605->15607 15607->15581 15610 40e4c3 15608->15610 15609 40e41b HeapAlloc 15609->15621 15610->15607 15612 40e4c8 GetLastError 15610->15612 15611 40e470 HeapReAlloc 15611->15621 15612->15607 15613 40def2 ___sbh_alloc_block 5 API calls 15613->15621 15614 40e4db 15614->15607 15617 40bfc1 __mbsnbcmp_l 63 API calls 15614->15617 15615 40d2e3 __calloc_impl 6 API calls 15615->15621 15616 40d743 __VEC_memcpy VirtualFree VirtualFree HeapFree ___sbh_free_block 15616->15621 15619 40e4e8 15617->15619 15618 40e4be 15620 40bfc1 __mbsnbcmp_l 63 API calls 15618->15620 15619->15605 15619->15607 15620->15610 15621->15594 15621->15596 15621->15607 15621->15609 15621->15611 15621->15613 15621->15614 15621->15615 15621->15616 15621->15618 15622 40e493 15621->15622 15625 40d606 LeaveCriticalSection 15622->15625 15624 40e49a 15624->15621 15625->15624 15629 40d606 LeaveCriticalSection 15626->15629 15628 40d2bc 15628->15540 15629->15628 15633 40b9aa __ioinit _strnlen 15630->15633 15631 40b9b8 15632 40bfc1 __mbsnbcmp_l 63 API calls 15631->15632 15634 40b9bd 15632->15634 15633->15631 15635 40b9ec 15633->15635 15636 40e744 __mbsnbcmp_l 6 API calls 15634->15636 15637 40d6e0 __lock 63 API calls 15635->15637 15641 40b9cd __ioinit 15636->15641 15638 40b9f3 15637->15638 15687 40b917 15638->15687 15641->14670 15644 4017cc _memcpy_s 15643->15644 15644->14674 15647 40af70 15645->15647 15646 40b84d _malloc 63 API calls 15646->15647 15647->15646 15648 40af8a 15647->15648 15649 40d2e3 __calloc_impl 6 API calls 15647->15649 15652 40af8c std::bad_alloc::bad_alloc 15647->15652 15648->14680 15649->15647 15650 40afb2 15901 40af49 15650->15901 15652->15650 15654 40d2bd __cinit 74 API calls 15652->15654 15654->15650 15656 40afca 15658 401903 lstrlenA 15657->15658 15659 4018fc 15657->15659 15913 4017e0 15658->15913 15659->14702 15662 401940 GetLastError 15664 40194b MultiByteToWideChar 15662->15664 15665 40198d 15662->15665 15663 401996 15663->14702 15666 4017e0 73 API calls 15664->15666 15665->15663 15921 401030 GetLastError 15665->15921 15667 401970 MultiByteToWideChar 15666->15667 15667->15665 15670 40af66 75 API calls 15669->15670 15671 40187c 15670->15671 15672 401885 SysAllocString 15671->15672 15673 4018a4 15671->15673 15672->15673 15673->14704 15675 40231a SafeArrayUnaccessData 15674->15675 15675->14711 15677 4019aa InterlockedDecrement 15676->15677 15682 4019df VariantClear 15676->15682 15678 4019b8 15677->15678 15677->15682 15679 4019c2 SysFreeString 15678->15679 15680 4019c9 15678->15680 15678->15682 15679->15680 15930 40aec0 15680->15930 15682->14718 15684 401571 15683->15684 15686 401582 15683->15686 15936 40afe0 15684->15936 15686->14682 15688 40b930 15687->15688 15690 40b92c 15687->15690 15688->15690 15691 40b942 _strlen 15688->15691 15696 40eeab 15688->15696 15693 40ba18 15690->15693 15691->15690 15706 40edfb 15691->15706 15900 40d606 LeaveCriticalSection 15693->15900 15695 40ba1f 15695->15641 15703 40ef2b 15696->15703 15704 40eec6 15696->15704 15697 40eecc WideCharToMultiByte 15697->15703 15697->15704 15698 411cba __calloc_crt 63 API calls 15698->15704 15699 40eeef WideCharToMultiByte 15700 40ef37 15699->15700 15699->15704 15702 40b6b5 __setenvp 63 API calls 15700->15702 15702->15703 15703->15691 15704->15697 15704->15698 15704->15699 15704->15703 15705 40b6b5 __setenvp 63 API calls 15704->15705 15709 414d44 15704->15709 15705->15704 15801 40ed0d 15706->15801 15710 414d76 15709->15710 15711 414d59 15709->15711 15713 414dd4 15710->15713 15755 417e7e 15710->15755 15712 40bfc1 __mbsnbcmp_l 63 API calls 15711->15712 15714 414d5e 15712->15714 15715 40bfc1 __mbsnbcmp_l 63 API calls 15713->15715 15717 40e744 __mbsnbcmp_l 6 API calls 15714->15717 15744 414d6e 15715->15744 15717->15744 15719 414db5 15720 414e12 15719->15720 15722 414de7 15719->15722 15723 414dcb 15719->15723 15720->15744 15766 414c98 15720->15766 15727 411c75 __malloc_crt 63 API calls 15722->15727 15722->15744 15725 40eeab ___wtomb_environ 120 API calls 15723->15725 15728 414dd0 15725->15728 15730 414df7 15727->15730 15728->15713 15728->15720 15729 414e8f 15731 414f7a 15729->15731 15736 414e98 15729->15736 15730->15720 15735 411c75 __malloc_crt 63 API calls 15730->15735 15730->15744 15733 40b6b5 __setenvp 63 API calls 15731->15733 15732 414e41 15734 40b6b5 __setenvp 63 API calls 15732->15734 15733->15744 15738 414e4b 15734->15738 15735->15720 15737 411d54 __recalloc_crt 74 API calls 15736->15737 15736->15744 15740 414e51 _strlen 15737->15740 15738->15740 15770 411d54 15738->15770 15739 414f5e 15742 40b6b5 __setenvp 63 API calls 15739->15742 15739->15744 15740->15739 15743 411cba __calloc_crt 63 API calls 15740->15743 15740->15744 15742->15744 15745 414efb _strlen 15743->15745 15744->15704 15745->15739 15746 40ef42 _strcpy_s 63 API calls 15745->15746 15747 414f14 15746->15747 15748 414f28 SetEnvironmentVariableA 15747->15748 15749 40e61c __invoke_watson 10 API calls 15747->15749 15750 414f49 15748->15750 15751 414f52 15748->15751 15753 414f25 15749->15753 15754 40bfc1 __mbsnbcmp_l 63 API calls 15750->15754 15752 40b6b5 __setenvp 63 API calls 15751->15752 15752->15739 15753->15748 15754->15751 15775 417dc2 15755->15775 15757 414d89 15757->15713 15757->15719 15758 414cea 15757->15758 15759 414d3b 15758->15759 15760 414cfb 15758->15760 15759->15719 15761 411cba __calloc_crt 63 API calls 15760->15761 15762 414d12 15761->15762 15763 414d24 15762->15763 15764 40e79a __amsg_exit 63 API calls 15762->15764 15763->15759 15782 417d6d 15763->15782 15764->15763 15767 414ca6 15766->15767 15768 40edfb __fassign 107 API calls 15767->15768 15769 414ccd 15767->15769 15768->15767 15769->15729 15769->15732 15774 411d5d 15770->15774 15772 411da0 15772->15740 15773 411d81 Sleep 15773->15774 15774->15772 15774->15773 15790 40b783 15774->15790 15776 40ec86 _LocaleUpdate::_LocaleUpdate 73 API calls 15775->15776 15777 417dd6 15776->15777 15778 40bfc1 __mbsnbcmp_l 63 API calls 15777->15778 15780 417df4 __mbschr_l 15777->15780 15779 417de4 15778->15779 15781 40e744 __mbsnbcmp_l 6 API calls 15779->15781 15780->15757 15781->15780 15783 417d7e _strlen 15782->15783 15789 417d7a 15782->15789 15784 40b84d _malloc 63 API calls 15783->15784 15785 417d91 15784->15785 15786 40ef42 _strcpy_s 63 API calls 15785->15786 15785->15789 15787 417da3 15786->15787 15788 40e61c __invoke_watson 10 API calls 15787->15788 15787->15789 15788->15789 15789->15763 15791 40b792 15790->15791 15792 40b7ba 15790->15792 15791->15792 15793 40b79e 15791->15793 15794 40b7cf 15792->15794 15796 40e56a __msize 64 API calls 15792->15796 15795 40bfc1 __mbsnbcmp_l 63 API calls 15793->15795 15797 40e34f _realloc 72 API calls 15794->15797 15798 40b7a3 15795->15798 15796->15794 15800 40b7b3 _memset 15797->15800 15799 40e744 __mbsnbcmp_l 6 API calls 15798->15799 15799->15800 15800->15774 15802 40ec86 _LocaleUpdate::_LocaleUpdate 73 API calls 15801->15802 15803 40ed21 15802->15803 15804 40ed42 15803->15804 15806 40ed75 15803->15806 15818 40ed2a 15803->15818 15805 40bfc1 __mbsnbcmp_l 63 API calls 15804->15805 15809 40ed47 15805->15809 15807 40ed99 15806->15807 15808 40ed7f 15806->15808 15811 40eda1 15807->15811 15812 40edb5 15807->15812 15810 40bfc1 __mbsnbcmp_l 63 API calls 15808->15810 15813 40e744 __mbsnbcmp_l 6 API calls 15809->15813 15814 40ed84 15810->15814 15819 414b9e 15811->15819 15839 414b5c 15812->15839 15813->15818 15817 40e744 __mbsnbcmp_l 6 API calls 15814->15817 15817->15818 15818->15691 15820 40ec86 _LocaleUpdate::_LocaleUpdate 73 API calls 15819->15820 15821 414bb2 15820->15821 15822 414bd3 15821->15822 15824 414c06 15821->15824 15838 414bbb 15821->15838 15823 40bfc1 __mbsnbcmp_l 63 API calls 15822->15823 15825 414bd8 15823->15825 15826 414c10 15824->15826 15827 414c2a 15824->15827 15828 40e744 __mbsnbcmp_l 6 API calls 15825->15828 15829 40bfc1 __mbsnbcmp_l 63 API calls 15826->15829 15830 414c34 15827->15830 15831 414c49 15827->15831 15828->15838 15833 414c15 15829->15833 15844 417c1d 15830->15844 15832 414b5c ___crtCompareStringA 96 API calls 15831->15832 15835 414c63 15832->15835 15836 40e744 __mbsnbcmp_l 6 API calls 15833->15836 15837 40bfc1 __mbsnbcmp_l 63 API calls 15835->15837 15835->15838 15836->15838 15837->15838 15838->15818 15840 40ec86 _LocaleUpdate::_LocaleUpdate 73 API calls 15839->15840 15841 414b6f 15840->15841 15860 4147ec 15841->15860 15845 417c33 15844->15845 15855 417c58 ___ascii_strnicmp 15844->15855 15846 40ec86 _LocaleUpdate::_LocaleUpdate 73 API calls 15845->15846 15847 417c3e 15846->15847 15848 417c43 15847->15848 15850 417c78 15847->15850 15849 40bfc1 __mbsnbcmp_l 63 API calls 15848->15849 15851 417c48 15849->15851 15852 417c82 15850->15852 15859 417caa 15850->15859 15853 40e744 __mbsnbcmp_l 6 API calls 15851->15853 15854 40bfc1 __mbsnbcmp_l 63 API calls 15852->15854 15853->15855 15856 417c87 15854->15856 15855->15838 15857 40e744 __mbsnbcmp_l 6 API calls 15856->15857 15857->15855 15858 4168fc 98 API calls __tolower_l 15858->15859 15859->15855 15859->15858 15861 414818 CompareStringW 15860->15861 15865 41482f strncnt 15860->15865 15862 41483b GetLastError 15861->15862 15861->15865 15862->15865 15863 40ce09 __invoke_watson 5 API calls 15866 414b5a 15863->15866 15864 414a95 15867 417a20 ___ansicp 87 API calls 15864->15867 15865->15864 15868 4148a4 15865->15868 15881 414881 15865->15881 15866->15818 15869 414abb 15867->15869 15870 414962 MultiByteToWideChar 15868->15870 15873 4148e6 GetCPInfo 15868->15873 15868->15881 15871 414b1c CompareStringA 15869->15871 15874 417a69 ___convertcp 70 API calls 15869->15874 15869->15881 15880 414982 15870->15880 15870->15881 15872 414b3a 15871->15872 15871->15881 15875 40b6b5 __setenvp 63 API calls 15872->15875 15876 4148f7 15873->15876 15873->15881 15877 414ae0 15874->15877 15878 414b40 15875->15878 15876->15870 15876->15881 15877->15881 15885 417a69 ___convertcp 70 API calls 15877->15885 15883 40b6b5 __setenvp 63 API calls 15878->15883 15879 4149d9 MultiByteToWideChar 15884 4149f2 MultiByteToWideChar 15879->15884 15899 414a83 15879->15899 15882 40b84d _malloc 63 API calls 15880->15882 15891 41499f ___convertcp 15880->15891 15881->15863 15882->15891 15883->15881 15888 414a09 15884->15888 15884->15899 15886 414b01 15885->15886 15889 414b16 15886->15889 15890 414b0a 15886->15890 15887 4147ae __freea 63 API calls 15887->15881 15894 40b84d _malloc 63 API calls 15888->15894 15898 414a1f ___convertcp 15888->15898 15889->15871 15892 40b6b5 __setenvp 63 API calls 15890->15892 15891->15879 15891->15881 15892->15881 15893 414a53 MultiByteToWideChar 15895 414a66 CompareStringW 15893->15895 15896 414a7d 15893->15896 15894->15898 15895->15896 15897 4147ae __freea 63 API calls 15896->15897 15897->15899 15898->15893 15898->15899 15899->15887 15900->15695 15907 40d0f5 15901->15907 15904 40cd39 15905 40cd62 15904->15905 15906 40cd6e RaiseException 15904->15906 15905->15906 15906->15656 15908 40af59 15907->15908 15909 40d115 _strlen 15907->15909 15908->15904 15909->15908 15910 40b84d _malloc 63 API calls 15909->15910 15911 40d128 15910->15911 15911->15908 15912 40ef42 _strcpy_s 63 API calls 15911->15912 15912->15908 15914 4017e9 15913->15914 15917 40b783 __recalloc 73 API calls 15914->15917 15918 40182d 15914->15918 15920 401844 15914->15920 15915 40b6b5 __setenvp 63 API calls 15915->15920 15917->15918 15918->15915 15918->15920 15919 40186d MultiByteToWideChar 15919->15662 15919->15663 15920->15919 15923 40b743 15920->15923 15922 40103a 15921->15922 15924 40e231 __calloc_impl 63 API calls 15923->15924 15925 40b75d 15924->15925 15926 40bfc1 __mbsnbcmp_l 63 API calls 15925->15926 15929 40b779 15925->15929 15927 40b770 15926->15927 15928 40bfc1 __mbsnbcmp_l 63 API calls 15927->15928 15927->15929 15928->15929 15929->15920 15931 40b6b5 __ioinit 15930->15931 15932 40b73d __ioinit 15931->15932 15933 40b714 HeapFree 15931->15933 15932->15682 15933->15932 15934 40b727 15933->15934 15935 40bfc1 __mbsnbcmp_l 63 API calls 15934->15935 15935->15932 15937 40aff8 15936->15937 15938 40b027 15937->15938 15939 40b01f __VEC_memcpy 15937->15939 15938->15686 15939->15938 15941 40e8ea __ioinit 15940->15941 15942 40d6e0 __lock 63 API calls 15941->15942 15943 40e8f1 15942->15943 15944 40e9ba __initterm 15943->15944 15945 40e91d 15943->15945 15959 40e9f5 15944->15959 15947 4104e9 __decode_pointer 6 API calls 15945->15947 15949 40e928 15947->15949 15951 40e9aa __initterm 15949->15951 15953 4104e9 __decode_pointer 6 API calls 15949->15953 15950 40e9f2 __ioinit 15950->14723 15951->15944 15957 40e93d 15953->15957 15954 40e9e9 15955 40e7ee _fast_error_exit 4 API calls 15954->15955 15955->15950 15956 4104e0 6 API calls _raise 15956->15957 15957->15951 15957->15956 15958 4104e9 6 API calls __decode_pointer 15957->15958 15958->15957 15960 40e9d6 15959->15960 15961 40e9fb 15959->15961 15960->15950 15963 40d606 LeaveCriticalSection 15960->15963 15964 40d606 LeaveCriticalSection 15961->15964 15963->15954 15964->15960

        Executed Functions

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 0 4019f0-401ac7 OleInitialize call 401650 call 40b99e 5 40248a-402496 0->5 6 401acd-401c4f GetCurrentProcessId CreateToolhelp32Snapshot Module32First 0->6 7 401dc3-401ed4 FindCloseChangeNotification GetModuleHandleA call 401650 FindResourceA LoadResource LockResource SizeofResource call 40b84d call 40af66 6->7 8 401c55-401c6c call 401650 6->8 27 401ed6-401eed call 40ba30 7->27 28 401eef 7->28 14 401c73-401c77 8->14 16 401c93-401c95 14->16 17 401c79-401c7b 14->17 21 401c98-401c9a 16->21 19 401c7d-401c83 17->19 20 401c8f-401c91 17->20 19->16 25 401c85-401c8d 19->25 20->21 22 401cb0-401cce call 401650 21->22 23 401c9c-401caf CloseHandle 21->23 32 401cd0-401cd4 22->32 25->14 25->20 31 401ef3-401f1a call 401300 SizeofResource 27->31 28->31 38 401f1c-401f2f 31->38 39 401f5f-401f69 31->39 35 401cf0-401cf2 32->35 36 401cd6-401cd8 32->36 42 401cf5-401cf7 35->42 40 401cda-401ce0 36->40 41 401cec-401cee 36->41 43 401f33-401f5d call 401560 38->43 44 401f73-401f75 39->44 45 401f6b-401f72 39->45 40->35 46 401ce2-401cea 40->46 41->42 42->23 47 401cf9-401d09 Module32Next 42->47 43->39 49 401f92-4021a4 call 40ba30 FreeResource call 40b84d SizeofResource call 40ac60 call 40ba30 call 401650 LoadLibraryA call 401650 GetProcAddress 44->49 50 401f77-401f8d call 401560 44->50 45->44 46->32 46->41 47->7 51 401d0f 47->51 49->5 86 4021aa-4021c0 49->86 50->49 55 401d10-401d2e call 401650 51->55 60 401d30-401d34 55->60 62 401d50-401d52 60->62 63 401d36-401d38 60->63 67 401d55-401d57 62->67 65 401d3a-401d40 63->65 66 401d4c-401d4e 63->66 65->62 70 401d42-401d4a 65->70 66->67 67->23 71 401d5d-401d7b call 401650 67->71 70->60 70->66 77 401d80-401d84 71->77 79 401da0-401da2 77->79 80 401d86-401d88 77->80 81 401da5-401da7 79->81 83 401d8a-401d90 80->83 84 401d9c-401d9e 80->84 81->23 85 401dad-401dbd Module32Next 81->85 83->79 87 401d92-401d9a 83->87 84->81 85->7 85->55 89 4021c6-4021ca 86->89 90 40246a-402470 86->90 87->77 87->84 89->90 91 4021d0-402217 call 4018f0 89->91 92 402472-402475 90->92 93 40247a-402480 90->93 98 40221d-40223d 91->98 99 40244f-40245f 91->99 92->93 93->5 94 402482-402487 93->94 94->5 98->99 103 402243-402251 98->103 99->90 100 402461-402467 call 40b6b5 99->100 100->90 103->99 106 402257-4022b7 call 401870 VariantInit call 401870 VariantInit call 4018d0 103->106 114 4022c3-40232a call 4018d0 SafeArrayCreate SafeArrayAccessData call 40b350 SafeArrayUnaccessData 106->114 115 4022b9-4022be call 40ad90 106->115 122 402336-40234d call 4018d0 114->122 123 40232c-402331 call 40ad90 114->123 115->114 154 40234e call 57d006 122->154 155 40234e call 57d01d 122->155 123->122 127 402350-402352 128 402354-402355 SafeArrayDestroy 127->128 129 40235b-402361 127->129 128->129 130 402363-402368 call 40ad90 129->130 131 40236d-402375 129->131 130->131 133 402377-402379 131->133 134 40237b 131->134 135 40237d-40238f call 4018d0 133->135 134->135 152 402390 call 57d006 135->152 153 402390 call 57d01d 135->153 138 402392-4023a2 SafeArrayCreateVector 139 4023a4-4023a9 call 40ad90 138->139 140 4023ae-4023b4 138->140 139->140 142 4023b6-4023b8 140->142 143 4023ba 140->143 144 4023bc-402417 VariantClear * 2 call 4019a0 142->144 143->144 146 40241c-40242c VariantClear 144->146 147 402436-402445 call 4019a0 146->147 148 40242e-402433 146->148 147->99 151 402447-40244c 147->151 148->147 151->99 152->138 153->138 154->127 155->127
        APIs
        • OleInitialize.OLE32(00000000), ref: 004019FD
        • _getenv.LIBCMT ref: 00401ABA
        • GetCurrentProcessId.KERNEL32 ref: 00401ACD
        • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
        • Module32First.KERNEL32 ref: 00401C48
        • CloseHandle.KERNEL32(00000000,?,?,00000000,?), ref: 00401C9D
        • Module32Next.KERNEL32(00000000,?), ref: 00401D02
        • Module32Next.KERNEL32(00000000,?), ref: 00401DB6
        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401DC4
        • GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
        • FindResourceA.KERNEL32(00000000,00000000,00000000), ref: 00401E90
        • LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
        • LockResource.KERNEL32(00000000), ref: 00401EA7
        • SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
        • _malloc.LIBCMT ref: 00401EBA
        • _memset.LIBCMT ref: 00401EDD
        • SizeofResource.KERNEL32(00000000,?), ref: 00401F02
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID: Resource$Module32$CloseFindHandleNextSizeof$ChangeCreateCurrentFirstInitializeLoadLockModuleNotificationProcessSnapshotToolhelp32_getenv_malloc_memset
        • String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
        • API String ID: 2366190142-2962942730
        • Opcode ID: 224088bd6fdf40f00aacdd5f7db7c03047c3cc993abb63ba2c7175de51848a6e
        • Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
        • Opcode Fuzzy Hash: 224088bd6fdf40f00aacdd5f7db7c03047c3cc993abb63ba2c7175de51848a6e
        • Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 340 2240d90-2240d9d 341 2240d5f-2240d75 340->341 342 2240d9f-2241013 340->342 345 2240d37-2240d5c 341->345 346 2240d77-2240d79 341->346 379 2240d7b call 2241495 346->379 380 2240d7b call 2241c25 346->380 381 2240d7b call 2243827 346->381 382 2240d7b call 2243a1c 346->382 383 2240d7b call 22461fc 346->383 384 2240d7b call 2244c4f 346->384 385 2240d7b call 2242eb8 346->385 349 2240d81-2240d88 379->349 380->349 381->349 382->349 383->349 384->349 385->349
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1675947630.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_2240000_ENDEV.jbxd
        Similarity
        • API ID:
        • String ID: 4'^q$4'^q
        • API String ID: 0-2697143702
        • Opcode ID: 198d983842b58e99e7751c4dc8951b4404df3f0896b581dc950255fc25fa4cb9
        • Instruction ID: 1b42cf3de1ea75f653687ce5c3aea421975ffe8d057d4e355b357413004eff19
        • Opcode Fuzzy Hash: 198d983842b58e99e7751c4dc8951b4404df3f0896b581dc950255fc25fa4cb9
        • Instruction Fuzzy Hash: BB617F78A012458FD70DEF7AE84068A7BE3FBC5304B04C879C0489B279EB79994A9B50
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 464 58a04f0-58a0556 466 58a0558-58a0563 464->466 467 58a05a0-58a05a2 464->467 466->467 469 58a0565-58a0571 466->469 468 58a05a4-58a05bd 467->468 475 58a0609-58a060b 468->475 476 58a05bf-58a05cb 468->476 470 58a0573-58a057d 469->470 471 58a0594-58a059e 469->471 473 58a057f 470->473 474 58a0581-58a0590 470->474 471->468 473->474 474->474 477 58a0592 474->477 478 58a060d-58a0665 475->478 476->475 479 58a05cd-58a05d9 476->479 477->471 488 58a06af-58a06b1 478->488 489 58a0667-58a0672 478->489 480 58a05db-58a05e5 479->480 481 58a05fc-58a0607 479->481 482 58a05e9-58a05f8 480->482 483 58a05e7 480->483 481->478 482->482 485 58a05fa 482->485 483->482 485->481 491 58a06b3-58a06cb 488->491 489->488 490 58a0674-58a0680 489->490 492 58a0682-58a068c 490->492 493 58a06a3-58a06ad 490->493 498 58a06cd-58a06d8 491->498 499 58a0715-58a0717 491->499 494 58a068e 492->494 495 58a0690-58a069f 492->495 493->491 494->495 495->495 497 58a06a1 495->497 497->493 498->499 501 58a06da-58a06e6 498->501 500 58a0719-58a076a 499->500 509 58a0770-58a077e 500->509 502 58a06e8-58a06f2 501->502 503 58a0709-58a0713 501->503 505 58a06f6-58a0705 502->505 506 58a06f4 502->506 503->500 505->505 507 58a0707 505->507 506->505 507->503 510 58a0780-58a0786 509->510 511 58a0787-58a07e7 509->511 510->511 518 58a07e9-58a07ed 511->518 519 58a07f7-58a07fb 511->519 518->519 520 58a07ef 518->520 521 58a080b-58a080f 519->521 522 58a07fd-58a0801 519->522 520->519 524 58a081f-58a0823 521->524 525 58a0811-58a0815 521->525 522->521 523 58a0803 522->523 523->521 527 58a0833-58a0837 524->527 528 58a0825-58a0829 524->528 525->524 526 58a0817 525->526 526->524 530 58a0839-58a083d 527->530 531 58a0847-58a084b 527->531 528->527 529 58a082b 528->529 529->527 530->531 532 58a083f 530->532 533 58a085b-58a085f 531->533 534 58a084d-58a0851 531->534 532->531 536 58a086f 533->536 537 58a0861-58a0865 533->537 534->533 535 58a0853 534->535 535->533 539 58a0870 536->539 537->536 538 58a0867 537->538 538->536 539->539
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1679363987.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_58a0000_ENDEV.jbxd
        Similarity
        • API ID:
        • String ID: \Vl
        • API String ID: 0-682378881
        • Opcode ID: 05359ca393f2f5e8ec61f01eac1415cc0c4b65a5dae4bf15ad12417f4059776a
        • Instruction ID: 3d505160c7cd449ae9e59ac6b83bbcfc92717ce21a73a745cd2236000db5ba7b
        • Opcode Fuzzy Hash: 05359ca393f2f5e8ec61f01eac1415cc0c4b65a5dae4bf15ad12417f4059776a
        • Instruction Fuzzy Hash: 7AB14B71E04209DFEB14CFA9C8897AEBBF2BF88304F148129D855E7294EB749845CF91
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.1679363987.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_58a0000_ENDEV.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: f82db01adc98480ae00e30882f5dae892f5ee49a0ded75ebfb24a92935fa9857
        • Instruction ID: 9fc5ad3a6dff4165b9b43504add1e3989d70ef51dcbba004a72d1c66c3b9b6d0
        • Opcode Fuzzy Hash: f82db01adc98480ae00e30882f5dae892f5ee49a0ded75ebfb24a92935fa9857
        • Instruction Fuzzy Hash: D7B15E71E04209CFEB10CFA9D8897ADBBF2BF88314F148529E855E7294EB749C55CB81
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 156 40cbf7-40cc06 157 40cc08-40cc14 156->157 158 40cc2f 156->158 157->158 159 40cc16-40cc1d 157->159 160 40cc33-40cc3d call 40d534 158->160 159->158 161 40cc1f-40cc2d 159->161 164 40cc47-40cc4e call 41087e 160->164 165 40cc3f-40cc46 call 40cbb4 160->165 161->160 170 40cc50-40cc57 call 40cbb4 164->170 171 40cc58-40cc68 call 4129c9 call 411a15 164->171 165->164 170->171 178 40cc72-40cc8e GetCommandLineA call 412892 call 4127d7 171->178 179 40cc6a-40cc71 call 40e79a 171->179 186 40cc90-40cc97 call 40e79a 178->186 187 40cc98-40cc9f call 41255f 178->187 179->178 186->187 192 40cca1-40cca8 call 40e79a 187->192 193 40cca9-40ccb3 call 40e859 187->193 192->193 198 40ccb5-40ccbb call 40e79a 193->198 199 40ccbc-40cce2 call 4019f0 193->199 198->199 204 40cce4-40cce5 call 40ea0a 199->204 205 40ccea-40cd2e call 40ea36 call 40e21d 199->205 204->205
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID: __amsg_exit$_fast_error_exit$CommandEnvironmentInitializeLineStrings___crt__cinit__ioinit__mtinit__setargv__setenvp
        • String ID:
        • API String ID: 2598563909-0
        • Opcode ID: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
        • Instruction ID: 67c2b95978a5c3de314e94e7eee78366e8702871eb07600154e5c77a41a3d030
        • Opcode Fuzzy Hash: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
        • Instruction Fuzzy Hash: 5321E770A05304DAFB207BB3E98676932B46F00309F00453FE508B62D2EB7C89918A5C
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 212 4018f0-4018fa 213 401903-40193e lstrlenA call 4017e0 MultiByteToWideChar 212->213 214 4018fc-401900 212->214 217 401940-401949 GetLastError 213->217 218 401996-40199a 213->218 219 40194b-40198c MultiByteToWideChar call 4017e0 MultiByteToWideChar 217->219 220 40198d-40198f 217->220 219->220 220->218 222 401991 call 401030 220->222 222->218
        APIs
        • lstrlenA.KERNEL32(?), ref: 00401906
        • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
        • GetLastError.KERNEL32 ref: 00401940
        • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
        • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980
        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID: ByteCharMultiWide$ErrorLastlstrlen
        • String ID:
        • API String ID: 3322701435-0
        • Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
        • Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
        • Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
        • Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 225 40af66-40af6e 226 40af7d-40af88 call 40b84d 225->226 229 40af70-40af7b call 40d2e3 226->229 230 40af8a-40af8b 226->230 229->226 233 40af8c-40af98 229->233 234 40afb3-40afca call 40af49 call 40cd39 233->234 235 40af9a-40afb2 call 40aefc call 40d2bd 233->235 235->234
        APIs
        • _malloc.LIBCMT ref: 0040AF80
          • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
          • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
          • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
        • std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3
          • Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08
        • std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
        • __CxxThrowException@8.LIBCMT ref: 0040AFC5
        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
        • String ID:
        • API String ID: 1411284514-0
        • Opcode ID: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
        • Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
        • Opcode Fuzzy Hash: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
        • Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 244 40e7ee-40e7f6 call 40e7c3 246 40e7fb-40e7ff ExitProcess 244->246
        APIs
        • ___crtCorExitProcess.LIBCMT ref: 0040E7F6
          • Part of subcall function 0040E7C3: GetModuleHandleW.KERNEL32(mscoree.dll,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7CD
          • Part of subcall function 0040E7C3: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040E7DD
          • Part of subcall function 0040E7C3: CorExitProcess.MSCOREE(00000001,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7EA
        • ExitProcess.KERNEL32 ref: 0040E7FF
        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID: ExitProcess$AddressHandleModuleProc___crt
        • String ID:
        • API String ID: 2427264223-0
        • Opcode ID: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
        • Instruction ID: d9ec683f250bcd397ae0bae66fbc2b9097e114182cfe22e5ca4178904d999afd
        • Opcode Fuzzy Hash: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
        • Instruction Fuzzy Hash: ADB09B31000108BFDB112F13DC09C493F59DB40750711C435F41805071DF719D5195D5
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 247 58a0b38-58a0bc4 250 58a0c0e-58a0c10 247->250 251 58a0bc6-58a0bd1 247->251 253 58a0c12-58a0c2a 250->253 251->250 252 58a0bd3-58a0bdf 251->252 254 58a0c02-58a0c0c 252->254 255 58a0be1-58a0beb 252->255 259 58a0c2c-58a0c37 253->259 260 58a0c74-58a0c76 253->260 254->253 257 58a0bef-58a0bfe 255->257 258 58a0bed 255->258 257->257 261 58a0c00 257->261 258->257 259->260 263 58a0c39-58a0c45 259->263 262 58a0c78-58a0cbd 260->262 261->254 271 58a0cc3-58a0cd1 262->271 264 58a0c68-58a0c72 263->264 265 58a0c47-58a0c51 263->265 264->262 266 58a0c53 265->266 267 58a0c55-58a0c64 265->267 266->267 267->267 269 58a0c66 267->269 269->264 272 58a0cda-58a0d37 271->272 273 58a0cd3-58a0cd9 271->273 280 58a0d39-58a0d3d 272->280 281 58a0d47-58a0d4b 272->281 273->272 280->281 282 58a0d3f 280->282 283 58a0d5b-58a0d5f 281->283 284 58a0d4d-58a0d51 281->284 282->281 286 58a0d6f-58a0d73 283->286 287 58a0d61-58a0d65 283->287 284->283 285 58a0d53 284->285 285->283 289 58a0d83 286->289 290 58a0d75-58a0d79 286->290 287->286 288 58a0d67 287->288 288->286 292 58a0d84 289->292 290->289 291 58a0d7b 290->291 291->289 292->292
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1679363987.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_58a0000_ENDEV.jbxd
        Similarity
        • API ID:
        • String ID: \Vl$\Vl
        • API String ID: 0-415357090
        • Opcode ID: 42e8a79e529230d92f6b5afbd05e43fa49feb5f3657db4e9e4358e52af809771
        • Instruction ID: dde90efcfeee62d99e7578ce61395f78aba3f0d577ad400d72453f7f72778aba
        • Opcode Fuzzy Hash: 42e8a79e529230d92f6b5afbd05e43fa49feb5f3657db4e9e4358e52af809771
        • Instruction Fuzzy Hash: 07715F72E00249DFEB14CFA9C8857ADBBF2BF88314F148129D815E7254EB749845CB91
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 293 58a0b2d-58a0bc4 297 58a0c0e-58a0c10 293->297 298 58a0bc6-58a0bd1 293->298 300 58a0c12-58a0c2a 297->300 298->297 299 58a0bd3-58a0bdf 298->299 301 58a0c02-58a0c0c 299->301 302 58a0be1-58a0beb 299->302 306 58a0c2c-58a0c37 300->306 307 58a0c74-58a0c76 300->307 301->300 304 58a0bef-58a0bfe 302->304 305 58a0bed 302->305 304->304 308 58a0c00 304->308 305->304 306->307 310 58a0c39-58a0c45 306->310 309 58a0c78-58a0c8a 307->309 308->301 317 58a0c91-58a0cbd 309->317 311 58a0c68-58a0c72 310->311 312 58a0c47-58a0c51 310->312 311->309 313 58a0c53 312->313 314 58a0c55-58a0c64 312->314 313->314 314->314 316 58a0c66 314->316 316->311 318 58a0cc3-58a0cd1 317->318 319 58a0cda-58a0d37 318->319 320 58a0cd3-58a0cd9 318->320 327 58a0d39-58a0d3d 319->327 328 58a0d47-58a0d4b 319->328 320->319 327->328 329 58a0d3f 327->329 330 58a0d5b-58a0d5f 328->330 331 58a0d4d-58a0d51 328->331 329->328 333 58a0d6f-58a0d73 330->333 334 58a0d61-58a0d65 330->334 331->330 332 58a0d53 331->332 332->330 336 58a0d83 333->336 337 58a0d75-58a0d79 333->337 334->333 335 58a0d67 334->335 335->333 339 58a0d84 336->339 337->336 338 58a0d7b 337->338 338->336 339->339
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1679363987.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_58a0000_ENDEV.jbxd
        Similarity
        • API ID:
        • String ID: \Vl$\Vl
        • API String ID: 0-415357090
        • Opcode ID: 635fba5c076c42a63cec1afa9de5b324e5d8efc4e7ab6fe18836387db5d942f6
        • Instruction ID: ed586271612f27551e9a879e9f649de0c5bc3dd3b35040b8a7705330a9629a47
        • Opcode Fuzzy Hash: 635fba5c076c42a63cec1afa9de5b324e5d8efc4e7ab6fe18836387db5d942f6
        • Instruction Fuzzy Hash: 99715EB2D04249DFEB10CFA8C8897ADBBF2BF48314F148129E819E7254EB749845CF91
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 436 22496d0-2249751 VirtualProtect 439 2249753-2249759 436->439 440 224975a-224977f 436->440 439->440
        APIs
        • VirtualProtect.KERNELBASE(?,?,?,?), ref: 02249744
        Memory Dump Source
        • Source File: 00000000.00000002.1675947630.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_2240000_ENDEV.jbxd
        Similarity
        • API ID: ProtectVirtual
        • String ID:
        • API String ID: 544645111-0
        • Opcode ID: 82edc37f8c2843e95afaea2b8ab35c5cd887a8c8cf5768d0db678e2299220040
        • Instruction ID: fd8c0b4b80969fdd092c2041ac1cbe5edf5169edaa8a4389a4262ac58b548289
        • Opcode Fuzzy Hash: 82edc37f8c2843e95afaea2b8ab35c5cd887a8c8cf5768d0db678e2299220040
        • Instruction Fuzzy Hash: CA1106B1D002499FCB14DFAAC584ADFFBF4EF88324F10842AD459A7250CB75A944CFA5
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 444 22498a0-224990f FindCloseChangeNotification 447 2249911-2249917 444->447 448 2249918-224993d 444->448 447->448
        APIs
        • FindCloseChangeNotification.KERNELBASE ref: 02249902
        Memory Dump Source
        • Source File: 00000000.00000002.1675947630.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_2240000_ENDEV.jbxd
        Similarity
        • API ID: ChangeCloseFindNotification
        • String ID:
        • API String ID: 2591292051-0
        • Opcode ID: 391e9e0acf36e8dc6bc21f33f464e859950ecfbc496d9d185f7a41f38ff9f60d
        • Instruction ID: 7047fbd4fdc8318e5ae3efac29c7c615cf877f6923cd501493cddd296ffaec1e
        • Opcode Fuzzy Hash: 391e9e0acf36e8dc6bc21f33f464e859950ecfbc496d9d185f7a41f38ff9f60d
        • Instruction Fuzzy Hash: 981128B19002498BDB24DFAAC4457DFFBF4AB88324F208419D459A7250CB75A984CFA5
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 452 401870-401883 call 40af66 455 4018b2 452->455 456 401885-4018a2 SysAllocString 452->456 457 4018b4-4018b8 455->457 456->457 458 4018a4-4018a6 456->458 460 4018c4-4018c9 457->460 461 4018ba-4018bf call 40ad90 457->461 458->457 459 4018a8-4018ad call 40ad90 458->459 459->455 461->460
        APIs
          • Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80
        • SysAllocString.OLEAUT32 ref: 00401898
        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID: AllocString_malloc
        • String ID:
        • API String ID: 959018026-0
        • Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
        • Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
        • Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
        • Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 540 58a04e4-58a0556 543 58a0558-58a0563 540->543 544 58a05a0-58a05a2 540->544 543->544 546 58a0565-58a0571 543->546 545 58a05a4-58a05bd 544->545 552 58a0609-58a060b 545->552 553 58a05bf-58a05cb 545->553 547 58a0573-58a057d 546->547 548 58a0594-58a059e 546->548 550 58a057f 547->550 551 58a0581-58a0590 547->551 548->545 550->551 551->551 554 58a0592 551->554 555 58a060d-58a0623 552->555 553->552 556 58a05cd-58a05d9 553->556 554->548 563 58a062d-58a0648 555->563 557 58a05db-58a05e5 556->557 558 58a05fc-58a0607 556->558 559 58a05e9-58a05f8 557->559 560 58a05e7 557->560 558->555 559->559 562 58a05fa 559->562 560->559 562->558 564 58a0652-58a0665 563->564 565 58a06af-58a06b1 564->565 566 58a0667-58a0672 564->566 568 58a06b3-58a06cb 565->568 566->565 567 58a0674-58a0680 566->567 569 58a0682-58a068c 567->569 570 58a06a3-58a06ad 567->570 575 58a06cd-58a06d8 568->575 576 58a0715-58a0717 568->576 571 58a068e 569->571 572 58a0690-58a069f 569->572 570->568 571->572 572->572 574 58a06a1 572->574 574->570 575->576 578 58a06da-58a06e6 575->578 577 58a0719-58a072b 576->577 585 58a0732-58a076a 577->585 579 58a06e8-58a06f2 578->579 580 58a0709-58a0713 578->580 582 58a06f6-58a0705 579->582 583 58a06f4 579->583 580->577 582->582 584 58a0707 582->584 583->582 584->580 586 58a0770-58a077e 585->586 587 58a0780-58a0786 586->587 588 58a0787-58a07e7 586->588 587->588 595 58a07e9-58a07ed 588->595 596 58a07f7-58a07fb 588->596 595->596 597 58a07ef 595->597 598 58a080b-58a080f 596->598 599 58a07fd-58a0801 596->599 597->596 601 58a081f-58a0823 598->601 602 58a0811-58a0815 598->602 599->598 600 58a0803 599->600 600->598 604 58a0833-58a0837 601->604 605 58a0825-58a0829 601->605 602->601 603 58a0817 602->603 603->601 607 58a0839-58a083d 604->607 608 58a0847-58a084b 604->608 605->604 606 58a082b 605->606 606->604 607->608 609 58a083f 607->609 610 58a085b-58a085f 608->610 611 58a084d-58a0851 608->611 609->608 613 58a086f 610->613 614 58a0861-58a0865 610->614 611->610 612 58a0853 611->612 612->610 616 58a0870 613->616 614->613 615 58a0867 614->615 615->613 616->616
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1679363987.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_58a0000_ENDEV.jbxd
        Similarity
        • API ID:
        • String ID: \Vl
        • API String ID: 0-682378881
        • Opcode ID: a7e348e20a374f6b812185effde2fd9322f2999b0649e1128e44f4f2bef400bc
        • Instruction ID: c858320cf6fa46bc3ece419ca18e9fb22201ea6c3dae509b6e121593a731614d
        • Opcode Fuzzy Hash: a7e348e20a374f6b812185effde2fd9322f2999b0649e1128e44f4f2bef400bc
        • Instruction Fuzzy Hash: 9DB14C71E04209DFEB10CFA9C88979EBBF2BF88314F148129E855E7254EB749845CF95
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 617 40d534-40d556 HeapCreate 618 40d558-40d559 617->618 619 40d55a-40d563 617->619
        APIs
        • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549
        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID: CreateHeap
        • String ID:
        • API String ID: 10892065-0
        • Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
        • Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
        • Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
        • Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • _doexit.LIBCMT ref: 0040EA16
          • Part of subcall function 0040E8DE: __lock.LIBCMT ref: 0040E8EC
          • Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E923
          • Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E938
          • Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E962
          • Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E978
          • Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E985
          • Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9B4
          • Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9C4
        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID: __decode_pointer$__initterm$__lock_doexit
        • String ID:
        • API String ID: 1597249276-0
        • Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
        • Instruction ID: a0257ab8b89ab24c4dda27abc63ac43d0f25756bab2839dd78a8b277d7454467
        • Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
        • Instruction Fuzzy Hash: D2B0923298420833EA202643AC03F063B1987C0B64E244031BA0C2E1E1A9A2A9618189
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.1679363987.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_58a0000_ENDEV.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 3711acb8a2080f7ca4c2029911497dda533a54a113f733b76d926ac59a420f74
        • Instruction ID: 9a496b63c775d6afb0808264dc110ce27f69f499e449edac9a3fcd528e7ae5b0
        • Opcode Fuzzy Hash: 3711acb8a2080f7ca4c2029911497dda533a54a113f733b76d926ac59a420f74
        • Instruction Fuzzy Hash: 25A15D71E04209CFEB10CFA9D8897ADBBF2BF48314F148129E855E7294EB749C95CB81
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.1674186731.000000000057D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0057D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_57d000_ENDEV.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 25b808ac86aa3f0c06a9153977da9deef860adf6a672171fcac3d83461e5901c
        • Instruction ID: de19076a641f1e363b1d1f974d367eb01cc5226d9412bf620d57e1ccc184d5fe
        • Opcode Fuzzy Hash: 25b808ac86aa3f0c06a9153977da9deef860adf6a672171fcac3d83461e5901c
        • Instruction Fuzzy Hash: 97014C6140E3C09ED7128B259C98B52BFB4EF53224F1DC0DBD8888F1A3D2699C49C772
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.1674186731.000000000057D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0057D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_57d000_ENDEV.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 4cb7befb9a929b9dfec5d0cecfc63ea9af8be89df1e09d611be99306bd6dd77e
        • Instruction ID: cd9e798a57629e54d371cb91a3bb0038261b076636b568e17c6948db067d4b18
        • Opcode Fuzzy Hash: 4cb7befb9a929b9dfec5d0cecfc63ea9af8be89df1e09d611be99306bd6dd77e
        • Instruction Fuzzy Hash: BB01A7714083409EE7108E26D988767BFB8FF55364F18C529ED4C4A146E2799C45D6B1
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.1679363987.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_58a0000_ENDEV.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: c8ddf66a0c69c3d1d3244b015168f0ded4d2bbe89e5fe63985e12804e0a1417f
        • Instruction ID: b6751884f928f1dabdc9b7cc080f1cb39b90cd2c8f7cf63504015df18efe460f
        • Opcode Fuzzy Hash: c8ddf66a0c69c3d1d3244b015168f0ded4d2bbe89e5fe63985e12804e0a1417f
        • Instruction Fuzzy Hash: 6FE06D71E002188FCB44EFB894017AEB7F5AB49314F9100BAD909EB344EE318E41CBC1
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.1679363987.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_58a0000_ENDEV.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 5e9fb1e228631b24db181fbe20d2935279cd6d2f156212e988eb203ce50f385f
        • Instruction ID: 1b2b3d6f8647a38b25ea1bce49c1de84eb5211c0d845372de7467834fc95eeb0
        • Opcode Fuzzy Hash: 5e9fb1e228631b24db181fbe20d2935279cd6d2f156212e988eb203ce50f385f
        • Instruction Fuzzy Hash: E2F0A731E01310CBD704EB78E402A9E7BE5A749324F9902A9E555DB7D4EF358942CB80
        Uniqueness

        Uniqueness Score: -1.00%

        Non-executed Functions

        APIs
        • IsDebuggerPresent.KERNEL32 ref: 004136F4
        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
        • UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
        • GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
        • TerminateProcess.KERNEL32(00000000), ref: 00413737
        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
        • String ID:
        • API String ID: 2579439406-0
        • Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
        • Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
        • Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
        • Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID:
        • String ID: @$@$PA
        • API String ID: 0-3039612711
        • Opcode ID: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
        • Instruction ID: 284407f43597d2b1529aa5dbb826e4f49811f0ea4eaa41d9cabafce47d44ff82
        • Opcode Fuzzy Hash: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
        • Instruction Fuzzy Hash: 64E159316083418FC724DF28C58066BB7E1AFD9314F14493EE8C5A7391EB79D949CB8A
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1675947630.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_2240000_ENDEV.jbxd
        Similarity
        • API ID:
        • String ID: 4'^q$4'^q
        • API String ID: 0-2697143702
        • Opcode ID: e04da9565e560ee9e9b04f6763df0592ce7ea141867a2b26129bd4d120d202bc
        • Instruction ID: 6e812eed22ca0a8b5419fb700fb38420cd9b256e325c8b60986b7eb701f80a1b
        • Opcode Fuzzy Hash: e04da9565e560ee9e9b04f6763df0592ce7ea141867a2b26129bd4d120d202bc
        • Instruction Fuzzy Hash: 53516478A016458FD70CEF7AE94065A7BE3FBC5304F04D439C0489B279EF74594A9B50
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetProcessHeap.KERNEL32 ref: 0040ADD0
        • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1
        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID: Heap$FreeProcess
        • String ID:
        • API String ID: 3859560861-0
        • Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
        • Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
        • Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
        • Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6
        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID: ExceptionFilterUnhandled
        • String ID:
        • API String ID: 3192549508-0
        • Opcode ID: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
        • Instruction ID: 17be93bd3878235df00445469c4c747c8dbd7a907b9f456768254b9c32cbcc1b
        • Opcode Fuzzy Hash: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
        • Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1679363987.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_58a0000_ENDEV.jbxd
        Similarity
        • API ID:
        • String ID: \Vl
        • API String ID: 0-682378881
        • Opcode ID: 7a65e999b7795e59de16ea27fd2b47334b44639d5cd0cf92e17ecc3549d1243f
        • Instruction ID: 08f4fde9841ec9a0a98ca974c40d7cb623f3815b799c973656a569aa82777f63
        • Opcode Fuzzy Hash: 7a65e999b7795e59de16ea27fd2b47334b44639d5cd0cf92e17ecc3549d1243f
        • Instruction Fuzzy Hash: EE915C71E00209DFEB10CFA9C9997ADBBF2BF88314F148129D859E7254EB749C45CB91
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
        • Instruction ID: d5e3495c9826dce769b252ea72d1bcaf7b5d46a24141b332915225fd3cdae7ad
        • Opcode Fuzzy Hash: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
        • Instruction Fuzzy Hash: 9852A471A047129FC708CF29C99066AB7E1FF88304F044A3EE896E7B81D739E955CB95
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
        • Instruction ID: 17d22deff8d32e931318445bbea846c6b698fa6fcc44f6923348d96d7e24b863
        • Opcode Fuzzy Hash: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
        • Instruction Fuzzy Hash: 0A329E70A087029FD318CF29C98472AB7E1BF84304F148A3EE89567781D779E955CBDA
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
        • Instruction ID: cc67e10771130af0a5279b37c8f7fa75a2653c997645fd1ae8a0b8309c7f2627
        • Opcode Fuzzy Hash: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
        • Instruction Fuzzy Hash: 48E1D6306083514FC708CF28C99456ABBE2EFC5304F198A7EE8D68B386D779D94ACB55
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.1675947630.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_2240000_ENDEV.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: a4df1eec9633b9a4695b93d00bc57584bc15a576b77caa05d51bbfa4c9d3020b
        • Instruction ID: 6681b155d999af6c5e93074ef007873e40f24dff7dc30c9d934816fd0dd982cc
        • Opcode Fuzzy Hash: a4df1eec9633b9a4695b93d00bc57584bc15a576b77caa05d51bbfa4c9d3020b
        • Instruction Fuzzy Hash: 30C13C71E105298BCB15CFE8C9806ADFBB2FF88304F548669D455EB20ADB34A946CF90
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
        • Instruction ID: 74c1b90a01db230de662c72faab58802bb742d928f34651097fec506a9751401
        • Opcode Fuzzy Hash: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
        • Instruction Fuzzy Hash: 15717072A9155347E39CCF5CECD17763713DBC5351F49C23ACA025B6EAC938A922C688
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
        • Instruction ID: e93c334361593eb17f37b37ed9e80cdb2c00b1b1e1af3e0e9a736190e966ddef
        • Opcode Fuzzy Hash: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
        • Instruction Fuzzy Hash: 4A615E3266055747E391DF6DEEC47663762EBC9351F18C630CA008B6A6CB39B92297CC
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
        • Instruction ID: 39afabd8a370e1aacf823bb5b0eb141e0e266d105c364ee31248ba7b153c19f0
        • Opcode Fuzzy Hash: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
        • Instruction Fuzzy Hash: 2851F94400D7E18EC716873A44E0AA7BFD10FAB115F4E9ACDA5E90B2E3C159C288DB77
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
        • Instruction ID: cff114a85fcb8f5deb46d81d22c4208fa3965af46b01a687ebeadebabb5a60ab
        • Opcode Fuzzy Hash: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
        • Instruction Fuzzy Hash: 9A31D8302052028BE738CE19C954BEBB3B5AFC0349F44883ED986A73C4DABDD945D795
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
        • Instruction ID: 40597224e526abc728bb10992f322fa75c91b34d76fbbe6bc80328d1c420bfc2
        • Opcode Fuzzy Hash: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
        • Instruction Fuzzy Hash: F321923170520247EB68C929C9547ABB3A5ABC0389F48853EC986A73C8DAB9E941D785
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
        • GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,022D18C0), ref: 004170C5
        • MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
        • _malloc.LIBCMT ref: 0041718A
        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
        • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
        • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
        • _malloc.LIBCMT ref: 0041724C
        • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
        • __freea.LIBCMT ref: 004172A4
        • __freea.LIBCMT ref: 004172AD
        • ___ansicp.LIBCMT ref: 004172DE
        • ___convertcp.LIBCMT ref: 00417309
        • LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
        • _malloc.LIBCMT ref: 00417362
        • _memset.LIBCMT ref: 00417384
        • LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
        • ___convertcp.LIBCMT ref: 004173BA
        • __freea.LIBCMT ref: 004173CF
        • LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9
        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
        • String ID:
        • API String ID: 3809854901-0
        • Opcode ID: b820e78b463918eed32479816903fc70d8532b7c557c67349a3712e4f0fad1ae
        • Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
        • Opcode Fuzzy Hash: b820e78b463918eed32479816903fc70d8532b7c557c67349a3712e4f0fad1ae
        • Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • _malloc.LIBCMT ref: 004057DE
          • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
          • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
          • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
        • _malloc.LIBCMT ref: 00405842
        • _malloc.LIBCMT ref: 00405906
        • _malloc.LIBCMT ref: 00405930
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID: _malloc$AllocateHeap
        • String ID: 1.2.3
        • API String ID: 680241177-2310465506
        • Opcode ID: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
        • Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
        • Opcode Fuzzy Hash: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
        • Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
        • String ID:
        • API String ID: 3886058894-0
        • Opcode ID: 61b9ef8a6f765c58139a33a573ef994292dae8fcc9e916c915b81b6d9ebba236
        • Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
        • Opcode Fuzzy Hash: 61b9ef8a6f765c58139a33a573ef994292dae8fcc9e916c915b81b6d9ebba236
        • Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • __lock_file.LIBCMT ref: 0040C6C8
        • __fileno.LIBCMT ref: 0040C6D6
        • __fileno.LIBCMT ref: 0040C6E2
        • __fileno.LIBCMT ref: 0040C6EE
        • __fileno.LIBCMT ref: 0040C6FE
          • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
          • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
        • String ID: 'B
        • API String ID: 2805327698-2787509829
        • Opcode ID: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
        • Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
        • Opcode Fuzzy Hash: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
        • Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • __getptd.LIBCMT ref: 00414744
          • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
          • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
        • __getptd.LIBCMT ref: 0041475B
        • __amsg_exit.LIBCMT ref: 00414769
        • __lock.LIBCMT ref: 00414779
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID: __amsg_exit__getptd$__getptd_noexit__lock
        • String ID: @.B
        • API String ID: 3521780317-470711618
        • Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
        • Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
        • Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
        • Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • __getptd.LIBCMT ref: 00413FD8
          • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
          • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
        • __amsg_exit.LIBCMT ref: 00413FF8
        • __lock.LIBCMT ref: 00414008
        • InterlockedDecrement.KERNEL32(?), ref: 00414025
        • InterlockedIncrement.KERNEL32(022D1660), ref: 00414050
        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
        • String ID:
        • API String ID: 4271482742-0
        • Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
        • Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
        • Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
        • Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID: __calloc_crt
        • String ID: P$B$`$B
        • API String ID: 3494438863-235554963
        • Opcode ID: e56331e4616de171219dccd971e0455493e892fc76003f67a58995f67ba85e27
        • Instruction ID: 4bdca0f49684ef71ac3198dcc3f656e5d5ce7fed137673697bf40858e87bd1f9
        • Opcode Fuzzy Hash: e56331e4616de171219dccd971e0455493e892fc76003f67a58995f67ba85e27
        • Instruction Fuzzy Hash: 6011A3327446115BE7348B1DBD50F662391EB84728BA4423BE619EA7E0E77CD8864A4C
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
        • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID: AddressHandleModuleProc
        • String ID: IsProcessorFeaturePresent$KERNEL32
        • API String ID: 1646373207-3105848591
        • Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
        • Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
        • Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
        • Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • ___addlocaleref.LIBCMT ref: 0041470C
          • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(00000001), ref: 004145E4
          • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145F1
          • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145FE
          • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041460B
          • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414618
          • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414634
          • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414644
          • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041465A
        • ___removelocaleref.LIBCMT ref: 00414717
          • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 0041467B
          • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414688
          • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414695
          • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146A2
          • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146AF
          • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146CB
          • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(00000000), ref: 004146DB
          • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146F1
        • ___freetlocinfo.LIBCMT ref: 0041472B
          • Part of subcall function 00414489: ___free_lconv_mon.LIBCMT ref: 004144CF
          • Part of subcall function 00414489: ___free_lconv_num.LIBCMT ref: 004144F0
          • Part of subcall function 00414489: ___free_lc_time.LIBCMT ref: 00414575
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
        • String ID: @.B
        • API String ID: 467427115-470711618
        • Opcode ID: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
        • Instruction ID: 8e9b8205a585dc9325c25650a27042e0212317e7447dcce9b0fe23aa5a8dd77f
        • Opcode Fuzzy Hash: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
        • Instruction Fuzzy Hash: BDE0863250192255CE35261D76806EF93A98FD3725B3A017FF864AF7D8EB2C4CC0809D
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • __fileno.LIBCMT ref: 0040C77C
        • __locking.LIBCMT ref: 0040C791
          • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
          • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID: __decode_pointer__fileno__getptd_noexit__locking
        • String ID:
        • API String ID: 2395185920-0
        • Opcode ID: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
        • Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
        • Opcode Fuzzy Hash: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
        • Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID: _fseek_malloc_memset
        • String ID:
        • API String ID: 208892515-0
        • Opcode ID: 689e5a2a8d0df6628a55ca55f65915ee6a0b33bdec45a2b9390eeacb6c5b01b1
        • Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
        • Opcode Fuzzy Hash: 689e5a2a8d0df6628a55ca55f65915ee6a0b33bdec45a2b9390eeacb6c5b01b1
        • Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
        • __isleadbyte_l.LIBCMT ref: 00415307
        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,?,?,00000000,?,?,?), ref: 00415338
        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,00000001,?,00000000,?,?,?), ref: 004153A6
        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
        • String ID:
        • API String ID: 3058430110-0
        • Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
        • Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
        • Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
        • Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • __cftof_l.LIBCMT ref: 00413501
          • Part of subcall function 00413326: __fltout2.LIBCMT ref: 00413352
        • __cftog_l.LIBCMT ref: 00413527
        • __cftoe_l.LIBCMT ref: 00413559
        Memory Dump Source
        • Source File: 00000000.00000002.1673446249.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1673386363.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673480309.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1673517062.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ENDEV.jbxd
        Similarity
        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
        • String ID:
        • API String ID: 3016257755-0
        • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
        • Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
        • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
        • Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89
        Uniqueness

        Uniqueness Score: -1.00%