
Windows Analysis Report
csvde.exe

Overview

General Information

Sample name:csvde.exe
Analysis ID:1433551
MD5:b6f12d39edbfe3b33952be4329064b35
SHA1:5e1eac3596e5a1902d799b687d6009c1f3da0466
SHA256:164a74c996769c9cfc99715e881dca9ca042a05f1d655afebe7ff74dbedf415d

Detection

Score:2
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Found large amount of non-executed APIs
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Reading the signatures: all five are low-severity heuristics, and none is a malicious indicator on its own. The sample was started with no command-line arguments, and a console utility that only prints its usage text and exits produces exactly this profile (4.8 % API coverage, 3 of 29 functions executed, an idle process that exits early). The "stops while sleeping" signature corresponds to conhost.exe's last function being a thread delay; the only Sleep in the csvde.exe call graph sits in the CRT start-up lock loop. The "obfuscation" hit is a single push ecx; ret sequence at 0x00597709 in an otherwise unpacked binary (.text entropy 6.39, no section flagged as XOR-encoded, VS2008 SP1 compiler and linker identified, csvde.pdb debug string present). csvde.exe is also the name of the CSV Directory Exchange utility shipped with the Active Directory tools on Windows Server; the console subsystem and the WLDAP32/NETAPI32 imports (DsGetDcNameW, DsRoleGetPrimaryDomainInformation) are consistent with that tool. What the report cannot establish is that this is Microsoft's own build: the file carries no embedded Authenticode signature (Digitally signed: false, empty IMAGE_DIRECTORY_ENTRY_SECURITY), which is normal for Windows inbox binaries that are catalog-signed, but it means the SHA256 should be compared against a copy taken from a known-good installation before the clean verdict is relied on.

Classification

clean (score 2 of 100)
Process tree (system: w10x64):
  • csvde.exe (PID: 572, cmdline: "C:\Users\user\Desktop\csvde.exe", MD5: B6F12D39EDBFE3B33952BE4329064B35)
    • conhost.exe (PID: 6152, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


Signature details (Source | Observation; duplicate lines collapsed):

csvde.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
csvde.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
csvde.exe | Binary string: csvde.pdb (a second, truncated match reads csvde.pdb"w)
classification engine | Classification label: clean2.winEXE@2/0@0/0
C:\Users\user\Desktop\csvde.exe | Code function 0_2_00591F36: FormatMessageW, GetLastError, wprintf, _iob, fwprintf, fwprintf, _wfopen, fputwc, fwprintf
C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6152:120:WilError_03 (conhost's own mutant, not the sample's)
csvde.exe | Static PE information: Section .text: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
C:\Users\user\Desktop\csvde.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the Software Restriction Policies lookup performed at process start)
unknown | Process created: C:\Users\user\Desktop\csvde.exe "C:\Users\user\Desktop\csvde.exe"
C:\Users\user\Desktop\csvde.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (the standard console host launch for a CUI subsystem process)
C:\Users\user\Desktop\csvde.exe | Section loaded: apphelp.dll
C:\Users\user\Desktop\csvde.exe | Section loaded: netapi32.dll
C:\Users\user\Desktop\csvde.exe | Section loaded: dsrole.dll
C:\Users\user\Desktop\csvde.exe | Section loaded: logoncli.dll
C:\Users\user\Desktop\csvde.exe | Section loaded: netutils.dll
csvde.exe | Static PE information: data directory types: IMAGE_DIRECTORY_ENTRY_IMPORT, IMAGE_DIRECTORY_ENTRY_RESOURCE, IMAGE_DIRECTORY_ENTRY_BASERELOC, IMAGE_DIRECTORY_ENTRY_DEBUG, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, IMAGE_DIRECTORY_ENTRY_IAT
C:\Users\user\Desktop\csvde.exe | Code function 0_2_00597709: push ecx; ret 0_2_0059771C
C:\Users\user\Desktop\csvde.exe | API coverage: 4.8 %
all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
C:\Windows\System32\conhost.exe | Last function: Thread delayed
C:\Users\user\Desktop\csvde.exe | Code function 0_2_0059758B: SetUnhandledExceptionFilter
C:\Users\user\Desktop\csvde.exe | Code function 0_2_005974A1: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess (the VS2008 CRT security-cookie failure handler)
C:\Users\user\Desktop\csvde.exe | Code function 0_2_00597811: GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter (the VS2008 CRT __security_init_cookie routine)
MITRE ATT&CK techniques mapped by the sandbox (number of matching signatures in parentheses; the unmatched cells of the matrix are omitted):
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: DLL Side-Loading (1), Process Injection (1)
  • Defense Evasion: DLL Side-Loading (1), Process Injection (1), Obfuscated Files or Information (1)
  • Discovery: System Time Discovery (1), System Information Discovery (2)

All of these mappings derive from the low-severity signatures listed above; none is backed by a malicious signature.
Behavior graph (ID 1433551, sample csvde.exe, start date 29/04/2024, architecture WINDOWS, score 2): csvde.exe started and in turn started conhost.exe; no other processes, dropped files or network endpoints appear in the graph.

Antivirus results (Source | Detection | Scanner):
csvde.exe | 0% | ReversingLabs
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1433551
Start date and time:2024-04-29 18:36:26 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 46s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:csvde.exe
Detection:CLEAN
Classification:clean2.winEXE@2/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 3
  • Number of non-executed functions: 26
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Not all processes were analyzed, report is missing behavior information
  • VT rate limit hit for: csvde.exe
No simulations
No context
No created / dropped files found
File type:PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):6.338736008697938
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:csvde.exe
File size:35'840 bytes
MD5:b6f12d39edbfe3b33952be4329064b35
SHA1:5e1eac3596e5a1902d799b687d6009c1f3da0466
SHA256:164a74c996769c9cfc99715e881dca9ca042a05f1d655afebe7ff74dbedf415d
SHA512:023e19f82055c596c766ed8c3751f8030e49eeb4189556633ea7e41a1449bc530d19cb5872c19f9f8e607092a3a9dfbe63bf6275b33e4e41e97b71c870564c52
SSDEEP:768:flxXyi6DRqVhjtor+tP2mR9ZlDw/UYwtXM+VuR6ppSGNWSxKXJT:fvyhSjtN2mR9I8Ywt8+uvGNz0XJT
TLSH:90F24B01A988A039E4B215F1216D772109FAE9203F0797CFB3151EEA6E65FD4A7343DE
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,.~.M.-.M.-.M.-.5(-.M.-.5>-.M.-.5.-.M.-.M.-&M.-.59-.M.-.5)-.M.-.5,-.M.-Rich.M.-........PE..L......L.................v.........
Icon Hash:00928e8e8686b000
Entrypoint:0x100746f
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x1000000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x4CE795E3 [Sat Nov 20 09:33:23 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:1
File Version Major:6
File Version Minor:1
Subsystem Version Major:6
Subsystem Version Minor:1
Import Hash:e5cc9c3d2a4b695d53766ae4af7b8583
Entrypoint instructions (the usual MSVC CRT start-up shape: a call to the security-cookie initialiser followed by a jump into the CRT start routine, import thunks, the __security_check_cookie compare, and the _chkstk stack probe beginning at push ecx):
call 00007F8E2CE9B122h
jmp 00007F8E2CE9AB48h
int3
int3
int3
int3
int3
jmp dword ptr [01001198h]
int3
int3
int3
int3
int3
int3
jmp dword ptr [0100119Ch]
int3
int3
int3
int3
int3
int3
jmp dword ptr [010011A0h]
int3
int3
int3
int3
int3
cmp ecx, dword ptr [01009114h]
jne 00007F8E2CE9AD85h
retn 0000h
jmp 00007F8E2CE9B17Bh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ecx
lea ecx, dword ptr [esp+04h]
sub ecx, eax
sbb eax, eax
not eax
and ecx, eax
mov eax, esp
and eax, FFFFF000h
cmp ecx, eax
jc 00007F8E2CE9AD8Ch
mov eax, ecx
pop ecx
xchg eax, esp
mov eax, dword ptr [eax]
mov dword ptr [esp], eax
ret
sub eax, 00001000h
test dword ptr [eax], eax
jmp 00007F8E2CE9AD6Bh
int3
int3
int3
int3
int3
jmp dword ptr [010011A8h]
int3
int3
int3
int3
int3
int3
jmp dword ptr [010011A4h]
int3
int3
int3
int3
int3
int3
jmp dword ptr [0100117Ch]
int3
int3
int3
int3
int3
int3
jmp dword ptr [01001178h]
int3
int3
int3
int3
int3
int3
jmp dword ptr [01001174h]
int3
int3
int3
int3
int3
int3
jmp dword ptr [0100116Ch]
int3
int3
int3
int3
Programming Language:
  • [ASM] VS2008 SP1 build 30729
  • [ C ] VS2008 SP1 build 30729
  • [IMP] VS2008 SP1 build 30729
  • [C++] VS2008 SP1 build 30729
  • [LNK] VS2008 SP1 build 30729
Data directories (Name | Virtual Address | Virtual Size | Section):
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7cdc | 0x78 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa000 | 0x7b8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | - (no embedded Authenticode signature)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb000 | 0x67c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1220 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1928 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x270 | 0xa8 | (in the headers, below the first section)
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1fc | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics):
.text | 0x1000 | 0x757c | 0x7600 | 60c80aef52378ca3bdfb5cb3398bb72a | False | 0.5711731991525424 | data | 6.390332221051257 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x508 | 0x200 | 5bcd7fca69dde00a885e3403af538037 | False | 0.31640625 | data | 2.4033209161401516 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xa000 | 0x7b8 | 0x800 | feedd3a9e42c51bce6c493dcc6d1dbf2 | False | 0.46484375 | data | 4.306613290347634 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb000 | 0x7a8 | 0x800 | c1d69c25430e5691a764022faaeac0a9 | False | 0.72314453125 | data | 5.943444218824421 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources (Name | RVA | Size | Type | Language | Country | ZLIB Complexity):
MUI | 0xa6f0 | 0xc8 | data | English | United States | 0.545
RT_VERSION | 0xa380 | 0x370 | data | English | United States | 0.47045454545454546
RT_MANIFEST | 0xa0f0 | 0x28c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5337423312883436
Imports (DLL: imported functions):
KERNEL32.dll: ReadConsoleW, SetConsoleMode, GetConsoleMode, GetStdHandle, WriteFile, WideCharToMultiByte, GetConsoleOutputCP, WriteConsoleW, GetFileType, GetLastError, FormatMessageW, SetThreadUILanguage, RegisterApplicationRestart, GetCommandLineW, DeleteFileW, GetTempFileNameW, GetTempPathW, InterlockedExchange, RaiseException, LocalFree, LocalAlloc, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, GetModuleHandleA, SetUnhandledExceptionFilter, InterlockedCompareExchange, Sleep
msvcrt.dll: _except_handler4_common, ?terminate@@YAXXZ, __set_app_type, __p__fmode, __p__commode, __setusermatherr, _amsg_exit, _initterm, exit, _XcptFilter, _exit, _cexit, __wgetmainargs, fgetws, wcsncat_s, _itow, feof, fread, ferror, fwrite, iswupper, towlower, fgetwc, _wcslwr, memset, memcpy, swprintf_s, fputws, fwscanf, _memicmp, isspace, wprintf, putchar, ??3@YAXPAX@Z, ??2@YAPAXI@Z, _vsnwprintf_s, wcscpy_s, wcscat_s, wcsstr, setlocale, fclose, _toupper, _wtoi, _wcsicmp, vfwprintf, fwprintf, _wfopen, fputwc, _iob, _controlfp
WLDAP32.dll: (no named imports; the functions are imported by ordinal only, which is why the execution graph shows calls such as #13 and #170 without names)
NETAPI32.dll: DsRoleGetPrimaryDomainInformation, DsGetDcNameW, DsRoleFreeMemory, NetApiBufferFree
ntdll.dll: RtlEnumerateGenericTable, RtlDeleteElementGenericTable, RtlInitializeGenericTable, RtlLookupElementGenericTable, RtlInsertElementGenericTable, RtlIsGenericTableEmpty
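The static figures above (the DllCharacteristics flags, the per-section entropy, the import hash) can be reproduced from the raw file without the sandbox. The following Python is an added example written for this report, not Joe Sandbox code; it implements the three calculations in pure Python so the numbers can be checked. The import list and byte strings in it are constructed for illustration (a short subset of the table above plus one ordinal import rather than the full import table, so its hash will not match the report's value). The value 0x8140 is the encoding of the three DllCharacteristics flags the report lists, and the EXPECTED_MITIGATIONS baseline is an assumed policy choice, not something the report states. The imphash follows pefile's recipe, with one simplification: pefile also resolves ordinals of ws2_32.dll and oleaut32.dll to names, which is omitted here.

```python
"""Static PE triage helpers (added example; not part of the sandbox report).

Re-implements three calculations the report's static section relies on:
  * decoding IMAGE_OPTIONAL_HEADER.DllCharacteristics into flag names,
  * the import hash (imphash) over an import list in import-table order,
  * 8-bit Shannon entropy of a section's bytes.
The inputs at the bottom are constructed for illustration.
"""
import hashlib
import math
from collections import Counter
from typing import Iterable, List, Tuple, Union

# IMAGE_DLLCHARACTERISTICS_* bit values from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# Assumed review baseline for a user-mode binary; adjust to your own policy.
EXPECTED_MITIGATIONS = ("DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF")

# Common heuristic threshold above which a section is treated as packed/encrypted.
PACKED_ENTROPY_THRESHOLD = 7.0

Import = Tuple[str, Union[str, int]]  # (module, function name or ordinal number)


def decode_dll_characteristics(value: int) -> List[str]:
    """Names of the flags set in a DllCharacteristics value, lowest bit first."""
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


def missing_mitigations(value: int) -> List[str]:
    """Baseline mitigation flags that are not set in the given value."""
    present = set(decode_dll_characteristics(value))
    return [m for m in EXPECTED_MITIGATIONS if m not in present]


def imphash_string(imports: Iterable[Import]) -> str:
    """The normalised string that imphash hashes (pefile's recipe): module name
    lower-cased with a .dll/.ocx/.sys suffix removed, a dot, the function name
    lower-cased (or 'ordN' for an ordinal import), joined with ',' in table order.
    pefile also maps ws2_32/oleaut32 ordinals to names; that table is omitted.
    """
    parts = []
    for module, symbol in imports:
        mod = module.lower()
        base, dot, ext = mod.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            mod = base
        func = f"ord{symbol}" if isinstance(symbol, int) else str(symbol).lower()
        parts.append(f"{mod}.{func}")
    return ",".join(parts)


def imphash(imports: Iterable[Import]) -> str:
    """MD5 of the normalised import string; this hex digest is what tools compare."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def looks_packed(data: bytes) -> bool:
    """True when the section's entropy exceeds the packing heuristic threshold."""
    return shannon_entropy(data) > PACKED_ENTROPY_THRESHOLD


if __name__ == "__main__":
    # 0x8140 = DYNAMIC_BASE | NX_COMPAT | TERMINAL_SERVER_AWARE, the flags the report lists.
    print("flags:", decode_dll_characteristics(0x8140), "missing:", missing_mitigations(0x8140))
    # Constructed subset of the report's import table plus one ordinal import
    # (WLDAP32.dll imports by ordinal); the full table is needed to reproduce
    # the report's imphash, this only shows the recipe.
    sample_imports: List[Import] = [
        ("KERNEL32.dll", "ReadConsoleW"),
        ("msvcrt.dll", "_except_handler4_common"),
        ("WLDAP32.dll", 13),
        ("NETAPI32.dll", "DsGetDcNameW"),
    ]
    print("imphash string:", imphash_string(sample_imports))
    print("imphash:", imphash(sample_imports))
    # Constructed byte strings: constant padding versus every byte value once.
    print("entropy(zeros):", shannon_entropy(bytes(256)))
    print("entropy(0..255):", shannon_entropy(bytes(range(256))), looks_packed(bytes(range(256))))
```

With pefile installed, `pe.OPTIONAL_HEADER.DllCharacteristics`, `pe.get_imphash()` and `section.get_entropy()` give the corresponding values for a real file, and these helpers are the reference to check them against. An imphash and section hashes that match a csvde.exe taken from a known-good installation are far stronger evidence of provenance than the file name, which is the check this report leaves open.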
Language of compilation system: English (United States)
No network behavior found

Target ID:0
Start time:18:37:08
Start date:29/04/2024
Path:C:\Users\user\Desktop\csvde.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\csvde.exe"
Imagebase:0x590000
File size:35'840 bytes
MD5 hash:B6F12D39EDBFE3B33952BE4329064B35
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:1
Start time:18:37:08
Start date:29/04/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:4%
Dynamic/Decrypted Code Coverage:56.8%
Signature Coverage:2.2%
Total number of Nodes:1148
Total number of Limit Nodes:3
Execution graph: the raw node/edge dump (1148 nodes, truncated in the original) is omitted; the API calls it records fall into these groups:
  • CRT start-up: the start-up lock loop (InterlockedCompareExchange, Sleep), _initterm, __set_app_type, __p__fmode, __p__commode, __setusermatherr, _controlfp, GetModuleHandleA, SetUnhandledExceptionFilter, exit/_XcptFilter/_cexit. The Sleep in this loop is the only Sleep node in the graph as captured.
  • Console and error output: GetStdHandle, GetConsoleMode, SetConsoleMode, ReadConsoleW, WriteConsoleW, GetFileType, GetConsoleOutputCP, WideCharToMultiByte, WriteFile, FormatMessageW, GetLastError, wprintf, vfwprintf, fwprintf, fputws, fputwc, _vsnwprintf_s, SetThreadUILanguage.
  • Domain lookup: DsRoleGetPrimaryDomainInformation, DsGetDcNameW, DsRoleFreeMemory, NetApiBufferFree.
  • Temporary and output files: GetTempPathW, GetTempFileNameW, _wfopen, fgetwc, feof, fclose, DeleteFileW.
  • In-memory tables and allocation: RtlInitializeGenericTable, RtlInsertElementGenericTable, RtlEnumerateGenericTable, RtlDeleteElementGenericTable, memset, memcpy, wcscpy_s, wcscat_s, LocalAlloc, LocalFree, plus an allocation wrapper with a RaiseException path.
  • Calls shown only as ordinals (#12, #13, #14, #170 and others) are the unnamed imports, which the import table attributes only to WLDAP32.dll.
3549 596787 wcsstr 3546->3549 3547->3220 3551 5967f5 3548->3551 3550 59679c 3549->3550 3549->3551 3553 5967b9 wcscpy_s wcscpy_s 3550->3553 3554 5967d6 wcscpy_s 3550->3554 3552 591f36 23 API calls 3551->3552 3552->3555 3556 5967e1 wcsstr 3553->3556 3554->3556 3555->3545 3556->3550 3556->3551 3558 591ae0 wprintf 3557->3558 3559 591af3 #26 3557->3559 3558->3559 3559->3193 3559->3219 3561 5966db 3560->3561 3565 596690 3560->3565 3563 5974a1 4 API calls 3561->3563 3562 596691 fread ferror 3562->3561 3562->3565 3564 594e1d 3563->3564 3564->3201 3564->3228 3565->3561 3565->3562 3566 5966b4 feof 3565->3566 3567 5966bc fwrite 3565->3567 3568 5966d3 feof 3565->3568 3566->3565 3567->3565 3568->3561 3568->3562 3820 596495 3569->3820 3571 5934b8 _wfopen 3572 5934ef _wfopen 3571->3572 3573 5934d4 3571->3573 3572->3573 3574 59350a 3572->3574 3575 591f36 23 API calls 3573->3575 3576 593518 fputwc 3574->3576 3577 593544 3574->3577 3603 5934e0 3575->3603 3576->3577 3579 59352d 3576->3579 3578 59354a fputws 3577->3578 3582 591f36 23 API calls 3577->3582 3578->3579 3597 59355e 3578->3597 3580 591f36 23 API calls 3579->3580 3580->3603 3584 5935c4 fputws 3582->3584 3583 5938ab 3587 5938b8 3583->3587 3846 597a5b LocalFree 3583->3846 3584->3578 3584->3579 3585 593609 fwprintf 3590 593637 fputws 3585->3590 3591 593627 3585->3591 3588 5938c9 3587->3588 3589 5938c3 fclose 3587->3589 3594 5938ce fclose 3588->3594 3595 5938d4 3588->3595 3589->3588 3590->3591 3591->3590 3596 591f36 23 API calls 3591->3596 3598 593651 fputws 3591->3598 3599 593662 fwscanf 3591->3599 3592 593572 fwprintf 3592->3591 3592->3597 3594->3595 3595->3227 3596->3591 3597->3585 3597->3592 3600 5935a0 fputws 3597->3600 3601 5935ee fputws 3597->3601 3598->3591 3598->3599 3610 593682 3599->3610 3600->3591 3600->3597 3601->3591 3601->3597 3602 59686e LocalAlloc LocalFree 3602->3610 3603->3583 3845 597a5b LocalFree 3603->3845 3605 591f36 23 API calls 3605->3603 3606 591ad7 wprintf 3606->3610 3607 5964ce wcscat_s LocalAlloc 
LocalFree memcpy 3607->3610 3609 593815 fwprintf 3612 59382b fputws 3609->3612 3613 59387e 3609->3613 3610->3602 3610->3603 3610->3606 3610->3607 3610->3609 3611 5968a8 14 API calls 3610->3611 3610->3613 3614 593851 fwscanf 3610->3614 3615 597a5b LocalFree ctype 3610->3615 3821 5969ef 3610->3821 3837 5932d2 3610->3837 3611->3610 3612->3610 3612->3613 3613->3605 3614->3610 3615->3610 3617 596bad 3616->3617 3618 596bde 3616->3618 3619 596bc1 RtlEnumerateGenericTable 3617->3619 3622 596c02 RtlEnumerateGenericTable 3618->3622 3634 596c1f 3618->3634 3620 596bb1 RtlDeleteElementGenericTable 3619->3620 3621 596bc7 RtlIsGenericTableEmpty 3619->3621 3620->3619 3847 597a5b LocalFree 3621->3847 3625 596c08 RtlIsGenericTableEmpty 3622->3625 3626 596bf2 RtlDeleteElementGenericTable 3622->3626 3623 596c43 RtlEnumerateGenericTable 3627 596c49 RtlIsGenericTableEmpty 3623->3627 3628 596c33 RtlDeleteElementGenericTable 3623->3628 3848 597a5b LocalFree 3625->3848 3626->3622 3849 597a5b LocalFree 3627->3849 3628->3623 3629 596c84 RtlEnumerateGenericTable 3632 596c8a RtlIsGenericTableEmpty 3629->3632 3633 596c74 RtlDeleteElementGenericTable 3629->3633 3850 597a5b LocalFree 3632->3850 3633->3629 3634->3623 3638 596c60 3634->3638 3635 596cc5 RtlEnumerateGenericTable 3636 596ccb RtlIsGenericTableEmpty 3635->3636 3637 596cb5 RtlDeleteElementGenericTable 3635->3637 3851 597a5b LocalFree 3636->3851 3637->3635 3638->3629 3646 596ca1 3638->3646 3639 596d06 RtlEnumerateGenericTable 3644 596d0c RtlIsGenericTableEmpty 3639->3644 3645 596cf6 RtlDeleteElementGenericTable 3639->3645 3641 596d64 3641->3131 3642 596d23 3642->3641 3647 596d47 RtlEnumerateGenericTable 3642->3647 3852 597a5b LocalFree 3644->3852 3645->3639 3646->3635 3648 596ce2 3646->3648 3650 596d4d RtlIsGenericTableEmpty 3647->3650 3651 596d37 RtlDeleteElementGenericTable 3647->3651 3648->3639 3648->3642 3853 597a5b LocalFree 3650->3853 3651->3647 3653->3131 3654->3121 3655->3122 3656->3166 3657->3137 3658->3148 3659->3141 3660->3151 
3661->3382 3662->3389 3663->3395 3664->3401 3665->3407 3666->3413 3667->3419 3668->3425 3669->3455 3670->3462 3672 593cb1 3671->3672 3673 593cd0 3672->3673 3674 593d13 3672->3674 3676 593ce3 _memicmp 3672->3676 3673->3432 3673->3468 3684 597a42 LocalAlloc 3674->3684 3676->3672 3676->3673 3677 593d20 3677->3673 3678 593d35 memcpy 3677->3678 3678->3673 3679->3483 3680->3481 3681->3448 3682->3432 3683->3433 3684->3677 3757 5931fe #127 3685->3757 3688 593c74 3688->3493 3688->3495 3689 593a00 #142 #77 3690 593a3c RtlLookupElementGenericTable 3689->3690 3697 5939fe 3689->3697 3690->3697 3691 593c51 #79 #167 3691->3688 3691->3689 3693 593a64 _wcsicmp 3694 593a7c _wcsicmp 3693->3694 3693->3697 3694->3697 3695 593b41 RtlLookupElementGenericTable 3695->3697 3696 59313d 3 API calls 3696->3697 3697->3689 3697->3690 3697->3691 3697->3693 3697->3695 3697->3696 3697->3697 3698 597abd 2 API calls 3697->3698 3700 593c76 3697->3700 3702 593c2e RtlInsertElementGenericTable 3697->3702 3703 597a77 3 API calls 3697->3703 3765 596dde 3697->3765 3769 5933dd 3697->3769 3698->3697 3700->3688 3701 593c81 #79 3700->3701 3701->3688 3702->3697 3703->3697 3705 592f21 wcsstr 3704->3705 3719 592f44 3704->3719 3706 592f32 3705->3706 3705->3719 3777 5968a8 3706->3777 3707 592f63 wcsstr 3710 592f9f wcsstr 3707->3710 3711 592f74 3707->3711 3709 592fe5 wcsstr 3714 59300a 3709->3714 3715 592ffa wcsstr 3709->3715 3712 592fb0 3710->3712 3724 592fc2 3710->3724 3716 5968a8 14 API calls 3711->3716 3717 5968a8 14 API calls 3712->3717 3713 59308b 3720 5930a9 wcsstr 3713->3720 3727 5930b1 3713->3727 3721 5968a8 14 API calls 3714->3721 3715->3713 3715->3714 3722 592f86 3716->3722 3717->3724 3718 593057 3723 593107 3718->3723 3795 597a5b LocalFree 3718->3795 3719->3707 3719->3718 3719->3724 3720->3713 3720->3727 3733 59301c 3721->3733 3722->3710 3722->3718 3726 593114 3723->3726 3796 597a5b LocalFree 3723->3796 3724->3709 3724->3713 3724->3718 3729 593121 3726->3729 3797 597a5b LocalFree 3726->3797 3727->3718 
3727->3727 3794 597a42 LocalAlloc 3727->3794 3731 593131 3729->3731 3798 597a5b LocalFree 3729->3798 3731->3493 3731->3509 3731->3511 3733->3718 3733->3733 3793 597a42 LocalAlloc 3733->3793 3735 5930df 3735->3718 3736 5930e9 wcscpy_s 3735->3736 3736->3718 3738 593051 3738->3718 3739 593063 wcscpy_s wcscat_s wcscat_s 3738->3739 3739->3713 3741 5931e9 3740->3741 3743 593154 3740->3743 3741->3539 3743->3741 3811 597b37 3743->3811 3817 597a5b LocalFree 3743->3817 3745->3539 3747 593906 3746->3747 3750 59394a 3747->3750 3819 597a42 LocalAlloc 3747->3819 3749 593944 3749->3750 3751 593971 swprintf_s 3749->3751 3750->3539 3751->3750 3751->3751 3752->3527 3753->3493 3754->3494 3755->3501 3756->3508 3758 5932b6 #127 3757->3758 3762 593230 3757->3762 3758->3688 3758->3697 3759 593231 #140 _wcsicmp 3760 593288 #224 3759->3760 3759->3762 3761 59329a #167 3760->3761 3760->3762 3761->3758 3761->3759 3762->3758 3762->3759 3762->3760 3762->3761 3773 596d74 RtlLookupElementGenericTable 3762->3773 3775 596da9 RtlLookupElementGenericTable 3762->3775 3766 596df5 3765->3766 3767 596e3f RtlLookupElementGenericTable 3766->3767 3768 596e01 3766->3768 3767->3768 3768->3697 3770 5933ed 3769->3770 3771 5933f1 3769->3771 3770->3697 3771->3770 3772 593424 _memicmp 3771->3772 3772->3770 3772->3771 3774 596d99 3773->3774 3774->3762 3776 596dce 3775->3776 3776->3762 3778 5968c1 3777->3778 3799 59657f 3778->3799 3780 59657f 8 API calls 3781 59690c 3780->3781 3781->3780 3782 596935 3781->3782 3785 596912 3781->3785 3810 597a42 LocalAlloc 3782->3810 3784 596949 3784->3785 3786 59657f 8 API calls 3784->3786 3785->3719 3787 59696b wcsncat_s wcscat_s 3786->3787 3788 59657f 8 API calls 3787->3788 3792 596995 3788->3792 3789 59699a wcsncat_s wcscat_s 3791 59657f 8 API calls 3789->3791 3790 5969d0 wcscat_s 3790->3785 3791->3792 3792->3789 3792->3790 3793->3738 3794->3735 3795->3723 3796->3726 3797->3729 3798->3731 3800 596598 3799->3800 3805 596650 3799->3805 3801 59659e iswupper 3800->3801 3800->3805 
3806 5965f1 iswupper 3800->3806 3802 5965c1 iswupper 3801->3802 3803 5965b6 towlower 3801->3803 3802->3800 3804 5965cd towlower 3802->3804 3803->3802 3804->3800 3805->3781 3807 596609 towlower 3806->3807 3808 596614 iswupper 3806->3808 3807->3808 3808->3800 3809 596620 towlower 3808->3809 3809->3800 3810->3784 3812 597b59 3811->3812 3816 597b83 3812->3816 3818 597a42 LocalAlloc 3812->3818 3814 597b7d 3815 597b8a #29 3814->3815 3814->3816 3815->3816 3816->3743 3817->3743 3818->3814 3819->3749 3820->3571 3822 59686e 2 API calls 3821->3822 3827 596a36 3822->3827 3823 59655c LocalFree 3825 596b78 3823->3825 3824 596a51 fgetws 3826 596ae9 feof 3824->3826 3824->3827 3829 5974a1 4 API calls 3825->3829 3828 596b05 3826->3828 3833 596afa 3826->3833 3827->3824 3827->3833 3834 596a86 3827->3834 3830 5964a7 2 API calls 3828->3830 3831 596b89 3829->3831 3830->3833 3831->3610 3832 5964ce 4 API calls 3832->3834 3833->3823 3834->3832 3834->3833 3835 596ae3 3834->3835 3836 596aca fgetws 3834->3836 3835->3826 3835->3828 3836->3834 3836->3835 3838 5932e6 3837->3838 3839 59686e 2 API calls 3838->3839 3844 5932f4 3839->3844 3840 59334f 3840->3610 3841 593344 3842 5964a7 2 API calls 3841->3842 3842->3840 3843 5964ce wcscat_s LocalAlloc LocalFree memcpy 3843->3844 3844->3840 3844->3841 3844->3843 3845->3583 3846->3587 3847->3618 3848->3634 3849->3638 3850->3646 3851->3648 3852->3642 3853->3641 3934 595f6d 3854->3934 3857 5951d0 ??3@YAXPAX 3858 5951d7 3857->3858 3858->3261 3859->3261 3860->3251 3862 5954a5 3861->3862 3863 59549f 3861->3863 3865 5954b5 3862->3865 3940 59513b 3862->3940 3939 597a5b LocalFree 3863->3939 3867 5954c3 3865->3867 3868 59513b LocalFree 3865->3868 3869 59503c 3867->3869 3868->3867 3870 59504c 3869->3870 3871 595052 3869->3871 3944 597a5b LocalFree 3870->3944 3871->2951 3874 595f2d 3873->3874 3877 595f26 3873->3877 3875 5969ef 12 API calls 3874->3875 3876 595f39 3875->3876 3876->3877 3945 597a5b LocalFree 3876->3945 3877->3256 3880 5951fa 3879->3880 3946 596828 
3880->3946 3882 59534a 3882->3257 3883 595217 3883->3882 3969 597a5b LocalFree 3883->3969 3885 59520e 3886 591f36 23 API calls 3885->3886 3886->3883 3888 595202 3888->3883 3888->3885 3889 597a5b LocalFree ctype 3888->3889 3890 595fc5 34 API calls 3888->3890 3891 59529e 3888->3891 3951 5963e2 3888->3951 3889->3888 3890->3888 3891->3885 3892 5952a8 3891->3892 3957 59632e 3892->3957 3894 5952b8 3894->3883 3895 595317 3894->3895 3896 5952d5 _wcsicmp 3894->3896 3897 5952f6 _wcsicmp 3894->3897 3895->3883 3898 591f36 23 API calls 3895->3898 3896->3894 3897->3894 3898->3883 3901 59544a 3899->3901 3900 595471 3900->3245 3900->3267 3901->3900 3982 597a42 LocalAlloc 3901->3982 3924 5957b6 3903->3924 3904 596828 2 API calls 3904->3924 3905 595490 LocalFree 3906 595a4f 3905->3906 3907 59503c LocalFree 3906->3907 3908 595a55 3907->3908 3918 5957c3 3908->3918 4020 597a5b LocalFree 3908->4020 3909 5959eb 3910 595a76 3909->3910 3920 5959e7 3909->3920 3910->3918 4021 597a5b LocalFree 3910->4021 3912 595a02 3916 591f36 23 API calls 3912->3916 3914 5959de 3915 591f36 23 API calls 3914->3915 3915->3920 3916->3920 3917 5968a8 14 API calls 3917->3924 3918->3289 3919 597abd 2 API calls 3919->3924 3920->3905 3921 597a5b LocalFree ctype 3921->3924 3922 595a20 3922->3910 3922->3912 3923 595fc5 34 API calls 3923->3924 3924->3904 3924->3909 3924->3912 3924->3914 3924->3917 3924->3918 3924->3919 3924->3920 3924->3921 3924->3922 3924->3923 3926 5963e2 LocalAlloc LocalFree memcpy wcscpy_s 3924->3926 3983 5954d0 3924->3983 3926->3924 3928 595072 #69 3927->3928 3931 59507c 3927->3931 3928->3289 3929 59511e 3930 59209f 28 API calls 3929->3930 3930->3928 3931->3929 3932 59209f 28 API calls 3931->3932 3933 591f36 23 API calls 3931->3933 3932->3931 3933->3931 3935 5951ca 3934->3935 3936 595f74 3934->3936 3935->3857 3935->3858 3938 597a5b LocalFree 3936->3938 3938->3935 3939->3862 3941 5951b0 3940->3941 3943 595149 3940->3943 3941->3865 3942 597a5b LocalFree ctype 3942->3943 3943->3941 3943->3942 
3944->3871 3945->3877 3970 596453 3946->3970 3950 59683d 3950->3888 3952 5963f9 3951->3952 3953 5963f2 3951->3953 3954 597a77 3 API calls 3952->3954 3956 596417 3952->3956 3953->3888 3954->3956 3955 597abd 2 API calls 3955->3953 3956->3953 3956->3955 3958 59634a 3957->3958 3963 596341 3957->3963 3979 597a42 LocalAlloc 3958->3979 3960 596353 3961 596359 memset 3960->3961 3966 59639c 3960->3966 3962 59636f 3961->3962 3961->3963 3962->3963 3965 597abd 2 API calls 3962->3965 3962->3966 3963->3894 3964 5963c1 3981 597a5b LocalFree 3964->3981 3965->3962 3966->3963 3966->3964 3980 597a5b LocalFree 3966->3980 3969->3882 3971 59645f 3970->3971 3975 596484 3970->3975 3972 59647d 3971->3972 3977 597a5b LocalFree 3971->3977 3978 597a5b LocalFree 3972->3978 3976 597a42 LocalAlloc 3975->3976 3976->3950 3977->3971 3978->3975 3979->3960 3980->3966 3981->3963 3982->3900 4022 597a42 LocalAlloc 3983->4022 3985 5954e6 3986 59550b 3985->3986 3987 595663 3985->3987 4011 5954ec 3985->4011 3989 597abd 2 API calls 3986->3989 3988 597abd 2 API calls 3987->3988 4001 59566e 3988->4001 4002 595512 3989->4002 3990 595675 3999 595689 3990->3999 4027 597a5b LocalFree 3990->4027 3991 595519 3998 59552d 3991->3998 4023 597a5b LocalFree 3991->4023 3993 5956d0 4029 597a5b LocalFree 3993->4029 3995 59555d 4028 597a5b LocalFree 3995->4028 3998->3993 3998->3995 4024 597a5b LocalFree 3998->4024 3999->3993 3999->3995 4003 597a5b LocalFree ctype 3999->4003 4001->3990 4030 597a42 LocalAlloc 4001->4030 4002->3991 4025 597a42 LocalAlloc 4002->4025 4003->3999 4006 595719 4006->3990 4008 595724 memset 4006->4008 4007 595599 4007->3991 4009 5955a4 memset 4007->4009 4010 595632 _wcsicmp 4008->4010 4013 59573a 4008->4013 4009->4010 4015 5955b6 4009->4015 4010->4011 4011->3924 4013->3990 4018 595780 4013->4018 4031 597a42 LocalAlloc 4013->4031 4032 595362 4013->4032 4014 5968a8 14 API calls 4014->4015 4015->3991 4015->4010 4015->4014 4016 597abd 2 API calls 4015->4016 4026 597a5b LocalFree 4015->4026 4016->4015 
4018->4010 4020->3918 4021->3918 4022->3985 4023->3998 4024->3998 4025->4007 4026->4015 4027->3999 4028->3993 4029->4011 4030->4006 4031->4013 4033 595372 4032->4033 4033->4033 4034 59539c 4033->4034 4035 595387 4033->4035 4043 597a42 LocalAlloc 4034->4043 4036 591f36 23 API calls 4035->4036 4040 595390 4036->4040 4038 5953a7 4039 5953ad _wcslwr 4038->4039 4038->4040 4041 5953ba 4039->4041 4040->4013 4041->4040 4044 597a5b LocalFree 4041->4044 4043->4038 4044->4040 4182 59746f 4185 597811 4182->4185 4184 597474 4184->4184 4186 597843 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 4185->4186 4187 597836 4185->4187 4188 59783a 4186->4188 4187->4186 4187->4188 4188->4184 4189 597543 4190 597580 4189->4190 4192 597555 4189->4192 4191 59757a ?terminate@ 4191->4190 4192->4190 4192->4191 4193 596e83 _wcsicmp 4194 596e9f 4193->4194 4195 597722 _except_handler4_common 4045 592875 4046 5928b5 7 API calls 4045->4046 4151 5919b5 4046->4151 4048 59292f SetThreadUILanguage 4049 5921bc 31 API calls 4048->4049 4050 592947 4049->4050 4051 59295d 4050->4051 4052 592aa3 4050->4052 4066 592986 4050->4066 4059 59686e 2 API calls 4051->4059 4053 597abd 2 API calls 4052->4053 4056 592aad 4053->4056 4054 591f36 23 API calls 4147 592e1f 4054->4147 4055 592e64 4058 592e77 4055->4058 4153 597a5b LocalFree 4055->4153 4065 597abd 2 API calls 4056->4065 4056->4066 4060 592e86 4058->4060 4154 597a5b LocalFree 4058->4154 4062 59297a 4059->4062 4064 592e99 4060->4064 4155 597a5b LocalFree 4060->4155 4062->4066 4071 5964ce 4 API calls 4062->4071 4068 592ea8 fclose 4064->4068 4069 592eac 4064->4069 4070 592a52 4065->4070 4066->4054 4066->4147 4068->4069 4072 592eb9 4069->4072 4073 592eb5 fclose 4069->4073 4070->4066 4074 592a74 _wfopen 4070->4074 4075 592af6 4070->4075 4076 59299b 4071->4076 4077 592ece 4072->4077 4078 592ec1 #13 4072->4078 4073->4072 4079 592a90 4074->4079 4080 592ad4 fputwc 4074->4080 4085 591c1d 8 API calls 4075->4085 4092 
592b28 4075->4092 4076->4066 4083 5964ce 4 API calls 4076->4083 4081 591a23 LocalFree 4077->4081 4078->4077 4082 591f36 23 API calls 4079->4082 4080->4066 4080->4075 4084 592eda 4081->4084 4082->4066 4087 5929b2 4083->4087 4089 5974a1 4 API calls 4084->4089 4086 592b24 4085->4086 4091 592b6d 4086->4091 4086->4092 4087->4066 4094 5964ce 4 API calls 4087->4094 4088 591f36 23 API calls 4093 592c09 #170 4088->4093 4090 592ee9 4089->4090 4095 591f36 23 API calls 4091->4095 4105 591f36 23 API calls 4092->4105 4135 592bc7 4092->4135 4096 592c2a 4093->4096 4097 592c65 #14 #14 4093->4097 4100 5929c8 4094->4100 4095->4066 4101 591f36 23 API calls 4096->4101 4098 592ca0 4097->4098 4099 592dc6 4097->4099 4102 592d7a 4098->4102 4103 592cad 4098->4103 4104 591f36 23 API calls 4099->4104 4100->4066 4109 5964a7 2 API calls 4100->4109 4101->4066 4108 591f36 23 API calls 4102->4108 4107 591f36 23 API calls 4103->4107 4110 592dce #73 4104->4110 4106 592b98 4105->4106 4111 591cd9 9 API calls 4106->4111 4112 592cbc #216 4107->4112 4113 592d8e #73 4108->4113 4114 5929e0 4109->4114 4115 592deb #118 4110->4115 4134 592d0f 4110->4134 4117 592bb3 4111->4117 4118 592cd8 4112->4118 4112->4134 4119 592dba #118 4113->4119 4113->4134 4114->4066 4127 59686e 2 API calls 4114->4127 4116 592df5 4115->4116 4120 591f36 23 API calls 4116->4120 4121 592bbb 4117->4121 4122 592c3d 4117->4122 4125 592d6b 4118->4125 4126 592ce1 #14 #216 4118->4126 4119->4116 4120->4066 4130 597c0f 3 API calls 4121->4130 4128 591f36 23 API calls 4122->4128 4123 592e01 4131 595aaa 78 API calls 4123->4131 4124 592d61 4132 594775 230 API calls 4124->4132 4133 592d6e #118 4125->4133 4126->4133 4126->4134 4129 5929f1 4127->4129 4128->4066 4129->4066 4137 5964ce 4 API calls 4129->4137 4130->4135 4136 592d66 4131->4136 4132->4136 4133->4116 4134->4123 4134->4124 4134->4134 4135->4088 4138 592e0c 4136->4138 4139 592e24 4136->4139 4140 592a08 4137->4140 4141 59209f 28 API calls 4138->4141 4145 591f36 23 API calls 4139->4145 
4140->4066 4143 5964ce 4 API calls 4140->4143 4142 592e17 4141->4142 4144 591f36 23 API calls 4142->4144 4146 592a1e 4143->4146 4144->4147 4145->4066 4146->4066 4148 5964ce 4 API calls 4146->4148 4147->4055 4152 597a5b LocalFree 4147->4152 4149 592a38 4148->4149 4149->4066 4150 5964a7 2 API calls 4149->4150 4150->4070 4151->4048 4152->4055 4153->4058 4154->4060 4155->4064 4196 597204 __wgetmainargs 4156 596e57 4159 597a42 LocalAlloc 4156->4159 4158 596e64 4159->4158

Callgraph

  • Executed
  • Not Executed
  • Opacity -> Relevance
  • Disassembly available
[Rendered callgraph omitted: functions numbered 0–107 (Function_00591A23 through Function_005979EF, including the entry function Function_00592875 / Function_005928B5 and the error-reporting function Function_00591F36); the edge list from the interactive graph is not reproduced here]

Executed Functions

Control-flow Graph

[Rendered control-flow graph for function 00591F36 omitted: basic blocks 591f36–592099; calls FormatMessageW, GetLastError, wprintf, fwprintf, _wfopen and fputwc, plus internal functions 5974c0, 591f18, 5974a1 and 591f36 (recursive)]
APIs
  • FormatMessageW.KERNELBASE(00000800,00000000,?,00000000,?,00000FFF,?,?,?,005921B4,00000001,00000026,00592806), ref: 00591F81
  • GetLastError.KERNEL32(?,?,005921B4,00000001,00000026,00592806), ref: 00591F8B
  • wprintf.MSVCRT ref: 00591FC2
  • fwprintf.MSVCRT ref: 0059200C
  • _wfopen.MSVCRT ref: 00592040
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: ErrorFormatLastMessage_wfopenfwprintfwprintf
  • String ID:
  • API String ID: 2622371381-0
  • Opcode ID: 6e7187a5acf76a670c73b148eb56b53e2e419a6fc1a5f7dd7613a613d81af79f
  • Instruction ID: b338769909de65bd73952e1d7382738c2e620e230b7c69097442d9b72ffef2b9
  • Opcode Fuzzy Hash: 6e7187a5acf76a670c73b148eb56b53e2e419a6fc1a5f7dd7613a613d81af79f
  • Instruction Fuzzy Hash: A231D53140875FAEFF259B28EC8DBA53FA8FB14354F15406BE544830A1D7725988FB18
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Rendered control-flow graph for function 005928B5 omitted: basic blocks 5928b5–592eea; calls GetCommandLineW, RegisterApplicationRestart, setlocale (5 times), SetThreadUILanguage, _wfopen, fputwc, fclose and ordinals #13, #14, #73, #118, #170, #216, plus internal functions 5919b5, 5921bc, 596495, 59686e, 597abd, 5964ce, 5964a7, 596864, 591f36, 591c1d, 591cd9, 597c0f, 59209f, 591a23, 5974a1, 597a5b, 595aaa and 594775]
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: setlocale$fclose$ApplicationCommandLanguageLineRegisterRestartThread_wfopen
  • String ID: .OCP$csv.err$csv.log
  • API String ID: 3001426010-4105646927
  • Opcode ID: 59aa1d72f160dd16683e01a259e2ceb5ee6d870d2d9c67f3c7a0f762ad8d251d
  • Instruction ID: 000f26f21ddf93e173ba92eab410c2feab3d04e56db77f10396b0a00262a7508
  • Opcode Fuzzy Hash: 59aa1d72f160dd16683e01a259e2ceb5ee6d870d2d9c67f3c7a0f762ad8d251d
  • Instruction Fuzzy Hash: 43F1D231D4062BBBDF31AB608C8EBEA7FB8BB64750F040096F508A6191DB744E85DB95
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Executed
  • Not Executed
[Control-flow graph image; only the block data survives: first block 592875-5928b4; blocks reference GetCommandLineW, RegisterApplicationRestart, setlocale (5 calls), SetThreadUILanguage, _wfopen, fputwc, fclose and WLDAP32 ordinals #13, #14, #73, #118, #170, #216]
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: setlocale$fclose$ApplicationCommandLanguageLineRegisterRestartThread_wfopen
  • String ID: .OCP
  • API String ID: 3001426010-2857402590
  • Opcode ID: db4838222621d0aa3ba00699368669c4fc13ded0630cc37a9e91105789ce4796
  • Instruction ID: 3ac16f713ff5438062f0b427e675857120ca43cf2fdd88526efe32ef195d6b94
  • Opcode Fuzzy Hash: db4838222621d0aa3ba00699368669c4fc13ded0630cc37a9e91105789ce4796
  • Instruction Fuzzy Hash: 2841D435D0126ABBCF21EBA5DCCDB9E7FB8FB45310F0500AAE108A6191DA309E84DF55
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

APIs
  • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00597848
  • GetCurrentProcessId.KERNEL32 ref: 00597854
  • GetCurrentThreadId.KERNEL32 ref: 0059785C
  • GetTickCount.KERNEL32 ref: 00597864
  • QueryPerformanceCounter.KERNEL32(?), ref: 00597870
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
  • String ID:
  • API String ID: 1445889803-0
  • Opcode ID: 172aa65f1615a4f69ec476051b9e5a2701802eea0e4f9c139a9a2c6ce77d854e
  • Instruction ID: 17b1fe46fcfc5ae91d83ff574fcc0ac19fa3a974d7f710531252d1aabe46e6f4
  • Opcode Fuzzy Hash: 172aa65f1615a4f69ec476051b9e5a2701802eea0e4f9c139a9a2c6ce77d854e
  • Instruction Fuzzy Hash: C901A172C00229ABCF209BB8EE4D69ABBB8FB1C381F570567E801E7110D6305A44EB94
Uniqueness

Uniqueness Score: -1.00%

APIs
  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00597964
  • UnhandledExceptionFilter.KERNEL32(0059191C), ref: 0059796F
  • GetCurrentProcess.KERNEL32(C0000409), ref: 0059797A
  • TerminateProcess.KERNEL32(00000000), ref: 00597981
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
  • String ID:
  • API String ID: 3231755760-0
  • Opcode ID: 737fd5d84d7e0eab0ded5b23839fa5251e747ded9c57a8c0b4651ef9a489469f
  • Instruction ID: 9bc1451b64b6de10699c6aa436a22541cdbf702f6560edd8792db1daf8bf33e1
  • Opcode Fuzzy Hash: 737fd5d84d7e0eab0ded5b23839fa5251e747ded9c57a8c0b4651ef9a489469f
  • Instruction Fuzzy Hash: D4219BB8815606EBDB40CF9DF9896887BA8BB68304F12415FE90887370E3715989EF59
Uniqueness

Uniqueness Score: -1.00%

APIs
  • SetUnhandledExceptionFilter.KERNEL32(Function_00007543), ref: 00597590
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: ExceptionFilterUnhandled
  • String ID:
  • API String ID: 3192549508-0
  • Opcode ID: 501b795a50d7f2b9d45e5cdfe4fb931d0c30199611cc1ce5a1c15711b5f6d0b6
  • Instruction ID: 58360370e780dc5da09777205b244c67167e4b0f32a712e6a2cb938436a28fb2
  • Opcode Fuzzy Hash: 501b795a50d7f2b9d45e5cdfe4fb931d0c30199611cc1ce5a1c15711b5f6d0b6
  • Instruction Fuzzy Hash: 919002F02655564BAF401B706C0F40529916A6C61274724536005D4064DA5141896515
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Executed
  • Not Executed
[Control-flow graph image; only the block data survives: first block 593d5a-593d8d; blocks reference RtlInitializeGenericTable, RtlInsertElementGenericTable, _wcsicmp, _wtoi, memset and WLDAP32 ordinals #26, #27, #36, #41, #127, #140, #167, #208, #224]
APIs
    • Part of subcall function 00597A42: LocalAlloc.KERNEL32(00000040,00000000,?,00597B12,00000000,?,00000000,?,00000000,00000002,00000001,00000000,?,?,?,00592455), ref: 00597A4C
  • RtlInitializeGenericTable.NTDLL(00000000,00596E83,00596E57,00596E6D,00000000), ref: 00593DBC
  • RtlInsertElementGenericTable.NTDLL ref: 00593DF7
  • #208.WLDAP32(?,00000000,00000000,(objectClass=*),00599020,00000000,?,?,?,?,?,?,005948CE,?,?,?), ref: 00593E3A
  • #41.WLDAP32(00000000), ref: 005942B5
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: GenericTable$#208AllocElementInitializeInsertLocal
  • String ID: (&(objectClass= attributeSchema)(|(linkid=*)(attributeSyntax=2.5.5.1)))$(objectClass=*)$1.2.840.113556.1.4.319$defaultNamingContext$distinguishedName$f-Y$ldapdisplayname$objectCategory$rimaryGroupID$schemaNamingContext$supportedControl
  • API String ID: 1705104417-3118802605
  • Opcode ID: fb34077e31a6c124bb2b03d45f851b542e4fb823e98708f3796850d5971f385f
  • Instruction ID: 15540215e3d61a7e9953a7f91e52c64027563b876266dcda7920a666479811bf
  • Opcode Fuzzy Hash: fb34077e31a6c124bb2b03d45f851b542e4fb823e98708f3796850d5971f385f
  • Instruction Fuzzy Hash: 99F1CF3590021AEBDF119FA5DC09AEEBFB9FF64350F154016F811A62A0E7728E85DF50
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Executed
  • Not Executed
[Control-flow graph image; only the block data survives: first block 593497-5934d2; blocks reference _wfopen, fputwc, fputws, fwprintf, fwscanf, fclose]
APIs
  • _wfopen.MSVCRT ref: 005934C7
  • _wfopen.MSVCRT ref: 005934F8
  • fputwc.MSVCRT ref: 0059351E
  • fputws.MSVCRT ref: 00593556
  • fwprintf.MSVCRT ref: 00593583
  • fputws.MSVCRT ref: 005935A5
  • fputws.MSVCRT ref: 005935D0
  • fputws.MSVCRT ref: 005935EE
  • fwprintf.MSVCRT ref: 0059361A
  • fputws.MSVCRT ref: 00593640
  • fputws.MSVCRT ref: 0059365A
  • fwscanf.MSVCRT ref: 00593672
    • Part of subcall function 00591F36: FormatMessageW.KERNELBASE(00000800,00000000,?,00000000,?,00000FFF,?,?,?,005921B4,00000001,00000026,00592806), ref: 00591F81
    • Part of subcall function 00591F36: GetLastError.KERNEL32(?,?,005921B4,00000001,00000026,00592806), ref: 00591F8B
  • fclose.MSVCRT ref: 005938C6
  • fclose.MSVCRT ref: 005938D1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: fputws$_wfopenfclosefwprintf$ErrorFormatLastMessagefputwcfwscanf
  • String ID: %d %d:$DN,$DN,&$f-Y
  • API String ID: 1129342130-1148733891
  • Opcode ID: cbebbc8bb145c01a093f1792f86e1c31242f4b99d955b339236adf6c2f15e3dd
  • Instruction ID: 82d5b9495ff3b1a59f89503cb09670be04235be71b2066f2a56e24b4bfb72345
  • Opcode Fuzzy Hash: cbebbc8bb145c01a093f1792f86e1c31242f4b99d955b339236adf6c2f15e3dd
  • Instruction Fuzzy Hash: E2C19C7190520BFBDF11DF94DC89AAEBFB5FB14354F21806AF504A2191EB319B48EB10
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Executed
  • Not Executed
[Control-flow graph image; only the block data survives: first block 5942ee-594327; blocks reference fwprintf, fputws, _wcsicmp and WLDAP32 ordinals #77, #79, #133, #142, #147]
APIs
    • Part of subcall function 00591AD7: wprintf.MSVCRT ref: 00591AE5
  • #133.WLDAP32(?,?,00000000,?,?,00000000,?,?,?,f-Y,00000000), ref: 00594376
  • fwprintf.MSVCRT ref: 005943CD
  • fwprintf.MSVCRT ref: 005943E2
  • fputws.MSVCRT ref: 00594411
  • #142.WLDAP32(?,?,?), ref: 00594462
  • #77.WLDAP32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00594D85,?), ref: 0059446C
  • _wcsicmp.MSVCRT ref: 0059447B
  • _wcsicmp.MSVCRT ref: 005944EE
  • #79.WLDAP32(?,?,00000000), ref: 0059460D
  • fwprintf.MSVCRT ref: 0059464E
  • fputws.MSVCRT ref: 00594680
  • fputws.MSVCRT ref: 005946AB
    • Part of subcall function 00591F36: FormatMessageW.KERNELBASE(00000800,00000000,?,00000000,?,00000FFF,?,?,?,005921B4,00000001,00000026,00592806), ref: 00591F81
    • Part of subcall function 00591F36: GetLastError.KERNEL32(?,?,005921B4,00000001,00000026,00592806), ref: 00591F8B
  • #147.WLDAP32(?,?,?,00000000,?,?,?,f-Y,00000000,?,?,?,?,?,?,00594D85), ref: 00594715
  • #79.WLDAP32(?,?,?,00000000,?,?,?,f-Y,00000000,?,?,?,?,?,?,00594D85), ref: 00594731
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: fputwsfwprintf$_wcsicmp$#133#142#147ErrorFormatLastMessagewprintf
  • String ID: %d %d:$f-Y$objectClass$top
  • API String ID: 902258377-3827400293
  • Opcode ID: a4ae780e14e4b8855b4279f4375d9755adc0a909b4ef077cb2179732c8cca7fc
  • Instruction ID: b8fa883bfc623c769906e981497481a50e232b2683cf13963a67d1904891f6f7
  • Opcode Fuzzy Hash: a4ae780e14e4b8855b4279f4375d9755adc0a909b4ef077cb2179732c8cca7fc
  • Instruction Fuzzy Hash: 61D1AC71C0021AAFCF229FA4D889EAE7FB1FB58350F11416AF514661A1DB319E56EF80
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Executed
  • Not Executed
[Control-flow graph image; only the block data survives: first block 596b92-596bab; blocks reference RtlEnumerateGenericTable, RtlDeleteElementGenericTable, RtlIsGenericTableEmpty]
APIs
  • RtlDeleteElementGenericTable.NTDLL ref: 00596BB8
  • RtlEnumerateGenericTable.NTDLL ref: 00596BC1
  • RtlIsGenericTableEmpty.NTDLL ref: 00596BCD
  • RtlDeleteElementGenericTable.NTDLL ref: 00596BF9
  • RtlEnumerateGenericTable.NTDLL ref: 00596C02
  • RtlIsGenericTableEmpty.NTDLL ref: 00596C0E
  • RtlDeleteElementGenericTable.NTDLL ref: 00596C3A
  • RtlEnumerateGenericTable.NTDLL ref: 00596C43
  • RtlIsGenericTableEmpty.NTDLL ref: 00596C4F
  • RtlDeleteElementGenericTable.NTDLL ref: 00596C7B
  • RtlEnumerateGenericTable.NTDLL ref: 00596C84
  • RtlIsGenericTableEmpty.NTDLL ref: 00596C90
  • RtlDeleteElementGenericTable.NTDLL ref: 00596CBC
  • RtlEnumerateGenericTable.NTDLL ref: 00596CC5
  • RtlIsGenericTableEmpty.NTDLL ref: 00596CD1
  • RtlDeleteElementGenericTable.NTDLL ref: 00596CFD
  • RtlEnumerateGenericTable.NTDLL ref: 00596D06
  • RtlIsGenericTableEmpty.NTDLL ref: 00596D12
  • RtlDeleteElementGenericTable.NTDLL ref: 00596D3E
  • RtlEnumerateGenericTable.NTDLL ref: 00596D47
  • RtlIsGenericTableEmpty.NTDLL ref: 00596D53
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: GenericTable$DeleteElementEmptyEnumerate
  • String ID:
  • API String ID: 1586803967-0
  • Opcode ID: e9dfc22ff995b717aec203b29a563a3bdc53023129c447f6e45df50fc05b9a9b
  • Instruction ID: 361dbb88b54f1a2a04470c6387646991bda3ac571300ec6cc699d0ec6fbd1384
  • Opcode Fuzzy Hash: e9dfc22ff995b717aec203b29a563a3bdc53023129c447f6e45df50fc05b9a9b
  • Instruction Fuzzy Hash: 6241EAB1510117BFEF116B2AFD4CEAA3E6EFB64389B02402BF64591430D7268C1CFA24
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Executed
  • Not Executed
[Control-flow graph image; only the block data survives: first block 596eb6-596ec1; blocks reference RtlInitializeGenericTable, RtlInsertElementGenericTable]
APIs
    • Part of subcall function 00597A42: LocalAlloc.KERNEL32(00000040,00000000,?,00597B12,00000000,?,00000000,?,00000000,00000002,00000001,00000000,?,?,?,00592455), ref: 00597A4C
  • RtlInitializeGenericTable.NTDLL(00000000,00596E83,00596E57,00596E6D,00000000), ref: 00596EF5
  • RtlInsertElementGenericTable.NTDLL ref: 00596F24
  • RtlInitializeGenericTable.NTDLL(00000000,00596E83,00596E57,00596E6D,00000000), ref: 00596F62
  • RtlInsertElementGenericTable.NTDLL ref: 00596F8C
  • RtlInitializeGenericTable.NTDLL(00000000,00596E83,00596E57,00596E6D,00000000), ref: 00596FCD
  • RtlInsertElementGenericTable.NTDLL ref: 00596FF7
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: GenericTable$ElementInitializeInsert$AllocLocal
  • String ID: f-Y
  • API String ID: 2903757959-2173099327
  • Opcode ID: bfafaaca922086662054c0a2fa969316042e567ce72ac7b67549be3940b035e5
  • Instruction ID: 4760be6bc8b802d0c34f66b52a891e98d934d153fd8b8ab09ee9c836a7873bb3
  • Opcode Fuzzy Hash: bfafaaca922086662054c0a2fa969316042e567ce72ac7b67549be3940b035e5
  • Instruction Fuzzy Hash: F1913DB5A0425AAFDF00DFA8DC89DAE7FB8FB58704F11046BE601A7250E7714A4DEB50
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Executed
  • Not Executed
  • [Control-flow graph of function 0x5939bd (node and edge listing omitted); calls subfunctions 0x5931fe, 0x596dde, 0x59313d, 0x5933dd, 0x5979bd, 0x597abd, 0x593469 and 0x597a77, and the APIs WLDAP32 #127, #142, #77, #79, #167, RtlLookupElementGenericTable, RtlInsertElementGenericTable and _wcsicmp]
APIs
    • Part of subcall function 005931FE: #127.WLDAP32(?,?,?,f-Y,00000000,?,SCY,00000000,?,?,?,?,00594353,?,?,00000000), ref: 0059321D
    • Part of subcall function 005931FE: #140.WLDAP32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00594353,?), ref: 00593238
    • Part of subcall function 005931FE: _wcsicmp.MSVCRT ref: 00593246
    • Part of subcall function 005931FE: #224.WLDAP32(00000000), ref: 00593289
    • Part of subcall function 005931FE: #167.WLDAP32(?,?,?), ref: 005932A3
  • #127.WLDAP32(00000000,?,00000000,00000000,?,?,SCY,00000000,?,?,?,?,00594353,?,?,00000000), ref: 005939EB
  • #142.WLDAP32(00000000,?,00000000,00000000,f-Y,?,?,?,?,?,?,?,00594353,?,?,00000000), ref: 00593A07
  • #77.WLDAP32(00000000,?,?,?,?,?,?,?,00594353,?,?,00000000), ref: 00593A13
  • RtlLookupElementGenericTable.NTDLL(?), ref: 00593A4D
  • _wcsicmp.MSVCRT ref: 00593A70
  • _wcsicmp.MSVCRT ref: 00593A82
  • RtlLookupElementGenericTable.NTDLL(?,?), ref: 00593B4B
  • RtlInsertElementGenericTable.NTDLL ref: 00593C3B
  • #79.WLDAP32(00000000), ref: 00593C51
  • #167.WLDAP32(00000000,?,00000000), ref: 00593C61
  • #79.WLDAP32(00000000,00000000), ref: 00593C82
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: ElementGenericTable_wcsicmp$#127#167Lookup$#140#142#224Insert
  • String ID: SCY$f-Y$isCriticalSystemObject$objectGUID
  • API String ID: 1137571381-4214347925
  • Opcode ID: 287c3e617fae62a9e73a67340e2ad43dae0942c359a5600f36a07c7075cfd03d
  • Instruction ID: ebe241286aa8ea3ae19a0f2b4b051f2ac7204fc87fd828f66a780182461f6a7e
  • Opcode Fuzzy Hash: 287c3e617fae62a9e73a67340e2ad43dae0942c359a5600f36a07c7075cfd03d
  • Instruction Fuzzy Hash: 3D916C71A0020AEFDF119FA8DC48AAE7FB9FF18350F15405AE911E6261E772DE48DB50
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Executed
  • Not Executed
  • [Control-flow graph of function 0x595aaa (node and edge listing omitted); calls the error-reporting subfunction 0x591f36 and subfunctions 0x5951bd, 0x5951e3, 0x595436, 0x595490, 0x59503c, 0x595060, 0x59579d, 0x595ef5, 0x595f11, 0x595f80, 0x595faf, 0x5966fd, 0x597a5b, 0x59209f and 0x591ad7, and the APIs _wfopen, fgetwc, fclose, ??2@YAPAXI@Z, WLDAP32 #69, #118 and #157]
APIs
    • Part of subcall function 00591F36: FormatMessageW.KERNELBASE(00000800,00000000,?,00000000,?,00000FFF,?,?,?,005921B4,00000001,00000026,00592806), ref: 00591F81
    • Part of subcall function 00591F36: GetLastError.KERNEL32(?,?,005921B4,00000001,00000026,00592806), ref: 00591F8B
  • _wfopen.MSVCRT ref: 00595AF0
  • fgetwc.MSVCRT ref: 00595AFC
  • fclose.MSVCRT ref: 00595B13
  • _wfopen.MSVCRT ref: 00595B42
  • ctype.LIBCPMT ref: 00595B7E
  • fclose.MSVCRT ref: 00595BB6
  • ??2@YAPAXI@Z.MSVCRT ref: 00595BDA
  • #69.WLDAP32(00000000,00000000,?,?,00000002,?,00000000,00592E06,00000000,?,?,?,?,?,00000000,00000000), ref: 00595CE5
  • #157.WLDAP32(00000000,00000000,00000000,?,?,?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 00595D74
  • #118.WLDAP32(00000000,?,00000004,?,?,?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 00595DDC
    • Part of subcall function 00591F36: wprintf.MSVCRT ref: 00591FC2
    • Part of subcall function 00591F36: fwprintf.MSVCRT ref: 0059200C
    • Part of subcall function 00591F36: _wfopen.MSVCRT ref: 00592040
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: _wfopen$fclose$#118#157??2@ErrorFormatLastMessagectypefgetwcfwprintfwprintf
  • String ID: %d: $%d: %s
  • API String ID: 4002410116-4003150761
  • Opcode ID: 49478e6048a8af5867ebbbe6e769abf2e672a7a19ee468535e1d5c5a6277ed4b
  • Instruction ID: 778841f050fd3437fdef0b2f66cbf0bb3658c74baec7cc1567fe4a92a9f6686e
  • Opcode Fuzzy Hash: 49478e6048a8af5867ebbbe6e769abf2e672a7a19ee468535e1d5c5a6277ed4b
  • Instruction Fuzzy Hash: 94A1E671A00B0BBFEF226BA4CC4AFAD7FA5FB54300F54002AF60665191FB758A24DB15
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Executed
  • Not Executed
  • [Control-flow graph of function 0x592ef0 (node and edge listing omitted); calls subfunctions 0x5968a8, 0x597a42 and 0x597a5b, and the APIs wcsstr, wcscpy_s and wcscat_s]
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: wcsstr$wcscat_swcscpy_s
  • String ID: \X'
  • API String ID: 3924677330-1301245169
  • Opcode ID: bdb754105d6abff507c86a98b0225808b1a081e5ffddcde7b92886de389045f4
  • Instruction ID: 6898ac794f864e53454f6e83294ab0d1cab820089b81761bf0b4c830baccf6c5
  • Opcode Fuzzy Hash: bdb754105d6abff507c86a98b0225808b1a081e5ffddcde7b92886de389045f4
  • Instruction Fuzzy Hash: A671AD3190421AFFDF129F54CC89AEEBFB8FF45394F148066F818AA151E7718A85CB90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Executed
  • Not Executed
  • [Control-flow graph of function 0x591dae (node and edge listing omitted); calls subfunctions 0x5974c0 and 0x5974a1, and the APIs GetStdHandle, _vsnwprintf_s, GetFileType, GetConsoleMode, WriteConsoleW, GetConsoleOutputCP, WideCharToMultiByte, WriteFile, ??2@YAPAXI@Z and ??3@YAXPAX@Z]
APIs
  • GetStdHandle.KERNEL32(000000F5,00000103,?,?,00591F2C,00000001,?,?,?,00591FE4,763A45E0,?,?,?,005921B4,00000001), ref: 00591DE2
  • _vsnwprintf_s.MSVCRT ref: 00591DFE
  • GetFileType.KERNEL32(?), ref: 00591E31
  • GetConsoleMode.KERNEL32(?,?), ref: 00591E49
  • WriteConsoleW.KERNEL32(?,?,?,?,00000000), ref: 00591E6E
  • GetConsoleOutputCP.KERNEL32(00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000), ref: 00591E8E
  • WideCharToMultiByte.KERNEL32(00000000), ref: 00591E97
  • ??2@YAPAXI@Z.MSVCRT ref: 00591EA0
  • GetConsoleOutputCP.KERNEL32(00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00591EC3
  • WideCharToMultiByte.KERNEL32(00000000), ref: 00591EC6
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00591EE4
  • ??3@YAXPAX@Z.MSVCRT ref: 00591EF0
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: Console$ByteCharFileMultiOutputWideWrite$??2@??3@HandleModeType_vsnwprintf_s
  • String ID:
  • API String ID: 2105736674-0
  • Opcode ID: e046ce925da16da086a329925b257dfe331731e01cdacf3e1c16937800e98f56
  • Instruction ID: afea1d15fe353087394d5566a6128f7b0f9f663ff7d9196af4f0207a61206aba
  • Opcode Fuzzy Hash: e046ce925da16da086a329925b257dfe331731e01cdacf3e1c16937800e98f56
  • Instruction Fuzzy Hash: 62413C71900239ABEF209B64CD8CDEABBBCFF09350F104196F519E2152D6309E94DF68
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: wcscpy_swcsstr$FormatMessage_itow
  • String ID: %d:
  • API String ID: 3491583861-3887144285
  • Opcode ID: 16d18cd9b5ec8b8df22b3c15a48f51cb4542b5baf37db0780c8999f2d29cf192
  • Instruction ID: a6100dbb5ebee56c7a3d029f5f2813351cf737fb61429edf5f31940d573386a5
  • Opcode Fuzzy Hash: 16d18cd9b5ec8b8df22b3c15a48f51cb4542b5baf37db0780c8999f2d29cf192
  • Instruction Fuzzy Hash: 7E31F7B2D406297BDF30AB54DC8EFEB7FBCFB95700F000156F919A2181EA705A48CA55
Uniqueness

Uniqueness Score: -1.00%

APIs
  • GetStdHandle.KERNEL32(000000F6,?), ref: 00591CFB
  • GetConsoleMode.KERNEL32(00000000), ref: 00591CFE
  • GetStdHandle.KERNEL32(000000F6,?), ref: 00591D15
  • SetConsoleMode.KERNEL32(00000000), ref: 00591D18
  • GetStdHandle.KERNEL32(000000F6,?,00000001,?,00000000), ref: 00591D2C
  • ReadConsoleW.KERNEL32(00000000), ref: 00591D2F
  • GetStdHandle.KERNEL32(000000F6,?), ref: 00591D83
  • SetConsoleMode.KERNEL32(00000000), ref: 00591D86
  • putchar.MSVCRT ref: 00591D93
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: ConsoleHandle$Mode$Readputchar
  • String ID:
  • API String ID: 3423037327-0
  • Opcode ID: 333f6eac386db57036aca046b5febb3cd4c6eae8794701589666210448ea4653
  • Instruction ID: b674079c5b6014837d868ebe31f0c207819ec74687130204c0d28b0be470975f
  • Opcode Fuzzy Hash: 333f6eac386db57036aca046b5febb3cd4c6eae8794701589666210448ea4653
  • Instruction Fuzzy Hash: B3219F7660076AABDF109FA9CD88AAA3BACFF15331F200612F525C60D0D7309940DB69
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: _toupper
  • String ID: Base$P&V$PQV$PhV
  • API String ID: 2698796853-3466698189
  • Opcode ID: 72599410d9ab2f317ca3b144648d4d95bac4d5e8ac1cd9e315e4ea458b40fb14
  • Instruction ID: 4eed16f975652c88aed9f2bd7944c3464a9bd97f66f0817b0e56a97faf26ff74
  • Opcode Fuzzy Hash: 72599410d9ab2f317ca3b144648d4d95bac4d5e8ac1cd9e315e4ea458b40fb14
  • Instruction Fuzzy Hash: 3002B17090870AAFDF24DFA8D4857AD7FF5FF58310F18445AD842AA682DB70E981CB25
Uniqueness

Uniqueness Score: -1.00%

APIs
  • #127.WLDAP32(?,?,?,f-Y,00000000,?,SCY,00000000,?,?,?,?,00594353,?,?,00000000), ref: 0059321D
  • #140.WLDAP32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00594353,?), ref: 00593238
  • _wcsicmp.MSVCRT ref: 00593246
  • #224.WLDAP32(00000000), ref: 00593289
  • #167.WLDAP32(?,?,?), ref: 005932A3
    • Part of subcall function 00596D74: RtlLookupElementGenericTable.NTDLL(e2Y), ref: 00596D8F
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: #127#140#167#224ElementGenericLookupTable_wcsicmp
  • String ID: f-Y$objectClass
  • API String ID: 34665122-3751578644
  • Opcode ID: b3643b078f391560fcf0d74084784ffd01427d5edee4ef8b4279f2443329bc25
  • Instruction ID: 97ec05c9870bd4794e89f12240b80228393d008dcb1ab200009a946e96ad2df3
  • Opcode Fuzzy Hash: b3643b078f391560fcf0d74084784ffd01427d5edee4ef8b4279f2443329bc25
  • Instruction Fuzzy Hash: A5214A7AC0021AFFCF21AF94D88889DBFB5FF55351B15807AE905A2210E3324F94DB51
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: feof$ferrorfreadfwrite
  • String ID: f-Y
  • API String ID: 213062636-2173099327
  • Opcode ID: 77ce6e5e29404d568e4b0a267bc3b17e456321249a604a29c4840d6f1d213cf0
  • Instruction ID: 6a114b65831976f05a8cd623148075a02aee1932f635e7066c21665cfa192e4b
  • Opcode Fuzzy Hash: 77ce6e5e29404d568e4b0a267bc3b17e456321249a604a29c4840d6f1d213cf0
  • Instruction Fuzzy Hash: 8B11A371A00229ABDF10AFA9DC48BDE7BACFF55354F110026E604E7140EB74D908DB64
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: iswuppertowlower
  • String ID:
  • API String ID: 2404469642-0
  • Opcode ID: 06d249aef4d67224f2097666efea8c1a43410f884b7d84194482fd3e906dd06a
  • Instruction ID: 10f3af44a3937a090f2ceeea4d16180d53cb13c5e6d177516fba6c43efdf92bc
  • Opcode Fuzzy Hash: 06d249aef4d67224f2097666efea8c1a43410f884b7d84194482fd3e906dd06a
  • Instruction Fuzzy Hash: 18217F32500625EBCF259F19EC889EA3BF4FF563A5B124047F405C71D0DB348D84E668
Uniqueness

Uniqueness Score: -1.00%

APIs
  • DsRoleGetPrimaryDomainInformation.NETAPI32(00000000,00000001,?), ref: 00591C3A
  • DsGetDcNameW.NETAPI32(00000000,00000000,00000000,00000000,00001010,?,?,00000000,00000001,?), ref: 00591C68
  • DsGetDcNameW.NETAPI32(00000000,00000000,00000000,00000000,00000050,?,?,00000000,00000001,?), ref: 00591C7C
  • DsGetDcNameW.NETAPI32(00000000,00000000,00000000,00000000,00000010,?,?,00000000,00000001,?), ref: 00591C8F
  • DsRoleFreeMemory.NETAPI32(?,00000000,00000001,?), ref: 00591CB9
  • NetApiBufferFree.NETAPI32(?,?), ref: 00591CC8
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: Name$FreeRole$BufferDomainInformationMemoryPrimary
  • String ID:
  • API String ID: 1285339676-0
  • Opcode ID: ebabced8b5642c4969c2d37a252e023c373d1f50725e1531c28a3e7211c26a29
  • Instruction ID: b410038b27a64d285e300df7bab70b16497f4056232f163fa497c264333eea26
  • Opcode Fuzzy Hash: ebabced8b5642c4969c2d37a252e023c373d1f50725e1531c28a3e7211c26a29
  • Instruction Fuzzy Hash: BC2109B194061EBFEF109FA58DC5DAE7BBCFB04354B148476F501E7200D2709E849B64
Uniqueness

Uniqueness Score: -1.00%

APIs
    • Part of subcall function 0059657F: iswupper.MSVCRT ref: 005965AB
    • Part of subcall function 0059657F: towlower.MSVCRT ref: 005965B7
    • Part of subcall function 0059657F: iswupper.MSVCRT ref: 005965C2
    • Part of subcall function 0059657F: towlower.MSVCRT ref: 005965CE
    • Part of subcall function 0059657F: iswupper.MSVCRT ref: 005965FE
    • Part of subcall function 0059657F: towlower.MSVCRT ref: 0059660A
    • Part of subcall function 0059657F: iswupper.MSVCRT ref: 00596615
    • Part of subcall function 0059657F: towlower.MSVCRT ref: 00596621
  • wcsncat_s.MSVCRT ref: 00596978
  • wcscat_s.MSVCRT ref: 00596982
  • wcsncat_s.MSVCRT ref: 005969A5
  • wcscat_s.MSVCRT ref: 005969AF
  • wcscat_s.MSVCRT ref: 005969D3
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: iswuppertowlower$wcscat_s$wcsncat_s
  • String ID:
  • API String ID: 3704213178-0
  • Opcode ID: 60b4ee6459a3a7b413e8432aeb2028309c88f78dfba5654ed87d4a4d1e4ac6ce
  • Instruction ID: 0f02409ef189f7dfa7d02684a9885894c299ae4bc35bd5fbf9e4c9917fa0f85e
  • Opcode Fuzzy Hash: 60b4ee6459a3a7b413e8432aeb2028309c88f78dfba5654ed87d4a4d1e4ac6ce
  • Instruction Fuzzy Hash: 05415C3290011ABFCF159F68CC858AE7FB9FF99304B15841AFC559B251EB30EA15CB90
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: vfwprintf$_wfopenfputwcwprintf
  • String ID:
  • API String ID: 515560640-0
  • Opcode ID: 8461944ffeea9f504b3cb59740f362102586adadab66f393d129fdb311aa4d14
  • Instruction ID: 6d5e14f232c7f5488e3b357f1bd5bc05f4e5cab939880a4e3b75d8578feb5d84
  • Opcode Fuzzy Hash: 8461944ffeea9f504b3cb59740f362102586adadab66f393d129fdb311aa4d14
  • Instruction Fuzzy Hash: EB21D53144838ABAEF219B18EC4A7A43F95FB25314F19402FFA84461A1D272499CF745
Uniqueness

Uniqueness Score: -1.00%

APIs
    • Part of subcall function 00597A42: LocalAlloc.KERNEL32(00000040,00000000,?,00597B12,00000000,?,00000000,?,00000000,00000002,00000001,00000000,?,?,?,00592455), ref: 00597A4C
  • _wcsicmp.MSVCRT ref: 00595643
  • memset.MSVCRT ref: 00595729
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: AllocLocal_wcsicmpmemset
  • String ID: member
  • API String ID: 1402461977-1894054520
  • Opcode ID: 1a33ab414ab7d8ea1a8e2ca891e475d2351648fa5dec29ad7e42e2acb27c7d1d
  • Instruction ID: 4f73df339b3f55c61dd58d3d5cc1bcb65e9f04c052eae6ed5c717cf5b190075d
  • Opcode Fuzzy Hash: 1a33ab414ab7d8ea1a8e2ca891e475d2351648fa5dec29ad7e42e2acb27c7d1d
  • Instruction Fuzzy Hash: CA915CB560060AEFDF22EF64C88589E7FB5FF48300B55486AF95697211E730EEA1CB50
Uniqueness

Uniqueness Score: -1.00%

APIs
    • Part of subcall function 00597A42: LocalAlloc.KERNEL32(00000040,00000000,?,00597B12,00000000,?,00000000,?,00000000,00000002,00000001,00000000,?,?,?,00592455), ref: 00597A4C
  • #29.WLDAP32(00000000,9;Y,00000000,?,?,f-Y,?,?,?,9;Y,00000001,?,00000000,00000000,?,005931A9), ref: 00597B93
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: AllocLocal
  • String ID: 9;Y$f-Y
  • API String ID: 3494564517-2864601455
  • Opcode ID: 4bd6d1da04a228560893d2872ef4b96ea6ea07eb325c924be6366c8b688916c9
  • Instruction ID: 967ac973ae85c46d4b65517af04fbc89270325cfab1f040dc594153105933c58
  • Opcode Fuzzy Hash: 4bd6d1da04a228560893d2872ef4b96ea6ea07eb325c924be6366c8b688916c9
  • Instruction Fuzzy Hash: E1110AB212424FABEF159F55CC4AFAB3BAEFF88750F00441ABD158B291E675E9108760
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: _memicmpmemcpy
  • String ID: rimaryGroupID
  • API String ID: 1297319233-741753559
  • Opcode ID: c1a374e0261abd9f41ff962b62fef23035068629574a3e734e6c915c874513ed
  • Instruction ID: 4d7b1bdf2f56c1b0c52bfeeab1049256cccbec2d3e242bfd922bbef05be60c78
  • Opcode Fuzzy Hash: c1a374e0261abd9f41ff962b62fef23035068629574a3e734e6c915c874513ed
  • Instruction Fuzzy Hash: 25210232604115EBCF119B68DC0D966BFECFF99750B16842EF809DB261D631EE09EB90
Uniqueness

Uniqueness Score: -1.00%

APIs
  • RtlLookupElementGenericTable.NTDLL(e2Y), ref: 00596D8F
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: ElementGenericLookupTable
  • String ID: e2Y$e2Y
  • API String ID: 3589993503-2799188899
  • Opcode ID: ea81700653bffee7d639b123f59295d3f84fd3746c16bd7de45b9461a3883f3b
  • Instruction ID: 81e83a2f9c97eaf6f2f1226923be305b18a66a867a1a696db2507f3cd6c725c0
  • Opcode Fuzzy Hash: ea81700653bffee7d639b123f59295d3f84fd3746c16bd7de45b9461a3883f3b
  • Instruction Fuzzy Hash: 3EE08C71200208BBDB008B95CC09E9B7FF8FB40340F118066A015C6110D630EA04EA94
Uniqueness

Uniqueness Score: -1.00%

APIs
  • RtlLookupElementGenericTable.NTDLL(t2Y), ref: 00596DC4
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1970515488.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
  • Associated: 00000000.00000002.1970497457.0000000000590000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970548404.0000000000599000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1970582915.000000000059A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_590000_csvde.jbxd
Similarity
  • API ID: ElementGenericLookupTable
  • String ID: t2Y$t2Y
  • API String ID: 3589993503-2056611230
  • Opcode ID: cd7ad4f0a752cc482f14bb56f86f4f4e1c3c7016aab606fd29943a3f73f6c78c
  • Instruction ID: 7561cd9be87624451b74e1bcc11d10585cdbb111493c79a24fa68af790d4fc48
  • Opcode Fuzzy Hash: cd7ad4f0a752cc482f14bb56f86f4f4e1c3c7016aab606fd29943a3f73f6c78c
  • Instruction Fuzzy Hash: 89E08CB2614208BFDB008B95CC08E9B7FF8FB01300F118025A005C6110D670EE04EA94
Uniqueness

Uniqueness Score: -1.00%