
Windows Analysis Report
GIYUCke96G.exe

Overview

General Information

Sample name: GIYUCke96G.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name: bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9
Analysis ID: 1446955
MD5: 63ba5ec400ebbe6af65441f442652faa
SHA1: 3b8807f8124c0e0d8c8cd816f9a7bc30476fbf5c
SHA256: bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9
Infos:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Found direct / indirect Syscall (likely to bypass EDR)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
One or more processes crash
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info

Classification

  • System is w10x64
  • GIYUCke96G.exe (PID: 2724 cmdline: "C:\Users\user\Desktop\GIYUCke96G.exe" MD5: 63BA5EC400EBBE6AF65441F442652FAA)
    • WerFault.exe (PID: 3664 cmdline: C:\Windows\system32\WerFault.exe -u -p 2724 -s 396 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: GIYUCke96G.exe | Virustotal: Detection: 13%
Source: C:\Users\user\Desktop\GIYUCke96G.exe | Code function: 0_2_00000001402B25F8 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00000001402B25F8
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
Source: C:\Users\user\Desktop\GIYUCke96G.exe | Code function: 0_2_0000000140008E2E 0_2_0000000140008E2E
Source: C:\Users\user\Desktop\GIYUCke96G.exe | Code function: 0_2_00000001402B109C 0_2_00000001402B109C
Source: C:\Users\user\Desktop\GIYUCke96G.exe | Code function: 0_2_00000001402B25F8 0_2_00000001402B25F8
Source: C:\Users\user\Desktop\GIYUCke96G.exe | Code function: 0_2_0000000140008ED6 0_2_0000000140008ED6
Source: C:\Users\user\Desktop\GIYUCke96G.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2724 -s 396
Source: GIYUCke96G.exe | Binary or memory string: OriginalFilename vs GIYUCke96G.exe
Source: GIYUCke96G.exe, 00000000.00000000.2003520250.00000001402E1000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSpaceflight> vs GIYUCke96G.exe
Source: GIYUCke96G.exe | Binary or memory string: OriginalFilenameSpaceflight> vs GIYUCke96G.exe
Source: classification engine | Classification label: mal52.evad.winEXE@2/5@0/0
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2724
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\517a9fb7-3793-4e23-978f-cdbe69ec6437
Source: GIYUCke96G.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\GIYUCke96G.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: GIYUCke96G.exe | Virustotal: Detection: 13%
Source: unknown | Process created: C:\Users\user\Desktop\GIYUCke96G.exe "C:\Users\user\Desktop\GIYUCke96G.exe"
Source: C:\Users\user\Desktop\GIYUCke96G.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2724 -s 396
Source: C:\Users\user\Desktop\GIYUCke96G.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\GIYUCke96G.exe | Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\GIYUCke96G.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\GIYUCke96G.exe | Section loaded: kernel.appcore.dll
Source: GIYUCke96G.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: GIYUCke96G.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: GIYUCke96G.exe | Static file information: File size 2983936 > 1048576
Source: GIYUCke96G.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2b8e00
Source: GIYUCke96G.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\GIYUCke96G.exe | Code function: 0_2_00000001400041A0 LoadLibraryA,GetProcAddress, 0_2_00000001400041A0
Source: GIYUCke96G.exe | Static PE information: section name: _RDATA
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GIYUCke96G.exe | API coverage: 3.0 %
Source: C:\Users\user\Desktop\GIYUCke96G.exe | Code function: 0_2_00000001402B25F8 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00000001402B25F8
Source: Amcache.hve.4.dr | Binary or memory string: VMware
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\GIYUCke96G.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\GIYUCke96G.exe | Code function: 0_2_00000001402B1FEC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00000001402B1FEC
Source: C:\Users\user\Desktop\GIYUCke96G.exe | Code function: 0_2_00000001400041A0 LoadLibraryA,GetProcAddress, 0_2_00000001400041A0
Source: C:\Users\user\Desktop\GIYUCke96G.exe | Code function: 0_2_00000001402B4E20 GetProcessHeap, 0_2_00000001402B4E20
Source: C:\Users\user\Desktop\GIYUCke96G.exe | Code function: 0_2_00000001402B1FEC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00000001402B1FEC
Source: C:\Users\user\Desktop\GIYUCke96G.exe | Code function: 0_2_00000001402AC894 SetUnhandledExceptionFilter, 0_2_00000001402AC894
Source: C:\Users\user\Desktop\GIYUCke96G.exe | Code function: 0_2_00000001402AC6B4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00000001402AC6B4
Source: C:\Users\user\Desktop\GIYUCke96G.exe | Code function: 0_2_00000001402B8BC8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00000001402B8BC8

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\GIYUCke96G.exe | NtMapViewOfSection: Indirect: 0x1402A95E9
Source: C:\Users\user\Desktop\GIYUCke96G.exe | Code function: 0_2_00000001402AC58C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00000001402AC58C
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe
MITRE ATT&CK matrix (a number in parentheses is the count of matched signatures for that technique; cells without a number are unmatched template entries):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API (1) | DLL Side-Loading (1) | Process Injection (1) | Virtualization/Sandbox Evasion (1) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Abuse Elevation Control Mechanism (1) | Process Injection (1) | LSASS Memory | Security Software Discovery (41) | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | DLL Side-Loading (1) | Abuse Elevation Control Mechanism (1) | Security Account Manager | Virtualization/Sandbox Evasion (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | DLL Side-Loading (1) | NTDS | File and Directory Discovery (1) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery (2) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Behavior Graph ID: 1446955
Sample: GIYUCke96G
Start date: 24/05/2024
Architecture: WINDOWS
Score: 52
Start (signature: Multi AV Scanner detection for submitted file)
  -> GIYUCke96G.exe started (signature: Found direct / indirect Syscall (likely to bypass EDR))
    -> WerFault.exe started (graph badges: 19 16)

Source | Detection | Scanner | Label | Link
GIYUCke96G.exe | 17% | ReversingLabs | |
GIYUCke96G.exe | 14% | Virustotal | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://upx.sf.net | 0% | URL Reputation | safe |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.4.dr | false | URL Reputation: safe | unknown
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1446955
Start date and time: 2024-05-24 05:24:35 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: GIYUCke96G.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name: bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9
Detection: MAL
Classification: mal52.evad.winEXE@2/5@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 92%
  • Number of executed functions: 6
  • Number of non-executed functions: 30
  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 104.208.16.94
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Time | Type | Description
23:25:43 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
No context
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.745139971575256
Encrypted: false
SSDEEP: 96:AtF1t44FzGsycqhsoa7JnuQXIDcQNc6dcEjcw3eM+HbHg/TgJ3YOZUXOyKnhfHNI:A3t4qzGxu0zZZa1j/yzuiFSZ24lO8I
MD5: 7718659ED72AAADC4C66260869ED5DE1
SHA1: 73E1D294BBA0B133C45F7FF64591BBF560251B87
SHA-256: 51DD5720C8BCD3DBDFDE6C5070A294CFA3F38E855BC4D2284C1E7B622BF88484
SHA-512: C2FE993DC4A6D56C79068C879CB2AC8126FFD1FB608F78ABD26EED16067B598350201CADD461E3C16CD83593AB678822B2D2A38F07EA9C7D53D2C1F2E93F195E
Malicious: false
Reputation: low
Preview (UTF-16 decoded, one field per line; the preview is truncated):
Version=1
EventType=APPCRASH
EventTime=133609947235708271
ReportType=2
Consent=1
UploadTime=133609947246489413
ReportStatus=524384
ReportIdentifier=9064d5b3-0f98-489e-9c5d-f62a688a6a9c
IntegratorReportIdentifier=32b7bf5d-db11-48d4-9d9f-43559f4ca347
Wow64Host=34404
NsAppName=GIYUCke96G.exe
OriginalFilename=Spaceflight
AppSessionGuid=00000aa4-0001-0014-a035-c9028aadda01
TargetAppId=W:00067bd15bf188d2d882cef560a344a851b300001d04!00003b8807f8124c0e0d8c8cd816f9a7bc30476fbf5c!GIYUCke96G...
Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Fri May 24 03:25:24 2024, 0x1205a4 type
Category: dropped
Size (bytes): 295220
Entropy (8bit): 2.652347589422294
Encrypted: false
SSDEEP: 3072:fqqSyxQf7GmTWZikG9e4vvYTFpCPxLHk9EMG6h1HOE1t:fqTGAWCvMqHtMG/E1
MD5: 362BC322FD2ED697FA854D6F3D379361
SHA1: BF53CA314CD01C18D7008DC571E308992E7B2096
SHA-256: A2DCD1BE59F91D37797C7AABA59AED063763674E6F30A1FC8592749251AAEF2A
SHA-512: D3C8DF8CE196D0E7823747FE56C376D80C767B0B817158CFFD6C6CA5FD4719C63F3B960F1D63FFE7C6DEB6354A8AFEC24F833AF80CE1895748C71A4ACCBD5D5D
Malicious: false
Reputation: low
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8570
Entropy (8bit): 3.708714771647923
Encrypted: false
SSDEEP: 192:R6l7wVeJ17cRRBQ6YEIsE2SzgmfYVTprV89bXngfUq9m:R6lXJZcRRBQ6YEzE2SzgmfYWXgfUZ
MD5: 3ACB8FE8E07C479A490D3E8351931A95
SHA1: FCDEE5500DFB41F777D72D0369C97F0281CA7852
SHA-256: 86FA126B26F23FDEF6EECE0AE6A0EE813E1A8072A25088958FDC7E35A0722FA6
SHA-512: 1FC71C78030DDD473EE27BFACD7EEDEB11D7A83BB5E21664C5D639BCE18FA6C33DB85D4E67206CD840B758A079C2691B98DBEDC29A2DBF2C28D3C3015BA3CC86
Malicious: false
Reputation: low
Preview (UTF-16 decoded; the preview is truncated):
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
  <OSVersionInformation>
    <WindowsNTVersion>10.0</WindowsNTVersion>
    <Build>19045</Build>
    <Product>(0x30): Windows 10 Pro</Product>
    <Edition>Professional</Edition>
    <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
    <Revision>2006</Revision>
    <Flavor>Multiprocessor Free</Flavor>
    <Architecture>X64</Architecture>
    <LCID>2057</LCID>
  </OSVersionInformation>
  <ProcessInformation>
    <Pid>2724</Pi...
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4752
Entropy (8bit): 4.515548037207879
Encrypted: false
SSDEEP: 48:cvIwWl8zsWJg771I9xmWpW8VY375Ym8M4JdzFuPyq85YqhZko+Pfd:uIjfsI7+n7VEoJ+Pyoo+nd
MD5: DFF5547E812D29404E1B7C7D21C21040
SHA1: E6E62A3FCA6F226C8A0838AC006349FE44438F05
SHA-256: 8451172605F0D6D68711E4674CE4E4A7960EE68FB4B3C0F84F83736CAA346BAA
SHA-512: 64D38B6009A6FAEB98542B0DC8B1C03E5518404D938BAB822EB4A6BE5737421AA6A1078F0C972D02C1752829DB7F56010EB6A11A319E57EE2B7C84929CC095B9
Malicious: false
Reputation: low
Preview (line breaks restored; the preview is truncated):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<req ver="2">
  <tlm>
    <src>
      <desc>
        <mach>
          <os>
            <arg nm="vermaj" val="10" />
            <arg nm="vermin" val="0" />
            <arg nm="verbld" val="19045" />
            <arg nm="vercsdbld" val="2006" />
            <arg nm="verqfe" val="2006" />
            <arg nm="csdbld" val="2006" />
            <arg nm="versp" val="0" />
            <arg nm="arch" val="9" />
            <arg nm="lcid" val="2057" />
            <arg nm="geoid" val="223" />
            <arg nm="sku" val="48" />
            <arg nm="domain" val="0" />
            <arg nm="prodsuite" val="256" />
            <arg nm="ntprodtype" val="1" />
            <arg nm="platid" val="2" />
            <arg nm="tmsi" val="336628" />
            <arg nm="osinsty" val="1" />
            <arg nm="iever" val="11.789.19041.0-11.0.1000" />
            <arg nm="portos" val="0" />
            <arg nm="ram" val="409
Process: C:\Windows\System32\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.42205093861428
Encrypted: false
SSDEEP: 6144:qSvfpi6ceLP/9skLmb0OT3WSPHaJG8nAgeMZMMhA2fX4WABlEnNX0uhiTw:ZvloT3W+EZMM6DFyh03w
MD5: C199CD56AEA1F55A426FD179DCDE59DA
SHA1: 71B790689E8732CF76DCEBF189C999374E976FFB
SHA-256: 6B54B6ECF8B3F9B0CDA7DB6107475F1D8729591C4883D1F4FD06D552C324F09C
SHA-512: C43817830796541C65B0BC3F7B734F94FA50657D03E5EDFFACDD54463ED5884A8E1825A2EF650E95F3BF9566E5FB5B9F374C9DDC679A8D0F7FDDEFFEAA617FB0
Malicious: false
Reputation: low
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 5.506337696486408
TrID:
  • Win64 Executable GUI (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: GIYUCke96G.exe
File size: 2'983'936 bytes
MD5: 63ba5ec400ebbe6af65441f442652faa
SHA1: 3b8807f8124c0e0d8c8cd816f9a7bc30476fbf5c
SHA256: bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9
SHA512: e240e9e07d88908057bba587e32ef1499d0c2d235eed61f1e996ce8959e1c323068ad483a96a7010ea0050440e12a0d82782e79baa186e880e4727452f3a4baf
SSDEEP: 49152:2mVZpRE5HFjH4MLMmcX17+kSmn75+dEsgY5OK:fgvFcXV3cJ5
TLSH: 4CD564092A3E0A95E0519CF0A23B4552A9BD7D1CC01C66F9CFD49B457F9AF50A0FA3EC
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............n...n...n...m...n...k...n...j...n.Gek...n.Gej...n.Gem...n...o...n...o...n..em...n...n...n.vfk...n.vf....n.vfl...n.Rich..n
Icon Hash: 00928e8e8686b000
Entrypoint: 0x1402ac338
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x663BBDCA [Wed May 8 18:00:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 05f2715d0397538255a9df69b1b5b827
Instruction
dec eax
sub esp, 28h
call 00007F1D1950B530h
dec eax
add esp, 28h
jmp 00007F1D1950B15Fh
int3
int3
dec eax
sub esp, 28h
call 00007F1D1950BAB4h
test eax, eax
je 00007F1D1950B303h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F1D1950B2E7h
dec eax
cmp ecx, eax
je 00007F1D1950B2F6h
xor eax, eax
dec eax
cmpxchg dword ptr [00032A68h], ecx
jne 00007F1D1950B2D0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F1D1950B2D9h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F1D1950B2E9h
mov byte ptr [00032A51h], 00000001h
call 00007F1D1950B8C1h
call 00007F1D1950BC8Ch
test al, al
jne 00007F1D1950B2E6h
xor al, al
jmp 00007F1D1950B2F6h
call 00007F1D19510493h
test al, al
jne 00007F1D1950B2EBh
xor ecx, ecx
call 00007F1D1950BC9Ch
jmp 00007F1D1950B2CCh
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [00032A18h], 00000000h
mov ebx, ecx
jne 00007F1D1950B349h
cmp ecx, 01h
jnbe 00007F1D1950B34Ch
call 00007F1D1950BA2Ah
test eax, eax
je 00007F1D1950B30Ah
test ebx, ebx
jne 00007F1D1950B306h
dec eax
lea ecx, dword ptr [00032A02h]
call 00007F1D195102B2h
test eax, eax
jne 00007F1D1950B2F2h
dec eax
lea ecx, dword ptr [00032A0Ah]
call 00007F1D1950B3A2h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2cbc7c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2e3000 | 0x628 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x2e1000 | 0xffc | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2ca600 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2ca4c0 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2ba000 | 0x370 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2b8d10 | 0x2b8e00 | a04fa86212fb20790f5541270260e5d2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2ba000 | 0x1283c | 0x12a00 | bedf5cc00eb85189c09aa8e63533827d | False | 0.688863255033557 | data | 6.694651511423994 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2cd000 | 0x13098 | 0xb200 | 869ad6d69795428d7887f676a87fb57f | False | 0.9097392907303371 | data | 7.555905753084373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x2e1000 | 0xffc | 0x1000 | af9df1cd9b1dc42a0358078c4a79b40c | False | 0.490478515625 | data | 5.411108677102532 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA | 0x2e2000 | 0x1f4 | 0x200 | 5ac9d95ea0733dc97f6055d8be2e8295 | False | 0.5078125 | data | 4.198538142721472 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2e3000 | 0x628 | 0x800 | c9b6fe748d633493bb092a6791cac656 | False | 0.357421875 | data | 3.260315682123659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x2e3200 | 0x428 | data | English | United States | 0.4718045112781955
RT_MANIFEST | 0x2e30a0 | 0x15a | ASCII text, with CRLF line terminators | English | United States | 0.5491329479768786
DLL | Import
KERNEL32.dll | GetModuleHandleA, GetProcAddress, LoadLibraryA, HeapCreate, WriteConsoleW, CloseHandle, CreateFileW, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, HeapReAlloc, HeapSize, GetProcessHeap, LCMapStringW, FlsFree, FlsSetValue, FlsGetValue, FlsAlloc, GetStringTypeW, GetFileType, SetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, GetCommandLineW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, RtlUnwindEx, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, EncodePointer, RaiseException, RtlPcToFileHeader, GetStdHandle, WriteFile, GetModuleFileNameW, GetCurrentProcess, ExitProcess, TerminateProcess, GetModuleHandleExW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA
ole32.dll | OleGetAutoConvert, IsAccelerator, GetClassFile, MonikerRelativePathTo, CoGetObject, CoTreatAsClass, CoFileTimeToDosDateTime, CoIsOle1Class, CoGetInstanceFromFile, CoRevokeInitializeSpy, CoRevokeMallocSpy, CLSIDFromProgIDEx, CoFileTimeNow, CoTaskMemFree, CoTaskMemRealloc, CoInvalidateRemoteMachineBindings, CoGetInterceptor, ProgIDFromCLSID, IIDFromString, StringFromIID, CoSetCancelObject, CoRevertToSelf, CoQueryClientBlanket, CoQueryProxyBlanket, CoGetCallContext, CoLockObjectExternal, CoUnmarshalHresult, CoGetPSClsid, CoResumeClassObjects, CoGetObjectContext, CoGetCurrentLogicalThreadId, CoGetCallerTID, CoGetMalloc, CoGetTreatAsClass
Language of compilation system | Country where language is spoken
English | United States
No network behavior found
Target ID:0
Start time:23:25:22
Start date:23/05/2024
Path:C:\Users\user\Desktop\GIYUCke96G.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\GIYUCke96G.exe"
Imagebase:0x140000000
File size:2'983'936 bytes
MD5 hash:63BA5EC400EBBE6AF65441F442652FAA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:4
Start time:23:25:23
Start date:23/05/2024
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -u -p 2724 -s 396
Imagebase:0x7ff69d980000
File size:570'736 bytes
MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

    Execution Graph

    Execution Coverage:0.7%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:5.4%
    Total number of Nodes:949
    Total number of Limit Nodes:17
6185->6186 6186->6179 6003 1402b1468 6006 1402b0a50 6003->6006 6013 1402b0a18 6006->6013 6011 1402b09d4 11 API calls 6012 1402b0a83 6011->6012 6014 1402b0a2d 6013->6014 6015 1402b0a28 6013->6015 6017 1402b0a34 6014->6017 6016 1402b09d4 11 API calls 6015->6016 6016->6014 6018 1402b0a49 6017->6018 6019 1402b0a44 6017->6019 6018->6011 6020 1402b09d4 11 API calls 6019->6020 6020->6018 6187 1402ac1a8 6194 1402ac894 SetUnhandledExceptionFilter 6187->6194 6195 1400040d0 6204 1400045e0 6195->6204 6205 1400040ee GetModuleHandleA 6204->6205 6206 140004400 6205->6206 6207 140004117 GetProcAddress 6206->6207 6208 140004220 6207->6208 6209 140004145 GetModuleHandleA 6208->6209 6210 1400047c0 6209->6210 6211 140004171 GetProcAddress 6210->6211 6021 1402b397c 6022 1402b3984 6021->6022 6023 1402b4b64 6 API calls 6022->6023 6024 1402b39b5 6022->6024 6025 1402b39b1 6022->6025 6023->6022 6027 1402b39e0 6024->6027 6028 1402b3a0b 6027->6028 6029 1402b3a0f 6028->6029 6030 1402b39ee DeleteCriticalSection 6028->6030 6029->6025 6030->6028 6031 1402ace7c 6032 1402ace94 6031->6032 6033 1402acea6 6031->6033 6032->6033 6035 1402ace9c 6032->6035 6034 1402acfdc _CallSETranslator 56 API calls 6033->6034 6036 1402aceab 6034->6036 6037 1402acea4 6035->6037 6038 1402acfdc _CallSETranslator 56 API calls 6035->6038 6036->6037 6039 1402acfdc _CallSETranslator 56 API calls 6036->6039 6040 1402acecb 6038->6040 6039->6037 6041 1402acfdc _CallSETranslator 56 API calls 6040->6041 6042 1402aced8 6041->6042 6043 1402b15a8 47 API calls 6042->6043 6044 1402acee1 6043->6044 6212 1402ad9bc 6213 1402acfdc _CallSETranslator 56 API calls 6212->6213 6214 1402ad9e6 6213->6214 6215 1402acfdc _CallSETranslator 56 API calls 6214->6215 6216 1402ad9f3 6215->6216 6217 1402acfdc _CallSETranslator 56 API calls 6216->6217 6218 1402ad9fc 6217->6218 6045 1402b0c79 6046 1402b15a8 47 API calls 6045->6046 6047 1402b0c7e 6046->6047 6048 1402b0cef 6047->6048 6049 1402b0ca5 GetModuleHandleW 6047->6049 6062 1402b0b7c 6048->6062 
6049->6048 6055 1402b0cb2 6049->6055 6055->6048 6057 1402b0da0 GetModuleHandleExW 6055->6057 6058 1402b0dd4 GetProcAddress 6057->6058 6061 1402b0de6 6057->6061 6058->6061 6059 1402b0e09 6059->6048 6060 1402b0e02 FreeLibrary 6060->6059 6061->6059 6061->6060 6076 1402b39c4 EnterCriticalSection 6062->6076 5389 1402b1500 5390 1402b25a8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 5389->5390 5391 1402b1510 5390->5391 5392 1402b25a8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 5391->5392 5393 1402b1524 5392->5393 5394 1402b25a8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 5393->5394 5395 1402b1538 5394->5395 5396 1402b25a8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 5395->5396 5397 1402b154c 5396->5397 5398 1402b5600 5399 1402b562a 5398->5399 5400 1402b2530 _set_fmode 11 API calls 5399->5400 5401 1402b5649 5400->5401 5402 1402b25a8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 5401->5402 5403 1402b5657 5402->5403 5404 1402b2530 _set_fmode 11 API calls 5403->5404 5408 1402b5681 5403->5408 5405 1402b5673 5404->5405 5407 1402b25a8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 5405->5407 5407->5408 5409 1402b568a 5408->5409 5410 1402b4b64 5408->5410 5411 1402b4930 5 API calls 5410->5411 5412 1402b4b9a 5411->5412 5413 1402b4bb9 InitializeCriticalSectionAndSpinCount 5412->5413 5414 1402b4b9f 5412->5414 5413->5414 5414->5408 6219 1402b14c0 6220 1402b14d9 6219->6220 6221 1402b14f1 6219->6221 6220->6221 6222 1402b25a8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 6220->6222 6222->6221 6223 1402abfc0 CoTaskMemRealloc 6226 1402abf90 CoIsOle1Class 6223->6226 6225 1402abff8 6226->6225 5415 1402b25f8 5416 1402b2638 5415->5416 5450 1402b2650 5415->5450 5417 1402b2510 _set_fmode 11 API calls 5416->5417 5418 1402b263d 5417->5418 5419 1402b22b8 _invalid_parameter_noinfo 47 API calls 5418->5419 5440 1402b2649 5419->5440 5422 1402b8ba0 _log10_special 8 API calls 5427 
1402b29b7 5422->5427 5423 1402b2880 5462 1402b0664 5423->5462 5424 1402b29e8 50 API calls 5424->5450 5425 1402b28d8 5428 1402b25a8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 5425->5428 5426 1402b2976 5431 1402b25a8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 5426->5431 5430 1402b28df 5428->5430 5429 1402b2829 5434 1402b284a 5429->5434 5437 1402b25a8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 5429->5437 5430->5434 5438 1402b25a8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 5430->5438 5435 1402b2985 5431->5435 5432 1402b2726 FindFirstFileExW 5432->5450 5433 1402b290a 5433->5426 5433->5433 5445 1402b29d2 5433->5445 5468 1402b2388 5433->5468 5436 1402b25a8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 5434->5436 5439 1402b299e 5435->5439 5444 1402b25a8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 5435->5444 5436->5440 5437->5429 5438->5430 5441 1402b25a8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 5439->5441 5440->5422 5441->5440 5442 1402b2858 5442->5434 5447 1402b25a8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 5442->5447 5444->5435 5448 1402b22d8 _invalid_parameter_noinfo 17 API calls 5445->5448 5446 1402b27cf FindNextFileW 5446->5450 5447->5442 5452 1402b29e4 5448->5452 5449 1402b284f FindClose 5449->5442 5450->5423 5450->5424 5450->5429 5450->5432 5450->5442 5450->5446 5450->5449 5451 1402b2811 FindClose 5450->5451 5454 1402b5a10 5450->5454 5451->5450 5455 1402b5a3d 5454->5455 5456 1402b2510 _set_fmode 11 API calls 5455->5456 5461 1402b5a52 5455->5461 5457 1402b5a47 5456->5457 5458 1402b22b8 _invalid_parameter_noinfo 47 API calls 5457->5458 5458->5461 5459 1402b8ba0 _log10_special 8 API calls 5460 1402b5e10 5459->5460 5460->5451 5461->5459 5463 1402b067c 5462->5463 5467 1402b06b4 5462->5467 5464 1402b2530 _set_fmode 11 API calls 5463->5464 5463->5467 5465 1402b06aa 5464->5465 5466 1402b25a8 
Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 5465->5466 5466->5467 5467->5425 5467->5433 5473 1402b23a5 5468->5473 5469 1402b23aa 5470 1402b23c0 5469->5470 5471 1402b2510 _set_fmode 11 API calls 5469->5471 5470->5433 5472 1402b23b4 5471->5472 5474 1402b22b8 _invalid_parameter_noinfo 47 API calls 5472->5474 5473->5469 5473->5470 5475 1402b23f6 5473->5475 5474->5470 5475->5470 5476 1402b2510 _set_fmode 11 API calls 5475->5476 5476->5472 5692 1402ac338 5695 1402ac58c 5692->5695 5696 1402ac5af GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 5695->5696 5697 1402ac341 5695->5697 5696->5697 5035 1400041a0 5040 1400049a0 5035->5040 5041 1400041be LoadLibraryA 5040->5041 5042 140004b80 5041->5042 5043 1400041f4 GetProcAddress 5042->5043

    Control-flow Graph

    control_flow_graph 0 140008e2e-1400231b5
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: AddressProc$ClsidFromHandleModule$BlanketCallerClassCurrentLibraryLoadLogicalMonikerObjectPathProgProxyQueryRelativeStringThreadTreat
    • String ID: @$@$H$H$Y$r
    • API String ID: 1894718216-3629373268
    • Opcode ID: 038f2c05af8015c05d38ad835665cb5cf977f3dfd20b3bc0a05d218bb1fc8148
    • Instruction ID: db909e0964cc4a4f4073fb0fa6d168423cbb36b7abef90c82d75138de18a117d
    • Opcode Fuzzy Hash: 038f2c05af8015c05d38ad835665cb5cf977f3dfd20b3bc0a05d218bb1fc8148
    • Instruction Fuzzy Hash: 4FC4A236208AC4CAC775CF29E8906EAB7A1F7C8B41F44411AEA8DC7B68DA7DD550DF10

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: CreateDXGIFactory$dxgi.dll
    • API String ID: 2574300362-1239289089
    • Opcode ID: 6fd33beb336cd2bc201b088de60c2f410a9f6ad0272571c72995a5aab73a9aac
    • Instruction ID: a5d12e359f0ca4f603bb42c86ca6ac546ffcac3e2eea99c56795c456df7880c0
    • Opcode Fuzzy Hash: 6fd33beb336cd2bc201b088de60c2f410a9f6ad0272571c72995a5aab73a9aac
    • Instruction Fuzzy Hash: 3DF01DB0205E40A2EA12DF16F889BC53330FB8C388F800111EA8D026B5DFBCC65AC704

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: __scrt_get_show_window_mode__scrt_release_startup_lock
    • String ID: XK$G
    • API String ID: 2313669860-2418997595
    • Opcode ID: 2a7e03f0da093cdaf4e397b5df884c7b75e1e2e389455218759f041a7d0a0718
    • Instruction ID: 19d0ab484c720362ae3384981da683f41ac2caa8475927e3aab0f052a83844e2
    • Opcode Fuzzy Hash: 2a7e03f0da093cdaf4e397b5df884c7b75e1e2e389455218759f041a7d0a0718
    • Instruction Fuzzy Hash: 7D215C71220A0151FE57EFA7A49EFE923A19BCD744F645425AB094B2F3DEF8C884CA04

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID:
    • API String ID: 3215553584-0
    • Opcode ID: d4681ef3ba11a55dceac8b37cdcae43a6c1429e8e55df718a07245dda3385595
    • Instruction ID: 2c4f90d464d89ff6f086db49541c5f5935f9be18aa01c26d9aa92a074346ade7
    • Opcode Fuzzy Hash: d4681ef3ba11a55dceac8b37cdcae43a6c1429e8e55df718a07245dda3385595
    • Instruction Fuzzy Hash: 6811A032204E8082F3129F16E448BDAB7B5F74C780F590925EB99A77F6EBB8D8519700

    Control-flow Graph

    APIs
    • RtlAllocateHeap.NTDLL(?,?,00000000,00000001402B1DAE,?,?,?,00000001402B2519,?,?,?,?,00000001402B0EB8), ref: 00000001402B2585
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 40713ccbbc1d0f54883f72b9beb1289b3dcab3e5003ac53910a298c115c6ae3e
    • Instruction ID: 91be01660be9446b6c820d9b2f3def065acd19d33041fa6b28724a6111d43bdf
    • Opcode Fuzzy Hash: 40713ccbbc1d0f54883f72b9beb1289b3dcab3e5003ac53910a298c115c6ae3e
    • Instruction Fuzzy Hash: C4F0F974301B0551FE7B5EA75869BE952A16B5CB80F8C84204F0A966F6EABCC889C310

    Control-flow Graph

    APIs
    • __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000001402AC39C
      • Part of subcall function 00000001402ACD70: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00000001402ACD78
      • Part of subcall function 00000001402ACD70: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00000001402ACD7D
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
    • String ID:
    • API String ID: 1208906642-0
    • Opcode ID: ec16af84989917c27705a06c4fef5840aa6d90286ed2c06e97257fc3bee4fb4b
    • Instruction ID: bf3cdbdc8a70876a40036b231d277068856ae36f7c587f60011e48209eddc925
    • Opcode Fuzzy Hash: ec16af84989917c27705a06c4fef5840aa6d90286ed2c06e97257fc3bee4fb4b
    • Instruction Fuzzy Hash: BEE0E27453564081FEAB3A27150EFE906840FEE308FB084E9AB52661F3DDF644D65E22

    Control-flow Graph

    control_flow_graph 149 140008ed6-1400231b5
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: AddressBlanketCallerFromLibraryLoadObjectProcProxyQueryString
    • String ID: @$@$H$H$r
    • API String ID: 666015294-3945287539
    • Opcode ID: a0c1e5eb2b1411516c88b3d173d62224a84b06e26947a95c75cd411bf50de0b9
    • Instruction ID: c5bbe874826d3746ab1ef076448cef3d6fb6239318b3dc67789aa3bc30945ca1
    • Opcode Fuzzy Hash: a0c1e5eb2b1411516c88b3d173d62224a84b06e26947a95c75cd411bf50de0b9
    • Instruction Fuzzy Hash: C9C4A236208AC4CAC775CF29E8906EAB7A1F7C8B41F44411AEA8DC3B68DA7DD550DF10

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
    • String ID:
    • API String ID: 3140674995-0
    • Opcode ID: 7afb6d694b222e546b645fc65cd3fe91a7edead463a92d789e7364e493699f52
    • Instruction ID: 83fb1b7315c843de182df63247d62886b70938f64d569180b938eb02df73d946
    • Opcode Fuzzy Hash: 7afb6d694b222e546b645fc65cd3fe91a7edead463a92d789e7364e493699f52
    • Instruction Fuzzy Hash: 8C313B72215F8096EB618F65E844BED7374F788744F44402ADB4E47BA8DFB8C588CB10
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
    • String ID:
    • API String ID: 1239891234-0
    • Opcode ID: 4ecea2e15c50c040234c0291c608cc000d4d494e678835bf060f456b328a71e0
    • Instruction ID: c444432125d9f9a79dc32746f9ad1b7773f3e3bb89bb8b4eb258b07f06d9c8fc
    • Opcode Fuzzy Hash: 4ecea2e15c50c040234c0291c608cc000d4d494e678835bf060f456b328a71e0
    • Instruction Fuzzy Hash: B4313A32214F8096DB618F2AE844BDA73B4F798754F500126EB9D43BA9EF78C549CB00
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: FileFindFirst_invalid_parameter_noinfo
    • String ID:
    • API String ID: 2227656907-0
    • Opcode ID: fc25b786cef1f5a770a2721d84f12a51ee61daf0edec9664a92732eaae3375a1
    • Instruction ID: 77de8bb249ac00d04cb752a060f1fe343503dfef3a3a4c6c0652030635d203e0
    • Opcode Fuzzy Hash: fc25b786cef1f5a770a2721d84f12a51ee61daf0edec9664a92732eaae3375a1
    • Instruction Fuzzy Hash: 7AB1BF32714F9041EA66DF279818BE9A3B0E74DBE0F545521EF9A17BE9DEB8C449C300
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
    • String ID:
    • API String ID: 2933794660-0
    • Opcode ID: 1d5a125baf1684abd2bac30192f0ce4b34ea4ad278dec54152c71ef2b7d62ff5
    • Instruction ID: cd2491e243a284785d01627eb49247af546fe745c2aaeddbc20f1ebf55742304
    • Opcode Fuzzy Hash: 1d5a125baf1684abd2bac30192f0ce4b34ea4ad278dec54152c71ef2b7d62ff5
    • Instruction Fuzzy Hash: 64112A36710F009AEB00DF65E8587A833B4F75D758F441E21EB6D467A4EFB8C5998380
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(?,?,00000001,00000001402B8CC9,?,?,?,?,?,?,00000001402B212F), ref: 00000001402B8BD3
    • UnhandledExceptionFilter.KERNEL32(?,?,00000001,00000001402B8CC9,?,?,?,?,?,?,00000001402B212F), ref: 00000001402B8BDC
    • GetCurrentProcess.KERNEL32(?,?,00000001,00000001402B8CC9,?,?,?,?,?,?,00000001402B212F), ref: 00000001402B8BE2
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled$CurrentProcess
    • String ID:
    • API String ID: 1249254920-0
    • Opcode ID: 3c02acc70f0df77d87e0d5b1984459dd989929ec50c3f486856a545a05351746
    • Instruction ID: 3aef326eb1f4ca4ea36ee6b3ab0b679ace7ee8178ade7272b6060aa97718c362
    • Opcode Fuzzy Hash: 3c02acc70f0df77d87e0d5b1984459dd989929ec50c3f486856a545a05351746
    • Instruction Fuzzy Hash: 49D0C972620E05A6FB9A1F67AC1DBA53274A75CB55F041024CB8B463B0EDBCC8858B00
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: HeapProcess
    • String ID:
    • API String ID: 54951025-0
    • Opcode ID: 16544bf4b707b4a64cbb28ea833b87f135aa1759d969d46fabe785ab77718a3b
    • Instruction ID: 74d79dc8844c5c2b7bacbea1c1cd9462be4e2e3e852a3e9f97c073a02851643e
    • Opcode Fuzzy Hash: 16544bf4b707b4a64cbb28ea833b87f135aa1759d969d46fabe785ab77718a3b
    • Instruction Fuzzy Hash: 35B09230A0BB10C6EA4A2B1A6C8AB4432A57B8C700F884018820D40370DB7C04AEA700
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: ErrorFreeHeapLast
    • String ID:
    • API String ID: 485612231-0
    • Opcode ID: 8dd82e51f9094549ab372f28f6d10f50b60e234daa541b0fb578bf1e71a59b57
    • Instruction ID: 184f0d3e74c4f3ea14d1a38f50f63c01c45697b48cde2d777242e4a59ee03b9e
    • Opcode Fuzzy Hash: 8dd82e51f9094549ab372f28f6d10f50b60e234daa541b0fb578bf1e71a59b57
    • Instruction Fuzzy Hash: F2419372320E5441EF08CF6BD958B9963A5B74CFD0F899426EF0D97BA8EA7CC5428340
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b44a64da980616001572add55df9b11eca919e0492d44fc2c0d224aef2fd1f8a
    • Instruction ID: 98b10b4cb8a65fdcffe13ad5fb5942c90e1b934b02d98d098e411b4ea6ffe468
    • Opcode Fuzzy Hash: b44a64da980616001572add55df9b11eca919e0492d44fc2c0d224aef2fd1f8a
    • Instruction Fuzzy Hash: 5AA00231124D00E8EA478F0AE958B903370F7DC711F561011C28D450F09FBCC580CB00

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: MpExitThread$MpIntHandlerReturnAddress$kernel32.dll$ntdll.dll
    • API String ID: 1646373207-4278568421
    • Opcode ID: 9d6eb343c31b395ef900622fd9a5d8ba87d908a8a948cb6debcc423d49452964
    • Instruction ID: b849397bb44b0204d56fe51950d9367d1ff3146b5519135c410321b03221b8da
    • Opcode Fuzzy Hash: 9d6eb343c31b395ef900622fd9a5d8ba87d908a8a948cb6debcc423d49452964
    • Instruction Fuzzy Hash: 4211DAB0615E45A2EA02EF06F899BD53331FF98789F805112E78D026BADFBCC51AC745

    Control-flow Graph
    • Function starting at 1402adef0 (basic blocks 1402adef0-1402ae3bf, calling only internal subroutines; rendered executed/not-executed graph not reproduced in text)
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
    • String ID: csm$csm$csm
    • API String ID: 849930591-393685449
    • Opcode ID: 53ba46935211f5bb2626f798b32362ec7b2ee2b9245032b631a617e438222d51
    • Instruction ID: 82d85fddde6d129d42f4bf4f3b2058e7b870944069e593be76e93710cec264b3
    • Opcode Fuzzy Hash: 53ba46935211f5bb2626f798b32362ec7b2ee2b9245032b631a617e438222d51
    • Instruction Fuzzy Hash: 50D18E326047408AEFA29F669448BED77A4F789788F100116EF8957BE6DFB4D4D2CB00

    Control-flow Graph
    • Function starting at 1402b4930 (basic blocks 1402b4930-1402b4aea, calling LoadLibraryExW, GetLastError, GetProcAddress and FreeLibrary; rendered executed/not-executed graph not reproduced in text)
    APIs
    • FreeLibrary.KERNEL32(?,?,?,00000001402B4B14,?,?,00000000,00000001402B3A87,?,?,?,00000001402B0D85), ref: 00000001402B4AAC
    • GetProcAddress.KERNEL32(?,?,?,00000001402B4B14,?,?,00000000,00000001402B3A87,?,?,?,00000001402B0D85), ref: 00000001402B4AB8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: AddressFreeLibraryProc
    • String ID: api-ms-$ext-ms-
    • API String ID: 3013587201-537541572
    • Opcode ID: 5d6a5311eb4bc1c95701d5d1e895e2b0fd73fdef6fdd7d0d0f7372516c60878a
    • Instruction ID: 06d522773d8a8ca9966846ec17400faa1ad987793dd7ec90bd03e2a83c5148b6
    • Opcode Fuzzy Hash: 5d6a5311eb4bc1c95701d5d1e895e2b0fd73fdef6fdd7d0d0f7372516c60878a
    • Instruction Fuzzy Hash: 7941EF32311E0055FA57DF17A868FE633A5BB4DBA0F494525DF1A877E4EBB8C8458304

    Control-flow Graph
    • Function starting at 1402ad1a4 (basic blocks 1402ad1a4-1402ad2f1, calling LoadLibraryExW, GetLastError, GetProcAddress and FreeLibrary; rendered executed/not-executed graph not reproduced in text)
    APIs
    • LoadLibraryExW.KERNEL32(?,?,?,00000001402AD456,?,?,?,00000001402AD148,?,?,?,00000001402ACD51), ref: 00000001402AD229
    • GetLastError.KERNEL32(?,?,?,00000001402AD456,?,?,?,00000001402AD148,?,?,?,00000001402ACD51), ref: 00000001402AD237
    • LoadLibraryExW.KERNEL32(?,?,?,00000001402AD456,?,?,?,00000001402AD148,?,?,?,00000001402ACD51), ref: 00000001402AD261
    • FreeLibrary.KERNEL32(?,?,?,00000001402AD456,?,?,?,00000001402AD148,?,?,?,00000001402ACD51), ref: 00000001402AD2CF
    • GetProcAddress.KERNEL32(?,?,?,00000001402AD456,?,?,?,00000001402AD148,?,?,?,00000001402ACD51), ref: 00000001402AD2DB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: Library$Load$AddressErrorFreeLastProc
    • String ID: api-ms-
    • API String ID: 2559590344-2084034818
    • Opcode ID: e9c3f50ec1f98a7e9b1b681d67c19bc6bc9752d652689df3ffb4f6013840189f
    • Instruction ID: b63d76a067078693628ebc254d0fe4b49e9123f586089ee67f1a61bb1a305f04
    • Opcode Fuzzy Hash: e9c3f50ec1f98a7e9b1b681d67c19bc6bc9752d652689df3ffb4f6013840189f
    • Instruction Fuzzy Hash: 8C316F31212A4095FE539B57A808FA973A4BB4DBA0F490525DF2A0B7E5DFF8C484C710
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: Value$ErrorLast
    • String ID:
    • API String ID: 2506987500-0
    • Opcode ID: a70fca26f3ff1ffc5a55be8c5e041165c6d3e87c69df41f6170837a29767432e
    • Instruction ID: b86a79f1a6aacf9c4149a11fb0b2c54f4f4af59a35e7c725aabdc827c6088df9
    • Opcode Fuzzy Hash: a70fca26f3ff1ffc5a55be8c5e041165c6d3e87c69df41f6170837a29767432e
    • Instruction Fuzzy Hash: BF219F30640E4046FA6B6F27559DFE9A2725F8C7B0F8407159B3617AFBEAB8D4418341
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
    • String ID: CONOUT$
    • API String ID: 3230265001-3130406586
    • Opcode ID: 59020282af0195f56efa03fd2ec33a8f64bf3b3806e062863287542de83bc4c3
    • Instruction ID: 5d1e608fd77b7b2910ede1372bd08be6ab464e9527296ee1406915c86026e712
    • Opcode Fuzzy Hash: 59020282af0195f56efa03fd2ec33a8f64bf3b3806e062863287542de83bc4c3
    • Instruction Fuzzy Hash: 93114631614F4086E7529F57A848BA9B2B0B78CBE4F044224EB5A87BE4CFBCC9098744
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: ClassFrom$CallClsidContextCurrentExternalLockLogicalMonikerObjectOle1PathProgRelativeStringThreadTreat
    • String ID:
    • API String ID: 2790724248-0
    • Opcode ID: 9e723ffa1d0d076d79e1c5e55415b8ae45ace31598d3c28666bc8cd7fd53cc10
    • Instruction ID: 129da82e473dd3075e7a8703c3825d575e70e3cce9467bf59fede5eea76b9eb4
    • Opcode Fuzzy Hash: 9e723ffa1d0d076d79e1c5e55415b8ae45ace31598d3c28666bc8cd7fd53cc10
    • Instruction Fuzzy Hash: 4DE1B6762086D48AD775CF29F8906EAB7A1F7C8B45F044016EAC9C3B69DA3DD454DF00
    APIs
    • GetLastError.KERNEL32(?,?,?,00000001402B2519,?,?,?,?,00000001402B0EB8,?,?,?,?,00000001402AC0FC), ref: 00000001402B1D5B
    • FlsSetValue.KERNEL32(?,?,?,00000001402B2519,?,?,?,?,00000001402B0EB8,?,?,?,?,00000001402AC0FC), ref: 00000001402B1D91
    • FlsSetValue.KERNEL32(?,?,?,00000001402B2519,?,?,?,?,00000001402B0EB8,?,?,?,?,00000001402AC0FC), ref: 00000001402B1DBE
    • FlsSetValue.KERNEL32(?,?,?,00000001402B2519,?,?,?,?,00000001402B0EB8,?,?,?,?,00000001402AC0FC), ref: 00000001402B1DCF
    • FlsSetValue.KERNEL32(?,?,?,00000001402B2519,?,?,?,?,00000001402B0EB8,?,?,?,?,00000001402AC0FC), ref: 00000001402B1DE0
    • SetLastError.KERNEL32(?,?,?,00000001402B2519,?,?,?,?,00000001402B0EB8,?,?,?,?,00000001402AC0FC), ref: 00000001402B1DFB
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: Value$ErrorLast
    • String ID:
    • API String ID: 2506987500-0
    • Opcode ID: c03ad0e9a7b733168ec2961516d68cdbe639793b0b399b3b9eeecdd25207eff4
    • Instruction ID: 0080a9497d16bcc9fe18a3875e0d67d3ae284b14e83a5c6cf68b654368fd94c1
    • Opcode Fuzzy Hash: c03ad0e9a7b733168ec2961516d68cdbe639793b0b399b3b9eeecdd25207eff4
    • Instruction Fuzzy Hash: 3A116D30700E4142FA6A6F6755ADFE9A2765F8C7B4F844724AB36177FAEEB8D4018340
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    • Opcode ID: e55bd0b1403aa2014f467cd01813cc845d5c2c56ced8563d805b4115a3cf5df4
    • Instruction ID: add9246c5e9ede50f4bf8aa1e29a6c9535212e6fcf2bea2237dcd7864fc0db9c
    • Opcode Fuzzy Hash: e55bd0b1403aa2014f467cd01813cc845d5c2c56ced8563d805b4115a3cf5df4
    • Instruction Fuzzy Hash: 48F06D71314E0592FB128F66E88DBAA7370EB8D7A1F9806158B6A452F4DFBCC089C300
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: ClassClsidTreat
    • String ID:
    • API String ID: 1148556228-0
    • Opcode ID: 75d63db680d2b9a16afb577865a4eb3da8d832d55886949f4a7a4e6320b6c736
    • Instruction ID: 32e909c1382f93d16e67e44568d2f9aef9a5eeaa51fffa28eb5c5f75dc019e5d
    • Opcode Fuzzy Hash: 75d63db680d2b9a16afb577865a4eb3da8d832d55886949f4a7a4e6320b6c736
    • Instruction Fuzzy Hash: D9B1B5762086D48AD776CF29F890AEAB7A1F7C8745F048016EAC9C3B69DA3DD454CF04
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: _set_statfp
    • String ID:
    • API String ID: 1156100317-0
    • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
    • Instruction ID: b80ed0dcba908c0d23072d7c689e1cccf0bae32d795691e632377f55b12a9daf
    • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
    • Instruction Fuzzy Hash: F011C233A10E9047FA56196AE45EBFA11A06B5D378F480635EF7E163F7DAF88840C209
    APIs
    • FlsGetValue.KERNEL32(?,?,?,00000001402B1F7B,?,?,00000000,00000001402B2216,?,?,?,?,?,00000001402B21A2), ref: 00000001402B1E33
    • FlsSetValue.KERNEL32(?,?,?,00000001402B1F7B,?,?,00000000,00000001402B2216,?,?,?,?,?,00000001402B21A2), ref: 00000001402B1E52
    • FlsSetValue.KERNEL32(?,?,?,00000001402B1F7B,?,?,00000000,00000001402B2216,?,?,?,?,?,00000001402B21A2), ref: 00000001402B1E7A
    • FlsSetValue.KERNEL32(?,?,?,00000001402B1F7B,?,?,00000000,00000001402B2216,?,?,?,?,?,00000001402B21A2), ref: 00000001402B1E8B
    • FlsSetValue.KERNEL32(?,?,?,00000001402B1F7B,?,?,00000000,00000001402B2216,?,?,?,?,?,00000001402B21A2), ref: 00000001402B1E9C
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: Value
    • String ID:
    • API String ID: 3702945584-0
    • Opcode ID: 898527402b68eac5eba767d064792ed4a7aab93ace82e8ef198652dc0915b7c1
    • Instruction ID: 4de571638f706919ae6df25c6cfd96c35e49882626082051ae5f3ce0676307ee
    • Opcode Fuzzy Hash: 898527402b68eac5eba767d064792ed4a7aab93ace82e8ef198652dc0915b7c1
    • Instruction Fuzzy Hash: BD115130700E4041FA5A5F67559EFE9A1A25F8C3B0F9447246B39177FAEEB8D8028340
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: Value
    • String ID:
    • API String ID: 3702945584-0
    • Opcode ID: 529461bfbc01e1e61aa39a4dc4aba4134dc8f89f54d25a08f6b99f85dc5ce63e
    • Instruction ID: 33bcb0b588fee5aa3df39017ac49c15cd0a577b8baf74d9793db043eb8b25273
    • Opcode Fuzzy Hash: 529461bfbc01e1e61aa39a4dc4aba4134dc8f89f54d25a08f6b99f85dc5ce63e
    • Instruction Fuzzy Hash: 75111E30600E0645F96FAF77546EFE951724F8D374F9807245B361A2FBEAB8D8428351
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: CallEncodePointerTranslator
    • String ID: MOC$RCC
    • API String ID: 3544855599-2084237596
    • Opcode ID: edbae846c16a31a88edb43714467db7abe634e46478ac1c1383c172d6a8dd652
    • Instruction ID: 3adc480d23967df44db561f9c056a6374caac20ecc543d29073b36b63c61db7d
    • Opcode Fuzzy Hash: edbae846c16a31a88edb43714467db7abe634e46478ac1c1383c172d6a8dd652
    • Instruction Fuzzy Hash: 0761AF32504BC485EB729F16E444BDAB7A4F798B88F044215EB9943BA9DFB8C1D1CF00
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
    • String ID: csm$csm
    • API String ID: 3896166516-3733052814
    • Opcode ID: 152d4bd7917869bd52f2caa6e71b97cace402a0d297fb2f9916aea461b0fb961
    • Instruction ID: ebb6f32fa9368eb824865e4ca584f9252a2abe74f33584830eec0ab777c4956f
    • Opcode Fuzzy Hash: 152d4bd7917869bd52f2caa6e71b97cace402a0d297fb2f9916aea461b0fb961
    • Instruction Fuzzy Hash: 58516A321043818AEFB68F279448B99B7A0F798B94F184116DB9947BF5CFB8D492CF01
    APIs
    • _invalid_parameter_noinfo.LIBCMT ref: 00000001402B06F6
      • Part of subcall function 00000001402B25A8: HeapFree.KERNEL32(?,?,?,00000001402B41E2,?,?,?,00000001402B421F,?,?,00000000,00000001402B4779,?,?,?,00000001402B46AB), ref: 00000001402B25BE
      • Part of subcall function 00000001402B25A8: GetLastError.KERNEL32(?,?,?,00000001402B41E2,?,?,?,00000001402B421F,?,?,00000000,00000001402B4779,?,?,?,00000001402B46AB), ref: 00000001402B25C8
    • GetModuleFileNameW.KERNEL32(?,?,?,?,?,00000001402AC135), ref: 00000001402B0714
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
    • String ID: &#\$C:\Users\user\Desktop\GIYUCke96G.exe
    • API String ID: 3580290477-673798171
    • Opcode ID: 1f182a73aac2f63ee901aeb77ae39cd8f7c5f534c323df601954f97e71ed5bc6
    • Instruction ID: 731d5fcc0904e1efb9e29ed5133549a2c8bcba74a995fe2bbd9c4cfb65c02b1d
    • Opcode Fuzzy Hash: 1f182a73aac2f63ee901aeb77ae39cd8f7c5f534c323df601954f97e71ed5bc6
    • Instruction Fuzzy Hash: 9E415A36200F1086EB5BDF269499BD867B4FB49784F544025EF4A47BE5DEB4C886C340
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: FileWrite$ConsoleErrorLastOutput
    • String ID:
    • API String ID: 2718003287-0
    • Opcode ID: 3e55d197cb4fd040717d7d18928ff8f083d1fdba854d7873bf9f6328faa62473
    • Instruction ID: 8a4ca609e0459c841ebcfda85ff955622ac0de25bdc95d7efa7edcb538ba1ec2
    • Opcode Fuzzy Hash: 3e55d197cb4fd040717d7d18928ff8f083d1fdba854d7873bf9f6328faa62473
    • Instruction Fuzzy Hash: F7D1C072B14A8089EB12CF7AD448BEC37B2F348798F544216DF5997BE9DA78C656C300
    APIs
    • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001402B6DDF,00000000), ref: 00000001402B6F10
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001402B6DDF,00000000), ref: 00000001402B6F9B
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: ConsoleErrorLastMode
    • String ID:
    • API String ID: 953036326-0
    • Opcode ID: 9eac54bd6c75c4ebe736856536f372676b4d86a5fcdbfb547ee41adf422539b4
    • Instruction ID: afa4170ec0e156098d3d032a1e4e5eebcc79cd74d045bb7713ee4ed03bbbe6a1
    • Opcode Fuzzy Hash: 9eac54bd6c75c4ebe736856536f372676b4d86a5fcdbfb547ee41adf422539b4
    • Instruction Fuzzy Hash: 4991B072A10E5089FB62DF76944CFED2BB0B748B88F54450ADF0A67AE5DBB8C546C700
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: Unwind__except_validate_context_record
    • String ID: csm
    • API String ID: 2208346422-1018135373
    • Opcode ID: 02e68a7d6bb79483a0bbcb538f19e95ff16182eddf9f76867ba183ede814b7c6
    • Instruction ID: 9033415f59a6bcbf5142e4a7ac6e387891085fea44cfb2b43f7779141293c78b
    • Opcode Fuzzy Hash: 02e68a7d6bb79483a0bbcb538f19e95ff16182eddf9f76867ba183ede814b7c6
    • Instruction Fuzzy Hash: 395197313216048ADB56CF16D448FAC7792F78CBA8F214126DB59477E8DFB9C881CB40
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: ErrorFileLastWrite
    • String ID: U
    • API String ID: 442123175-4171548499
    • Opcode ID: d98ccc516a040d0fbb63b4cb3d17f57cbb66125e9d0163cf1dc3dc5065568bda
    • Instruction ID: 2a36691b13364a63a1313190ee8f24a34a05acf339daa4aacc758e743ed2f374
    • Opcode Fuzzy Hash: d98ccc516a040d0fbb63b4cb3d17f57cbb66125e9d0163cf1dc3dc5065568bda
    • Instruction Fuzzy Hash: 35419F72615A4096EB618F26E84C7EA67B1F798784F804022EF8D877A8EB7CC541CB40
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
    • Associated: 00000000.00000002.2219074004.0000000140000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219337706.00000001402BA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219371480.00000001402CD000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219394102.00000001402D5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2219415648.00000001402E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
    Similarity
    • API ID: ExceptionFileHeaderRaise
    • String ID: csm
    • API String ID: 2573137834-1018135373
    • Opcode ID: 4fc5bd0555118f10ac28622562c5a9382fbcb77a1f611ff60af8d35965ad6150
    • Instruction ID: 4d6c75e4a0dae62cc35f78e48ce22abc3b9a7a6f2557e454d25e43e1e41479b6
    • Opcode Fuzzy Hash: 4fc5bd0555118f10ac28622562c5a9382fbcb77a1f611ff60af8d35965ad6150
    • Instruction Fuzzy Hash: 9C112B36214B8082EBA28F16E444799B7E4F78CB84F584220EF8D077A8DF7CC5518B00
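    The function entries above all follow one fixed layout (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity), and the Opcode ID in each Similarity box is what lets identical functions be matched across samples. The parser below is an added example and not Joe Sandbox code: it turns that layout into records, reports which Win32 APIs each fingerprinted function calls, and intersects Opcode IDs between two reports. SAMPLE is constructed from two of the entries on this page; looks_like_msvc_eh() is my own heuristic (the "csm" String ID is the low three bytes of the MSVC C++ exception code 0xE06D7363, which is why Unwind/_except_validate_context_record/RaiseException entries carry it), not a report field.

```python
"""Parse the per-function detail entries of a Joe Sandbox report (APIs, Strings,
Memory Dump Source, Joe Sandbox IDA Plugin, Similarity) into records that can be
queried and diffed. Added example, not Joe Sandbox code: SAMPLE is constructed
from two entries on the page and looks_like_msvc_eh() is a heuristic of mine."""
import re
from dataclasses import dataclass, field

SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
API_RE = re.compile(r"^(?P<name>\w+)(?:\.(?P<module>\w+))?\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)    # (name, module, call-site address)
    strings: list = field(default_factory=list)
    dump_source: str = ""                       # .sdmp the function was lifted from
    fields: dict = field(default_factory=dict)  # Snapshot File + Similarity key/values

    @property
    def opcode_id(self) -> str:
        return self.fields.get("Opcode ID", "")

    @property
    def api_names(self) -> list:
        return [name for name, _module, _ref in self.apis]


def parse_entries(text: str) -> list:
    """An entry ends at its 'Instruction Fuzzy Hash' bullet, the last Similarity line."""
    entries, cur, section = [], FunctionEntry(), None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in SECTIONS:            # bare section header, no bullet
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                cur.apis.append((m["name"], m["module"] or "", m["ref"]))
        elif section == "Strings":
            cur.strings.append(line)
        elif section == "Memory Dump Source":
            if line.startswith("Source File:"):  # keep only the .sdmp name
                cur.dump_source = line.split(":", 1)[1].split(",", 1)[0].strip()
        elif section in ("Joe Sandbox IDA Plugin", "Similarity"):
            m = KV_RE.match(line)
            if m:
                cur.fields[m["key"].strip()] = m["value"].strip()
            if line.startswith("Instruction Fuzzy Hash:"):
                entries.append(cur)
                cur, section = FunctionEntry(), None
    return entries


def shared_functions(a: list, b: list) -> set:
    """Opcode IDs in both reports: identical function code seen in two samples."""
    return {e.opcode_id for e in a} & {e.opcode_id for e in b}


def looks_like_msvc_eh(e: FunctionEntry) -> bool:
    """Heuristic (assumption): 'csm' = low bytes of the MSVC C++ exception code
    0xE06D7363 ('msc' | 0xE0000000), i.e. CRT exception plumbing, not sample logic."""
    return e.fields.get("String ID", "") == "csm"


# Constructed sample: two entries in the order the report prints them.
SAMPLE = """\
APIs
• GetConsoleMode.KERNEL32(?,?,00000000,00000001402B6DDF,00000000), ref: 00000001402B6F10
• GetLastError.KERNEL32(?,?,00000000,00000001402B6DDF,00000000), ref: 00000001402B6F9B
Memory Dump Source
• Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
• Opcode ID: 9eac54bd6c75c4ebe736856536f372676b4d86a5fcdbfb547ee41adf422539b4
• Instruction ID: afa4170ec0e156098d3d032a1e4e5eebcc79cd74d045bb7713ee4ed03bbbe6a1
• Opcode Fuzzy Hash: 9eac54bd6c75c4ebe736856536f372676b4d86a5fcdbfb547ee41adf422539b4
• Instruction Fuzzy Hash: 4991B072A10E5089FB62DF76944CFED2BB0B748B88F54450ADF0A67AE5DBB8C546C700
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2219093308.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_GIYUCke96G.jbxd
Similarity
• API ID: Unwind__except_validate_context_record
• String ID: csm
• API String ID: 2208346422-1018135373
• Opcode ID: 02e68a7d6bb79483a0bbcb538f19e95ff16182eddf9f76867ba183ede814b7c6
• Instruction ID: 9033415f59a6bcbf5142e4a7ac6e387891085fea44cfb2b43f7779141293c78b
• Opcode Fuzzy Hash: 02e68a7d6bb79483a0bbcb538f19e95ff16182eddf9f76867ba183ede814b7c6
• Instruction Fuzzy Hash: 395197313216048ADB56CF16D448FAC7792F78CBA8F214126DB59477E8DFB9C881CB40
"""

if __name__ == "__main__":
    print([(e.fields["API ID"], e.api_names, looks_like_msvc_eh(e)) for e in parse_entries(SAMPLE)])
```

    Run against two full reports, shared_functions() lists code common to both samples; entries flagged by looks_like_msvc_eh(), or whose APIs are only CRT helpers, should be discounted before treating any overlap as evidence of a shared author or toolkit, since statically linked runtime code matches across unrelated binaries.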