Windows Analysis Report
daRNfwifay.exe

Overview

General Information

Sample name: daRNfwifay.exe (renamed because the original name is a hash value)
Original sample name: 00a69916c649b8f347552f045d9529ef.exe
Analysis ID: 1469325
MD5: 00a69916c649b8f347552f045d9529ef
SHA1: 834062535c07857f99732e009358373a9321036a
SHA256: 962e9a7e391ed22b6567bc43ea2e2e9e8e8750601562a8356ffcb15c649a3ca0
Tags: 64, exe, trojan

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Stop EventLog
System process connects to network (likely due to code injection or exploit)
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
DNS related to crypt mining pools
Detected Stratum mining protocol
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Creates driver files
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • daRNfwifay.exe (PID: 1048 cmdline: "C:\Users\user\Desktop\daRNfwifay.exe" MD5: 00A69916C649B8F347552F045D9529EF)
    • sc.exe (PID: 3960 cmdline: C:\Windows\system32\sc.exe delete "Windows.Services" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1524 cmdline: C:\Windows\system32\sc.exe create "Windows.Services" binpath= "C:\ProgramData\system_services.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6260 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1408 cmdline: C:\Windows\system32\sc.exe start "Windows.Services" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • system_services.exe (PID: 7000 cmdline: C:\ProgramData\system_services.exe MD5: 00A69916C649B8F347552F045D9529EF)
    • conhost.exe (PID: 6280 cmdline: C:\Windows\system32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • explorer.exe (PID: 5612 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  • svchost.exe (PID: 1408 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source: dump.pcap | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security
Source: 0000000C.00000002.4563061570.000000000097F000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security
Source: Process Memory Space: explorer.exe PID: 5612 | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: C:\Windows\system32\sc.exe create "Windows.Services" binpath= "C:\ProgramData\system_services.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "Windows.Services" binpath= "C:\ProgramData\system_services.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\daRNfwifay.exe", ParentImage: C:\Users\user\Desktop\daRNfwifay.exe, ParentProcessId: 1048, ParentProcessName: daRNfwifay.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "Windows.Services" binpath= "C:\ProgramData\system_services.exe" start= "auto", ProcessId: 1524, ProcessName: sc.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 1408, ProcessName: svchost.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\daRNfwifay.exe", ParentImage: C:\Users\user\Desktop\daRNfwifay.exe, ParentProcessId: 1048, ParentProcessName: daRNfwifay.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 6260, ProcessName: sc.exe
No Snort rule has matched

AV Detection

Source: C:\ProgramData\system_services.exe | ReversingLabs: Detection: 63%
Source: daRNfwifay.exe | ReversingLabs: Detection: 63%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

Bitcoin Miner

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0000000C.00000002.4563061570.000000000097F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 5612, type: MEMORYSTR
Source: unknown | DNS query: name: xmr-us-east1.nanopool.org
Source: global traffic | TCP traffic: 192.168.2.6:49710 -> 51.222.200.133:10300 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"47qkgrcp96j3spw9abe8dremfsjhp41py4cr83j9zexpdctcmxjz3rcjczsd8gzrjmuyrzfppb5b2u5p2rpmuami1i9sttg","pass":"service1","agent":"xmrig/6.19.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/gpu","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","panthera","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}
Source: daRNfwifay.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb | source: system_services.exe, 0000000A.00000003.2104745873.000001855E4F0000.00000004.00000001.00020000.00000000.sdmp

Networking

Source: C:\Windows\explorer.exe | Network Connect: 51.222.200.133 10300
Source: global traffic | TCP traffic: 192.168.2.6:49710 -> 51.222.200.133:10300
Source: Joe Sandbox View | ASN Name: OVHFR OVHFR
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: xmr-us-east1.nanopool.org
Source: system_services.exe, 0000000A.00000003.2104745873.000001855E4F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: system_services.exe, 0000000A.00000003.2104745873.000001855E4F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: system_services.exe, 0000000A.00000003.2104745873.000001855E4F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: system_services.exe, 0000000A.00000003.2104745873.000001855E4F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: C:\Windows\explorer.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\daRNfwifay.exe | Code function: 0_2_00007FF6CE591394 NtQuerySymbolicLinkObject
Source: C:\ProgramData\system_services.exe | Code function: 10_2_00007FF6D1951394 NtCreateTransaction
Source: C:\Windows\System32\conhost.exe | Code function: 11_2_0000000140001394 NtClose
Source: C:\ProgramData\system_services.exe | File created: C:\Windows\TEMP\qmnhqdjgokix.sys
Source: C:\Users\user\Desktop\daRNfwifay.exe | Code function: 0_2_00007FF6CE593B40
Source: C:\ProgramData\system_services.exe | Code function: 10_2_00007FF6D1953B40
Source: C:\Windows\System32\conhost.exe | Code function: 11_2_0000000140003160
Source: C:\Windows\System32\conhost.exe | Code function: 11_2_00000001400026E0
Source: Joe Sandbox View | Dropped File: C:\Windows\Temp\qmnhqdjgokix.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
Source: C:\Users\user\Desktop\daRNfwifay.exe | Code function: String function: 00007FF6CE591394 appears 32 times
Source: C:\ProgramData\system_services.exe | Code function: String function: 00007FF6D1951394 appears 32 times
Source: classification engine | Classification label: mal100.evad.mine.winEXE@19/2@1/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4896:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2248:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5236:120:WilError_03
Source: C:\ProgramData\system_services.exe | Process created: C:\Windows\explorer.exe
Source: daRNfwifay.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\explorer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Users\user\Desktop\daRNfwifay.exe  Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: daRNfwifay.exe  ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\daRNfwifay.exe  File read: C:\Users\user\Desktop\daRNfwifay.exe
Source: unknown  Process created: C:\Users\user\Desktop\daRNfwifay.exe "C:\Users\user\Desktop\daRNfwifay.exe"
Source: C:\Users\user\Desktop\daRNfwifay.exe  Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "Windows.Services"
Source: C:\Windows\System32\sc.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\daRNfwifay.exe  Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "Windows.Services" binpath= "C:\ProgramData\system_services.exe" start= "auto"
Source: C:\Windows\System32\sc.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\daRNfwifay.exe  Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\daRNfwifay.exe  Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "Windows.Services"
Source: C:\Windows\System32\sc.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown  Process created: C:\ProgramData\system_services.exe C:\ProgramData\system_services.exe
Source: C:\ProgramData\system_services.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
Source: C:\ProgramData\system_services.exe  Process created: C:\Windows\explorer.exe explorer.exe
Source: unknown  Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\daRNfwifay.exe  Section loaded: apphelp.dll
Source: C:\ProgramData\system_services.exe  Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe  Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe  Section loaded: userenv.dll
Source: C:\Windows\explorer.exe  Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe  Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe  Section loaded: rsaenh.dll
Source: C:\Windows\explorer.exe  Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe  Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe  Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe  Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe  Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe  Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe  Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe  Section loaded: napinsp.dll
Source: C:\Windows\explorer.exe  Section loaded: pnrpnsp.dll
Source: C:\Windows\explorer.exe  Section loaded: wshbth.dll
Source: C:\Windows\explorer.exe  Section loaded: nlaapi.dll
Source: C:\Windows\explorer.exe  Section loaded: winrnr.dll
Source: C:\Windows\explorer.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe  Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe  Section loaded: fwpuclnt.dll
Source: C:\Windows\explorer.exe  Section loaded: wbemcomn.dll (the report lists this load 140 times, matching the repeated WMI process polling above)
Source: C:\Windows\explorer.exe  Section loaded: amsi.dll
Source: C:\Windows\explorer.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 (CLSID_WbemLocator, the WMI client entry point behind the Win32_Process and Win32_Processor queries in this report)
Source: daRNfwifay.exe  Static PE information: Image base 0x140000000 > 0x60000000
Source: daRNfwifay.exe  Static file information: File size 2644992 > 1048576
Source: daRNfwifay.exe  Static PE information: Raw size of .data is bigger than: 0x100000 < 0x27d000
Source: daRNfwifay.exe  Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb  source: system_services.exe, 0000000A.00000003.2104745873.000001855E4F0000.00000004.00000001.00020000.00000000.sdmp (the WinRing0 kernel driver XMRig loads for MSR access on Windows; here it is written to disk as qmnhqdjgokix.sys, the name passed in the --cinit-winring option recovered from explorer.exe memory below)
Source: daRNfwifay.exe  Static PE information: section name: .00cfg
Source: system_services.exe.0.dr  Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\daRNfwifay.exe  Code function: 0_2_00007FF6CE591394 push qword ptr [00007FF6CE59A004h]; ret  0_2_00007FF6CE591403
Source: C:\ProgramData\system_services.exe  Code function: 10_2_00007FF6D1951394 push qword ptr [00007FF6D195A004h]; ret  10_2_00007FF6D1951403
Source: C:\Windows\System32\conhost.exe  Code function: 11_2_0000000140001394 push qword ptr [0000000140008004h]; ret  11_2_0000000140001403

        Persistence and Installation Behavior

        barindex
Source: C:\ProgramData\system_services.exe  File created: C:\Windows\TEMP\qmnhqdjgokix.sys
Source: C:\Users\user\Desktop\daRNfwifay.exe  File created: C:\ProgramData\system_services.exe (dropped file)
Source: C:\ProgramData\system_services.exe  File created: C:\Windows\Temp\qmnhqdjgokix.sys (dropped file)
Source: C:\Users\user\Desktop\daRNfwifay.exe  Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "Windows.Services"
Source: C:\Windows\explorer.exe  Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe  Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
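The persistence chain in this report is entirely visible in process-creation and file-creation telemetry: four sc.exe invocations from the dropper (delete, create with a binpath under C:\ProgramData, stop eventlog, start), a .sys written to C:\Windows\Temp by the new service, and explorer.exe spawned by that service rather than by userinit. The following detector is an added example written for this page (editor's code, not Joe Sandbox's and not the sample's); the event records are constructed by hand from the report's process list, with Sysmon-style field names and invented PIDs, so it runs offline.

```python
"""Detection logic for the sc.exe persistence chain and driver drop in this report.

Added example (editor's code, not Joe Sandbox's and not the sample's). The event
records are constructed by hand to mirror the report's process and file activity;
field names follow Sysmon Event ID 1 (process create) and 11 (file create), but
nothing here parses real EVTX, and the PIDs are invented.
"""
import re
from collections import defaultdict

EVENTS = [
    {"id": 1, "pid": 100, "ppid": 1, "image": r"C:\Users\user\Desktop\daRNfwifay.exe",
     "cmd": r'"C:\Users\user\Desktop\daRNfwifay.exe"'},
    {"id": 11, "pid": 100, "target": r"C:\ProgramData\system_services.exe"},
    {"id": 1, "pid": 101, "ppid": 100, "image": r"C:\Windows\System32\sc.exe",
     "cmd": r'C:\Windows\system32\sc.exe delete "Windows.Services"'},
    {"id": 1, "pid": 102, "ppid": 100, "image": r"C:\Windows\System32\sc.exe",
     "cmd": r'C:\Windows\system32\sc.exe create "Windows.Services" binpath= "C:\ProgramData\system_services.exe" start= "auto"'},
    {"id": 1, "pid": 103, "ppid": 100, "image": r"C:\Windows\System32\sc.exe",
     "cmd": r"C:\Windows\system32\sc.exe stop eventlog"},
    {"id": 1, "pid": 104, "ppid": 100, "image": r"C:\Windows\System32\sc.exe",
     "cmd": r'C:\Windows\system32\sc.exe start "Windows.Services"'},
    {"id": 1, "pid": 200, "ppid": 4, "image": r"C:\ProgramData\system_services.exe",
     "cmd": r"C:\ProgramData\system_services.exe"},
    {"id": 11, "pid": 200, "target": r"C:\Windows\Temp\qmnhqdjgokix.sys"},
    {"id": 1, "pid": 201, "ppid": 200, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    # Benign control: an administrator restarting the print spooler.
    {"id": 1, "pid": 300, "ppid": 50, "image": r"C:\Windows\System32\sc.exe", "cmd": r"sc.exe stop spooler"},
]

# Service binaries are expected under these roots; anything else is suspicious.
TRUSTED_BIN_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Parents that legitimately start explorer.exe (logon via userinit, or explorer respawning itself).
EXPLORER_PARENTS = {"userinit.exe", "explorer.exe", "winlogon.exe"}

SC_CREATE = re.compile(r'\bsc(?:\.exe)?\s+create\s+"?([^"\s]+)"?.*?binpath=\s*(?:"([^"]+)"|(\S+))', re.I)
SC_KILL_EVENTLOG = re.compile(r"\bsc(?:\.exe)?\s+(?:stop|delete)\s+eventlog\b"
                              r"|\bsc(?:\.exe)?\s+config\s+eventlog\b.*\bstart=\s*disabled", re.I)
DRIVER_IN_TEMP = re.compile(r"\\temp\\[^\\]+\.sys$", re.I)


def findings_for(events):
    """Return [(severity, message)] for the suspicious events, plus one correlated alert
    when a single parent both installs an untrusted service and stops the Event Log."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    per_parent = defaultdict(set)          # ppid -> kinds of bad sc.exe behaviour among its children
    out = []
    for e in events:
        if e["id"] == 11:
            if DRIVER_IN_TEMP.search(e["target"]):
                out.append(("high", f"driver file written to a Temp directory by pid {e['pid']}: {e['target']}"))
            continue
        cmd, ppid = e["cmd"], e["ppid"]
        m = SC_CREATE.search(cmd)
        if m:
            binpath = m.group(2) or m.group(3)
            if not binpath.lower().startswith(TRUSTED_BIN_DIRS):
                out.append(("high", f"service {m.group(1)!r} created with binpath outside trusted dirs: {binpath}"))
                per_parent[ppid].add("untrusted_service")
        if SC_KILL_EVENTLOG.search(cmd):
            out.append(("high", f"Windows Event Log service stopped via sc.exe (pid {e['pid']})"))
            per_parent[ppid].add("eventlog_stop")
        parent = procs.get(ppid)
        if e["image"].lower().endswith("\\explorer.exe") and parent is not None:
            parent_name = parent["image"].lower().rsplit("\\", 1)[-1]
            if parent_name not in EXPLORER_PARENTS:
                out.append(("medium", f"explorer.exe started by {parent['image']} (pid {ppid}); possible injection host"))
    for ppid, kinds in per_parent.items():
        if {"untrusted_service", "eventlog_stop"} <= kinds:
            image = procs.get(ppid, {}).get("image", "?")
            out.append(("critical", f"{image} (pid {ppid}) installed an untrusted service and stopped the Event Log"))
    return out


if __name__ == "__main__":
    for severity, message in findings_for(EVENTS):
        print(f"[{severity}] {message}")
```

The benign `sc.exe stop spooler` record is there to show that the rule keys on the eventlog service and on the binpath location, not on sc.exe itself; the correlated "critical" finding is what an analyst should page on, since the three individual "high" hits can each occur alone in legitimate administration.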

        Malware Analysis System Evasion

        barindex
Source: C:\Windows\explorer.exe  System information queried: FirmwareTableInformation
Source: explorer.exe, 0000000C.00000002.4563061570.000000000097F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.4563061570.00000000009EA000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: PROCESSHACKER.EXE
Source: explorer.exe, 0000000C.00000002.4563061570.000000000097F000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: PROCESSHACKER.EXEERYER
Source: explorer.exe, 0000000C.00000002.4563061570.0000000000967000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: --ALGO=RX/0 --URL=XMR-US-EAST1.NANOPOOL.ORG:10300 --USER="47QKGRCP96J3SPW9ABE8DREMFSJHP41PY4CR83J9ZEXPDCTCMXJZ3RCJCZSD8GZRJMUYRZFPPB5B2U5P2RPMUAMI1I9STTG" --PASS="SERVICE1" --CPU-MAX-THREADS-HINT=10 --CINIT-WINRING="QMNHQDJGOKIX.SYS" --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-VERSION="3.4.0" --CINIT-IDLE-WAIT=5 --CINIT-IDLE-CPU=60 --CINIT-ID="ITUJQMUPHBXBXTBD"=
Source: explorer.exe, 0000000C.00000002.4563061570.0000000000967000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: --CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
Source: explorer.exe, 0000000C.00000002.4563061570.00000000009EA000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEDLLLECTURE=A
Source: explorer.exe, 0000000C.00000002.4563061570.0000000000967000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: EXPLORER.EXE--ALGO=RX/0--URL=XMR-US-EAST1.NANOPOOL.ORG:10300--USER=47QKGRCP96J3SPW9ABE8DREMFSJHP41PY4CR83J9ZEXPDCTCMXJZ3RCJCZSD8GZRJMUYRZFPPB5B2U5P2RPMUAMI1I9STTG--PASS=SERVICE1--CPU-MAX-THREADS-HINT=10--CINIT-WINRING=QMNHQDJGOKIX.SYS--CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE--CINIT-VERSION=3.4.0--CINIT-IDLE-WAIT=5--CINIT-IDLE-CPU=60--CINIT-ID=ITUJQMUPHBXBXTBD
Source: explorer.exe, 0000000C.00000002.4563061570.00000000009EA000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: PROCESSHACKER.EXET FACTORY
Source: explorer.exe, 0000000C.00000003.2106238001.0000000000980000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEITUJQMUPHBXBXTBD
Source: explorer.exe, 0000000C.00000002.4563061570.0000000000967000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: --ALGO=RX/0 --URL=XMR-US-EAST1.NANOPOOL.ORG:10300 --USER="47QKGRCP96J3SPW9ABE8DREMFSJHP41PY4CR83J9ZEXPDCTCMXJZ3RCJCZSD8GZRJMUYRZFPPB5B2U5P2RPMUAMI1I9STTG" --PASS="SERVICE1" --CPU-MAX-THREADS-HINT=10 --CINIT-WINRING="QMNHQDJGOKIX.SYS" --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-VERSION="3.4.0" --CINIT-IDLE-WAIT=5 --CINIT-IDLE-CPU=60 --CINIT-ID="ITUJQMUPHBXBXTBD"
Source: explorer.exe, 0000000C.00000002.4563061570.00000000009EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2106238001.0000000000980000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.4563061570.0000000000967000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
Source: C:\ProgramData\system_services.exe  Dropped PE file which has not been started: C:\Windows\Temp\qmnhqdjgokix.sys
Source: C:\Users\user\Desktop\daRNfwifay.exe  API coverage: 3.4 %
Source: C:\ProgramData\system_services.exe  API coverage: 3.4 %
Source: C:\Windows\System32\conhost.exe  API coverage: 0.9 %
Source: C:\Windows\explorer.exe TID: 6784  Thread sleep count: 91 > 30
Source: C:\Windows\explorer.exe TID: 6784  Thread sleep count: 48 > 30
Source: C:\Windows\explorer.exe  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed (listed 4 times)
Source: explorer.exe, 0000000C.00000002.4563061570.000000000097F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.4563061570.0000000000927000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW
Source: C:\Windows\explorer.exe  Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\daRNfwifay.exe  Code function: 0_2_00007FF6CE591160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,exit,  0_2_00007FF6CE591160
Source: C:\ProgramData\system_services.exe  Code function: 10_2_00007FF6D1951160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,exit,  10_2_00007FF6D1951160
Source: C:\Windows\System32\conhost.exe  Code function: 11_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,  11_2_0000000140001160
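The memory strings above contain the complete miner configuration: pool, wallet, worker password, thread cap, the name under which the WinRing0 driver is dropped, and the list of monitoring tools whose presence pauses mining (the "stealth targets" that explorer.exe polls for through WMI). The parser below is an added example written for this page (editor's code, not Joe Sandbox's and not the miner's). It takes the report's own memory string as input; because the sandbox renders memory strings in upper case, the wallet's base58 case is lost, so the code only checks the address length and prefix rather than the alphabet. The --cinit-* switches are not options of upstream XMRig, so the parser reports their presence as a wrapper indicator in its own right.

```python
"""Pull indicators out of the miner command line recovered from explorer.exe memory.

Added example (editor's code, not Joe Sandbox's and not the miner's). CMDLINE is
the memory string exactly as the report prints it (upper-cased by the sandbox).
"""
import shlex
from urllib.parse import urlsplit

CMDLINE = (
    '--ALGO=RX/0 --URL=XMR-US-EAST1.NANOPOOL.ORG:10300 '
    '--USER="47QKGRCP96J3SPW9ABE8DREMFSJHP41PY4CR83J9ZEXPDCTCMXJZ3RCJCZSD8GZRJMUYRZFPPB5B2U5P2RPMUAMI1I9STTG" '
    '--PASS="SERVICE1" --CPU-MAX-THREADS-HINT=10 --CINIT-WINRING="QMNHQDJGOKIX.SYS" '
    '--CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" '
    '--CINIT-VERSION="3.4.0" --CINIT-IDLE-WAIT=5 --CINIT-IDLE-CPU=60 --CINIT-ID="ITUJQMUPHBXBXTBD"'
)

# Monero standard addresses and subaddresses are 95 base58 characters starting with 4 or 8.
# Case is unavailable here (sandbox upper-cased the string), so the alphabet is not checked.
MONERO_LEN, MONERO_PREFIXES = 95, ("4", "8")
ALGO_COIN = {"rx/0": "RandomX (Monero)"}


def parse_args(cmdline):
    """Split a --key=value command line (double quotes honoured) into a dict with lower-cased keys."""
    opts = {}
    for tok in shlex.split(cmdline):
        if not tok.startswith("--"):
            continue
        key, _, val = tok[2:].partition("=")
        opts[key.lower()] = val
    return opts


def extract_indicators(cmdline):
    """Return the network, wallet and evasion indicators a responder would block or hunt on."""
    o = parse_args(cmdline)
    url = o.get("url", "")
    # urlsplit only separates host and port when a scheme is present; miners often omit it.
    parts = urlsplit(url if "://" in url else "stratum+tcp://" + url)
    wallet = o.get("user", "")
    algo = (o.get("algo") or "").lower()
    threads = o.get("cpu-max-threads-hint", "")
    return {
        "pool_host": parts.hostname,                   # urlsplit lower-cases the host
        "pool_port": parts.port,
        "algo": algo,
        "coin_hint": ALGO_COIN.get(algo, "unknown"),
        "wallet": wallet,
        "wallet_looks_monero": len(wallet) == MONERO_LEN and wallet[:1] in MONERO_PREFIXES,
        "worker_pass": o.get("pass"),
        "max_threads": int(threads) if threads.isdigit() else None,
        "winring_driver": o.get("cinit-winring"),      # file name the WinRing0 driver is dropped as
        "stealth_targets": [p for p in o.get("cinit-stealth-targets", "").split(",") if p],
        "idle_wait": o.get("cinit-idle-wait"),
        "cinit_wrapper": any(k.startswith("cinit-") for k in o),
    }


if __name__ == "__main__":
    for key, value in extract_indicators(CMDLINE).items():
        print(f"{key:>20}: {value}")
```

The stealth-target list explains the repeated csrss.exe/Win32_Process WMI polling in this report: the miner enumerates processes to decide whether to pause. A hunt rule built from this output should carry the pool hostname, the port, the wallet and the driver file name; the wallet is the most durable of these because it survives pool changes.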

        HIPS / PFW / Operating System Protection Evasion

        barindex
Source: C:\Windows\explorer.exe  Network Connect: 51.222.200.133 10300
Source: C:\ProgramData\system_services.exe  Memory written: PID: 5612 base: 140000000 value: 4D (0x4D is 'M', the first byte of an MZ header, written at the image base: a complete PE image is being mapped into the target process)
Source: C:\ProgramData\system_services.exe  Memory written: PID: 5612 base: 140001000 value: NU
Source: C:\ProgramData\system_services.exe  Memory written: PID: 5612 base: 140674000 value: DF
Source: C:\ProgramData\system_services.exe  Memory written: PID: 5612 base: 140847000 value: 00
Source: C:\ProgramData\system_services.exe  Memory written: PID: 5612 base: 6E3010 value: 00
Source: C:\ProgramData\system_services.exe  Thread register set: target process: 6280
Source: C:\ProgramData\system_services.exe  Thread register set: target process: 5612
Source: C:\ProgramData\system_services.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
Source: C:\ProgramData\system_services.exe  Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\explorer.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: explorer.exe, 0000000C.00000002.4563061570.00000000009EA000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: procexp.exe
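The network side of this report is a single TCP session from the hollowed explorer.exe to 51.222.200.133:10300, flagged as Stratum; note that the pool name resolves to 51.222.106.253 in the DNS table while the connection goes to 51.222.200.133, so the hostname and both addresses are indicators. Stratum is newline-delimited JSON-RPC, which makes it easy to classify from payload alone, without relying on the port. The classifier below is an added example written for this page (editor's code, not Joe Sandbox's); the two streams are constructed, modelled on the login/job/submit exchange XMRig-family miners use against Monero pools, with the report's wallet and a made-up session id, job blob and target.

```python
"""Classify a TCP stream as Stratum mining traffic and pull out the session indicators.

Added example (editor's code, not Joe Sandbox's). MINER_STREAM is constructed,
modelled on the cryptonote-style Stratum exchange; HTTP_STREAM is a benign control.
"""
import json

# Methods a miner sends (cryptonote style and classic mining.* style).
CLIENT_METHODS = {"login", "submit", "keepalived", "getjob",
                  "mining.subscribe", "mining.authorize", "mining.submit"}
# Methods a pool pushes to the miner.
SERVER_METHODS = {"job", "mining.notify", "mining.set_difficulty", "mining.set_target"}

WALLET = "47QKGRCP96J3SPW9ABE8DREMFSJHP41PY4CR83J9ZEXPDCTCMXJZ3RCJCZSD8GZRJMUYRZFPPB5B2U5P2RPMUAMI1I9STTG"

# Constructed session to the pool: login, login reply carrying the first job, one share.
MINER_STREAM = [
    ("c2s", json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login",
                        "params": {"login": WALLET, "pass": "SERVICE1",
                                   "agent": "XMRig/6.x (example)", "algo": ["rx/0"]}}).encode() + b"\n"),
    ("s2c", json.dumps({"id": 1, "jsonrpc": "2.0", "error": None,
                        "result": {"id": "sess-0001", "status": "OK",
                                   "job": {"job_id": "job-0001", "algo": "rx/0", "height": 1,
                                           "blob": "00" * 38, "target": "b88d0600"}}}).encode() + b"\n"),
    ("c2s", json.dumps({"id": 2, "jsonrpc": "2.0", "method": "submit",
                        "params": {"id": "sess-0001", "job_id": "job-0001",
                                   "nonce": "deadbeef", "result": "00" * 32}}).encode() + b"\n"),
]
# Constructed benign control on the same port: plain HTTP must not classify as Stratum.
HTTP_STREAM = [("c2s", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
               ("s2c", b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")]


def classify_line(line):
    """Return 'client', 'server' or None for one newline-delimited payload line."""
    try:
        msg = json.loads(line)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    if method in CLIENT_METHODS:
        return "client"
    if method in SERVER_METHODS:
        return "server"
    result = msg.get("result")
    if isinstance(result, dict) and "job" in result:   # login reply that carries the first job
        return "server"
    return None


def summarize_stream(stream):
    """Walk [(direction, payload_bytes)] and report whether it is Stratum plus what was seen."""
    s = {"is_stratum": False, "wallet": None, "agent": None, "algo": None, "shares_submitted": 0}
    for _direction, data in stream:
        for raw in data.split(b"\n"):
            line = raw.strip().decode("utf-8", "replace")
            if not line:
                continue
            kind = classify_line(line)
            if kind is None:
                continue
            s["is_stratum"] = True
            msg = json.loads(line)
            params = msg.get("params") or {}
            if kind == "client" and msg["method"] in ("login", "mining.authorize"):
                if isinstance(params, dict):            # cryptonote-style login object
                    s["wallet"], s["agent"] = params.get("login"), params.get("agent")
                elif params:                            # mining.authorize ["worker", "pass"]
                    s["wallet"] = params[0]
            elif kind == "client" and msg["method"] in ("submit", "mining.submit"):
                s["shares_submitted"] += 1
            elif kind == "server":
                job = (msg.get("result") or {}).get("job") or params
                if isinstance(job, dict):
                    s["algo"] = job.get("algo", s["algo"])
    return s


if __name__ == "__main__":
    print(summarize_stream(MINER_STREAM))
    print(summarize_stream(HTTP_STREAM))
```

Because the classification is payload-based, it also catches miners configured for 443 or 3333; the port is only a hint. When the pool speaks TLS (stratum+ssl), this check has to run on decrypted traffic or fall back to the DNS and destination indicators above.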
MITRE ATT&CK matrix, by tactic (the numbers are the report's match-count badges for that technique; entries without a number are unmatched cells of the matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation [11]; Service Execution [1]; At; Cron; Launchd; Scheduled Task
Persistence: Windows Service [11]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Windows Service [11]; Process Injection [311]; DLL Side-Loading [1]; Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading [1]; Virtualization/Sandbox Evasion [12]; Process Injection [311]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery [321]; Virtualization/Sandbox Evasion [12]; Process Discovery [1]; System Information Discovery [3]; Internet Connection Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [1]; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (ID: 1469325, Sample: daRNfwifay.exe, Startdate: 08/07/2024, Architecture: WINDOWS, Score: 100)

Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected Xmrig cryptocurrency miner; Sigma detected: Stop EventLog; 2 other signatures
DNS: xmr-us-east1.nanopool.org (DNS related to crypt mining pools)

daRNfwifay.exe (started)
    dropped: C:\ProgramData\system_services.exe, PE32+
    started: sc.exe (4 instances), each with its own conhost.exe
system_services.exe (started)
    dropped: C:\Windows\Temp\qmnhqdjgokix.sys, PE32+
    signatures: Multi AV Scanner detection for dropped file; Injects code into the Windows Explorer (explorer.exe); Modifies the context of a thread in another process (thread injection); Sample is not signed and drops a device driver
    started: explorer.exe
        network: 51.222.200.133:10300 from local port 49710, OVHFR, France (Detected Stratum mining protocol)
        signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    started: conhost.exe
svchost.exe (started)

Antivirus detection (Source | Detection | Scanner | Label)
daRNfwifay.exe | 63% | ReversingLabs | Win64.Packed.Generic
C:\ProgramData\system_services.exe | 63% | ReversingLabs | Win32.Coinminer.XMRig
C:\Windows\Temp\qmnhqdjgokix.sys | 5% | ReversingLabs | -
No Antivirus matches
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
xmr-us-east1.nanopool.org | 51.222.106.253 | true | true | - | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
51.222.200.133 | unknown | France | 16276 | OVHFR | true
          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1469325
          Start date and time:2024-07-08 19:31:09 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 8m 19s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:20
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:daRNfwifay.exe
          renamed because original name is a hash value
          Original Sample Name:00a69916c649b8f347552f045d9529ef.exe
          Detection:MAL
          Classification:mal100.evad.mine.winEXE@19/2@1/1
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 5
          • Number of non-executed functions: 25
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Override analysis time to 240000 for current running targets taking high CPU consumption
          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
          • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • VT rate limit hit for: daRNfwifay.exe
Timestamp | Type | Description
13:31:57 | API Interceptor | 1x Sleep call for process: daRNfwifay.exe modified
          No context
Context for xmr-us-east1.nanopool.org (Associated Sample Name / URL | Detection | Threat Name | Contacted IP)
vilxost.dll | malicious | Xmrig | 144.217.14.139
vilxost.dll | malicious | Xmrig | 142.44.243.6
dllhost.exe | malicious | Nanominer | 192.99.69.170
4rC1bQcnl5.exe | malicious | Xmrig | 144.217.14.139
LZF5sOWnss.exe | malicious | Xmrig | 144.217.14.139
4HoFnQosUb.exe | malicious | Xmrig | 142.44.242.100
P7Oa6i5muL.exe | malicious | Xmrig | 142.44.242.100
H9QnI1DbC1.exe | malicious | Xmrig | 144.217.14.139
7xhLwiPIrR.exe | malicious | Xmrig | 142.44.243.6
qhgv3aRzkZ.exe | malicious | Xmrig | 144.217.14.139
Context for ASN OVHFR (Associated Sample Name / URL | Detection | Threat Name | Contacted IP)
Complete with Docusign_ June_Commission-Report.pdf.eml | malicious | HTMLPhisher | 51.77.64.70
SecuriteInfo.com.Exploit.CVE-2018-0798.4.20958.13318.rtf | malicious | FormBook | 213.186.33.5
purchase order_pdf.exe | malicious | FormBook | 51.89.93.193
setup.exe | malicious | Babadeda, RHADAMANTHYS, RedLine | 164.132.58.105
a9d098e9a73fa5f1240d7b00540fa54472863eac62df2.exe | malicious | RedLine | 51.81.126.51
https://ransmonseversdapps.pages.dev/ | malicious | Unknown | 54.38.113.2
node.js.exe | malicious | Unknown | 151.80.29.83
node.js.exe | malicious | Unknown | 151.80.29.83
16EngN9Zwd.exe | malicious | Mars Stealer, Stealc, Vidar | 139.99.67.238
http://sectocarewl.online/mona-michelle/ | malicious | Unknown | 149.56.240.27
          No context
Context for dropped file C:\Windows\Temp\qmnhqdjgokix.sys (Associated Sample Name | Detection | Threat Name)
cherax.exe | malicious | Blank Grabber
K4gsPJGEi4.exe | malicious | Xmrig
32Vec0G7f5.exe | malicious | PureLog Stealer, Xmrig, zgRAT
BZMxi2zof1.exe | malicious | RedLine, Xmrig
file.exe | malicious | Xmrig
SecuriteInfo.com.Win32.Evo-gen.6791.6790.exe | malicious | Python Stealer, CStealer, Xmrig
d5raNaLQ8Q.exe | malicious | Xmrig
Setup.exe | malicious | RedLine, Xmrig
ZE0514.exe | malicious | Xmrig
FieroHack.exe | malicious | Xmrig
Dropped file: C:\ProgramData\system_services.exe (same MD5/SHA-256 as the submitted sample: the dropper copies itself to ProgramData and then registers that copy as the "Windows.Services" service via sc.exe)
Process:C:\Users\user\Desktop\daRNfwifay.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):2644992
                              Entropy (8bit):6.522789354349936
                              Encrypted:false
                              SSDEEP:49152:MBeicQuxzs62GFUQsRALUKbtr4y8X2GcIqHwE2:MBeXxYAcAL5r4y8XqwE
                              MD5:00A69916C649B8F347552F045D9529EF
                              SHA1:834062535C07857F99732E009358373A9321036A
                              SHA-256:962E9A7E391ED22B6567BC43EA2E2E9E8E8750601562A8356FFCB15C649A3CA0
                              SHA-512:423BC39FCDEEB56ED1449191BCC96607CBD43652EC2589CB810055D48DB4769D8789001383B9DB95BEB36744B38057537E0A8BCFF999874DD69C4B18C21B9172
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 63%
                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....f.........."......f....'.....@..........@..............................(...........`.....................................................<.............(...............(.x...............................(.......8...............X............................text...fd.......f.................. ..`.rdata..H............j..............@..@.data...0.'.......'.................@....pdata........(......T(.............@..@.00cfg........(......V(.............@..@.tls..........(......X(.............@....reloc..x.....(......Z(.............@..B................................................................................................................................................................................................................................................................................................................................................
Dropped file: C:\Windows\Temp\qmnhqdjgokix.sys (native-subsystem image, i.e. a kernel driver, written by the service process; the same file has been seen with the XMRig samples listed in the context table above)
Process:C:\ProgramData\system_services.exe
File Type:PE32+ executable (native) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):14544
                              Entropy (8bit):6.2660301556221185
                              Encrypted:false
                              SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                              MD5:0C0195C48B6B8582FA6F6373032118DA
                              SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                              SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                              SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 5%
                              Joe Sandbox View:
                              • Filename: cherax.exe, Detection: malicious, Browse
                              • Filename: K4gsPJGEi4.exe, Detection: malicious, Browse
                              • Filename: 32Vec0G7f5.exe, Detection: malicious, Browse
                              • Filename: BZMxi2zof1.exe, Detection: malicious, Browse
                              • Filename: file.exe, Detection: malicious, Browse
                              • Filename: SecuriteInfo.com.Win32.Evo-gen.6791.6790.exe, Detection: malicious, Browse
                              • Filename: d5raNaLQ8Q.exe, Detection: malicious, Browse
                              • Filename: Setup.exe, Detection: malicious, Browse
                              • Filename: ZE0514.exe, Detection: malicious, Browse
                              • Filename: FieroHack.exe, Detection: malicious, Browse
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                              File type:PE32+ executable (GUI) x86-64, for MS Windows
                              Entropy (8bit):6.522789354349936
                              TrID:
                              • Win64 Executable GUI (202006/5) 92.65%
                              • Win64 Executable (generic) (12005/4) 5.51%
                              • Generic Win/DOS Executable (2004/3) 0.92%
                              • DOS Executable Generic (2002/1) 0.92%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:daRNfwifay.exe
                              File size:2'644'992 bytes
                              MD5:00a69916c649b8f347552f045d9529ef
                              SHA1:834062535c07857f99732e009358373a9321036a
                              SHA256:962e9a7e391ed22b6567bc43ea2e2e9e8e8750601562a8356ffcb15c649a3ca0
                              SHA512:423bc39fcdeeb56ed1449191bcc96607cbd43652ec2589cb810055d48db4769d8789001383b9db95beb36744b38057537e0a8bcff999874dd69c4b18c21b9172
                              SSDEEP:49152:MBeicQuxzs62GFUQsRALUKbtr4y8X2GcIqHwE2:MBeXxYAcAL5r4y8XqwE
                              TLSH:C4C53385D5A3EDD8F914A1B8A20D3AD11C672C379777B0DB2A4F0D752092BC6C5343AB
                              File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........."......f....'.....@..........@..............................(...........`........................................
                              Icon Hash:00928e8e8686b000
                              Entrypoint:0x140001140
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x140000000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                              Time Stamp:0x668BD31E [Mon Jul 8 11:53:02 2024 UTC]
                              TLS Callbacks:0x40001760, 0x1, 0x400017e0, 0x1
                              CLR (.Net) Version:
                              OS Version Major:6
                              OS Version Minor:0
                              File Version Major:6
                              File Version Minor:0
                              Subsystem Version Major:6
                              Subsystem Version Minor:0
                              Import Hash:de41d4e0545d977de6ca665131bb479a
Instruction (entry-point disassembly; the listing decodes this x64 code with a 32-bit decoder, so each "dec eax" is really the 0x48 REX.W prefix of the instruction that follows it, "dec esp" is a REX.WR prefix, and eax/esp/esi/edi stand for the 64-bit registers)
                              dec eax
                              sub esp, 28h
                              dec eax
                              mov eax, dword ptr [00006ED5h]
                              mov dword ptr [eax], 00000001h
                              call 00007FE63D36530Fh
                              nop
                              nop
                              nop
                              dec eax
                              add esp, 28h
                              ret
                              nop
                              inc ecx
                              push edi
                              inc ecx
                              push esi
                              push esi
                              push edi
                              push ebx
                              dec eax
                              sub esp, 20h
                              dec eax
                              mov eax, dword ptr [00000030h]
                              dec eax
                              mov edi, dword ptr [eax+08h]
                              dec eax
                              mov esi, dword ptr [00006EC9h]
                              xor eax, eax
                              dec eax
                              cmpxchg dword ptr [esi], edi
                              sete bl
                              je 00007FE63D365330h
                              dec eax
                              cmp edi, eax
                              je 00007FE63D36532Bh
                              dec esp
                              mov esi, dword ptr [00008331h]
                              nop word ptr [eax+eax+00000000h]
                              mov ecx, 000003E8h
                              inc ecx
                              call esi
                              xor eax, eax
                              dec eax
                              cmpxchg dword ptr [esi], edi
                              sete bl
                              je 00007FE63D365307h
                              dec eax
                              cmp edi, eax
                              jne 00007FE63D3652E9h
                              dec eax
                              mov edi, dword ptr [00006E90h]
                              mov eax, dword ptr [edi]
                              cmp eax, 01h
                              jne 00007FE63D36530Eh
                              mov ecx, 0000001Fh
                              call 00007FE63D36B414h
                              jmp 00007FE63D365329h
                              cmp dword ptr [edi], 00000000h
                              je 00007FE63D36530Bh
                              mov byte ptr [00285D29h], 00000001h
                              jmp 00007FE63D36531Bh
                              mov dword ptr [edi], 00000001h
                              dec eax
                              mov ecx, dword ptr [00006E7Ah]
                              dec eax
                              mov edx, dword ptr [00006E7Bh]
                              call 00007FE63D36B40Bh
                              mov eax, dword ptr [edi]
                              cmp eax, 01h
                              jne 00007FE63D36531Bh
                              dec eax
                              mov ecx, dword ptr [00006E50h]
Data directories (Name | Virtual Address | Virtual Size | Is in Section)
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9200 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x288000 | 0x180 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x28b000 | 0x78 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x80a0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x8410 | 0x138 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x9398 | 0x158 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics)
.text | 0x1000 | 0x6466 | 0x6600 | 05bb354dd7da574fec0bba5e5988cdb7 | False | 0.5278416053921569 | data | 6.15009983743367 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1948 | 0x1a00 | ad1e0f5b4ae4ae2a8c1f0cfb2d6aacdb | False | 0.44546274038461536 | data | 4.655604864249769 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x27db30 | 0x27d000 | 249a9e379bdd5a60bd780b2d41884f4b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x288000 | 0x180 | 0x200 | 32ad598cd9f6871b20c23fe7a5cd800d | False | 0.50390625 | data | 3.0902742124848595 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg | 0x289000 | 0x10 | 0x200 | b18c7380298e104adf73576fa46bccc1 | False | 0.04296875 | data | 0.15127132530476972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x28a000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x28b000 | 0x78 | 0x200 | dbc22c10f13c83c5f101767f22d2e646 | False | 0.224609375 | data | 1.423008734982099 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Note on the layout: the writable .data section alone is 0x27d000 (2'609'152) raw bytes of the 2'644'992-byte file, about 98.6%, while the executable .text section is only 0x6600 bytes. A tiny code section in front of one huge initialized-data section is the classic shape of a loader carrying an embedded payload, which is consistent with the ReversingLabs label Win64.Packed.Generic and with the XMRig detections on the dropped copy.
Imports (DLL | Functions)
msvcrt.dll | __C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, memset, signal, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp
KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery

The msvcrt.dll startup set (__getmainargs, __set_app_type, _initterm, _onexit, _amsg_exit) is the one the mingw-w64 CRT links against; MSVC-built binaries import from ucrtbase/vcruntime instead. VirtualProtect and VirtualQuery next to an otherwise bare import table fit a loader that unpacks and maps its payload at run time.
TCP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP)
Jul 8, 2024 19:31:59.226788998 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:31:59.232959986 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:31:59.233067036 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:31:59.233217955 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:31:59.238039970 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:31:59.873688936 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:31:59.916374922 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:32:02.554006100 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:32:02.603888035 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:32:12.784182072 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:32:12.838372946 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:32:22.644788027 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:32:22.728883982 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:32:32.663400888 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:32:32.822685003 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:32:42.641031981 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:32:42.822622061 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:32:52.731770039 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:32:52.822772026 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:33:02.693033934 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:33:02.932054043 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:33:12.675319910 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:33:12.788178921 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:33:22.730956078 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:33:22.822717905 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:33:32.791821957 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:33:32.932142973 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:33:42.798280954 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:33:42.932094097 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:33:48.530093908 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:33:48.635260105 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:33:58.492002964 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:33:58.635185003 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:34:08.492434978 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:34:08.635199070 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:34:18.571873903 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:34:18.635322094 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:34:28.527863026 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:34:28.635217905 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:34:38.735981941 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:34:38.822741032 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:34:52.575912952 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:34:52.635221004 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:35:02.666148901 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:35:02.822771072 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:35:12.631248951 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:35:12.822856903 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:35:22.669765949 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:35:22.822789907 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:35:32.572696924 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:35:32.635330915 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:35:42.673898935 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:35:42.729104996 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:35:52.675151110 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:35:52.728972912 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133
Jul 8, 2024 19:36:02.655961990 CEST | 10300 | 49710 | 51.222.200.133 | 192.168.2.6
Jul 8, 2024 19:36:02.728985071 CEST | 49710 | 10300 | 192.168.2.6 | 51.222.200.133

Pattern: one TCP session from 192.168.2.6:49710 to 51.222.200.133:10300 for the whole run. After the handshake and the client's first payload at 19:31:59, the server sends a packet roughly every 10 seconds and the client answers each within about 150 ms; a single long-lived connection with regular server-initiated traffic on a non-standard port is the shape of a Stratum session, which the "Detected Stratum mining protocol" signature confirms.
UDP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP)
Jul 8, 2024 19:31:59.211740017 CEST | 58739 | 53 | 192.168.2.6 | 1.1.1.1
Jul 8, 2024 19:31:59.223434925 CEST | 53 | 58739 | 1.1.1.1 | 192.168.2.6
DNS queries (Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS)
Jul 8, 2024 19:31:59.211740017 CEST | 192.168.2.6 | 1.1.1.1 | 0x2faf | Standard query (0) | xmr-us-east1.nanopool.org | A (IP address) | IN (0x0001) | false

DNS answers (Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS)
Jul 8, 2024 19:31:59.223434925 CEST | 1.1.1.1 | 192.168.2.6 | 0x2faf | No error (0) | xmr-us-east1.nanopool.org | - | 51.222.106.253 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 19:31:59.223434925 CEST | 1.1.1.1 | 192.168.2.6 | 0x2faf | No error (0) | xmr-us-east1.nanopool.org | - | 51.222.200.133 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 19:31:59.223434925 CEST | 1.1.1.1 | 192.168.2.6 | 0x2faf | No error (0) | xmr-us-east1.nanopool.org | - | 51.222.12.201 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 19:31:59.223434925 CEST | 1.1.1.1 | 192.168.2.6 | 0x2faf | No error (0) | xmr-us-east1.nanopool.org | - | 51.79.71.77 | A (IP address) | IN (0x0001) | false

The domains table above shows only the first A record (51.222.106.253); the miner actually connected to the second one, 51.222.200.133, so blocking on the resolved address alone would have to cover all four answers, and blocking on the pool hostname is the more robust control.
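The Stratum detection flagged on this connection, as an added example that is not part of the Joe Sandbox report: a small Python detector that scores a flow from its metadata (which domain the destination address came from, and the destination port) and from the JSON-RPC lines carried in the payload. The flow, the port and the four nanopool A records are taken from the tables above; the payload lines are constructed to resemble an XMRig login exchange, with placeholder wallet, blob and job_id values, and the pool domains other than nanopool.org are an assumption, not something the report shows.

```python
"""Stratum mining-traffic detector over flow metadata and JSON-RPC payload lines.

Added example, not part of the Joe Sandbox report. The flow and the DNS answer
set come from the report's network tables; the payload lines are constructed
to resemble an XMRig login exchange (wallet, blob and job_id are placeholders).
The pool domains other than nanopool.org are an assumption.
"""
import json
import re
from dataclasses import dataclass

# Assumption: illustrative public Monero pool domains; the report shows only nanopool.org.
POOL_DOMAIN_RE = re.compile(
    r"(?:^|\.)(?:nanopool\.org|supportxmr\.com|hashvault\.pro|2miners\.com)$", re.I)

# Method names of the two Stratum dialects XMRig speaks: the Monero
# login/job/submit dialect and the classic mining.* dialect.
STRATUM_METHODS = {"login", "job", "submit", "keepalived",
                   "mining.subscribe", "mining.authorize", "mining.notify", "mining.submit"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# From the report: 192.168.2.6:49710 -> 51.222.200.133:10300 and the four A
# records returned for xmr-us-east1.nanopool.org.
REPORT_FLOW = Flow("192.168.2.6", 49710, "51.222.200.133", 10300)
REPORT_DNS = {ip: "xmr-us-east1.nanopool.org"
              for ip in ("51.222.106.253", "51.222.200.133", "51.222.12.201", "51.79.71.77")}

# Constructed payload lines, one JSON-RPC object per line as on the wire.
CLIENT_LOGIN = json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login",
                           "params": {"login": "44PLACEHOLDERWALLET", "pass": "x",
                                      "agent": "XMRig/6.21.0", "algo": ["rx/0"]}})
SERVER_LOGIN_OK = json.dumps({"id": 1, "jsonrpc": "2.0", "error": None,
                              "result": {"id": "sess-1", "status": "OK",
                                         "job": {"blob": "0e0e", "job_id": "job-1",
                                                 "target": "b88d0600", "algo": "rx/0"}}})
SERVER_NEW_JOB = json.dumps({"jsonrpc": "2.0", "method": "job",
                             "params": {"blob": "0e0f", "job_id": "job-2",
                                        "target": "b88d0600", "algo": "rx/0"}})
HTTP_LINE = "GET / HTTP/1.1"  # constructed non-Stratum control line


def payload_indicators(line):
    """Return the set of Stratum indicators found in one payload line."""
    try:
        msg = json.loads(line)
    except ValueError:
        return set()
    if not isinstance(msg, dict):
        return set()
    found = set()
    method = msg.get("method")
    if isinstance(method, str) and method in STRATUM_METHODS:
        found.add("method:" + method)
    params = msg.get("params") if isinstance(msg.get("params"), dict) else {}
    agent = params.get("agent", "")
    if isinstance(agent, str) and agent.lower().startswith("xmrig"):
        found.add("agent:xmrig")
    result = msg.get("result") if isinstance(msg.get("result"), dict) else {}
    # A job description (blob + job_id + target) rides either in params
    # (pushed "job" notification) or inside the login result.
    for job in (params, result.get("job")):
        if isinstance(job, dict) and {"blob", "job_id", "target"} <= set(job):
            found.add("job")
    return found


def flow_indicators(flow, dns_answers):
    """Metadata-only indicators: destination resolved from a pool domain, and a
    destination port outside the usual web ports (10300 in this report)."""
    found = set()
    name = dns_answers.get(flow.dst_ip, "")
    if POOL_DOMAIN_RE.search(name):
        found.add("pool_domain:" + name)
    if flow.dst_port not in (80, 443):
        found.add("nonstandard_port:%d" % flow.dst_port)
    return found


def classify(flow, payload_lines, dns_answers):
    """Return (verdict, indicators). Payload evidence needs a Stratum method plus
    either the XMRig agent or a job; metadata alone needs the pool-domain hit,
    so a bare odd port never produces a verdict on its own."""
    ind = flow_indicators(flow, dns_answers)
    for line in payload_lines:
        ind |= payload_indicators(line)
    has_method = any(i.startswith("method:") for i in ind)
    has_pool = any(i.startswith("pool_domain:") for i in ind)
    if (has_method and ("agent:xmrig" in ind or "job" in ind)) or has_pool:
        return "stratum-mining", ind
    return "none", ind


if __name__ == "__main__":
    verdict, why = classify(REPORT_FLOW, [CLIENT_LOGIN, SERVER_LOGIN_OK, SERVER_NEW_JOB], REPORT_DNS)
    print(verdict, sorted(why))
```

The metadata path is what matters when the pool is reached over TLS and the payload is opaque: the DNS answer-to-address mapping turns the bare 51.222.200.133:10300 connection into a pool hit, which is why the DNS resolution and the TCP flow are worth correlating rather than reviewing separately.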


                              Target ID:0
                              Start time:13:31:57
                              Start date:08/07/2024
                              Path:C:\Users\user\Desktop\daRNfwifay.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Users\user\Desktop\daRNfwifay.exe"
                              Imagebase:0x7ff6ce590000
                              File size:2'644'992 bytes
                              MD5 hash:00A69916C649B8F347552F045D9529EF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:low
                              Has exited:true

                              Target ID:2
                              Start time:13:31:57
                              Start date:08/07/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\sc.exe delete "Windows.Services"
                              Imagebase:0x7ff66f170000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:true

                              Target ID:3
                              Start time:13:31:57
                              Start date:08/07/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:4
                              Start time:13:31:57
                              Start date:08/07/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\sc.exe create "Windows.Services" binpath= "C:\ProgramData\system_services.exe" start= "auto"
                              Imagebase:0x7ff66f170000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:true

                              Target ID:5
                              Start time:13:31:58
                              Start date:08/07/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:6
                              Start time:13:31:58
                              Start date:08/07/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\sc.exe stop eventlog
                              Imagebase:0x7ff66f170000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:true

                              Target ID:7
                              Start time:13:31:58
                              Start date:08/07/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\sc.exe start "Windows.Services"
                              Imagebase:0x7ff66f170000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:true

                              Target ID:8
                              Start time:13:31:58
                              Start date:08/07/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:9
                              Start time:13:31:58
                              Start date:08/07/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:10
                              Start time:13:31:58
                              Start date:08/07/2024
                              Path:C:\ProgramData\system_services.exe
                              Wow64 process (32bit):false
                              Commandline:C:\ProgramData\system_services.exe
                              Imagebase:0x7ff6d1950000
                              File size:2'644'992 bytes
                              MD5 hash:00A69916C649B8F347552F045D9529EF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Antivirus matches:
                              • Detection: 63%, ReversingLabs
                              Reputation:low
                              Has exited:true

                              Target ID:11
                              Start time:13:31:58
                              Start date:08/07/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:false

                              Target ID:12
                              Start time:13:31:58
                              Start date:08/07/2024
                              Path:C:\Windows\explorer.exe
                              Wow64 process (32bit):false
                              Commandline:explorer.exe
                              Imagebase:0x7ff609140000
                              File size:5'141'208 bytes
                              MD5 hash:662F4F92FDE3557E86D110526BB578D5
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000C.00000002.4563061570.000000000097F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:high
                              Has exited:false

                              Target ID:17
                              Start time:13:32:44
                              Start date:08/07/2024
                              Path:C:\Windows\System32\svchost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                              Imagebase:0x7ff7403e0000
                              File size:55'320 bytes
                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                              Has elevated privileges:true
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:false


                                Execution Graph

                                Execution Coverage:3.9%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:9.7%
                                Total number of Nodes:1655
                                Total number of Limit Nodes:2
[Execution graph: the interactive call-graph rendering (1655 nodes; edges listed as node->node) was flattened into text here. Recoverable content: basic-block addresses in the 0x7ff6ce59xxxx image range and the CRT/Win32 APIs invoked along the traced paths, including EnterCriticalSection, LeaveCriticalSection, TlsGetValue, GetLastError, Sleep, _initterm, _amsg_exit, _cexit, SetUnhandledExceptionFilter, VirtualProtect, VirtualQuery, malloc, memcpy, memset, strlen, wcslen, wcscpy, wcscat, _wcsnicmp, _wcsicmp and NtQuerySymbolicLinkObject. The listing is truncated on the original page.]
7ff6ce596f43 3544 7ff6ce596f5f malloc 3543->3544 3546 7ff6ce596f80 3544->3546 3545->3542 3545->3543 3546->3542 3548 7ff6ce59266f 3547->3548 3548->3165 3548->3548 3625 7ff6ce59155d 3549->3625 3551 7ff6ce5927f4 3552 7ff6ce5914c7 2 API calls 3551->3552 3555 7ff6ce592816 3552->3555 3553 7ff6ce592785 wcsncmp 3654 7ff6ce5914e5 3553->3654 3557 7ff6ce591503 2 API calls 3555->3557 3559 7ff6ce59283d 3557->3559 3558 7ff6ce592d27 3560 7ff6ce592847 memset 3559->3560 3561 7ff6ce592877 3560->3561 3562 7ff6ce5928bc wcscpy wcscat wcslen 3561->3562 3563 7ff6ce5928ee wcslen 3562->3563 3564 7ff6ce59291a 3562->3564 3563->3564 3565 7ff6ce592967 wcslen 3564->3565 3566 7ff6ce592985 3564->3566 3565->3566 3566->3558 3567 7ff6ce5929d9 wcslen 3566->3567 3568 7ff6ce5914a9 2 API calls 3567->3568 3569 7ff6ce592a73 3568->3569 3570 7ff6ce5914a9 2 API calls 3569->3570 3571 7ff6ce592bd2 3570->3571 3705 7ff6ce5914f4 3571->3705 3574 7ff6ce5914c7 2 API calls 3575 7ff6ce592c99 3574->3575 3576 7ff6ce5914c7 2 API calls 3575->3576 3577 7ff6ce592cb1 3576->3577 3578 7ff6ce59145e 2 API calls 3577->3578 3579 7ff6ce592cbb 3578->3579 3580 7ff6ce59145e 2 API calls 3579->3580 3581 7ff6ce592cc5 3580->3581 3581->3169 3583 7ff6ce591394 2 API calls 3582->3583 3584 7ff6ce591521 3583->3584 3585 7ff6ce591530 3584->3585 3586 7ff6ce591394 2 API calls 3584->3586 3587 7ff6ce591394 2 API calls 3585->3587 3586->3585 3588 7ff6ce59153a 3587->3588 3589 7ff6ce59153f 3588->3589 3590 7ff6ce591394 2 API calls 3588->3590 3591 7ff6ce591394 2 API calls 3589->3591 3590->3589 3592 7ff6ce59154e 3591->3592 3593 7ff6ce591394 2 API calls 3592->3593 3594 7ff6ce591558 3593->3594 3595 7ff6ce59155d 3594->3595 3596 7ff6ce591394 2 API calls 3594->3596 3597 7ff6ce591394 2 API calls 3595->3597 3596->3595 3598 7ff6ce591567 3597->3598 3599 7ff6ce59156c 3598->3599 3600 7ff6ce591394 2 API calls 3598->3600 3601 7ff6ce591394 2 API calls 3599->3601 3600->3599 3602 7ff6ce591576 3601->3602 3603 7ff6ce59157b 3602->3603 3604 7ff6ce591394 2 API calls 3602->3604 
3605 7ff6ce591394 2 API calls 3603->3605 3604->3603 3606 7ff6ce59158a 3605->3606 3607 7ff6ce591394 2 API calls 3606->3607 3608 7ff6ce591599 3607->3608 3609 7ff6ce591394 2 API calls 3608->3609 3610 7ff6ce5915a3 3609->3610 3611 7ff6ce5915a8 3610->3611 3612 7ff6ce591394 2 API calls 3610->3612 3613 7ff6ce591394 2 API calls 3611->3613 3612->3611 3614 7ff6ce5915b7 3613->3614 3615 7ff6ce591394 2 API calls 3614->3615 3616 7ff6ce5915c1 3615->3616 3617 7ff6ce591394 2 API calls 3616->3617 3618 7ff6ce5915c6 3617->3618 3619 7ff6ce591394 2 API calls 3618->3619 3620 7ff6ce5915d5 3619->3620 3621 7ff6ce591394 2 API calls 3620->3621 3622 7ff6ce5915e4 3621->3622 3623 7ff6ce591394 2 API calls 3622->3623 3624 7ff6ce5915f3 3623->3624 3624->3171 3626 7ff6ce591394 2 API calls 3625->3626 3627 7ff6ce591567 3626->3627 3628 7ff6ce59156c 3627->3628 3629 7ff6ce591394 2 API calls 3627->3629 3630 7ff6ce591394 2 API calls 3628->3630 3629->3628 3631 7ff6ce591576 3630->3631 3632 7ff6ce59157b 3631->3632 3633 7ff6ce591394 2 API calls 3631->3633 3634 7ff6ce591394 2 API calls 3632->3634 3633->3632 3635 7ff6ce59158a 3634->3635 3636 7ff6ce591394 2 API calls 3635->3636 3637 7ff6ce591599 3636->3637 3638 7ff6ce591394 2 API calls 3637->3638 3639 7ff6ce5915a3 3638->3639 3640 7ff6ce5915a8 3639->3640 3641 7ff6ce591394 2 API calls 3639->3641 3642 7ff6ce591394 2 API calls 3640->3642 3641->3640 3643 7ff6ce5915b7 3642->3643 3644 7ff6ce591394 2 API calls 3643->3644 3645 7ff6ce5915c1 3644->3645 3646 7ff6ce591394 2 API calls 3645->3646 3647 7ff6ce5915c6 3646->3647 3648 7ff6ce591394 2 API calls 3647->3648 3649 7ff6ce5915d5 3648->3649 3650 7ff6ce591394 2 API calls 3649->3650 3651 7ff6ce5915e4 3650->3651 3652 7ff6ce591394 2 API calls 3651->3652 3653 7ff6ce5915f3 3652->3653 3653->3551 3653->3553 3653->3558 3655 7ff6ce591394 2 API calls 3654->3655 3656 7ff6ce5914f4 3655->3656 3657 7ff6ce591503 3656->3657 3658 7ff6ce591394 2 API calls 3656->3658 3659 7ff6ce591394 2 API calls 3657->3659 3658->3657 3660 7ff6ce59150d 3659->3660 
3661 7ff6ce591394 2 API calls 3660->3661 3662 7ff6ce591512 3661->3662 3663 7ff6ce591394 2 API calls 3662->3663 3664 7ff6ce591521 3663->3664 3665 7ff6ce591530 3664->3665 3666 7ff6ce591394 2 API calls 3664->3666 3667 7ff6ce591394 2 API calls 3665->3667 3666->3665 3668 7ff6ce59153a 3667->3668 3669 7ff6ce59153f 3668->3669 3670 7ff6ce591394 2 API calls 3668->3670 3671 7ff6ce591394 2 API calls 3669->3671 3670->3669 3672 7ff6ce59154e 3671->3672 3673 7ff6ce591394 2 API calls 3672->3673 3674 7ff6ce591558 3673->3674 3675 7ff6ce59155d 3674->3675 3676 7ff6ce591394 2 API calls 3674->3676 3677 7ff6ce591394 2 API calls 3675->3677 3676->3675 3678 7ff6ce591567 3677->3678 3679 7ff6ce59156c 3678->3679 3680 7ff6ce591394 2 API calls 3678->3680 3681 7ff6ce591394 2 API calls 3679->3681 3680->3679 3682 7ff6ce591576 3681->3682 3683 7ff6ce59157b 3682->3683 3684 7ff6ce591394 2 API calls 3682->3684 3685 7ff6ce591394 2 API calls 3683->3685 3684->3683 3686 7ff6ce59158a 3685->3686 3687 7ff6ce591394 2 API calls 3686->3687 3688 7ff6ce591599 3687->3688 3689 7ff6ce591394 2 API calls 3688->3689 3690 7ff6ce5915a3 3689->3690 3691 7ff6ce5915a8 3690->3691 3692 7ff6ce591394 2 API calls 3690->3692 3693 7ff6ce591394 2 API calls 3691->3693 3692->3691 3694 7ff6ce5915b7 3693->3694 3695 7ff6ce591394 2 API calls 3694->3695 3696 7ff6ce5915c1 3695->3696 3697 7ff6ce591394 2 API calls 3696->3697 3698 7ff6ce5915c6 3697->3698 3699 7ff6ce591394 2 API calls 3698->3699 3700 7ff6ce5915d5 3699->3700 3701 7ff6ce591394 2 API calls 3700->3701 3702 7ff6ce5915e4 3701->3702 3703 7ff6ce591394 2 API calls 3702->3703 3704 7ff6ce5915f3 3703->3704 3704->3551 3706 7ff6ce591503 3705->3706 3707 7ff6ce591394 2 API calls 3705->3707 3708 7ff6ce591394 2 API calls 3706->3708 3707->3706 3709 7ff6ce59150d 3708->3709 3710 7ff6ce591394 2 API calls 3709->3710 3711 7ff6ce591512 3710->3711 3712 7ff6ce591394 2 API calls 3711->3712 3713 7ff6ce591521 3712->3713 3714 7ff6ce591530 3713->3714 3715 7ff6ce591394 2 API calls 3713->3715 3716 7ff6ce591394 2 
API calls 3714->3716 3715->3714 3717 7ff6ce59153a 3716->3717 3718 7ff6ce59153f 3717->3718 3719 7ff6ce591394 2 API calls 3717->3719 3720 7ff6ce591394 2 API calls 3718->3720 3719->3718 3721 7ff6ce59154e 3720->3721 3722 7ff6ce591394 2 API calls 3721->3722 3723 7ff6ce591558 3722->3723 3724 7ff6ce59155d 3723->3724 3725 7ff6ce591394 2 API calls 3723->3725 3726 7ff6ce591394 2 API calls 3724->3726 3725->3724 3727 7ff6ce591567 3726->3727 3728 7ff6ce59156c 3727->3728 3729 7ff6ce591394 2 API calls 3727->3729 3730 7ff6ce591394 2 API calls 3728->3730 3729->3728 3731 7ff6ce591576 3730->3731 3732 7ff6ce59157b 3731->3732 3733 7ff6ce591394 2 API calls 3731->3733 3734 7ff6ce591394 2 API calls 3732->3734 3733->3732 3735 7ff6ce59158a 3734->3735 3736 7ff6ce591394 2 API calls 3735->3736 3737 7ff6ce591599 3736->3737 3738 7ff6ce591394 2 API calls 3737->3738 3739 7ff6ce5915a3 3738->3739 3740 7ff6ce5915a8 3739->3740 3741 7ff6ce591394 2 API calls 3739->3741 3742 7ff6ce591394 2 API calls 3740->3742 3741->3740 3743 7ff6ce5915b7 3742->3743 3744 7ff6ce591394 2 API calls 3743->3744 3745 7ff6ce5915c1 3744->3745 3746 7ff6ce591394 2 API calls 3745->3746 3747 7ff6ce5915c6 3746->3747 3748 7ff6ce591394 2 API calls 3747->3748 3749 7ff6ce5915d5 3748->3749 3750 7ff6ce591394 2 API calls 3749->3750 3751 7ff6ce5915e4 3750->3751 3752 7ff6ce591394 2 API calls 3751->3752 3753 7ff6ce5915f3 3752->3753 3753->3574 3755 7ff6ce591394 2 API calls 3754->3755 3756 7ff6ce59142c 3755->3756 3757 7ff6ce591431 3756->3757 3758 7ff6ce591394 2 API calls 3756->3758 3759 7ff6ce591394 2 API calls 3757->3759 3758->3757 3760 7ff6ce59143b 3759->3760 3761 7ff6ce591440 3760->3761 3762 7ff6ce591394 2 API calls 3760->3762 3763 7ff6ce591394 2 API calls 3761->3763 3762->3761 3764 7ff6ce59144f 3763->3764 3765 7ff6ce591394 2 API calls 3764->3765 3766 7ff6ce591459 3765->3766 3767 7ff6ce59145e 3766->3767 3768 7ff6ce591394 2 API calls 3766->3768 3769 7ff6ce591394 2 API calls 3767->3769 3768->3767 3770 7ff6ce591468 3769->3770 3771 7ff6ce59146d 
3770->3771 3772 7ff6ce591394 2 API calls 3770->3772 3773 7ff6ce591394 2 API calls 3771->3773 3772->3771 3774 7ff6ce591477 3773->3774 3775 7ff6ce59147c 3774->3775 3776 7ff6ce591394 2 API calls 3774->3776 3777 7ff6ce591394 2 API calls 3775->3777 3776->3775 3778 7ff6ce591486 3777->3778 3779 7ff6ce59148b 3778->3779 3780 7ff6ce591394 2 API calls 3778->3780 3781 7ff6ce591394 2 API calls 3779->3781 3780->3779 3782 7ff6ce591495 3781->3782 3783 7ff6ce59149a 3782->3783 3784 7ff6ce591394 2 API calls 3782->3784 3785 7ff6ce591394 2 API calls 3783->3785 3784->3783 3786 7ff6ce5914a4 3785->3786 3787 7ff6ce5914a9 3786->3787 3788 7ff6ce591394 2 API calls 3786->3788 3789 7ff6ce591394 2 API calls 3787->3789 3788->3787 3790 7ff6ce5914b3 3789->3790 3791 7ff6ce591394 2 API calls 3790->3791 3792 7ff6ce5914b8 3791->3792 3793 7ff6ce591394 2 API calls 3792->3793 3794 7ff6ce5914c7 3793->3794 3795 7ff6ce591394 2 API calls 3794->3795 3796 7ff6ce5914d6 3795->3796 3797 7ff6ce591394 2 API calls 3796->3797 3798 7ff6ce5914e5 3797->3798 3799 7ff6ce591394 2 API calls 3798->3799 3800 7ff6ce5914f4 3799->3800 3801 7ff6ce591503 3800->3801 3802 7ff6ce591394 2 API calls 3800->3802 3803 7ff6ce591394 2 API calls 3801->3803 3802->3801 3804 7ff6ce59150d 3803->3804 3805 7ff6ce591394 2 API calls 3804->3805 3806 7ff6ce591512 3805->3806 3807 7ff6ce591394 2 API calls 3806->3807 3808 7ff6ce591521 3807->3808 3809 7ff6ce591530 3808->3809 3810 7ff6ce591394 2 API calls 3808->3810 3811 7ff6ce591394 2 API calls 3809->3811 3810->3809 3812 7ff6ce59153a 3811->3812 3813 7ff6ce59153f 3812->3813 3814 7ff6ce591394 2 API calls 3812->3814 3815 7ff6ce591394 2 API calls 3813->3815 3814->3813 3816 7ff6ce59154e 3815->3816 3817 7ff6ce591394 2 API calls 3816->3817 3818 7ff6ce591558 3817->3818 3819 7ff6ce59155d 3818->3819 3820 7ff6ce591394 2 API calls 3818->3820 3821 7ff6ce591394 2 API calls 3819->3821 3820->3819 3822 7ff6ce591567 3821->3822 3823 7ff6ce59156c 3822->3823 3824 7ff6ce591394 2 API calls 3822->3824 3825 7ff6ce591394 2 API 
calls 3823->3825 3824->3823 3826 7ff6ce591576 3825->3826 3827 7ff6ce59157b 3826->3827 3828 7ff6ce591394 2 API calls 3826->3828 3829 7ff6ce591394 2 API calls 3827->3829 3828->3827 3830 7ff6ce59158a 3829->3830 3831 7ff6ce591394 2 API calls 3830->3831 3832 7ff6ce591599 3831->3832 3833 7ff6ce591394 2 API calls 3832->3833 3834 7ff6ce5915a3 3833->3834 3835 7ff6ce5915a8 3834->3835 3836 7ff6ce591394 2 API calls 3834->3836 3837 7ff6ce591394 2 API calls 3835->3837 3836->3835 3838 7ff6ce5915b7 3837->3838 3839 7ff6ce591394 2 API calls 3838->3839 3840 7ff6ce5915c1 3839->3840 3841 7ff6ce591394 2 API calls 3840->3841 3842 7ff6ce5915c6 3841->3842 3843 7ff6ce591394 2 API calls 3842->3843 3844 7ff6ce5915d5 3843->3844 3845 7ff6ce591394 2 API calls 3844->3845 3846 7ff6ce5915e4 3845->3846 3847 7ff6ce591394 2 API calls 3846->3847 3848 7ff6ce5915f3 3847->3848 3848->3450 3850 7ff6ce591394 2 API calls 3849->3850 3851 7ff6ce59143b 3850->3851 3852 7ff6ce591440 3851->3852 3853 7ff6ce591394 2 API calls 3851->3853 3854 7ff6ce591394 2 API calls 3852->3854 3853->3852 3855 7ff6ce59144f 3854->3855 3856 7ff6ce591394 2 API calls 3855->3856 3857 7ff6ce591459 3856->3857 3858 7ff6ce59145e 3857->3858 3859 7ff6ce591394 2 API calls 3857->3859 3860 7ff6ce591394 2 API calls 3858->3860 3859->3858 3861 7ff6ce591468 3860->3861 3862 7ff6ce59146d 3861->3862 3863 7ff6ce591394 2 API calls 3861->3863 3864 7ff6ce591394 2 API calls 3862->3864 3863->3862 3865 7ff6ce591477 3864->3865 3866 7ff6ce59147c 3865->3866 3867 7ff6ce591394 2 API calls 3865->3867 3868 7ff6ce591394 2 API calls 3866->3868 3867->3866 3869 7ff6ce591486 3868->3869 3870 7ff6ce59148b 3869->3870 3871 7ff6ce591394 2 API calls 3869->3871 3872 7ff6ce591394 2 API calls 3870->3872 3871->3870 3873 7ff6ce591495 3872->3873 3874 7ff6ce59149a 3873->3874 3875 7ff6ce591394 2 API calls 3873->3875 3876 7ff6ce591394 2 API calls 3874->3876 3875->3874 3877 7ff6ce5914a4 3876->3877 3878 7ff6ce5914a9 3877->3878 3879 7ff6ce591394 2 API calls 3877->3879 3880 7ff6ce591394 2 API 
calls 3878->3880 3879->3878 3881 7ff6ce5914b3 3880->3881 3882 7ff6ce591394 2 API calls 3881->3882 3883 7ff6ce5914b8 3882->3883 3884 7ff6ce591394 2 API calls 3883->3884 3885 7ff6ce5914c7 3884->3885 3886 7ff6ce591394 2 API calls 3885->3886 3887 7ff6ce5914d6 3886->3887 3888 7ff6ce591394 2 API calls 3887->3888 3889 7ff6ce5914e5 3888->3889 3890 7ff6ce591394 2 API calls 3889->3890 3891 7ff6ce5914f4 3890->3891 3892 7ff6ce591503 3891->3892 3893 7ff6ce591394 2 API calls 3891->3893 3894 7ff6ce591394 2 API calls 3892->3894 3893->3892 3895 7ff6ce59150d 3894->3895 3896 7ff6ce591394 2 API calls 3895->3896 3897 7ff6ce591512 3896->3897 3898 7ff6ce591394 2 API calls 3897->3898 3899 7ff6ce591521 3898->3899 3900 7ff6ce591530 3899->3900 3901 7ff6ce591394 2 API calls 3899->3901 3902 7ff6ce591394 2 API calls 3900->3902 3901->3900 3903 7ff6ce59153a 3902->3903 3904 7ff6ce59153f 3903->3904 3905 7ff6ce591394 2 API calls 3903->3905 3906 7ff6ce591394 2 API calls 3904->3906 3905->3904 3907 7ff6ce59154e 3906->3907 3908 7ff6ce591394 2 API calls 3907->3908 3909 7ff6ce591558 3908->3909 3910 7ff6ce59155d 3909->3910 3911 7ff6ce591394 2 API calls 3909->3911 3912 7ff6ce591394 2 API calls 3910->3912 3911->3910 3913 7ff6ce591567 3912->3913 3914 7ff6ce59156c 3913->3914 3915 7ff6ce591394 2 API calls 3913->3915 3916 7ff6ce591394 2 API calls 3914->3916 3915->3914 3917 7ff6ce591576 3916->3917 3918 7ff6ce59157b 3917->3918 3919 7ff6ce591394 2 API calls 3917->3919 3920 7ff6ce591394 2 API calls 3918->3920 3919->3918 3921 7ff6ce59158a 3920->3921 3922 7ff6ce591394 2 API calls 3921->3922 3923 7ff6ce591599 3922->3923 3924 7ff6ce591394 2 API calls 3923->3924 3925 7ff6ce5915a3 3924->3925 3926 7ff6ce5915a8 3925->3926 3927 7ff6ce591394 2 API calls 3925->3927 3928 7ff6ce591394 2 API calls 3926->3928 3927->3926 3929 7ff6ce5915b7 3928->3929 3930 7ff6ce591394 2 API calls 3929->3930 3931 7ff6ce5915c1 3930->3931 3932 7ff6ce591394 2 API calls 3931->3932 3933 7ff6ce5915c6 3932->3933 3934 7ff6ce591394 2 API calls 3933->3934 3935 
7ff6ce5915d5 3934->3935 3936 7ff6ce591394 2 API calls 3935->3936 3937 7ff6ce5915e4 3936->3937 3938 7ff6ce591394 2 API calls 3937->3938 3939 7ff6ce5915f3 3938->3939 3939->3453 3941 7ff6ce591394 2 API calls 3940->3941 3942 7ff6ce5914c7 3941->3942 3943 7ff6ce591394 2 API calls 3942->3943 3944 7ff6ce5914d6 3943->3944 3945 7ff6ce591394 2 API calls 3944->3945 3946 7ff6ce5914e5 3945->3946 3947 7ff6ce591394 2 API calls 3946->3947 3948 7ff6ce5914f4 3947->3948 3949 7ff6ce591503 3948->3949 3950 7ff6ce591394 2 API calls 3948->3950 3951 7ff6ce591394 2 API calls 3949->3951 3950->3949 3952 7ff6ce59150d 3951->3952 3953 7ff6ce591394 2 API calls 3952->3953 3954 7ff6ce591512 3953->3954 3955 7ff6ce591394 2 API calls 3954->3955 3956 7ff6ce591521 3955->3956 3957 7ff6ce591530 3956->3957 3958 7ff6ce591394 2 API calls 3956->3958 3959 7ff6ce591394 2 API calls 3957->3959 3958->3957 3960 7ff6ce59153a 3959->3960 3961 7ff6ce59153f 3960->3961 3962 7ff6ce591394 2 API calls 3960->3962 3963 7ff6ce591394 2 API calls 3961->3963 3962->3961 3964 7ff6ce59154e 3963->3964 3965 7ff6ce591394 2 API calls 3964->3965 3966 7ff6ce591558 3965->3966 3967 7ff6ce59155d 3966->3967 3968 7ff6ce591394 2 API calls 3966->3968 3969 7ff6ce591394 2 API calls 3967->3969 3968->3967 3970 7ff6ce591567 3969->3970 3971 7ff6ce59156c 3970->3971 3972 7ff6ce591394 2 API calls 3970->3972 3973 7ff6ce591394 2 API calls 3971->3973 3972->3971 3974 7ff6ce591576 3973->3974 3975 7ff6ce59157b 3974->3975 3976 7ff6ce591394 2 API calls 3974->3976 3977 7ff6ce591394 2 API calls 3975->3977 3976->3975 3978 7ff6ce59158a 3977->3978 3979 7ff6ce591394 2 API calls 3978->3979 3980 7ff6ce591599 3979->3980 3981 7ff6ce591394 2 API calls 3980->3981 3982 7ff6ce5915a3 3981->3982 3983 7ff6ce5915a8 3982->3983 3984 7ff6ce591394 2 API calls 3982->3984 3985 7ff6ce591394 2 API calls 3983->3985 3984->3983 3986 7ff6ce5915b7 3985->3986 3987 7ff6ce591394 2 API calls 3986->3987 3988 7ff6ce5915c1 3987->3988 3989 7ff6ce591394 2 API calls 3988->3989 3990 7ff6ce5915c6 
3989->3990 3991 7ff6ce591394 2 API calls 3990->3991 3992 7ff6ce5915d5 3991->3992 3993 7ff6ce591394 2 API calls 3992->3993 3994 7ff6ce5915e4 3993->3994 3995 7ff6ce591394 2 API calls 3994->3995 3996 7ff6ce5915f3 3995->3996 3996->3523 3998 7ff6ce591394 2 API calls 3997->3998 3999 7ff6ce5915e4 3998->3999 4000 7ff6ce591394 2 API calls 3999->4000 4001 7ff6ce5915f3 4000->4001 4001->3523 4003 7ff6ce591394 2 API calls 4002->4003 4004 7ff6ce591495 4003->4004 4005 7ff6ce59149a 4004->4005 4006 7ff6ce591394 2 API calls 4004->4006 4007 7ff6ce591394 2 API calls 4005->4007 4006->4005 4008 7ff6ce5914a4 4007->4008 4009 7ff6ce5914a9 4008->4009 4010 7ff6ce591394 2 API calls 4008->4010 4011 7ff6ce591394 2 API calls 4009->4011 4010->4009 4012 7ff6ce5914b3 4011->4012 4013 7ff6ce591394 2 API calls 4012->4013 4014 7ff6ce5914b8 4013->4014 4015 7ff6ce591394 2 API calls 4014->4015 4016 7ff6ce5914c7 4015->4016 4017 7ff6ce591394 2 API calls 4016->4017 4018 7ff6ce5914d6 4017->4018 4019 7ff6ce591394 2 API calls 4018->4019 4020 7ff6ce5914e5 4019->4020 4021 7ff6ce591394 2 API calls 4020->4021 4022 7ff6ce5914f4 4021->4022 4023 7ff6ce591503 4022->4023 4024 7ff6ce591394 2 API calls 4022->4024 4025 7ff6ce591394 2 API calls 4023->4025 4024->4023 4026 7ff6ce59150d 4025->4026 4027 7ff6ce591394 2 API calls 4026->4027 4028 7ff6ce591512 4027->4028 4029 7ff6ce591394 2 API calls 4028->4029 4030 7ff6ce591521 4029->4030 4031 7ff6ce591530 4030->4031 4032 7ff6ce591394 2 API calls 4030->4032 4033 7ff6ce591394 2 API calls 4031->4033 4032->4031 4034 7ff6ce59153a 4033->4034 4035 7ff6ce59153f 4034->4035 4036 7ff6ce591394 2 API calls 4034->4036 4037 7ff6ce591394 2 API calls 4035->4037 4036->4035 4038 7ff6ce59154e 4037->4038 4039 7ff6ce591394 2 API calls 4038->4039 4040 7ff6ce591558 4039->4040 4041 7ff6ce59155d 4040->4041 4042 7ff6ce591394 2 API calls 4040->4042 4043 7ff6ce591394 2 API calls 4041->4043 4042->4041 4044 7ff6ce591567 4043->4044 4045 7ff6ce59156c 4044->4045 4046 7ff6ce591394 2 API calls 4044->4046 4047 
7ff6ce591394 2 API calls 4045->4047 4046->4045 4048 7ff6ce591576 4047->4048 4049 7ff6ce59157b 4048->4049 4050 7ff6ce591394 2 API calls 4048->4050 4051 7ff6ce591394 2 API calls 4049->4051 4050->4049 4052 7ff6ce59158a 4051->4052 4053 7ff6ce591394 2 API calls 4052->4053 4054 7ff6ce591599 4053->4054 4055 7ff6ce591394 2 API calls 4054->4055 4056 7ff6ce5915a3 4055->4056 4057 7ff6ce5915a8 4056->4057 4058 7ff6ce591394 2 API calls 4056->4058 4059 7ff6ce591394 2 API calls 4057->4059 4058->4057 4060 7ff6ce5915b7 4059->4060 4061 7ff6ce591394 2 API calls 4060->4061 4062 7ff6ce5915c1 4061->4062 4063 7ff6ce591394 2 API calls 4062->4063 4064 7ff6ce5915c6 4063->4064 4065 7ff6ce591394 2 API calls 4064->4065 4066 7ff6ce5915d5 4065->4066 4067 7ff6ce591394 2 API calls 4066->4067 4068 7ff6ce5915e4 4067->4068 4069 7ff6ce591394 2 API calls 4068->4069 4070 7ff6ce5915f3 4069->4070 4070->3520 4071 7ff6ce59149a 4070->4071 4072 7ff6ce591394 2 API calls 4071->4072 4073 7ff6ce5914a4 4072->4073 4074 7ff6ce5914a9 4073->4074 4075 7ff6ce591394 2 API calls 4073->4075 4076 7ff6ce591394 2 API calls 4074->4076 4075->4074 4077 7ff6ce5914b3 4076->4077 4078 7ff6ce591394 2 API calls 4077->4078 4079 7ff6ce5914b8 4078->4079 4080 7ff6ce591394 2 API calls 4079->4080 4081 7ff6ce5914c7 4080->4081 4082 7ff6ce591394 2 API calls 4081->4082 4083 7ff6ce5914d6 4082->4083 4084 7ff6ce591394 2 API calls 4083->4084 4085 7ff6ce5914e5 4084->4085 4086 7ff6ce591394 2 API calls 4085->4086 4087 7ff6ce5914f4 4086->4087 4088 7ff6ce591503 4087->4088 4089 7ff6ce591394 2 API calls 4087->4089 4090 7ff6ce591394 2 API calls 4088->4090 4089->4088 4091 7ff6ce59150d 4090->4091 4092 7ff6ce591394 2 API calls 4091->4092 4093 7ff6ce591512 4092->4093 4094 7ff6ce591394 2 API calls 4093->4094 4095 7ff6ce591521 4094->4095 4096 7ff6ce591530 4095->4096 4097 7ff6ce591394 2 API calls 4095->4097 4098 7ff6ce591394 2 API calls 4096->4098 4097->4096 4099 7ff6ce59153a 4098->4099 4100 7ff6ce59153f 4099->4100 4101 7ff6ce591394 2 API calls 4099->4101 4102 
7ff6ce591394 2 API calls 4100->4102 4101->4100 4103 7ff6ce59154e 4102->4103 4104 7ff6ce591394 2 API calls 4103->4104 4105 7ff6ce591558 4104->4105 4106 7ff6ce59155d 4105->4106 4107 7ff6ce591394 2 API calls 4105->4107 4108 7ff6ce591394 2 API calls 4106->4108 4107->4106 4109 7ff6ce591567 4108->4109 4110 7ff6ce59156c 4109->4110 4111 7ff6ce591394 2 API calls 4109->4111 4112 7ff6ce591394 2 API calls 4110->4112 4111->4110 4113 7ff6ce591576 4112->4113 4114 7ff6ce59157b 4113->4114 4115 7ff6ce591394 2 API calls 4113->4115 4116 7ff6ce591394 2 API calls 4114->4116 4115->4114 4117 7ff6ce59158a 4116->4117 4118 7ff6ce591394 2 API calls 4117->4118 4119 7ff6ce591599 4118->4119 4120 7ff6ce591394 2 API calls 4119->4120 4121 7ff6ce5915a3 4120->4121 4122 7ff6ce5915a8 4121->4122 4123 7ff6ce591394 2 API calls 4121->4123 4124 7ff6ce591394 2 API calls 4122->4124 4123->4122 4125 7ff6ce5915b7 4124->4125 4126 7ff6ce591394 2 API calls 4125->4126 4127 7ff6ce5915c1 4126->4127 4128 7ff6ce591394 2 API calls 4127->4128 4129 7ff6ce5915c6 4128->4129 4130 7ff6ce591394 2 API calls 4129->4130 4131 7ff6ce5915d5 4130->4131 4132 7ff6ce591394 2 API calls 4131->4132 4133 7ff6ce5915e4 4132->4133 4134 7ff6ce591394 2 API calls 4133->4134 4135 7ff6ce5915f3 4134->4135 4135->3520 4135->3531 4137 7ff6ce591394 2 API calls 4136->4137 4138 7ff6ce591486 4137->4138 4139 7ff6ce59148b 4138->4139 4140 7ff6ce591394 2 API calls 4138->4140 4141 7ff6ce591394 2 API calls 4139->4141 4140->4139 4142 7ff6ce591495 4141->4142 4143 7ff6ce59149a 4142->4143 4144 7ff6ce591394 2 API calls 4142->4144 4145 7ff6ce591394 2 API calls 4143->4145 4144->4143 4146 7ff6ce5914a4 4145->4146 4147 7ff6ce5914a9 4146->4147 4148 7ff6ce591394 2 API calls 4146->4148 4149 7ff6ce591394 2 API calls 4147->4149 4148->4147 4150 7ff6ce5914b3 4149->4150 4151 7ff6ce591394 2 API calls 4150->4151 4152 7ff6ce5914b8 4151->4152 4153 7ff6ce591394 2 API calls 4152->4153 4154 7ff6ce5914c7 4153->4154 4155 7ff6ce591394 2 API calls 4154->4155 4156 7ff6ce5914d6 4155->4156 4157 
7ff6ce591394 2 API calls 4156->4157 4158 7ff6ce5914e5 4157->4158 4159 7ff6ce591394 2 API calls 4158->4159 4160 7ff6ce5914f4 4159->4160 4161 7ff6ce591503 4160->4161 4162 7ff6ce591394 2 API calls 4160->4162 4163 7ff6ce591394 2 API calls 4161->4163 4162->4161 4164 7ff6ce59150d 4163->4164 4165 7ff6ce591394 2 API calls 4164->4165 4166 7ff6ce591512 4165->4166 4167 7ff6ce591394 2 API calls 4166->4167 4168 7ff6ce591521 4167->4168 4169 7ff6ce591530 4168->4169 4170 7ff6ce591394 2 API calls 4168->4170 4171 7ff6ce591394 2 API calls 4169->4171 4170->4169 4172 7ff6ce59153a 4171->4172 4173 7ff6ce59153f 4172->4173 4174 7ff6ce591394 2 API calls 4172->4174 4175 7ff6ce591394 2 API calls 4173->4175 4174->4173 4176 7ff6ce59154e 4175->4176 4177 7ff6ce591394 2 API calls 4176->4177 4178 7ff6ce591558 4177->4178 4179 7ff6ce59155d 4178->4179 4180 7ff6ce591394 2 API calls 4178->4180 4181 7ff6ce591394 2 API calls 4179->4181 4180->4179 4182 7ff6ce591567 4181->4182 4183 7ff6ce59156c 4182->4183 4184 7ff6ce591394 2 API calls 4182->4184 4185 7ff6ce591394 2 API calls 4183->4185 4184->4183 4186 7ff6ce591576 4185->4186 4187 7ff6ce59157b 4186->4187 4188 7ff6ce591394 2 API calls 4186->4188 4189 7ff6ce591394 2 API calls 4187->4189 4188->4187 4190 7ff6ce59158a 4189->4190 4191 7ff6ce591394 2 API calls 4190->4191 4192 7ff6ce591599 4191->4192 4193 7ff6ce591394 2 API calls 4192->4193 4194 7ff6ce5915a3 4193->4194 4195 7ff6ce5915a8 4194->4195 4196 7ff6ce591394 2 API calls 4194->4196 4197 7ff6ce591394 2 API calls 4195->4197 4196->4195 4198 7ff6ce5915b7 4197->4198 4199 7ff6ce591394 2 API calls 4198->4199 4200 7ff6ce5915c1 4199->4200 4201 7ff6ce591394 2 API calls 4200->4201 4202 7ff6ce5915c6 4201->4202 4203 7ff6ce591394 2 API calls 4202->4203 4204 7ff6ce5915d5 4203->4204 4205 7ff6ce591394 2 API calls 4204->4205 4206 7ff6ce5915e4 4205->4206 4207 7ff6ce591394 2 API calls 4206->4207 4208 7ff6ce5915f3 4207->4208 4208->3536 4210 7ff6ce591394 2 API calls 4209->4210 4211 7ff6ce5915d5 4210->4211 4212 7ff6ce591394 2 API 
calls 4211->4212 4213 7ff6ce5915e4 4212->4213 4214 7ff6ce591394 2 API calls 4213->4214 4215 7ff6ce5915f3 4214->4215 4215->3517 4226 7ff6ce592320 strlen 4227 7ff6ce592337 4226->4227 4236 7ff6ce591000 4237 7ff6ce59108b __set_app_type 4236->4237 4238 7ff6ce591040 4236->4238 4240 7ff6ce5910b6 4237->4240 4238->4237 4239 7ff6ce5910e5 4240->4239 4242 7ff6ce591e00 4240->4242 4243 7ff6ce5973e0 __setusermatherr 4242->4243 4244 7ff6ce591800 4245 7ff6ce591812 4244->4245 4246 7ff6ce591835 fprintf 4245->4246 4388 7ff6ce591ac3 4389 7ff6ce591a70 4388->4389 4390 7ff6ce591b36 4389->4390 4393 7ff6ce591b53 4389->4393 4394 7ff6ce59199e 4389->4394 4391 7ff6ce591ba0 4 API calls 4390->4391 4391->4393 4392 7ff6ce591a0f 4394->4392 4395 7ff6ce5919e9 VirtualProtect 4394->4395 4395->4394 4247 7ff6ce591404 4248 7ff6ce591394 2 API calls 4247->4248 4249 7ff6ce591413 4248->4249 4250 7ff6ce591422 4249->4250 4251 7ff6ce591394 2 API calls 4249->4251 4252 7ff6ce591394 2 API calls 4250->4252 4251->4250 4253 7ff6ce59142c 4252->4253 4254 7ff6ce591431 4253->4254 4255 7ff6ce591394 2 API calls 4253->4255 4256 7ff6ce591394 2 API calls 4254->4256 4255->4254 4257 7ff6ce59143b 4256->4257 4258 7ff6ce591440 4257->4258 4259 7ff6ce591394 2 API calls 4257->4259 4260 7ff6ce591394 2 API calls 4258->4260 4259->4258 4261 7ff6ce59144f 4260->4261 4262 7ff6ce591394 2 API calls 4261->4262 4263 7ff6ce591459 4262->4263 4264 7ff6ce59145e 4263->4264 4265 7ff6ce591394 2 API calls 4263->4265 4266 7ff6ce591394 2 API calls 4264->4266 4265->4264 4267 7ff6ce591468 4266->4267 4268 7ff6ce59146d 4267->4268 4269 7ff6ce591394 2 API calls 4267->4269 4270 7ff6ce591394 2 API calls 4268->4270 4269->4268 4271 7ff6ce591477 4270->4271 4272 7ff6ce59147c 4271->4272 4273 7ff6ce591394 2 API calls 4271->4273 4274 7ff6ce591394 2 API calls 4272->4274 4273->4272 4275 7ff6ce591486 4274->4275 4276 7ff6ce59148b 4275->4276 4277 7ff6ce591394 2 API calls 4275->4277 4278 7ff6ce591394 2 API calls 4276->4278 4277->4276 4279 7ff6ce591495 4278->4279 4280 

                                Callgraph


                                Control-flow Graph

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.2102929578.00007FF6CE591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CE590000, based on PE: true
                                • Associated: 00000000.00000002.2102917503.00007FF6CE590000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102941995.00007FF6CE598000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102954025.00007FF6CE59A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102966177.00007FF6CE59B000.00000008.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2103111889.00007FF6CE816000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2103125413.00007FF6CE818000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ff6ce590000_daRNfwifay.jbxd
                                Similarity
                                • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                • String ID:
                                • API String ID: 2643109117-0
                                • Opcode ID: e40d977814605a0f93f2d998e9fdae947e316efba747862f1935729e8d83170b
                                • Instruction ID: 4ce1ee6f2bf46a3ae05d96ac8053e98ac8a11a5653841564b471e955185791de
                                • Opcode Fuzzy Hash: e40d977814605a0f93f2d998e9fdae947e316efba747862f1935729e8d83170b
                                • Instruction Fuzzy Hash: 65517EB2A0965285FB109F55EA603F933B1AF64782F855031E9DDE33A5DE3EE4528300

                                Control-flow Graph

                                APIs
                                • NtQuerySymbolicLinkObject.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6CE591156), ref: 00007FF6CE5913F7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2102929578.00007FF6CE591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CE590000, based on PE: true
                                • Associated: 00000000.00000002.2102917503.00007FF6CE590000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102941995.00007FF6CE598000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102954025.00007FF6CE59A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102966177.00007FF6CE59B000.00000008.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2103111889.00007FF6CE816000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2103125413.00007FF6CE818000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ff6ce590000_daRNfwifay.jbxd
                                Similarity
                                • API ID: LinkObjectQuerySymbolic
                                • String ID:
                                • API String ID: 679174118-0
                                • Opcode ID: 7268df7e5cfa79fb4a8563cd703875b617d8e80e9955c701edb4f4955cdd1ac4
                                • Instruction ID: 654a7229bcf94af22b76a270d5dafc42c4037ad09c55a4062564443e2d63c20f
                                • Opcode Fuzzy Hash: 7268df7e5cfa79fb4a8563cd703875b617d8e80e9955c701edb4f4955cdd1ac4
                                • Instruction Fuzzy Hash: 77F0FFB590CB4186D610EF51F8600AA7770FB68781B404435F9CCA3726DF3EE051CB50
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2102929578.00007FF6CE591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CE590000, based on PE: true
                                • Associated: 00000000.00000002.2102917503.00007FF6CE590000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102941995.00007FF6CE598000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102954025.00007FF6CE59A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102966177.00007FF6CE59B000.00000008.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2103111889.00007FF6CE816000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2103125413.00007FF6CE818000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ff6ce590000_daRNfwifay.jbxd
                                Similarity
                                • API ID: wcslen$memset$wcscat$wcscpy$_wcsnicmp$memcpy$_wcsicmp
                                • String ID: $X&
                                • API String ID: 3604702941-100112515
                                • Opcode ID: 709ca5fddccdf55507c9480d72c1033acce8f536a14c18890b1d792b618772f3
                                • Instruction ID: 80512383e76d26089da77ac36d20b9f4c2bde06a1a0ab10a1052730789677e52
                                • Opcode Fuzzy Hash: 709ca5fddccdf55507c9480d72c1033acce8f536a14c18890b1d792b618772f3
                                • Instruction Fuzzy Hash: 27236CA1C2D7C288FB118F68A8112F47770AF76346F845239F9DCF65A5EF6EA2458304

                                Control-flow Graph

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2102929578.00007FF6CE591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CE590000, based on PE: true
                                • Associated: 00000000.00000002.2102917503.00007FF6CE590000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102941995.00007FF6CE598000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102954025.00007FF6CE59A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102966177.00007FF6CE59B000.00000008.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2103111889.00007FF6CE816000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2103125413.00007FF6CE818000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ff6ce590000_daRNfwifay.jbxd
                                Similarity
                                • API ID: memset$wcscatwcscpywcslen
                                • String ID: $0$0$@$@
                                • API String ID: 4263182637-1413854666
                                • Opcode ID: 59ab4ffbad1c94c8e89f6c6391b24e12640be275aebda49ad401e6e1a0cf9a42
                                • Instruction ID: fb6e4aaec975354d108a92b91a10ddf56e559547640bf479f6b7c6a1c46c04fd
                                • Opcode Fuzzy Hash: 59ab4ffbad1c94c8e89f6c6391b24e12640be275aebda49ad401e6e1a0cf9a42
                                • Instruction Fuzzy Hash: F4B16D6190C7C285E7218F54E4153EA77B0FBA5349F444239FACCA66A5DF7EE14A8B00

                                Control-flow Graph

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2102929578.00007FF6CE591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CE590000, based on PE: true
                                • Associated: 00000000.00000002.2102917503.00007FF6CE590000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102941995.00007FF6CE598000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102954025.00007FF6CE59A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102966177.00007FF6CE59B000.00000008.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2103111889.00007FF6CE816000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2103125413.00007FF6CE818000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ff6ce590000_daRNfwifay.jbxd
                                Similarity
                                • API ID: wcslen$memsetwcscatwcscpywcsncmp
                                • String ID: 0$X$`
                                • API String ID: 329590056-2527496196
                                • Opcode ID: 02986b39d885733c9968b0222c049767e36aa813aa5f7dd44f00938c55c8f831
                                • Instruction ID: 4db4667da531301ea8226b4b1f17ee2e5e2e2e2ec78a9ca72c74cebdf9ea2cdb
                                • Opcode Fuzzy Hash: 02986b39d885733c9968b0222c049767e36aa813aa5f7dd44f00938c55c8f831
                                • Instruction Fuzzy Hash: 4E028E62908B8181E7218F55E8143EA77B0FBA57A5F404239EAECA77E5DF3DD146C700

                                Control-flow Graph

                                APIs
                                • VirtualQuery.KERNEL32(?,?,?,?,00007FF6CE599180,00007FF6CE599180,?,?,00007FF6CE590000,?,00007FF6CE591991), ref: 00007FF6CE591C63
                                • VirtualProtect.KERNEL32(?,?,?,?,00007FF6CE599180,00007FF6CE599180,?,?,00007FF6CE590000,?,00007FF6CE591991), ref: 00007FF6CE591CC7
                                • memcpy.MSVCRT ref: 00007FF6CE591CE0
                                • GetLastError.KERNEL32(?,?,?,?,00007FF6CE599180,00007FF6CE599180,?,?,00007FF6CE590000,?,00007FF6CE591991), ref: 00007FF6CE591D23
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2102929578.00007FF6CE591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CE590000, based on PE: true
                                • Associated: 00000000.00000002.2102917503.00007FF6CE590000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102941995.00007FF6CE598000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102954025.00007FF6CE59A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102966177.00007FF6CE59B000.00000008.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2103111889.00007FF6CE816000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2103125413.00007FF6CE818000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ff6ce590000_daRNfwifay.jbxd
                                Similarity
                                • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                • API String ID: 2595394609-2123141913
                                • Opcode ID: 7512f2eac9aa76a994b51ddc5a0ad258ab91a77bea0d85f379085d31040b2c68
                                • Instruction ID: c7bdd9c989aa2b3e3a9f7ed033c28f5a8f4a62a0209943da2d039966749df538
                                • Opcode Fuzzy Hash: 7512f2eac9aa76a994b51ddc5a0ad258ab91a77bea0d85f379085d31040b2c68
                                • Instruction Fuzzy Hash: 004193B2A0966291EA118F41D5646F82770FF64BC2F964032EE8EE7395DE3DE547C300

                                Control-flow Graph

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.2102929578.00007FF6CE591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CE590000, based on PE: true
                                • Associated: 00000000.00000002.2102917503.00007FF6CE590000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102941995.00007FF6CE598000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102954025.00007FF6CE59A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102966177.00007FF6CE59B000.00000008.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2103111889.00007FF6CE816000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2103125413.00007FF6CE818000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ff6ce590000_daRNfwifay.jbxd
                                Similarity
                                • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                • String ID:
                                • API String ID: 3326252324-0
                                • Opcode ID: a3f50990dafef5f20fe13fa5a8709b198bdd4a8216d1cc2d24d41753a25ef540
                                • Instruction ID: 2b5f4140c54bb07daaec938c94ea878f72152fe5ac86de8b67969ea2685bf4ff
                                • Opcode Fuzzy Hash: a3f50990dafef5f20fe13fa5a8709b198bdd4a8216d1cc2d24d41753a25ef540
                                • Instruction Fuzzy Hash: CD21CFA4A0A54281FA159F41F9602B83374BF20BA2F841071E9DDE76A8DF2EE8479300

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2102929578.00007FF6CE591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CE590000, based on PE: true
                                • Associated: 00000000.00000002.2102917503.00007FF6CE590000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102941995.00007FF6CE598000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102954025.00007FF6CE59A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102966177.00007FF6CE59B000.00000008.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2103111889.00007FF6CE816000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2103125413.00007FF6CE818000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ff6ce590000_daRNfwifay.jbxd
                                Similarity
                                • API ID:
                                • String ID: CCG
                                • API String ID: 0-1584390748
                                • Opcode ID: 91cdb2e244844669afe764d020935d6240960ef710ac1ac52fd823a53d8d270e
                                • Instruction ID: 05c303e2312e02db3c62cb368cebf17cc29e4f8377302dd4d5ceaaf3e560a431
                                • Opcode Fuzzy Hash: 91cdb2e244844669afe764d020935d6240960ef710ac1ac52fd823a53d8d270e
                                • Instruction Fuzzy Hash: 9821DBA3F0911A41FA244E1496603F913719FA47A6FA64531FD9DD73D8CE2EA8838211

                                Control-flow Graph

                                APIs
                                • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6CE591247), ref: 00007FF6CE5919F9
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2102929578.00007FF6CE591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CE590000, based on PE: true
                                • Associated: 00000000.00000002.2102917503.00007FF6CE590000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102941995.00007FF6CE598000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102954025.00007FF6CE59A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102966177.00007FF6CE59B000.00000008.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2103111889.00007FF6CE816000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2103125413.00007FF6CE818000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ff6ce590000_daRNfwifay.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                • API String ID: 544645111-395989641
                                • Opcode ID: d6994086fcb1fc14bbec2f488f1ae26f8e14eecf9dee085739d6d0ac41247db6
                                • Instruction ID: 3e2fa1a1b22e2342d9603ae61eb8d59ba28e0563cf069b038bb888ccb6e97e4d
                                • Opcode Fuzzy Hash: d6994086fcb1fc14bbec2f488f1ae26f8e14eecf9dee085739d6d0ac41247db6
                                • Instruction Fuzzy Hash: FC5192A6F08596D6EB108F21D9507F83771AB24B96F854131E99DA7794CF3DE883C700

                                Control-flow Graph

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2102929578.00007FF6CE591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CE590000, based on PE: true
                                • Associated: 00000000.00000002.2102917503.00007FF6CE590000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102941995.00007FF6CE598000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102954025.00007FF6CE59A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102966177.00007FF6CE59B000.00000008.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2103111889.00007FF6CE816000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2103125413.00007FF6CE818000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ff6ce590000_daRNfwifay.jbxd
                                Similarity
                                • API ID: fprintf
                                • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                • API String ID: 383729395-3474627141
                                • Opcode ID: def3b4d1b7afcdc9c41babcfd7ad642259afce1846380b257a200b73c214eff3
                                • Instruction ID: e6c0f2e4431b3f1ba74ef88ffd94d4061982bb3aede600b8f00ab92d26bd5cd1
                                • Opcode Fuzzy Hash: def3b4d1b7afcdc9c41babcfd7ad642259afce1846380b257a200b73c214eff3
                                • Instruction Fuzzy Hash: 6BF0C252E18A8582E6119F24AA510F96370EB693C2FC09231FE8DF7255DF2DE1838300

                                Control-flow Graph

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.2102929578.00007FF6CE591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CE590000, based on PE: true
                                • Associated: 00000000.00000002.2102917503.00007FF6CE590000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102941995.00007FF6CE598000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102954025.00007FF6CE59A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2102966177.00007FF6CE59B000.00000008.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2103111889.00007FF6CE816000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2103125413.00007FF6CE818000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ff6ce590000_daRNfwifay.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterErrorLastLeaveValue
                                • String ID:
                                • API String ID: 682475483-0
                                • Opcode ID: 7aa9b52c2fbcd742ec20c09a8dcd10f4a078d7388be026f4a444c53322c0ebf1
                                • Instruction ID: 8ec3334e4312470580f91dd60e029384880e96aa55df8abe95cfd7eeaf3b6c52
                                • Opcode Fuzzy Hash: 7aa9b52c2fbcd742ec20c09a8dcd10f4a078d7388be026f4a444c53322c0ebf1
                                • Instruction Fuzzy Hash: 890121A9A0A54281F6069F41FD142B82334BF24BA3F844031E99DE37A4DF2EF952D300

                                Execution Graph

                                Execution Coverage: 4%
                                Dynamic/Decrypted Code Coverage: 0%
                                Signature Coverage: 0%
                                Total number of Nodes: 1516
                                Total number of Limit Nodes: 2
7ff6d19514fe 3475->3476 3477 7ff6d1951503 3476->3477 3478 7ff6d1951394 2 API calls 3476->3478 3479 7ff6d1951394 2 API calls 3477->3479 3478->3477 3480 7ff6d195150d 3479->3480 3481 7ff6d1951394 2 API calls 3480->3481 3482 7ff6d1951512 3481->3482 3483 7ff6d1951394 2 API calls 3482->3483 3484 7ff6d1951521 3483->3484 3485 7ff6d1951530 3484->3485 3486 7ff6d1951394 2 API calls 3484->3486 3487 7ff6d1951394 2 API calls 3485->3487 3486->3485 3488 7ff6d195153a 3487->3488 3489 7ff6d1951394 2 API calls 3488->3489 3490 7ff6d195153f 3489->3490 3491 7ff6d1951394 2 API calls 3490->3491 3492 7ff6d195154e 3491->3492 3493 7ff6d1951394 2 API calls 3492->3493 3494 7ff6d195155d 3493->3494 3495 7ff6d1951394 2 API calls 3494->3495 3496 7ff6d195156c 3495->3496 3497 7ff6d1951394 2 API calls 3496->3497 3498 7ff6d195157b 3497->3498 3499 7ff6d1951394 2 API calls 3498->3499 3500 7ff6d195158a 3499->3500 3501 7ff6d1951394 2 API calls 3500->3501 3502 7ff6d1951599 3501->3502 3503 7ff6d1951394 2 API calls 3502->3503 3504 7ff6d19515a8 3503->3504 3505 7ff6d1951394 2 API calls 3504->3505 3506 7ff6d19515b7 3505->3506 3507 7ff6d19515c6 3506->3507 3508 7ff6d1951394 2 API calls 3506->3508 3509 7ff6d1951394 2 API calls 3507->3509 3508->3507 3510 7ff6d19515d0 3509->3510 3511 7ff6d19515d5 3510->3511 3512 7ff6d1951394 2 API calls 3510->3512 3513 7ff6d1951394 2 API calls 3511->3513 3512->3511 3514 7ff6d19515e4 3513->3514 3515 7ff6d1951394 2 API calls 3514->3515 3516 7ff6d19515f3 3515->3516 3516->3361 3518 7ff6d1951394 2 API calls 3517->3518 3519 7ff6d195142c 3518->3519 3520 7ff6d1951431 3519->3520 3521 7ff6d1951394 2 API calls 3519->3521 3522 7ff6d1951394 2 API calls 3520->3522 3521->3520 3523 7ff6d195143b 3522->3523 3524 7ff6d1951394 2 API calls 3523->3524 3525 7ff6d1951440 3524->3525 3526 7ff6d1951394 2 API calls 3525->3526 3527 7ff6d195144f 3526->3527 3528 7ff6d1951394 2 API calls 3527->3528 3529 7ff6d195145e 3528->3529 3530 7ff6d1951394 2 API calls 3529->3530 3531 7ff6d195146d 3530->3531 3532 7ff6d1951394 2 
API calls 3531->3532 3533 7ff6d195147c 3532->3533 3534 7ff6d1951394 2 API calls 3533->3534 3535 7ff6d195148b 3534->3535 3536 7ff6d1951394 2 API calls 3535->3536 3537 7ff6d195149a 3536->3537 3538 7ff6d1951394 2 API calls 3537->3538 3539 7ff6d19514a9 3538->3539 3540 7ff6d19514b8 3539->3540 3541 7ff6d1951394 2 API calls 3539->3541 3542 7ff6d1951394 2 API calls 3540->3542 3541->3540 3543 7ff6d19514c2 3542->3543 3544 7ff6d19514c7 3543->3544 3545 7ff6d1951394 2 API calls 3543->3545 3546 7ff6d1951394 2 API calls 3544->3546 3545->3544 3547 7ff6d19514d1 3546->3547 3548 7ff6d19514d6 3547->3548 3549 7ff6d1951394 2 API calls 3547->3549 3550 7ff6d1951394 2 API calls 3548->3550 3549->3548 3551 7ff6d19514e0 3550->3551 3552 7ff6d19514e5 3551->3552 3553 7ff6d1951394 2 API calls 3551->3553 3554 7ff6d1951394 2 API calls 3552->3554 3553->3552 3555 7ff6d19514ef 3554->3555 3556 7ff6d19514f4 3555->3556 3557 7ff6d1951394 2 API calls 3555->3557 3558 7ff6d1951394 2 API calls 3556->3558 3557->3556 3559 7ff6d19514fe 3558->3559 3560 7ff6d1951503 3559->3560 3561 7ff6d1951394 2 API calls 3559->3561 3562 7ff6d1951394 2 API calls 3560->3562 3561->3560 3563 7ff6d195150d 3562->3563 3564 7ff6d1951394 2 API calls 3563->3564 3565 7ff6d1951512 3564->3565 3566 7ff6d1951394 2 API calls 3565->3566 3567 7ff6d1951521 3566->3567 3568 7ff6d1951530 3567->3568 3569 7ff6d1951394 2 API calls 3567->3569 3570 7ff6d1951394 2 API calls 3568->3570 3569->3568 3571 7ff6d195153a 3570->3571 3572 7ff6d1951394 2 API calls 3571->3572 3573 7ff6d195153f 3572->3573 3574 7ff6d1951394 2 API calls 3573->3574 3575 7ff6d195154e 3574->3575 3576 7ff6d1951394 2 API calls 3575->3576 3577 7ff6d195155d 3576->3577 3578 7ff6d1951394 2 API calls 3577->3578 3579 7ff6d195156c 3578->3579 3580 7ff6d1951394 2 API calls 3579->3580 3581 7ff6d195157b 3580->3581 3582 7ff6d1951394 2 API calls 3581->3582 3583 7ff6d195158a 3582->3583 3584 7ff6d1951394 2 API calls 3583->3584 3585 7ff6d1951599 3584->3585 3586 7ff6d1951394 2 API calls 3585->3586 3587 
7ff6d19515a8 3586->3587 3588 7ff6d1951394 2 API calls 3587->3588 3589 7ff6d19515b7 3588->3589 3590 7ff6d19515c6 3589->3590 3591 7ff6d1951394 2 API calls 3589->3591 3592 7ff6d1951394 2 API calls 3590->3592 3591->3590 3593 7ff6d19515d0 3592->3593 3594 7ff6d19515d5 3593->3594 3595 7ff6d1951394 2 API calls 3593->3595 3596 7ff6d1951394 2 API calls 3594->3596 3595->3594 3597 7ff6d19515e4 3596->3597 3598 7ff6d1951394 2 API calls 3597->3598 3599 7ff6d19515f3 3598->3599 3599->3237 3601 7ff6d1951394 2 API calls 3600->3601 3602 7ff6d195143b 3601->3602 3603 7ff6d1951394 2 API calls 3602->3603 3604 7ff6d1951440 3603->3604 3605 7ff6d1951394 2 API calls 3604->3605 3606 7ff6d195144f 3605->3606 3607 7ff6d1951394 2 API calls 3606->3607 3608 7ff6d195145e 3607->3608 3609 7ff6d1951394 2 API calls 3608->3609 3610 7ff6d195146d 3609->3610 3611 7ff6d1951394 2 API calls 3610->3611 3612 7ff6d195147c 3611->3612 3613 7ff6d1951394 2 API calls 3612->3613 3614 7ff6d195148b 3613->3614 3615 7ff6d1951394 2 API calls 3614->3615 3616 7ff6d195149a 3615->3616 3617 7ff6d1951394 2 API calls 3616->3617 3618 7ff6d19514a9 3617->3618 3619 7ff6d19514b8 3618->3619 3620 7ff6d1951394 2 API calls 3618->3620 3621 7ff6d1951394 2 API calls 3619->3621 3620->3619 3622 7ff6d19514c2 3621->3622 3623 7ff6d19514c7 3622->3623 3624 7ff6d1951394 2 API calls 3622->3624 3625 7ff6d1951394 2 API calls 3623->3625 3624->3623 3626 7ff6d19514d1 3625->3626 3627 7ff6d19514d6 3626->3627 3628 7ff6d1951394 2 API calls 3626->3628 3629 7ff6d1951394 2 API calls 3627->3629 3628->3627 3630 7ff6d19514e0 3629->3630 3631 7ff6d19514e5 3630->3631 3632 7ff6d1951394 2 API calls 3630->3632 3633 7ff6d1951394 2 API calls 3631->3633 3632->3631 3634 7ff6d19514ef 3633->3634 3635 7ff6d19514f4 3634->3635 3636 7ff6d1951394 2 API calls 3634->3636 3637 7ff6d1951394 2 API calls 3635->3637 3636->3635 3638 7ff6d19514fe 3637->3638 3639 7ff6d1951503 3638->3639 3640 7ff6d1951394 2 API calls 3638->3640 3641 7ff6d1951394 2 API calls 3639->3641 3640->3639 3642 
7ff6d195150d 3641->3642 3643 7ff6d1951394 2 API calls 3642->3643 3644 7ff6d1951512 3643->3644 3645 7ff6d1951394 2 API calls 3644->3645 3646 7ff6d1951521 3645->3646 3647 7ff6d1951530 3646->3647 3648 7ff6d1951394 2 API calls 3646->3648 3649 7ff6d1951394 2 API calls 3647->3649 3648->3647 3650 7ff6d195153a 3649->3650 3651 7ff6d1951394 2 API calls 3650->3651 3652 7ff6d195153f 3651->3652 3653 7ff6d1951394 2 API calls 3652->3653 3654 7ff6d195154e 3653->3654 3655 7ff6d1951394 2 API calls 3654->3655 3656 7ff6d195155d 3655->3656 3657 7ff6d1951394 2 API calls 3656->3657 3658 7ff6d195156c 3657->3658 3659 7ff6d1951394 2 API calls 3658->3659 3660 7ff6d195157b 3659->3660 3661 7ff6d1951394 2 API calls 3660->3661 3662 7ff6d195158a 3661->3662 3663 7ff6d1951394 2 API calls 3662->3663 3664 7ff6d1951599 3663->3664 3665 7ff6d1951394 2 API calls 3664->3665 3666 7ff6d19515a8 3665->3666 3667 7ff6d1951394 2 API calls 3666->3667 3668 7ff6d19515b7 3667->3668 3669 7ff6d19515c6 3668->3669 3670 7ff6d1951394 2 API calls 3668->3670 3671 7ff6d1951394 2 API calls 3669->3671 3670->3669 3672 7ff6d19515d0 3671->3672 3673 7ff6d19515d5 3672->3673 3674 7ff6d1951394 2 API calls 3672->3674 3675 7ff6d1951394 2 API calls 3673->3675 3674->3673 3676 7ff6d19515e4 3675->3676 3677 7ff6d1951394 2 API calls 3676->3677 3678 7ff6d19515f3 3677->3678 3678->3246 3680 7ff6d1951394 2 API calls 3679->3680 3681 7ff6d19514c2 3680->3681 3682 7ff6d19514c7 3681->3682 3683 7ff6d1951394 2 API calls 3681->3683 3684 7ff6d1951394 2 API calls 3682->3684 3683->3682 3685 7ff6d19514d1 3684->3685 3686 7ff6d19514d6 3685->3686 3687 7ff6d1951394 2 API calls 3685->3687 3688 7ff6d1951394 2 API calls 3686->3688 3687->3686 3689 7ff6d19514e0 3688->3689 3690 7ff6d19514e5 3689->3690 3691 7ff6d1951394 2 API calls 3689->3691 3692 7ff6d1951394 2 API calls 3690->3692 3691->3690 3693 7ff6d19514ef 3692->3693 3694 7ff6d19514f4 3693->3694 3695 7ff6d1951394 2 API calls 3693->3695 3696 7ff6d1951394 2 API calls 3694->3696 3695->3694 3697 7ff6d19514fe 
3696->3697 3698 7ff6d1951503 3697->3698 3699 7ff6d1951394 2 API calls 3697->3699 3700 7ff6d1951394 2 API calls 3698->3700 3699->3698 3701 7ff6d195150d 3700->3701 3702 7ff6d1951394 2 API calls 3701->3702 3703 7ff6d1951512 3702->3703 3704 7ff6d1951394 2 API calls 3703->3704 3705 7ff6d1951521 3704->3705 3706 7ff6d1951530 3705->3706 3707 7ff6d1951394 2 API calls 3705->3707 3708 7ff6d1951394 2 API calls 3706->3708 3707->3706 3709 7ff6d195153a 3708->3709 3710 7ff6d1951394 2 API calls 3709->3710 3711 7ff6d195153f 3710->3711 3712 7ff6d1951394 2 API calls 3711->3712 3713 7ff6d195154e 3712->3713 3714 7ff6d1951394 2 API calls 3713->3714 3715 7ff6d195155d 3714->3715 3716 7ff6d1951394 2 API calls 3715->3716 3717 7ff6d195156c 3716->3717 3718 7ff6d1951394 2 API calls 3717->3718 3719 7ff6d195157b 3718->3719 3720 7ff6d1951394 2 API calls 3719->3720 3721 7ff6d195158a 3720->3721 3722 7ff6d1951394 2 API calls 3721->3722 3723 7ff6d1951599 3722->3723 3724 7ff6d1951394 2 API calls 3723->3724 3725 7ff6d19515a8 3724->3725 3726 7ff6d1951394 2 API calls 3725->3726 3727 7ff6d19515b7 3726->3727 3728 7ff6d19515c6 3727->3728 3729 7ff6d1951394 2 API calls 3727->3729 3730 7ff6d1951394 2 API calls 3728->3730 3729->3728 3731 7ff6d19515d0 3730->3731 3732 7ff6d19515d5 3731->3732 3733 7ff6d1951394 2 API calls 3731->3733 3734 7ff6d1951394 2 API calls 3732->3734 3733->3732 3735 7ff6d19515e4 3734->3735 3736 7ff6d1951394 2 API calls 3735->3736 3737 7ff6d19515f3 3736->3737 3737->3319 3739 7ff6d1951394 2 API calls 3738->3739 3740 7ff6d19515e4 3739->3740 3741 7ff6d1951394 2 API calls 3740->3741 3742 7ff6d19515f3 3741->3742 3742->3319 3744 7ff6d1951394 2 API calls 3743->3744 3745 7ff6d195149a 3744->3745 3746 7ff6d1951394 2 API calls 3745->3746 3747 7ff6d19514a9 3746->3747 3748 7ff6d19514b8 3747->3748 3749 7ff6d1951394 2 API calls 3747->3749 3750 7ff6d1951394 2 API calls 3748->3750 3749->3748 3751 7ff6d19514c2 3750->3751 3752 7ff6d19514c7 3751->3752 3753 7ff6d1951394 2 API calls 3751->3753 3754 7ff6d1951394 2 
API calls 3752->3754 3753->3752 3755 7ff6d19514d1 3754->3755 3756 7ff6d19514d6 3755->3756 3757 7ff6d1951394 2 API calls 3755->3757 3758 7ff6d1951394 2 API calls 3756->3758 3757->3756 3759 7ff6d19514e0 3758->3759 3760 7ff6d19514e5 3759->3760 3761 7ff6d1951394 2 API calls 3759->3761 3762 7ff6d1951394 2 API calls 3760->3762 3761->3760 3763 7ff6d19514ef 3762->3763 3764 7ff6d19514f4 3763->3764 3765 7ff6d1951394 2 API calls 3763->3765 3766 7ff6d1951394 2 API calls 3764->3766 3765->3764 3767 7ff6d19514fe 3766->3767 3768 7ff6d1951503 3767->3768 3769 7ff6d1951394 2 API calls 3767->3769 3770 7ff6d1951394 2 API calls 3768->3770 3769->3768 3771 7ff6d195150d 3770->3771 3772 7ff6d1951394 2 API calls 3771->3772 3773 7ff6d1951512 3772->3773 3774 7ff6d1951394 2 API calls 3773->3774 3775 7ff6d1951521 3774->3775 3776 7ff6d1951530 3775->3776 3777 7ff6d1951394 2 API calls 3775->3777 3778 7ff6d1951394 2 API calls 3776->3778 3777->3776 3779 7ff6d195153a 3778->3779 3780 7ff6d1951394 2 API calls 3779->3780 3781 7ff6d195153f 3780->3781 3782 7ff6d1951394 2 API calls 3781->3782 3783 7ff6d195154e 3782->3783 3784 7ff6d1951394 2 API calls 3783->3784 3785 7ff6d195155d 3784->3785 3786 7ff6d1951394 2 API calls 3785->3786 3787 7ff6d195156c 3786->3787 3788 7ff6d1951394 2 API calls 3787->3788 3789 7ff6d195157b 3788->3789 3790 7ff6d1951394 2 API calls 3789->3790 3791 7ff6d195158a 3790->3791 3792 7ff6d1951394 2 API calls 3791->3792 3793 7ff6d1951599 3792->3793 3794 7ff6d1951394 2 API calls 3793->3794 3795 7ff6d19515a8 3794->3795 3796 7ff6d1951394 2 API calls 3795->3796 3797 7ff6d19515b7 3796->3797 3798 7ff6d19515c6 3797->3798 3799 7ff6d1951394 2 API calls 3797->3799 3800 7ff6d1951394 2 API calls 3798->3800 3799->3798 3801 7ff6d19515d0 3800->3801 3802 7ff6d19515d5 3801->3802 3803 7ff6d1951394 2 API calls 3801->3803 3804 7ff6d1951394 2 API calls 3802->3804 3803->3802 3805 7ff6d19515e4 3804->3805 3806 7ff6d1951394 2 API calls 3805->3806 3807 7ff6d19515f3 3806->3807 3807->3312 3808 7ff6d195149a 3807->3808 
3809 7ff6d1951394 2 API calls 3808->3809 3810 7ff6d19514a9 3809->3810 3811 7ff6d19514b8 3810->3811 3812 7ff6d1951394 2 API calls 3810->3812 3813 7ff6d1951394 2 API calls 3811->3813 3812->3811 3814 7ff6d19514c2 3813->3814 3815 7ff6d19514c7 3814->3815 3816 7ff6d1951394 2 API calls 3814->3816 3817 7ff6d1951394 2 API calls 3815->3817 3816->3815 3818 7ff6d19514d1 3817->3818 3819 7ff6d19514d6 3818->3819 3820 7ff6d1951394 2 API calls 3818->3820 3821 7ff6d1951394 2 API calls 3819->3821 3820->3819 3822 7ff6d19514e0 3821->3822 3823 7ff6d19514e5 3822->3823 3824 7ff6d1951394 2 API calls 3822->3824 3825 7ff6d1951394 2 API calls 3823->3825 3824->3823 3826 7ff6d19514ef 3825->3826 3827 7ff6d19514f4 3826->3827 3828 7ff6d1951394 2 API calls 3826->3828 3829 7ff6d1951394 2 API calls 3827->3829 3828->3827 3830 7ff6d19514fe 3829->3830 3831 7ff6d1951503 3830->3831 3832 7ff6d1951394 2 API calls 3830->3832 3833 7ff6d1951394 2 API calls 3831->3833 3832->3831 3834 7ff6d195150d 3833->3834 3835 7ff6d1951394 2 API calls 3834->3835 3836 7ff6d1951512 3835->3836 3837 7ff6d1951394 2 API calls 3836->3837 3838 7ff6d1951521 3837->3838 3839 7ff6d1951530 3838->3839 3840 7ff6d1951394 2 API calls 3838->3840 3841 7ff6d1951394 2 API calls 3839->3841 3840->3839 3842 7ff6d195153a 3841->3842 3843 7ff6d1951394 2 API calls 3842->3843 3844 7ff6d195153f 3843->3844 3845 7ff6d1951394 2 API calls 3844->3845 3846 7ff6d195154e 3845->3846 3847 7ff6d1951394 2 API calls 3846->3847 3848 7ff6d195155d 3847->3848 3849 7ff6d1951394 2 API calls 3848->3849 3850 7ff6d195156c 3849->3850 3851 7ff6d1951394 2 API calls 3850->3851 3852 7ff6d195157b 3851->3852 3853 7ff6d1951394 2 API calls 3852->3853 3854 7ff6d195158a 3853->3854 3855 7ff6d1951394 2 API calls 3854->3855 3856 7ff6d1951599 3855->3856 3857 7ff6d1951394 2 API calls 3856->3857 3858 7ff6d19515a8 3857->3858 3859 7ff6d1951394 2 API calls 3858->3859 3860 7ff6d19515b7 3859->3860 3861 7ff6d19515c6 3860->3861 3862 7ff6d1951394 2 API calls 3860->3862 3863 7ff6d1951394 2 API calls 
3861->3863 3862->3861 3864 7ff6d19515d0 3863->3864 3865 7ff6d19515d5 3864->3865 3866 7ff6d1951394 2 API calls 3864->3866 3867 7ff6d1951394 2 API calls 3865->3867 3866->3865 3868 7ff6d19515e4 3867->3868 3869 7ff6d1951394 2 API calls 3868->3869 3870 7ff6d19515f3 3869->3870 3870->3312 3870->3323 3872 7ff6d1951394 2 API calls 3871->3872 3873 7ff6d195148b 3872->3873 3874 7ff6d1951394 2 API calls 3873->3874 3875 7ff6d195149a 3874->3875 3876 7ff6d1951394 2 API calls 3875->3876 3877 7ff6d19514a9 3876->3877 3878 7ff6d19514b8 3877->3878 3879 7ff6d1951394 2 API calls 3877->3879 3880 7ff6d1951394 2 API calls 3878->3880 3879->3878 3881 7ff6d19514c2 3880->3881 3882 7ff6d19514c7 3881->3882 3883 7ff6d1951394 2 API calls 3881->3883 3884 7ff6d1951394 2 API calls 3882->3884 3883->3882 3885 7ff6d19514d1 3884->3885 3886 7ff6d19514d6 3885->3886 3887 7ff6d1951394 2 API calls 3885->3887 3888 7ff6d1951394 2 API calls 3886->3888 3887->3886 3889 7ff6d19514e0 3888->3889 3890 7ff6d19514e5 3889->3890 3891 7ff6d1951394 2 API calls 3889->3891 3892 7ff6d1951394 2 API calls 3890->3892 3891->3890 3893 7ff6d19514ef 3892->3893 3894 7ff6d19514f4 3893->3894 3895 7ff6d1951394 2 API calls 3893->3895 3896 7ff6d1951394 2 API calls 3894->3896 3895->3894 3897 7ff6d19514fe 3896->3897 3898 7ff6d1951503 3897->3898 3899 7ff6d1951394 2 API calls 3897->3899 3900 7ff6d1951394 2 API calls 3898->3900 3899->3898 3901 7ff6d195150d 3900->3901 3902 7ff6d1951394 2 API calls 3901->3902 3903 7ff6d1951512 3902->3903 3904 7ff6d1951394 2 API calls 3903->3904 3905 7ff6d1951521 3904->3905 3906 7ff6d1951530 3905->3906 3907 7ff6d1951394 2 API calls 3905->3907 3908 7ff6d1951394 2 API calls 3906->3908 3907->3906 3909 7ff6d195153a 3908->3909 3910 7ff6d1951394 2 API calls 3909->3910 3911 7ff6d195153f 3910->3911 3912 7ff6d1951394 2 API calls 3911->3912 3913 7ff6d195154e 3912->3913 3914 7ff6d1951394 2 API calls 3913->3914 3915 7ff6d195155d 3914->3915 3916 7ff6d1951394 2 API calls 3915->3916 3917 7ff6d195156c 3916->3917 3918 7ff6d1951394 
2 API calls 3917->3918 3919 7ff6d195157b 3918->3919 3920 7ff6d1951394 2 API calls 3919->3920 3921 7ff6d195158a 3920->3921 3922 7ff6d1951394 2 API calls 3921->3922 3923 7ff6d1951599 3922->3923 3924 7ff6d1951394 2 API calls 3923->3924 3925 7ff6d19515a8 3924->3925 3926 7ff6d1951394 2 API calls 3925->3926 3927 7ff6d19515b7 3926->3927 3928 7ff6d19515c6 3927->3928 3929 7ff6d1951394 2 API calls 3927->3929 3930 7ff6d1951394 2 API calls 3928->3930 3929->3928 3931 7ff6d19515d0 3930->3931 3932 7ff6d19515d5 3931->3932 3933 7ff6d1951394 2 API calls 3931->3933 3934 7ff6d1951394 2 API calls 3932->3934 3933->3932 3935 7ff6d19515e4 3934->3935 3936 7ff6d1951394 2 API calls 3935->3936 3937 7ff6d19515f3 3936->3937 3937->3328 3939 7ff6d1951394 2 API calls 3938->3939 3940 7ff6d19515d0 3939->3940 3941 7ff6d19515d5 3940->3941 3942 7ff6d1951394 2 API calls 3940->3942 3943 7ff6d1951394 2 API calls 3941->3943 3942->3941 3944 7ff6d19515e4 3943->3944 3945 7ff6d1951394 2 API calls 3944->3945 3946 7ff6d19515f3 3945->3946 3946->3329 4005 7ff6d1952320 strlen 4006 7ff6d1952337 4005->4006 4111 7ff6d1951000 4112 7ff6d195108b __set_app_type 4111->4112 4113 7ff6d1951040 4111->4113 4114 7ff6d19510b6 4112->4114 4113->4112 4115 7ff6d19510e5 4114->4115 4117 7ff6d1951e00 4114->4117 4118 7ff6d19573e0 __setusermatherr 4117->4118 4119 7ff6d1951800 4120 7ff6d1951812 4119->4120 4121 7ff6d1951835 fprintf 4120->4121 3976 7ff6d1951f47 3977 7ff6d1951e67 signal 3976->3977 3978 7ff6d1951e99 3976->3978 3977->3978 3979 7ff6d1951e7c 3977->3979 3979->3978 3980 7ff6d1951e82 signal 3979->3980 3980->3978 4007 7ff6d1951ab3 4008 7ff6d1951ade 4007->4008 4009 7ff6d1951b36 4008->4009 4012 7ff6d195199e 4008->4012 4014 7ff6d1951a0f 4008->4014 4010 7ff6d1951ba0 4 API calls 4009->4010 4011 7ff6d1951b53 4010->4011 4013 7ff6d19519e9 VirtualProtect 4012->4013 4012->4014 4013->4012 2540 7ff6d1951394 2544 7ff6d1956e50 2540->2544 2542 7ff6d19513b8 2543 7ff6d19513c6 NtCreateTransaction 2542->2543 2545 7ff6d1956e6e 2544->2545 2546 
7ff6d1956e9b 2544->2546 2545->2542 2546->2545 2547 7ff6d1956f43 2546->2547 2548 7ff6d1956f5f malloc 2547->2548 2549 7ff6d1956f80 2548->2549 2549->2545 3981 7ff6d1951ad4 3982 7ff6d1951ade 3981->3982 3983 7ff6d1951a0f 3982->3983 3984 7ff6d1951b36 3982->3984 3986 7ff6d195199e 3982->3986 3985 7ff6d1951ba0 4 API calls 3984->3985 3988 7ff6d1951b53 3985->3988 3986->3983 3987 7ff6d19519e9 VirtualProtect 3986->3987 3987->3986 3988->3988 3960 7ff6d195216f 3961 7ff6d1952178 InitializeCriticalSection 3960->3961 3962 7ff6d1952185 3960->3962 3961->3962 3963 7ff6d1951a70 3964 7ff6d195199e 3963->3964 3967 7ff6d1951a7d 3963->3967 3965 7ff6d1951a0f 3964->3965 3966 7ff6d19519e9 VirtualProtect 3964->3966 3966->3964 3989 7ff6d1951fd0 3990 7ff6d1951fe4 3989->3990 3992 7ff6d1952033 3989->3992 3991 7ff6d1951ffd EnterCriticalSection LeaveCriticalSection 3990->3991 3990->3992 3991->3992 3993 7ff6d1952050 3994 7ff6d195205e EnterCriticalSection 3993->3994 3995 7ff6d19520cf 3993->3995 3996 7ff6d19520c2 LeaveCriticalSection 3994->3996 3997 7ff6d1952079 3994->3997 3996->3995 3997->3996 3998 7ff6d19520bd free 3997->3998 3998->3996 4122 7ff6d1951e10 4123 7ff6d1951e2f 4122->4123 4124 7ff6d1951e55 4123->4124 4125 7ff6d1951ecc 4123->4125 4126 7ff6d1951eb5 4123->4126 4124->4126 4130 7ff6d1951f12 signal 4124->4130 4125->4126 4127 7ff6d1951ed3 signal 4125->4127 4127->4126 4128 7ff6d1951ee4 4127->4128 4128->4126 4129 7ff6d1951eea signal 4128->4129 4129->4126 4130->4126

                                Callgraph

                                • Executed
                                • Not Executed
                                • Opacity -> Relevance
                                • Disassembly available
                                [Callgraph node/edge data omitted (124 function nodes, addresses ranging from Function_00007FF6D1951000 to Function_00007FF6D1957100, with their call edges); the graph is rendered interactively in the original report.]

                                Control-flow Graph

                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2105762967.00007FF6D1951000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D1950000, based on PE: true
                                • Associated: 0000000A.00000002.2105748527.00007FF6D1950000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105778456.00007FF6D1958000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105793045.00007FF6D195A000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105969996.00007FF6D1BD8000.00000002.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7ff6d1950000_system_services.jbxd
                                Similarity
                                • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                • String ID:
                                • API String ID: 2643109117-0
                                • Opcode ID: e40d977814605a0f93f2d998e9fdae947e316efba747862f1935729e8d83170b
                                • Instruction ID: 91f072b798e5a5d9be335c6fd9e2911b0f8305daf8bfea45cec7b066328d92dd
                                • Opcode Fuzzy Hash: e40d977814605a0f93f2d998e9fdae947e316efba747862f1935729e8d83170b
                                • Instruction Fuzzy Hash: 54515BB1E0960385FB149B26E95137D27A1BF8579EF845073D90EEB7A3DEBCA4618300

                                Control-flow Graph

                                APIs
                                • NtCreateTransaction.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D1951156), ref: 00007FF6D19513F7
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2105762967.00007FF6D1951000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D1950000, based on PE: true
                                • Associated: 0000000A.00000002.2105748527.00007FF6D1950000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105778456.00007FF6D1958000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105793045.00007FF6D195A000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105969996.00007FF6D1BD8000.00000002.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7ff6d1950000_system_services.jbxd
                                Similarity
                                • API ID: CreateTransaction
                                • String ID:
                                • API String ID: 2853108320-0
                                • Opcode ID: 7268df7e5cfa79fb4a8563cd703875b617d8e80e9955c701edb4f4955cdd1ac4
                                • Instruction ID: bed8a7af4501ba7a5e4b24bc3bc33178109b9a9f41ebeed64d01e7a79e2c85a5
                                • Opcode Fuzzy Hash: 7268df7e5cfa79fb4a8563cd703875b617d8e80e9955c701edb4f4955cdd1ac4
                                • Instruction Fuzzy Hash: C5F0B67191CB4282F710CB61F84007E77A1FB5A789B404436EA8CAA766DF7CE1608B48

                                Control-flow Graph

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2105762967.00007FF6D1951000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D1950000, based on PE: true
                                • Associated: 0000000A.00000002.2105748527.00007FF6D1950000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105778456.00007FF6D1958000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105793045.00007FF6D195A000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105969996.00007FF6D1BD8000.00000002.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7ff6d1950000_system_services.jbxd
                                Similarity
                                • API ID: memset$wcscatwcscpywcslen
                                • String ID: $0$0$@$@
                                • API String ID: 4263182637-1413854666
                                • Opcode ID: 59ab4ffbad1c94c8e89f6c6391b24e12640be275aebda49ad401e6e1a0cf9a42
                                • Instruction ID: 5939a811518a82515ba71cc8ccc15be0cb3237912e3d5bfe66f34f3d595b67fc
                                • Opcode Fuzzy Hash: 59ab4ffbad1c94c8e89f6c6391b24e12640be275aebda49ad401e6e1a0cf9a42
                                • Instruction Fuzzy Hash: C7B17F2190CAC385F3258B15F4057BE77A0FF8574DF405136EA8DA66A6DFBCD2668B00

                                Control-flow Graph

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2105762967.00007FF6D1951000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D1950000, based on PE: true
                                • Associated: 0000000A.00000002.2105748527.00007FF6D1950000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105778456.00007FF6D1958000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105793045.00007FF6D195A000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105969996.00007FF6D1BD8000.00000002.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7ff6d1950000_system_services.jbxd
                                Similarity
                                • API ID: wcslen$memsetwcscatwcscpywcsncmp
                                • String ID: 0$X$`
                                • API String ID: 329590056-2527496196
                                • Opcode ID: 02986b39d885733c9968b0222c049767e36aa813aa5f7dd44f00938c55c8f831
                                • Instruction ID: 233bb4524a75abf32e578828569327b6df46377d8978e0f84384250a6905205f
                                • Opcode Fuzzy Hash: 02986b39d885733c9968b0222c049767e36aa813aa5f7dd44f00938c55c8f831
                                • Instruction Fuzzy Hash: 7A026C22A09B8281F7218B15E8443BE77A0FB857ACF405236DA9D9B7E6DFBCD155C700

                                Control-flow Graph

                                APIs
                                • VirtualQuery.KERNEL32(?,?,?,?,00007FF6D1959180,00007FF6D1959180,?,?,00007FF6D1950000,?,00007FF6D1951991), ref: 00007FF6D1951C63
                                • VirtualProtect.KERNEL32(?,?,?,?,00007FF6D1959180,00007FF6D1959180,?,?,00007FF6D1950000,?,00007FF6D1951991), ref: 00007FF6D1951CC7
                                • memcpy.MSVCRT ref: 00007FF6D1951CE0
                                • GetLastError.KERNEL32(?,?,?,?,00007FF6D1959180,00007FF6D1959180,?,?,00007FF6D1950000,?,00007FF6D1951991), ref: 00007FF6D1951D23
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2105762967.00007FF6D1951000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D1950000, based on PE: true
                                • Associated: 0000000A.00000002.2105748527.00007FF6D1950000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105778456.00007FF6D1958000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105793045.00007FF6D195A000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105969996.00007FF6D1BD8000.00000002.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7ff6d1950000_system_services.jbxd
                                Similarity
                                • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                • API String ID: 2595394609-2123141913
                                • Opcode ID: 7512f2eac9aa76a994b51ddc5a0ad258ab91a77bea0d85f379085d31040b2c68
                                • Instruction ID: b98893c818c43e49d7525fba59899f52124006b0d8972c50b41d2f07b073a643
                                • Opcode Fuzzy Hash: 7512f2eac9aa76a994b51ddc5a0ad258ab91a77bea0d85f379085d31040b2c68
                                • Instruction Fuzzy Hash: 54417DB1A09A4385FB149B01D8446BC2B60EB85BCDF544133CE0EEB3A6DEBCE965C300

                                Control-flow Graph

                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2105762967.00007FF6D1951000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D1950000, based on PE: true
                                • Associated: 0000000A.00000002.2105748527.00007FF6D1950000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105778456.00007FF6D1958000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105793045.00007FF6D195A000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105969996.00007FF6D1BD8000.00000002.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7ff6d1950000_system_services.jbxd
                                Similarity
                                • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                • String ID:
                                • API String ID: 3326252324-0
                                • Opcode ID: a3f50990dafef5f20fe13fa5a8709b198bdd4a8216d1cc2d24d41753a25ef540
                                • Instruction ID: d342150122d8ce1a29e1425a22f590f63d0b71bce52e53087f02b1e1ab39ac3e
                                • Opcode Fuzzy Hash: a3f50990dafef5f20fe13fa5a8709b198bdd4a8216d1cc2d24d41753a25ef540
                                • Instruction Fuzzy Hash: 6821EF24A09913C5FB1D9B15E94037D2360BF51B9EF841073C91EEB6A5DFACA8668340

                                Control-flow Graph

                                Control-flow graph (rendered edge list not reproduced): basic blocks 7ff6d1951e10 through 7ff6d1951f69, with edges calling signal and calling 7ff6d19573f0.
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2105762967.00007FF6D1951000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D1950000, based on PE: true
                                • Associated: 0000000A.00000002.2105748527.00007FF6D1950000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105778456.00007FF6D1958000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105793045.00007FF6D195A000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105969996.00007FF6D1BD8000.00000002.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7ff6d1950000_system_services.jbxd
                                Similarity
                                • API ID:
                                • String ID: CCG
                                • API String ID: 0-1584390748
                                • Opcode ID: 91cdb2e244844669afe764d020935d6240960ef710ac1ac52fd823a53d8d270e
                                • Instruction ID: 9240ca9b8e398ae25a2e886b9e6cd7191ec54b0dbdc8e59df07a56dc41f45fe5
                                • Opcode Fuzzy Hash: 91cdb2e244844669afe764d020935d6240960ef710ac1ac52fd823a53d8d270e
                                • Instruction Fuzzy Hash: 7221AEA1F0D10741FB684219A99037D1181DF987AEF658533DD1EEB3D7CFECA8A18241

                                Control-flow Graph

                                APIs
                                • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D1951247), ref: 00007FF6D19519F9
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2105762967.00007FF6D1951000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D1950000, based on PE: true
                                • Associated: 0000000A.00000002.2105748527.00007FF6D1950000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105778456.00007FF6D1958000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105793045.00007FF6D195A000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105969996.00007FF6D1BD8000.00000002.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7ff6d1950000_system_services.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                • API String ID: 544645111-395989641
                                • Opcode ID: d6994086fcb1fc14bbec2f488f1ae26f8e14eecf9dee085739d6d0ac41247db6
                                • Instruction ID: daca973f7ec93c5c202918583b12ac1379501f9ee5c65e87ec05f1434a02b73f
                                • Opcode Fuzzy Hash: d6994086fcb1fc14bbec2f488f1ae26f8e14eecf9dee085739d6d0ac41247db6
                                • Instruction Fuzzy Hash: 4D518F75F08547C6FB109B22E8417BC2761AB04B9EF844133D91D9B7A6CEBCE9A1C700

                                Control-flow Graph

                                Control-flow graph (rendered edge list not reproduced): basic blocks 7ff6d1951800 through 7ff6d1951867, with edges calling 7ff6d1952290 and fprintf.
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2105762967.00007FF6D1951000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D1950000, based on PE: true
                                • Associated: 0000000A.00000002.2105748527.00007FF6D1950000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105778456.00007FF6D1958000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105793045.00007FF6D195A000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105969996.00007FF6D1BD8000.00000002.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7ff6d1950000_system_services.jbxd
                                Similarity
                                • API ID: fprintf
                                • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                • API String ID: 383729395-3474627141
                                • Opcode ID: def3b4d1b7afcdc9c41babcfd7ad642259afce1846380b257a200b73c214eff3
                                • Instruction ID: 0e7987ca823f14520cdce32cd7a418db57c38475df987f43267350c1724b65a5
                                • Opcode Fuzzy Hash: def3b4d1b7afcdc9c41babcfd7ad642259afce1846380b257a200b73c214eff3
                                • Instruction Fuzzy Hash: F6F04F11A18A4682F721AB25A9410BD6360FB597DEF909232EE4DAA652DF6CE1928300

                                Control-flow Graph

                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2105762967.00007FF6D1951000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D1950000, based on PE: true
                                • Associated: 0000000A.00000002.2105748527.00007FF6D1950000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105778456.00007FF6D1958000.00000002.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105793045.00007FF6D195A000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 0000000A.00000002.2105969996.00007FF6D1BD8000.00000002.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7ff6d1950000_system_services.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterErrorLastLeaveValue
                                • String ID:
                                • API String ID: 682475483-0
                                • Opcode ID: 7aa9b52c2fbcd742ec20c09a8dcd10f4a078d7388be026f4a444c53322c0ebf1
                                • Instruction ID: 8d2477342df52c766f84d185315219c00737e5b9e425d3d79f4c460fd7676659
                                • Opcode Fuzzy Hash: 7aa9b52c2fbcd742ec20c09a8dcd10f4a078d7388be026f4a444c53322c0ebf1
                                • Instruction Fuzzy Hash: 69011E29A0991386F7099B11AD4027C2720BF45B9EF840073C90EAB695DFACA871C300

                                Execution Graph

                                Execution Coverage: 2.4%
                                Dynamic/Decrypted Code Coverage: 0%
                                Signature Coverage: 0%
                                Total number of Nodes: 860
                                Total number of Limit Nodes: 2
                                execution_graph 2831 140001ac3 2832 140001a70 2831->2832 2833 140001b36 2832->2833 2834 14000199e 2832->2834 2835 140001b53 2832->2835 2836 140001ba0 4 API calls 2833->2836 2837 140001a0f 2834->2837 2838 1400019e9 VirtualProtect 2834->2838 2836->2835 2838->2834 1973 140001ae4 1975 140001a70 1973->1975 1974 140001b36 1981 140001ba0 1974->1981 1975->1974 1976 14000199e 1975->1976 1979 140001b53 1975->1979 1978 140001a0f 1976->1978 1980 1400019e9 VirtualProtect 1976->1980 1980->1976 1984 140001bc2 1981->1984 1982 140001c04 memcpy 1982->1979 1984->1982 1985 140001c45 VirtualQuery 1984->1985 1986 140001cf4 1984->1986 1985->1986 1987 140001c72 1985->1987 1988 140001d23 GetLastError 1986->1988 1987->1982 1989 140001ca4 VirtualProtect 1987->1989 1990 140001d37 1988->1990 1989->1982 1989->1988 2018 140001404 2091 140001394 2018->2091 2020 140001413 2021 140001394 2 API calls 2020->2021 2022 140001422 2021->2022 2023 140001394 2 API calls 2022->2023 2024 140001431 2023->2024 2025 140001394 2 API calls 2024->2025 2026 140001440 2025->2026 2027 140001394 2 API calls 2026->2027 2028 14000144f 2027->2028 2029 140001394 2 API calls 2028->2029 2030 14000145e 2029->2030 2031 140001394 2 API calls 2030->2031 2032 14000146d 2031->2032 2033 140001394 2 API calls 2032->2033 2034 14000147c 2033->2034 2035 140001394 2 API calls 2034->2035 2036 14000148b 2035->2036 2037 140001394 2 API calls 2036->2037 2038 14000149a 2037->2038 2039 140001394 2 API calls 2038->2039 2040 1400014a9 2039->2040 2041 140001394 2 API calls 2040->2041 2042 1400014b8 2041->2042 2043 140001394 2 API calls 2042->2043 2044 1400014c7 2043->2044 2045 140001394 2 API calls 2044->2045 2046 1400014d6 2045->2046 2047 1400014e5 2046->2047 2048 140001394 2 API calls 2046->2048 2049 140001394 2 API calls 2047->2049 2048->2047 2050 1400014ef 2049->2050 2051 1400014f4 2050->2051 2052 140001394 2 API calls 2050->2052 2053 140001394 2 API calls 2051->2053 2052->2051 2054 1400014fe 2053->2054 2055 
140001503 2054->2055 2056 140001394 2 API calls 2054->2056 2057 140001394 2 API calls 2055->2057 2056->2055 2058 14000150d 2057->2058 2059 140001394 2 API calls 2058->2059 2060 140001512 2059->2060 2061 140001394 2 API calls 2060->2061 2062 140001521 2061->2062 2063 140001394 2 API calls 2062->2063 2064 140001530 2063->2064 2065 140001394 2 API calls 2064->2065 2066 14000153f 2065->2066 2067 140001394 2 API calls 2066->2067 2068 14000154e 2067->2068 2069 140001394 2 API calls 2068->2069 2070 14000155d 2069->2070 2071 140001394 2 API calls 2070->2071 2072 14000156c 2071->2072 2073 140001394 2 API calls 2072->2073 2074 14000157b 2073->2074 2075 140001394 2 API calls 2074->2075 2076 14000158a 2075->2076 2077 140001394 2 API calls 2076->2077 2078 140001599 2077->2078 2079 140001394 2 API calls 2078->2079 2080 1400015a8 2079->2080 2081 140001394 2 API calls 2080->2081 2082 1400015b7 2081->2082 2083 140001394 2 API calls 2082->2083 2084 1400015c6 2083->2084 2085 140001394 2 API calls 2084->2085 2086 1400015d5 2085->2086 2087 140001394 2 API calls 2086->2087 2088 1400015e4 2087->2088 2089 140001394 2 API calls 2088->2089 2090 1400015f3 2089->2090 2092 1400057f0 malloc 2091->2092 2093 1400013b8 2092->2093 2094 1400013c6 NtClose 2093->2094 2094->2020 2095 140002104 2096 140002111 EnterCriticalSection 2095->2096 2097 140002218 2095->2097 2099 14000220b LeaveCriticalSection 2096->2099 2103 14000212e 2096->2103 2098 140002272 2097->2098 2100 140002241 DeleteCriticalSection 2097->2100 2102 140002230 free 2097->2102 2099->2097 2100->2098 2101 14000214d TlsGetValue GetLastError 2101->2103 2102->2100 2102->2102 2103->2099 2103->2101 1991 140001e65 1992 140001e67 signal 1991->1992 1993 140001e7c 1992->1993 1995 140001e99 1992->1995 1994 140001e82 signal 1993->1994 1993->1995 1994->1995 2839 140001f47 2840 140001e67 signal 2839->2840 2841 140001e99 2839->2841 2840->2841 2842 140001e7c 2840->2842 2842->2841 2843 140001e82 signal 2842->2843 2843->2841 1996 14000216f 1997 140002185 
1996->1997 1998 140002178 InitializeCriticalSection 1996->1998 1998->1997 1999 140001a70 2000 14000199e 1999->2000 2004 140001a7d 1999->2004 2001 140001a0f 2000->2001 2002 1400019e9 VirtualProtect 2000->2002 2002->2000 2003 140001b53 2004->1999 2004->2003 2005 140001b36 2004->2005 2006 140001ba0 4 API calls 2005->2006 2006->2003 2104 140001e10 2105 140001e2f 2104->2105 2106 140001e55 2105->2106 2107 140001ecc 2105->2107 2109 140001eb5 2105->2109 2106->2109 2112 140001f12 signal 2106->2112 2108 140001ed3 signal 2107->2108 2107->2109 2108->2109 2110 140001ee4 2108->2110 2110->2109 2111 140001eea signal 2110->2111 2111->2109 2112->2109 2844 140002050 2845 14000205e EnterCriticalSection 2844->2845 2846 1400020cf 2844->2846 2847 1400020c2 LeaveCriticalSection 2845->2847 2848 140002079 2845->2848 2847->2846 2848->2847 2849 1400020bd free 2848->2849 2849->2847 2850 140001fd0 2851 140001fe4 2850->2851 2852 140002033 2850->2852 2851->2852 2853 140001ffd EnterCriticalSection LeaveCriticalSection 2851->2853 2853->2852 2121 140001ab3 2126 140001a70 2121->2126 2122 140001b36 2124 140001ba0 4 API calls 2122->2124 2123 14000199e 2125 140001a0f 2123->2125 2128 1400019e9 VirtualProtect 2123->2128 2127 140001b53 2124->2127 2126->2121 2126->2122 2126->2123 2126->2127 2128->2123 1963 140001394 1967 1400057f0 1963->1967 1965 1400013b8 1966 1400013c6 NtClose 1965->1966 1968 14000580e 1967->1968 1971 14000583b 1967->1971 1968->1965 1969 1400058e3 1970 1400058ff malloc 1969->1970 1972 140005920 1970->1972 1971->1968 1971->1969 1972->1968 2113 14000219e 2114 140002272 2113->2114 2115 1400021ab EnterCriticalSection 2113->2115 2116 140002265 LeaveCriticalSection 2115->2116 2118 1400021c8 2115->2118 2116->2114 2117 1400021e9 TlsGetValue GetLastError 2117->2118 2118->2116 2118->2117 2007 140001000 2008 14000108b __set_app_type 2007->2008 2009 140001040 2007->2009 2011 1400010b6 2008->2011 2009->2008 2010 1400010e5 2011->2010 2013 140001e00 2011->2013 2014 140005d80 __setusermatherr 2013->2014 
2015 140001800 2016 140001812 2015->2016 2017 140001835 fprintf 2016->2017 2119 140002320 strlen 2120 140002337 2119->2120 2129 140001140 2132 140001160 2129->2132 2131 140001156 2133 1400011b9 2132->2133 2134 14000118b 2132->2134 2135 1400011d3 2133->2135 2136 1400011c7 _amsg_exit 2133->2136 2134->2133 2137 1400011a0 Sleep 2134->2137 2138 140001201 _initterm 2135->2138 2139 14000121a 2135->2139 2136->2135 2137->2133 2137->2134 2138->2139 2155 140001880 2139->2155 2142 14000126a 2143 14000126f malloc 2142->2143 2144 14000128b 2143->2144 2146 1400012d0 2143->2146 2145 1400012a0 strlen malloc memcpy 2144->2145 2145->2145 2145->2146 2166 140003160 2146->2166 2148 140001315 2149 140001344 2148->2149 2150 140001324 2148->2150 2153 140001160 67 API calls 2149->2153 2151 140001338 2150->2151 2152 14000132d _cexit 2150->2152 2151->2131 2152->2151 2154 140001366 2153->2154 2154->2131 2156 140001247 SetUnhandledExceptionFilter 2155->2156 2157 1400018a2 2155->2157 2156->2142 2157->2156 2158 14000194d 2157->2158 2162 140001a20 2157->2162 2159 14000199e 2158->2159 2160 140001ba0 4 API calls 2158->2160 2159->2156 2161 1400019e9 VirtualProtect 2159->2161 2160->2158 2161->2159 2162->2159 2163 140001b53 2162->2163 2164 140001b36 2162->2164 2165 140001ba0 4 API calls 2164->2165 2165->2163 2169 140003176 2166->2169 2167 140003288 wcslen 2251 14000153f 2167->2251 2169->2167 2171 14000347e 2171->2148 2174 140003383 2177 1400033a9 memset 2174->2177 2179 1400033db 2177->2179 2180 14000342b wcslen 2179->2180 2181 140003441 2180->2181 2185 14000347c 2180->2185 2182 140003450 _wcsnicmp 2181->2182 2183 140003466 wcslen 2182->2183 2182->2185 2183->2182 2183->2185 2184 140003541 wcscpy wcscat memset 2187 140003580 2184->2187 2185->2184 2186 1400035c3 wcscpy wcscat memset 2188 140003606 2186->2188 2187->2186 2189 14000370e wcscpy wcscat memset 2188->2189 2190 140003750 2189->2190 2191 140003aa2 wcslen 2190->2191 2192 140003ab0 2191->2192 2196 140003aeb 2191->2196 2193 140003ac0 _wcsnicmp 
2192->2193 2194 140003ad6 wcslen 2193->2194 2193->2196 2194->2193 2194->2196 2195 140003b7d wcscpy wcscat memset 2198 140003bbf 2195->2198 2196->2195 2197 140003c02 wcscpy wcscat memset 2199 140003c48 2197->2199 2198->2197 2200 140003c78 wcscpy wcscat memset 2199->2200 2201 140003ccc 2200->2201 2202 140003d11 wcscpy wcscat wcslen 2201->2202 2391 14000146d 2202->2391 2205 140003ec6 2210 140003f7e memset 2205->2210 2208 140003f5e 2212 14000145e 2 API calls 2208->2212 2209 140003e2e 2477 1400014a9 2209->2477 2213 140003fa2 wcscpy wcscat wcslen 2210->2213 2214 1400054da 2210->2214 2212->2205 2249 1400040d0 2213->2249 2217 140003f4d 2219 14000145e 2 API calls 2217->2219 2219->2205 2222 140003eba 2224 14000145e 2 API calls 2222->2224 2223 1400041be wcslen 2225 14000153f 2 API calls 2223->2225 2224->2205 2225->2249 2226 1400051f1 memcpy 2226->2249 2227 14000463d wcslen 2229 14000153f 2 API calls 2227->2229 2228 1400043cb wcslen 2638 14000157b 2228->2638 2229->2249 2231 140004459 memset 2231->2249 2232 14000145e NtClose malloc 2232->2249 2233 1400044c3 wcslen 2655 1400015a8 2233->2655 2236 140005236 memcpy 2236->2249 2237 14000452b _wcsnicmp 2237->2249 2238 140004b89 memset 2240 140004d90 memset 2238->2240 2238->2249 2239 1400026e0 11 API calls 2239->2249 2240->2249 2241 140004fe0 wcslen 2242 1400015a8 2 API calls 2241->2242 2242->2249 2243 140004beb memset 2243->2249 2244 140004df1 wcscpy wcscat wcslen 2245 140001422 2 API calls 2244->2245 2245->2249 2246 140004c45 wcscpy wcscat wcslen 2695 140001422 2246->2695 2249->2223 2249->2226 2249->2227 2249->2228 2249->2231 2249->2232 2249->2233 2249->2236 2249->2237 2249->2238 2249->2239 2249->2240 2249->2241 2249->2243 2249->2244 2249->2246 2250 140004f35 2249->2250 2593 1400014d6 2249->2593 2666 140001521 2249->2666 2764 140001431 2249->2764 2250->2148 2252 140001394 2 API calls 2251->2252 2253 14000154e 2252->2253 2254 140001394 2 API calls 2253->2254 2255 14000155d 2254->2255 2256 140001394 2 API calls 2255->2256 2257 
14000156c 2256->2257 2258 140001394 2 API calls 2257->2258 2259 14000157b 2258->2259 2260 140001394 2 API calls 2259->2260 2261 14000158a 2260->2261 2262 140001394 2 API calls 2261->2262 2263 140001599 2262->2263 2264 140001394 2 API calls 2263->2264 2265 1400015a8 2264->2265 2266 140001394 2 API calls 2265->2266 2267 1400015b7 2266->2267 2268 140001394 2 API calls 2267->2268 2269 1400015c6 2268->2269 2270 140001394 2 API calls 2269->2270 2271 1400015d5 2270->2271 2272 140001394 2 API calls 2271->2272 2273 1400015e4 2272->2273 2274 140001394 2 API calls 2273->2274 2275 1400015f3 2274->2275 2275->2171 2276 140001503 2275->2276 2277 140001394 2 API calls 2276->2277 2278 14000150d 2277->2278 2279 140001394 2 API calls 2278->2279 2280 140001512 2279->2280 2281 140001394 2 API calls 2280->2281 2282 140001521 2281->2282 2283 140001394 2 API calls 2282->2283 2284 140001530 2283->2284 2285 140001394 2 API calls 2284->2285 2286 14000153f 2285->2286 2287 140001394 2 API calls 2286->2287 2288 14000154e 2287->2288 2289 140001394 2 API calls 2288->2289 2290 14000155d 2289->2290 2291 140001394 2 API calls 2290->2291 2292 14000156c 2291->2292 2293 140001394 2 API calls 2292->2293 2294 14000157b 2293->2294 2295 140001394 2 API calls 2294->2295 2296 14000158a 2295->2296 2297 140001394 2 API calls 2296->2297 2298 140001599 2297->2298 2299 140001394 2 API calls 2298->2299 2300 1400015a8 2299->2300 2301 140001394 2 API calls 2300->2301 2302 1400015b7 2301->2302 2303 140001394 2 API calls 2302->2303 2304 1400015c6 2303->2304 2305 140001394 2 API calls 2304->2305 2306 1400015d5 2305->2306 2307 140001394 2 API calls 2306->2307 2308 1400015e4 2307->2308 2309 140001394 2 API calls 2308->2309 2310 1400015f3 2309->2310 2310->2174 2311 14000156c 2310->2311 2312 140001394 2 API calls 2311->2312 2313 14000157b 2312->2313 2314 140001394 2 API calls 2313->2314 2315 14000158a 2314->2315 2316 140001394 2 API calls 2315->2316 2317 140001599 2316->2317 2318 140001394 2 API calls 2317->2318 2319 
                                [Control-flow graph residue: the rendered graph is not recoverable from the extracted text. The span consisted of repeated chains of basic blocks in the range 140001431 to 1400015f3, each block followed by a call to 140001394 (2 API calls), with the chains terminating at block 1400015f3.]

                                Callgraph

                                • Executed
                                • Not Executed
                                • Opacity -> Relevance
                                • Disassembly available
                                callgraph 0 Function_00000001400055E1 1 Function_0000000140001AE4 33 Function_0000000140001D40 1->33 72 Function_0000000140001BA0 1->72 2 Function_00000001400014E5 69 Function_0000000140001394 2->69 3 Function_00000001400057F0 98 Function_00000001400057E0 3->98 4 Function_00000001400010F0 5 Function_00000001400014F4 5->69 6 Function_0000000140001E00 7 Function_0000000140002F00 55 Function_0000000140001370 7->55 8 Function_0000000140001000 8->6 38 Function_0000000140001750 8->38 78 Function_0000000140001FB0 8->78 84 Function_0000000140001FC0 8->84 9 Function_0000000140001800 63 Function_0000000140002290 9->63 10 Function_0000000140002500 11 Function_0000000140003101 12 Function_0000000140005601 13 Function_0000000140005701 14 Function_0000000140001503 14->69 15 Function_0000000140001404 15->69 16 Function_0000000140002104 17 Function_0000000140001E10 18 Function_0000000140001512 18->69 19 Function_0000000140002420 20 Function_0000000140002320 21 Function_0000000140003120 22 Function_0000000140001521 22->69 23 Function_0000000140005521 24 Function_0000000140005621 25 Function_0000000140005721 26 Function_0000000140001422 26->69 27 Function_0000000140001530 27->69 28 Function_0000000140001431 28->69 29 Function_000000014000153F 29->69 30 Function_0000000140001440 30->69 31 Function_0000000140003140 32 Function_0000000140001140 46 Function_0000000140001160 32->46 33->63 34 Function_0000000140005641 35 Function_0000000140001F47 54 Function_0000000140001870 35->54 36 Function_0000000140002050 37 Function_0000000140001650 39 Function_0000000140003051 40 Function_0000000140005551 41 Function_000000014000155D 41->69 42 Function_000000014000145E 42->69 43 Function_0000000140001760 100 Function_00000001400020E0 43->100 44 Function_0000000140002660 45 Function_0000000140003160 45->7 45->14 45->22 45->26 45->27 45->28 45->29 45->30 45->42 45->44 51 Function_000000014000156C 45->51 52 Function_000000014000146D 45->52 45->55 60 
Function_000000014000157B 45->60 75 Function_00000001400015A8 45->75 76 Function_00000001400014A9 45->76 85 Function_00000001400016C0 45->85 95 Function_00000001400014D6 45->95 45->98 99 Function_00000001400026E0 45->99 46->45 46->46 46->54 61 Function_0000000140001880 46->61 62 Function_0000000140001F90 46->62 46->85 47 Function_0000000140002460 48 Function_0000000140005661 49 Function_0000000140005761 50 Function_0000000140001E65 50->54 51->69 52->69 53 Function_000000014000216F 56 Function_0000000140001A70 56->33 56->72 57 Function_0000000140003070 58 Function_0000000140005670 59 Function_0000000140005571 60->69 61->19 61->33 61->44 61->72 64 Function_0000000140002590 65 Function_0000000140003090 66 Function_0000000140002691 67 Function_0000000140005591 68 Function_0000000140005691 69->3 73 Function_0000000140005AA0 69->73 70 Function_0000000140002194 70->54 71 Function_000000014000219E 72->33 77 Function_00000001400023B0 72->77 90 Function_00000001400024D0 72->90 73->98 74 Function_0000000140001FA0 75->69 76->69 79 Function_00000001400022B0 80 Function_00000001400026B0 81 Function_00000001400030B1 82 Function_00000001400055B1 83 Function_0000000140001AB3 83->33 83->72 86 Function_00000001400057C0 87 Function_00000001400056C1 88 Function_0000000140001AC3 88->33 88->72 89 Function_00000001400014C7 89->69 91 Function_00000001400017D0 92 Function_0000000140001FD0 93 Function_00000001400026D0 94 Function_0000000140001AD4 94->33 94->72 95->69 96 Function_00000001400022E0 97 Function_00000001400017E0 97->100 99->2 99->5 99->14 99->18 99->41 99->42 99->44 99->55 99->76 99->89 99->98

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 0 140001394-140001403 call 1400057f0 call 140005aa0 NtClose
                                APIs
                                • NtClose.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
                                Memory Dump Source
                                • Source File: 0000000B.00000002.4562821526.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                • Associated: 0000000B.00000002.4562743862.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.4562885093.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.4562978068.0000000140008000.00000004.00000001.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.4563029558.0000000140009000.00000002.00000001.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_140000000_conhost.jbxd
                                Similarity
                                • API ID: Close
                                • String ID:
                                • API String ID: 3535843008-0
                                • Opcode ID: c3609cf2cb2092e000b4915667627901b514c2c2a81a18991c74a448e963ac4f
                                • Instruction ID: c1b1d9a136a725e47f8d31920808aef158ce49fd56cb278b19e5a0ada10eeb6e
                                • Opcode Fuzzy Hash: c3609cf2cb2092e000b4915667627901b514c2c2a81a18991c74a448e963ac4f
                                • Instruction Fuzzy Hash: 40F092B6608B4086EAA1DB52F85579A77A1F38D7C4F005919BFC943735DB38C1548F44

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 293 1400026e0-14000273b call 140002660 memset 296 140002741-14000274b 293->296 297 14000280e-14000285e call 14000155d 293->297 299 140002774-14000277a 296->299 302 140002953-14000297b call 1400014c7 297->302 303 140002864-140002873 297->303 299->297 301 140002780-140002787 299->301 304 140002789-140002792 301->304 305 140002750-140002752 301->305 319 140002986-1400029c8 call 140001503 call 1400057e0 memset 302->319 320 14000297d 302->320 309 140002eb7-140002ef4 call 140001370 303->309 310 140002879-140002888 303->310 307 140002794-1400027ab 304->307 308 1400027f8-1400027fb 304->308 311 14000275a-14000276e 305->311 313 1400027f5 307->313 314 1400027ad-1400027c2 307->314 308->311 315 1400028e4-14000294e wcsncmp call 1400014e5 310->315 316 14000288a-1400028dd 310->316 311->297 311->299 313->308 321 1400027d0-1400027d7 314->321 315->302 316->315 329 140002e49-140002e84 call 140001370 319->329 330 1400029ce-1400029d5 319->330 320->319 323 1400027d9-1400027f3 321->323 324 140002800-140002809 321->324 323->313 323->321 324->311 333 1400029d7-140002a0c 329->333 337 140002e8a 329->337 332 140002a13-140002a43 wcscpy wcscat wcslen 330->332 330->333 335 140002a45-140002a76 wcslen 332->335 336 140002a78-140002aa5 332->336 333->332 338 140002aa8-140002abf wcslen 335->338 336->338 337->332 339 140002ac5-140002ad8 338->339 340 140002e8f-140002eab call 140001370 338->340 342 140002af5-140002dfb wcslen call 1400014a9 * 2 call 1400014f4 call 1400014c7 * 2 call 14000145e * 3 339->342 343 140002ada-140002aee 339->343 340->309 361 140002dfd-140002e1b call 140001512 342->361 362 140002e20-140002e48 call 14000145e 342->362 343->342 361->362
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.4562821526.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                • Associated: 0000000B.00000002.4562743862.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.4562885093.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.4562978068.0000000140008000.00000004.00000001.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.4563029558.0000000140009000.00000002.00000001.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_140000000_conhost.jbxd
                                Similarity
                                • API ID: wcslen$memset$wcscatwcscpywcsncmp
                                • String ID: 0$X$`
                                • API String ID: 780471329-2527496196
                                • Opcode ID: 67adea92daefdf72406e49debd58999c4046566575e8210a8936ef30efd3ea1e
                                • Instruction ID: a061608f5942af0b4255951c32e60da3b88a0c5e6ceaf9d20bade6d7e387d412
                                • Opcode Fuzzy Hash: 67adea92daefdf72406e49debd58999c4046566575e8210a8936ef30efd3ea1e
                                • Instruction Fuzzy Hash: B51248B2618B8085E772CB26F8443EA77A4F789794F404215EBA957BF5EF78C189C700

                                Control-flow Graph

                                APIs
                                Memory Dump Source
                                • Source File: 0000000B.00000002.4562821526.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                • Associated: 0000000B.00000002.4562743862.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.4562885093.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.4562978068.0000000140008000.00000004.00000001.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.4563029558.0000000140009000.00000002.00000001.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_140000000_conhost.jbxd
                                Similarity
                                • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                • String ID:
                                • API String ID: 2643109117-0
                                • Opcode ID: 50f4902f83eec53fbcc3f8145c15d5120974d6ab61e6ce0c2de9f201a4190000
                                • Instruction ID: a695897f6492b5ee849e5e35b617f3050ea55020472db8fd334771a623f3ad14
                                • Opcode Fuzzy Hash: 50f4902f83eec53fbcc3f8145c15d5120974d6ab61e6ce0c2de9f201a4190000
                                • Instruction Fuzzy Hash: E85117B1611A4485FA66EF27F9543EA27A1B78D7C0F448021FF4D973B1DE38C4998300

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 407 140001ba0-140001bc0 408 140001bc2-140001bd7 407->408 409 140001c09 407->409 410 140001be9-140001bf1 408->410 411 140001c0c-140001c17 call 1400023b0 409->411 412 140001bf3-140001c02 410->412 413 140001be0-140001be7 410->413 418 140001cf4-140001cfe call 140001d40 411->418 419 140001c1d-140001c6c call 1400024d0 VirtualQuery 411->419 412->413 415 140001c04 412->415 413->410 413->411 417 140001cd7-140001cf3 memcpy 415->417 422 140001d03-140001d1e call 140001d40 418->422 419->422 425 140001c72-140001c79 419->425 426 140001d23-140001d38 GetLastError call 140001d40 422->426 427 140001c7b-140001c7e 425->427 428 140001c8e-140001c97 425->428 432 140001cd1 427->432 433 140001c80-140001c83 427->433 429 140001ca4-140001ccf VirtualProtect 428->429 430 140001c99-140001c9c 428->430 429->426 429->432 430->432 435 140001c9e 430->435 432->417 433->432 434 140001c85-140001c8a 433->434 434->432 437 140001c8c 434->437 435->429 437->435
                                APIs
                                • VirtualQuery.KERNEL32(?,?,?,?,0000000140006B50,0000000140006B50,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
                                • VirtualProtect.KERNEL32(?,?,?,?,0000000140006B50,0000000140006B50,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
                                • memcpy.MSVCRT ref: 0000000140001CE0
                                • GetLastError.KERNEL32(?,?,?,?,0000000140006B50,0000000140006B50,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.4562821526.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                • Associated: 0000000B.00000002.4562743862.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.4562885093.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.4562978068.0000000140008000.00000004.00000001.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.4563029558.0000000140009000.00000002.00000001.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_140000000_conhost.jbxd
                                Similarity
                                • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                • API String ID: 2595394609-2123141913
                                • Opcode ID: 6376516b6f98ee0298ffb230645a8224a186dd1411a2ebe970d64ad3fa722b50
                                • Instruction ID: 20180175eaa3abc6a4e7f715434528f16900e60138e59d674dbb2cdcdb4dbba1
                                • Opcode Fuzzy Hash: 6376516b6f98ee0298ffb230645a8224a186dd1411a2ebe970d64ad3fa722b50
                                • Instruction Fuzzy Hash: A64114F1200A4482FA66DF57F884BE927A1F79DBC4F554526AF0E877B1DA38C58AC700

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 438 140002104-14000210b 439 140002111-140002128 EnterCriticalSection 438->439 440 140002218-140002221 438->440 443 14000220b-140002212 LeaveCriticalSection 439->443 444 14000212e-14000213c 439->444 441 140002272-140002280 440->441 442 140002223-14000222d 440->442 445 140002241-140002263 DeleteCriticalSection 442->445 446 14000222f 442->446 443->440 447 14000214d-140002159 TlsGetValue GetLastError 444->447 445->441 450 140002230-14000223f free 446->450 448 14000215b-14000215e 447->448 449 140002140-140002147 447->449 448->449 451 140002160-14000216d 448->451 449->443 449->447 450->445 450->450 451->449
                                APIs
                                Memory Dump Source
                                • Source File: 0000000B.00000002.4562821526.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                • Associated: 0000000B.00000002.4562743862.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.4562885093.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.4562978068.0000000140008000.00000004.00000001.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.4563029558.0000000140009000.00000002.00000001.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_140000000_conhost.jbxd
                                Similarity
                                • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                • String ID:
                                • API String ID: 3326252324-0
                                • Opcode ID: 54bda51121878257c2438a553ea7cc3192bbeb2fe36f27e7e87c2ab04036406f
                                • Instruction ID: 5b6b3eed6e6b3a11e30d4138deaafbe51ccc2eabda3ba4ac3cb3d50a499de08e
                                • Opcode Fuzzy Hash: 54bda51121878257c2438a553ea7cc3192bbeb2fe36f27e7e87c2ab04036406f
                                • Instruction Fuzzy Hash: A32125B5205A5092FA2BDB53FD443E923A5BB2CBD0F444021FF4A57AB0DB78C9868700

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 453 140001e10-140001e2d 454 140001e3e-140001e48 453->454 455 140001e2f-140001e38 453->455 457 140001ea3-140001ea8 454->457 458 140001e4a-140001e53 454->458 455->454 456 140001f60-140001f69 455->456 457->456 461 140001eae-140001eb3 457->461 459 140001e55-140001e60 458->459 460 140001ecc-140001ed1 458->460 459->457 464 140001f23-140001f2d 460->464 465 140001ed3-140001ee2 signal 460->465 462 140001eb5-140001eba 461->462 463 140001efb-140001f0a call 140005d90 461->463 462->456 468 140001ec0 462->468 463->464 475 140001f0c-140001f10 463->475 466 140001f43-140001f45 464->466 467 140001f2f-140001f3f 464->467 465->464 469 140001ee4-140001ee8 465->469 466->456 467->466 468->464 471 140001eea-140001ef9 signal 469->471 472 140001f4e-140001f53 469->472 471->456 474 140001f5a 472->474 474->456 476 140001f12-140001f21 signal 475->476 477 140001f55 475->477 476->456 477->474
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.4562821526.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                • Associated: 0000000B.00000002.4562743862.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.4562885093.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.4562978068.0000000140008000.00000004.00000001.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.4563029558.0000000140009000.00000002.00000001.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_140000000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID: CCG
                                • API String ID: 0-1584390748
                                • Opcode ID: 6fc05ad7c38b4d70b8e351c005cd07f5f38d22941888cff044698c78064d2598
                                • Instruction ID: f1cf3a48b04ef8184b23928cf459bd526c02ba325cc1eebf4457be002ae4e6ba
                                • Opcode Fuzzy Hash: 6fc05ad7c38b4d70b8e351c005cd07f5f38d22941888cff044698c78064d2598
                                • Instruction Fuzzy Hash: 272159B1A0150542FA7BDA2BB5943FA1182ABCD7E4F258536BF19473F5DE3888828241

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 478 140001880-14000189c 479 1400018a2-1400018f9 call 140002420 call 140002660 478->479 480 140001a0f-140001a1f 478->480 479->480 485 1400018ff-140001910 479->485 486 140001912-14000191c 485->486 487 14000193e-140001941 485->487 488 14000194d-140001954 486->488 489 14000191e-140001929 486->489 487->488 490 140001943-140001947 487->490 491 140001956-140001961 488->491 492 14000199e-1400019a6 488->492 489->488 493 14000192b-14000193a 489->493 490->488 494 140001a20-140001a26 490->494 495 140001970-14000199c call 140001ba0 491->495 492->480 496 1400019a8-1400019c1 492->496 493->487 497 140001b87-140001b98 call 140001d40 494->497 498 140001a2c-140001a37 494->498 495->492 501 1400019df-1400019e7 496->501 498->492 502 140001a3d-140001a5f 498->502 505 1400019e9-140001a0d VirtualProtect 501->505 506 1400019d0-1400019dd 501->506 507 140001a7d-140001a97 502->507 505->506 506->480 506->501 508 140001b74-140001b82 call 140001d40 507->508 509 140001a9d-140001afa 507->509 508->497 515 140001b22-140001b26 509->515 516 140001afc-140001b0e 509->516 519 140001b2c-140001b30 515->519 520 140001a70-140001a77 515->520 517 140001b5c-140001b6c 516->517 518 140001b10-140001b20 516->518 517->508 521 140001b6f call 140001d40 517->521 518->515 518->517 519->520 522 140001b36-140001b57 call 140001ba0 519->522 520->492 520->507 521->508 522->517
                                APIs
                                • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.4562821526.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                • Associated: 0000000B.00000002.4562743862.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.4562885093.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.4562978068.0000000140008000.00000004.00000001.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.4563029558.0000000140009000.00000002.00000001.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_140000000_conhost.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                • API String ID: 544645111-395989641
                                • Opcode ID: 36aa4ce4cd8a4466fdeec354701812192005fa26f6bd4fb7fc964bff0b9ebb6c
                                • Instruction ID: e2a1e5e24c78735f6ff97877b97f9c2ce010021547e24e4cf036b21bf59b3cbd
                                • Opcode Fuzzy Hash: 36aa4ce4cd8a4466fdeec354701812192005fa26f6bd4fb7fc964bff0b9ebb6c
                                • Instruction Fuzzy Hash: 1B5136B6710A44D6EB22CF67F8407D92762B75DBE8F448221EB19177B4CB38C586C700

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 526 140001800-140001810 527 140001812-140001822 526->527 528 140001824 526->528 529 14000182b-140001867 call 140002290 fprintf 527->529 528->529
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.4562821526.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                • Associated: 0000000B.00000002.4562743862.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.4562885093.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.4562978068.0000000140008000.00000004.00000001.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.4563029558.0000000140009000.00000002.00000001.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_140000000_conhost.jbxd
                                Similarity
                                • API ID: fprintf
                                • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                • API String ID: 383729395-3474627141
                                • Opcode ID: ef2f09961511cd4ab5630825cd5931c773d9f2eb864ae32531cca3efa5ebf356
                                • Instruction ID: 53a4782100587c7f3edd25e989b0e44ab1190d5fd7af7f5b378face3a30af834
                                • Opcode Fuzzy Hash: ef2f09961511cd4ab5630825cd5931c773d9f2eb864ae32531cca3efa5ebf356
                                • Instruction Fuzzy Hash: 2EF09671614A4482E622EB76B9413ED6361E75D7C1F54D211FF4D67662DF38D182C300

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 532 14000219e-1400021a5 533 140002272-140002280 532->533 534 1400021ab-1400021c2 EnterCriticalSection 532->534 535 140002265-14000226c LeaveCriticalSection 534->535 536 1400021c8-1400021d6 534->536 535->533 537 1400021e9-1400021f5 TlsGetValue GetLastError 536->537 538 1400021f7-1400021fa 537->538 539 1400021e0-1400021e7 537->539 538->539 540 1400021fc-140002209 538->540 539->535 539->537 540->539
                                APIs
                                Memory Dump Source
                                • Source File: 0000000B.00000002.4562821526.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                • Associated: 0000000B.00000002.4562743862.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.4562885093.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.4562978068.0000000140008000.00000004.00000001.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.4563029558.0000000140009000.00000002.00000001.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_140000000_conhost.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterErrorLastLeaveValue
                                • String ID:
                                • API String ID: 682475483-0
                                • Opcode ID: 8723d206235c772f45a365bdec227a0577aef047d1071f4de1ff99643d148309
                                • Instruction ID: 3cc5cb6b398bbaf2229530a5eda2076771d09d0ffc9b80e74d3a869af43461a7
                                • Opcode Fuzzy Hash: 8723d206235c772f45a365bdec227a0577aef047d1071f4de1ff99643d148309
                                • Instruction Fuzzy Hash: 5701B6B6305A4092FA17DB63FE043D86365BB2CBD1F494021EF0953AB4DBB9D996C300