Windows Analysis Report
Proxy32.exe

Overview

General Information

Sample name:Proxy32.exe
Analysis ID:1545401
MD5:bc50255ce73b64580fcc217e2a3b699a
SHA1:00431c708367a2125ffe6599c5e9a8b47c8ad259
SHA256:5704b15d5a1bc9c2f8b3351169362440bcb6901984050f3bb3824437fca13c68
Detection

Score:5
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree:
  • System is w10x64
  • Proxy32.exe (PID: 6708 cmdline: "C:\Users\user\Desktop\Proxy32.exe" MD5: BC50255CE73B64580FCC217E2A3B699A)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

There are no malicious signatures. All signature results (benign and informational) are listed below.

Source: Proxy32.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Proxy32.exe | Static PE information: certificate valid
Source: Proxy32.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\Program Files\Tyler Technologies\IMS\Proxy32.pdb | source: Proxy32.exe
Source: Proxy32.exe | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Proxy32.exe | String found in binary or memory: http://ocsp.thawte.com0
Source: Proxy32.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Proxy32.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Proxy32.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: C:\Users\user\Desktop\Proxy32.exe | Code function: 0_2_005165BD
Source: C:\Users\user\Desktop\Proxy32.exe | Code function: String function: 00516B84 appears 36 times
Source: Proxy32.exe, 00000000.00000000.1722601783.0000000000526000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameProxy.exe@ vs Proxy32.exe
Source: Proxy32.exe | Binary or memory string: OriginalFilenameProxy.exe@ vs Proxy32.exe
Source: classification engine | Classification label: clean5.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Proxy32.exe | Code function: 0_2_005131E0 GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, CloseHandle, GetLastError, CloseHandle, GetLastError
Source: C:\Users\user\Desktop\Proxy32.exe | Code function: 0_2_00512D40 SleepEx, CreateToolhelp32Snapshot, _memset, Process32FirstW, __wcsicoll, OpenProcess, GetProcessImageFileNameW, __wcsicoll, __wcsicoll, _memset, CloseHandle, GetLastError, Process32NextW, GetLastError, CloseHandle, GetLastError
Source: C:\Users\user\Desktop\Proxy32.exe | Code function: 0_2_005121B0 CoInitializeEx, _memset, _memset, CoCreateInstance, VariantInit, VariantChangeType, VariantClear, __wcsicoll, SysAllocStringLen, OpenProcess, WaitForSingleObject, _fwprintf, _fwprintf, CloseHandle, SysFreeString, CoUninitialize, _fwprintf, CoUninitialize, CoUninitialize, CoUninitialize
Source: C:\Users\user\Desktop\Proxy32.exe | Code function: 0_2_00513520 OpenSCManagerW, OpenServiceW, GetLastError, CloseServiceHandle, GetLastError, CloseServiceHandle, GetLastError, GetLastError, ChangeServiceConfigW, GetLastError, CloseServiceHandle
Source: Proxy32.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Proxy32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Proxy32.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Proxy32.exe | Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\Proxy32.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Proxy32.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Proxy32.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\Proxy32.exe | Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\Proxy32.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Proxy32.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Proxy32.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Proxy32.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Proxy32.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Proxy32.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Proxy32.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\Proxy32.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Proxy32.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Proxy32.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Proxy32.exe | Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\Proxy32.exe | Section loaded: sfc.dll
Source: C:\Users\user\Desktop\Proxy32.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\Proxy32.exe | Section loaded: kernel.appcore.dll
Source: Proxy32.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Proxy32.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Proxy32.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Proxy32.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Proxy32.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Proxy32.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Proxy32.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Proxy32.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Proxy32.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Proxy32.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Proxy32.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Proxy32.exe | Code function: 0_2_0051B906 LoadLibraryA, GetProcAddress, GetProcAddress, __encode_pointer, GetProcAddress, __encode_pointer, GetProcAddress, __encode_pointer, GetProcAddress, __encode_pointer, GetProcAddress, __encode_pointer, __decode_pointer, __decode_pointer, __decode_pointer, __decode_pointer, __decode_pointer
Source: C:\Users\user\Desktop\Proxy32.exe | Code function: 0_2_00516BC9 push ecx; ret 0_2_00516BDC
Source: C:\Users\user\Desktop\Proxy32.exe | Evasive API call chain: GetModuleFileName, DecisionNodes, Sleep (graph_0-6792)
Source: C:\Users\user\Desktop\Proxy32.exe | API coverage: 4.9 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Proxy32.exe | Code function: 0_2_00515D07 _memset, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Users\user\Desktop\Proxy32.exe | Code function: 0_2_0051376A IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Users\user\Desktop\Proxy32.exe | Code function: 0_2_0051C7FA __NMSG_WRITE, _raise, _memset, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Proxy32.exe | Code function: 0_2_005187E0 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\Proxy32.exe | Code function: 0_2_0051BE58 GetLocaleInfoA
Source: C:\Users\user\Desktop\Proxy32.exe | Code function: 0_2_00518EE7 GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter
MITRE ATT&CK Matrix (a number in parentheses is the count of matched signatures for that technique; cells without a count are unmatched entries of the standard matrix):

  • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names
  • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server
  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
  • Execution: Service Execution (1), Native API (2), At, Cron
  • Persistence: Windows Service (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook
  • Privilege Escalation: Access Token Manipulation (1), Windows Service (1), DLL Side-Loading (1), Login Hook
  • Defense Evasion: Access Token Manipulation (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), DLL Side-Loading (1)
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
  • Discovery: System Time Discovery (1), Security Software Discovery (1), Process Discovery (1), System Information Discovery (12)
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
  • Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture
  • Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication
  • Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction
Antivirus detection (Source | Detection | Scanner | Label | Link):
  • Proxy32.exe | 0% | ReversingLabs | |
No Antivirus matches

URL reputation (Source | Detection | Scanner | Label | Link):
  • http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0% | URL Reputation | safe |
  • http://ocsp.thawte.com0 | 0% | URL Reputation | safe |
No contacted domains info

URLs (Name | Source | Malicious | Antivirus Detection | Reputation):
  • http://crl.thawte.com/ThawteTimestampingCA.crl0 | Proxy32.exe | false | URL Reputation: safe | unknown
  • http://ocsp.thawte.com0 | Proxy32.exe | false | URL Reputation: safe | unknown
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1545401
Start date and time:2024-10-30 14:15:54 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 50s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:1
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:Proxy32.exe
Detection:CLEAN
Classification:clean5.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 88%
  • Number of executed functions: 4
  • Number of non-executed functions: 38
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • VT rate limit hit for: Proxy32.exe
No simulations
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.38494088131935
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:Proxy32.exe
File size:110'936 bytes
MD5:bc50255ce73b64580fcc217e2a3b699a
SHA1:00431c708367a2125ffe6599c5e9a8b47c8ad259
SHA256:5704b15d5a1bc9c2f8b3351169362440bcb6901984050f3bb3824437fca13c68
SHA512:1961d7be310d5ca3b211fd39cf5bf38b59034539a152b159187b4c6bce9cae3e418136aafe4bef6f715d3a3dfdbeba48182437d0579a20ec084139c27a117491
SSDEEP:1536:u+EtJVSmgHZ21K2RpLEcynltmHQTQDP7XYxKTUtmPefrN+9PmmldKm7D:VEfVqHnA2YPP2rN+9PmaZ
TLSH:4BB35A523AA3C036E4D155352639C369497EFD301B7B8187BBB536A88F317D06A3A387
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........O,...B...B...B..V....B..V....B..V....B..V....B...C.%.B..V....B..V....B..V....B.Rich..B.........................PE..L....p6Q...
Icon Hash:a4a1b2ecccb1d949
Entrypoint:0x4045f8
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x513670D1 [Tue Mar 5 22:25:21 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
File Version Minor:0
Subsystem Version Major:5
Subsystem Version Minor:0
Import Hash:4aeae02a7f713e6abcac67d29009552a
Signature Valid:true
Signature Issuer:CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before:05/08/2013 20:00:00
Not After:04/10/2016 19:59:59
Subject Chain
  • CN="Tyler Technologies, Inc.", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Tyler Technologies, Inc.", L=Yarmouth, S=Maine, C=US
Version:3
Thumbprint MD5:70820E618A6D44FADD9BFA80C0B4AD30
Thumbprint SHA-1:E34C0C279C3E3E3E9025F80C12AF9829A9E4FBA6
Thumbprint SHA-256:4623C8978CDCD49E8AB009AB6148DDDCFCBFFC8FFFB11735E95EDDF769C42835
Serial:24F9494087F23985AA286786D99E1BE7
Instructions (disassembly from the entrypoint):
call 00007F132CAE02AFh
jmp 00007F132CADB83Dh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00414168h], eax
mov dword ptr [00414164h], ecx
mov dword ptr [00414160h], edx
mov dword ptr [0041415Ch], ebx
mov dword ptr [00414158h], esi
mov dword ptr [00414154h], edi
mov word ptr [00414180h], ss
mov word ptr [00414174h], cs
mov word ptr [00414150h], ds
mov word ptr [0041414Ch], es
mov word ptr [00414148h], fs
mov word ptr [00414144h], gs
pushfd
pop dword ptr [00414178h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041416Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00414170h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041417Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [004140B8h], 00010001h
mov eax, dword ptr [00414170h]
mov dword ptr [0041406Ch], eax
mov dword ptr [00414060h], C0000409h
mov dword ptr [00414064h], 00000001h
mov eax, dword ptr [004132DCh]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [004132E0h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000C4h]
Programming Language:
  • [C++] VS2008 SP1 build 30729
  • [ASM] VS2008 SP1 build 30729
  • [ C ] VS2008 SP1 build 30729
  • [IMP] VS2008 SP1 build 30729
  • [LNK] VS2008 SP1 build 30729
Data directories (Name | Virtual Address | Virtual Size | Is in Section):
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x12534 | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x51f8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x19800 | 0x1958 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1c000 | 0xcec | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xf200 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x11ad8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xf000 | 0x1bc | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics):
.text | 0x1000 | 0xd4e2 | 0xd600 | 9db56fbfaa11b260ab95f2641dfe4df0 | False | 0.5955023364485982 | data | 6.572822853592671 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xf000 | 0x3ea0 | 0x4000 | b6d323cf082843e7dc3851d4486eb805 | False | 0.340576171875 | OpenPGP Public Key | 5.106172179546469 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x13000 | 0x2c64 | 0x1200 | 33422bcd39ad9490dd5e331bd47ec4be | False | 0.21809895833333334 | data | 2.363823419442222 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x16000 | 0x51f8 | 0x5200 | 90026650824a4ee905c26f1b1dfec320 | False | 0.20922256097560976 | data | 5.535892602599179 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1c000 | 0x18f6 | 0x1a00 | 4be560d790d986635b8733f34680fa0e | False | 0.42142427884615385 | data | 4.176408916442644 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources (Name | RVA | Size | Type | Language | Country | ZLIB Complexity):
RT_ICON | 0x16898 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0, resolution 2835 x 2835 px/m | English | United States | 0.4698581560283688
RT_ICON | 0x16d00 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0, resolution 2835 x 2835 px/m | English | United States | 0.16701244813278007
RT_ICON | 0x192a8 | 0x1588 | Device independent bitmap graphic, 36 x 72 x 32, image size 0, resolution 2835 x 2835 px/m | English | United States | 0.21734397677793904
RT_ICON | 0x1a830 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0, resolution 2835 x 2835 px/m | English | United States | 0.3233606557377049
RT_GROUP_ICON | 0x1b1b8 | 0x3e | data | English | United States | 0.8225806451612904
RT_VERSION | 0x16180 | 0x714 | data | English | United States | 0.36037527593818985
Imports (DLL: imported functions):
PSAPI.DLL: GetProcessImageFileNameW
KERNEL32.dll: GetTickCount, CloseHandle, CreateToolhelp32Snapshot, Process32NextW, QueryDosDeviceW, Process32FirstW, TerminateProcess, TerminateThread, GetSystemDirectoryW, OpenProcess, SleepEx, WaitForSingleObject, GetCurrentProcess, GetProcAddress, GetLastError, LoadLibraryW, FreeLibrary, GetCommandLineW, SetUnhandledExceptionFilter, CreateFileA, SetStdHandle, SetFilePointer, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, FlushFileBuffers, GetConsoleMode, GetConsoleCP, LoadLibraryA, HeapFree, EnterCriticalSection, LeaveCriticalSection, ExitThread, GetCurrentThreadId, CreateThread, GetCommandLineA, GetStartupInfoA, UnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, RaiseException, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, GetModuleHandleW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapCreate, VirtualFree, DeleteCriticalSection, VirtualAlloc, HeapReAlloc, SetHandleCount, GetStdHandle, GetFileType, Sleep, ExitProcess, WriteFile, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, HeapSize, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, InitializeCriticalSectionAndSpinCount
ADVAPI32.dll: QueryServiceConfigW, ControlService, QueryServiceStatusEx, ChangeServiceConfigW, OpenServiceW, OpenSCManagerW, CloseServiceHandle, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken
ole32.dll: CoUninitialize, CoInitializeEx, CoCreateInstance
OLEAUT32.dll: SysFreeString, VariantChangeType, SysAllocStringLen, VariantInit, VariantClear, SysStringLen, SysAllocString, RegisterTypeLib, UnRegisterTypeLib, LoadTypeLibEx
Language of compilation system:English
Country where language is spoken:United States
No network behavior found

Target ID:0
Start time:09:16:50
Start date:30/10/2024
Path:C:\Users\user\Desktop\Proxy32.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\Proxy32.exe"
Imagebase:0x510000
File size:110'936 bytes
MD5 hash:BC50255CE73B64580FCC217E2A3B699A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Execution Graph

Execution Coverage:3%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:3.2%
Total number of Nodes:1328
Total number of Limit Nodes:14
6906->6905 6908 511011 6907->6908 6909 51104d 6907->6909 7849 511930 6908->7849 6909->6785 6915 5181c1 6909->6915 6912 511044 CoUninitialize 6912->6909 7974 518095 6915->7974 6917 5181d2 6917->6785 6919 514464 6918->6919 6920 51445f 6918->6920 6922 5187ee __NMSG_WRITE 67 API calls 6919->6922 6921 518999 __FF_MSGBANNER 67 API calls 6920->6921 6921->6919 6923 51446c 6922->6923 6924 517fa5 _doexit 3 API calls 6923->6924 6925 514476 6924->6925 6925->6756 6927 518999 __FF_MSGBANNER 67 API calls 6926->6927 6928 517f5b 6927->6928 6929 5187ee __NMSG_WRITE 67 API calls 6928->6929 6930 517f63 6929->6930 6931 515676 __decode_pointer 6 API calls 6930->6931 6932 514523 6931->6932 6932->6764 6934 518095 _doexit 67 API calls 6933->6934 6935 5181f8 6934->6935 6935->6788 6937 517f2c Sleep GetModuleHandleW 6936->6937 6938 517f4a 6937->6938 6939 515ad0 6937->6939 6938->6937 6938->6939 6939->6793 7006 51566d 6940->7006 6942 518213 __init_pointers __initp_misc_winsig 7009 51ad97 6942->7009 6945 5155fb __encode_pointer 6 API calls 6946 515b88 6945->6946 6947 5155fb TlsGetValue 6946->6947 6948 515613 6947->6948 6949 515634 GetModuleHandleW 6947->6949 6948->6949 6950 51561d TlsGetValue 6948->6950 6951 515644 6949->6951 6952 51564f GetProcAddress 6949->6952 6955 515628 6950->6955 6953 517f21 __crt_waiting_on_module_handle 2 API calls 6951->6953 6954 51562c 6952->6954 6956 51564a 6953->6956 6954->6809 6955->6949 6955->6954 6956->6952 6956->6954 6958 515f1b 6957->6958 6960 515bd0 6958->6960 7012 51a0f6 6958->7012 6960->6795 6961 515676 TlsGetValue 6960->6961 6962 5156af GetModuleHandleW 6961->6962 6963 51568e 6961->6963 6964 5156ca GetProcAddress 6962->6964 6965 5156bf 6962->6965 6963->6962 6966 515698 TlsGetValue 6963->6966 6968 5156a7 6964->6968 6967 517f21 __crt_waiting_on_module_handle 2 API calls 6965->6967 6970 5156a3 6966->6970 6969 5156c5 6967->6969 6968->6795 6971 517de8 6968->6971 6969->6964 6969->6968 6970->6962 6970->6968 6973 517df1 6971->6973 6974 515bfd 6973->6974 6975 517e0f 
Sleep 6973->6975 7017 51a4c5 6973->7017 6974->6795 6974->6821 6976 517e24 6975->6976 6976->6973 6976->6974 7306 516b84 6977->7306 6979 5157ab GetModuleHandleW 6980 5157c1 6979->6980 6981 5157bb 6979->6981 6982 5157d9 GetProcAddress GetProcAddress 6980->6982 6983 5157fd 6980->6983 6984 517f21 __crt_waiting_on_module_handle 2 API calls 6981->6984 6982->6983 6985 51608c __lock 63 API calls 6983->6985 6984->6980 6986 51581c InterlockedIncrement 6985->6986 7307 515874 6986->7307 6989 51608c __lock 63 API calls 6990 51583d 6989->6990 7310 51541f InterlockedIncrement 6990->7310 6992 51585b 7322 51587d 6992->7322 6994 515868 __ioinit 6994->6825 6996 51576c 6995->6996 6999 515778 6995->6999 6997 515676 __decode_pointer 6 API calls 6996->6997 6997->6999 6998 51578c TlsFree 7000 51579a 6998->7000 6999->6998 6999->7000 7001 515f77 DeleteCriticalSection 7000->7001 7002 515f8f 7000->7002 7003 513acf _realloc 67 API calls 7001->7003 7004 515fa1 DeleteCriticalSection 7002->7004 7005 515faf 7002->7005 7003->7000 7004->7002 7005->6802 7007 5155fb __encode_pointer 6 API calls 7006->7007 7008 515674 7007->7008 7008->6942 7010 5155fb __encode_pointer 6 API calls 7009->7010 7011 518245 7010->7011 7011->6945 7016 516b84 7012->7016 7014 51a102 InitializeCriticalSectionAndSpinCount 7015 51a146 __ioinit 7014->7015 7015->6958 7016->7014 7018 51a4d1 __ioinit 7017->7018 7019 51a4e9 7018->7019 7024 51a508 _memset 7018->7024 7030 515e97 7019->7030 7023 51a57a HeapAlloc 7023->7024 7024->7023 7027 51a4fe __ioinit 7024->7027 7036 51608c 7024->7036 7043 51689e 7024->7043 7049 51a5c1 7024->7049 7052 514b7f 7024->7052 7027->6973 7055 515886 GetLastError 7030->7055 7032 515e9c 7033 515e2f 7032->7033 7034 515676 __decode_pointer 6 API calls 7033->7034 7035 515e3f __invoke_watson 7034->7035 7037 5160a1 7036->7037 7038 5160b4 EnterCriticalSection 7036->7038 7102 515fc9 7037->7102 7038->7024 7040 5160a7 7040->7038 7041 517f51 __amsg_exit 66 API calls 7040->7041 7042 5160b3 7041->7042 7042->7038 7045 5168cc 
7043->7045 7044 516965 7048 51696e 7044->7048 7301 5164b5 7044->7301 7045->7044 7045->7048 7294 516405 7045->7294 7048->7024 7305 515fb2 LeaveCriticalSection 7049->7305 7051 51a5c8 7051->7024 7053 515676 __decode_pointer 6 API calls 7052->7053 7054 514b8f 7053->7054 7054->7024 7069 515711 TlsGetValue 7055->7069 7058 5158f3 SetLastError 7058->7032 7059 517de8 __calloc_crt 64 API calls 7060 5158b1 7059->7060 7060->7058 7061 515676 __decode_pointer 6 API calls 7060->7061 7062 5158cb 7061->7062 7063 5158d2 7062->7063 7064 5158ea 7062->7064 7065 51579f __mtinit 64 API calls 7063->7065 7074 513acf 7064->7074 7068 5158da GetCurrentThreadId 7065->7068 7067 5158f0 7067->7058 7068->7058 7070 515741 7069->7070 7071 515726 7069->7071 7070->7058 7070->7059 7072 515676 __decode_pointer 6 API calls 7071->7072 7073 515731 TlsSetValue 7072->7073 7073->7070 7076 513adb __ioinit 7074->7076 7075 513b54 _realloc __ioinit 7075->7067 7076->7075 7078 51608c __lock 65 API calls 7076->7078 7086 513b1a 7076->7086 7077 513b2f HeapFree 7077->7075 7079 513b41 7077->7079 7082 513af2 ___sbh_find_block 7078->7082 7080 515e97 __wsplitpath_s 65 API calls 7079->7080 7081 513b46 GetLastError 7080->7081 7081->7075 7083 513b0c 7082->7083 7087 5160ef 7082->7087 7094 513b25 7083->7094 7086->7075 7086->7077 7088 51612e 7087->7088 7093 5163d0 7087->7093 7089 51631a VirtualFree 7088->7089 7088->7093 7090 51637e 7089->7090 7091 51638d VirtualFree HeapFree 7090->7091 7090->7093 7097 51a160 7091->7097 7093->7083 7101 515fb2 LeaveCriticalSection 7094->7101 7096 513b2c 7096->7086 7098 51a178 7097->7098 7099 51a19f __VEC_memcpy 7098->7099 7100 51a1a7 7098->7100 7099->7100 7100->7093 7101->7096 7103 515fd5 __ioinit 7102->7103 7104 515ffb 7103->7104 7128 518999 7103->7128 7112 51600b __ioinit 7104->7112 7174 517da3 7104->7174 7110 51601d 7114 515e97 __wsplitpath_s 67 API calls 7110->7114 7111 51602c 7115 51608c __lock 67 API calls 7111->7115 7112->7040 7114->7112 7117 516033 7115->7117 7118 516067 7117->7118 7119 
51603b 7117->7119 7120 513acf _realloc 67 API calls 7118->7120 7121 51a0f6 __ioinit InitializeCriticalSectionAndSpinCount 7119->7121 7122 516058 7120->7122 7123 516046 7121->7123 7179 516083 7122->7179 7123->7122 7124 513acf _realloc 67 API calls 7123->7124 7126 516052 7124->7126 7127 515e97 __wsplitpath_s 67 API calls 7126->7127 7127->7122 7182 51ba6f 7128->7182 7131 5189ad 7133 5187ee __NMSG_WRITE 67 API calls 7131->7133 7136 515fea 7131->7136 7132 51ba6f __set_error_mode 67 API calls 7132->7131 7134 5189c5 7133->7134 7135 5187ee __NMSG_WRITE 67 API calls 7134->7135 7135->7136 7137 5187ee 7136->7137 7138 518802 7137->7138 7139 51ba6f __set_error_mode 64 API calls 7138->7139 7170 515ff1 7138->7170 7140 518824 7139->7140 7141 518962 GetStdHandle 7140->7141 7143 51ba6f __set_error_mode 64 API calls 7140->7143 7142 518970 _strlen 7141->7142 7141->7170 7146 518989 WriteFile 7142->7146 7142->7170 7144 518835 7143->7144 7144->7141 7145 518847 7144->7145 7145->7170 7188 518f85 7145->7188 7146->7170 7149 51887d GetModuleFileNameA 7151 51889b 7149->7151 7158 5188be _strlen 7149->7158 7153 518f85 _strcpy_s 64 API calls 7151->7153 7154 5188ab 7153->7154 7156 515d07 __invoke_watson 10 API calls 7154->7156 7154->7158 7155 518901 7213 519b68 7155->7213 7156->7158 7158->7155 7204 519c26 7158->7204 7162 518925 7164 519b68 _strcat_s 64 API calls 7162->7164 7163 515d07 __invoke_watson 10 API calls 7163->7162 7166 518939 7164->7166 7165 515d07 __invoke_watson 10 API calls 7165->7155 7167 51894a 7166->7167 7169 515d07 __invoke_watson 10 API calls 7166->7169 7222 51b906 7167->7222 7169->7167 7171 517fa5 7170->7171 7260 517f7a GetModuleHandleW 7171->7260 7177 517dac 7174->7177 7176 516016 7176->7110 7176->7111 7177->7176 7178 517dc3 Sleep 7177->7178 7264 514aa6 7177->7264 7178->7177 7293 515fb2 LeaveCriticalSection 7179->7293 7181 51608a 7181->7112 7183 51ba7e 7182->7183 7184 515e97 __wsplitpath_s 67 API calls 7183->7184 7186 5189a0 7183->7186 7185 51baa1 7184->7185 7187 515e2f 
__wsplitpath_s 6 API calls 7185->7187 7186->7131 7186->7132 7187->7186 7189 518f96 7188->7189 7190 518f9d 7188->7190 7189->7190 7193 518fc3 7189->7193 7191 515e97 __wsplitpath_s 67 API calls 7190->7191 7196 518fa2 7191->7196 7192 515e2f __wsplitpath_s 6 API calls 7194 518869 7192->7194 7193->7194 7195 515e97 __wsplitpath_s 67 API calls 7193->7195 7194->7149 7197 515d07 7194->7197 7195->7196 7196->7192 7249 519280 7197->7249 7199 515d34 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 7200 515e10 GetCurrentProcess TerminateProcess 7199->7200 7202 515e04 __invoke_watson 7199->7202 7251 51376a 7200->7251 7202->7200 7203 515e2d 7203->7149 7209 519c38 7204->7209 7205 519c3c 7206 5188ee 7205->7206 7207 515e97 __wsplitpath_s 67 API calls 7205->7207 7206->7155 7206->7165 7208 519c58 7207->7208 7210 515e2f __wsplitpath_s 6 API calls 7208->7210 7209->7205 7209->7206 7211 519c82 7209->7211 7210->7206 7211->7206 7212 515e97 __wsplitpath_s 67 API calls 7211->7212 7212->7208 7214 519b80 7213->7214 7217 519b79 7213->7217 7215 515e97 __wsplitpath_s 67 API calls 7214->7215 7216 519b85 7215->7216 7218 515e2f __wsplitpath_s 6 API calls 7216->7218 7217->7214 7219 519bb4 7217->7219 7220 518914 7218->7220 7219->7220 7221 515e97 __wsplitpath_s 67 API calls 7219->7221 7220->7162 7220->7163 7221->7216 7223 51566d _doexit 6 API calls 7222->7223 7224 51b916 7223->7224 7225 51b9b1 7224->7225 7226 51b929 LoadLibraryA 7224->7226 7233 515676 __decode_pointer 6 API calls 7225->7233 7244 51b9db 7225->7244 7227 51ba53 7226->7227 7228 51b93e GetProcAddress 7226->7228 7227->7170 7228->7227 7230 51b954 7228->7230 7229 51ba06 7231 515676 __decode_pointer 6 API calls 7229->7231 7234 5155fb __encode_pointer 6 API calls 7230->7234 7231->7227 7232 515676 __decode_pointer 6 API calls 7243 51ba1e 7232->7243 7235 51b9ce 7233->7235 7236 51b95a GetProcAddress 7234->7236 7237 515676 __decode_pointer 6 API calls 7235->7237 7238 5155fb __encode_pointer 6 API calls 7236->7238 7237->7244 7239 
51b96f GetProcAddress 7238->7239 7240 5155fb __encode_pointer 6 API calls 7239->7240 7241 51b984 GetProcAddress 7240->7241 7242 5155fb __encode_pointer 6 API calls 7241->7242 7245 51b999 7242->7245 7243->7229 7246 515676 __decode_pointer 6 API calls 7243->7246 7244->7229 7244->7232 7245->7225 7247 51b9a3 GetProcAddress 7245->7247 7246->7229 7248 5155fb __encode_pointer 6 API calls 7247->7248 7248->7225 7250 51928c __VEC_memzero 7249->7250 7250->7199 7252 513772 7251->7252 7253 513774 IsDebuggerPresent 7251->7253 7252->7203 7259 518f7d 7253->7259 7256 5146cf SetUnhandledExceptionFilter UnhandledExceptionFilter 7257 5146f4 GetCurrentProcess TerminateProcess 7256->7257 7258 5146ec __invoke_watson 7256->7258 7257->7203 7258->7257 7259->7256 7261 517fa3 ExitProcess 7260->7261 7262 517f8e GetProcAddress 7260->7262 7262->7261 7263 517f9e 7262->7263 7263->7261 7265 514b59 7264->7265 7272 514ab8 7264->7272 7266 514b7f _realloc 6 API calls 7265->7266 7267 514b5f 7266->7267 7268 515e97 __wsplitpath_s 66 API calls 7267->7268 7270 514b51 7268->7270 7269 518999 __FF_MSGBANNER 66 API calls 7269->7272 7270->7177 7271 5187ee __NMSG_WRITE 66 API calls 7271->7272 7272->7269 7272->7270 7272->7271 7274 514b15 HeapAlloc 7272->7274 7275 517fa5 _doexit 3 API calls 7272->7275 7276 514b45 7272->7276 7277 514b7f _realloc 6 API calls 7272->7277 7279 514b4a 7272->7279 7281 514a57 7272->7281 7274->7272 7275->7272 7278 515e97 __wsplitpath_s 66 API calls 7276->7278 7277->7272 7278->7279 7280 515e97 __wsplitpath_s 66 API calls 7279->7280 7280->7270 7282 514a63 __ioinit 7281->7282 7283 514a94 __ioinit 7282->7283 7284 51608c __lock 67 API calls 7282->7284 7283->7272 7285 514a79 7284->7285 7286 51689e ___sbh_alloc_block 5 API calls 7285->7286 7287 514a84 7286->7287 7289 514a9d 7287->7289 7292 515fb2 LeaveCriticalSection 7289->7292 7291 514aa4 7291->7283 7292->7291 7293->7181 7295 516418 HeapReAlloc 7294->7295 7296 51644c HeapAlloc 7294->7296 7297 516436 7295->7297 7298 51643a 7295->7298 7296->7297 
7299 51646f VirtualAlloc 7296->7299 7297->7044 7298->7296 7299->7297 7300 516489 HeapFree 7299->7300 7300->7297 7302 5164cc VirtualAlloc 7301->7302 7304 516513 7302->7304 7304->7048 7305->7051 7306->6979 7325 515fb2 LeaveCriticalSection 7307->7325 7309 515836 7309->6989 7311 515440 7310->7311 7312 51543d InterlockedIncrement 7310->7312 7313 51544a InterlockedIncrement 7311->7313 7314 51544d 7311->7314 7312->7311 7313->7314 7315 515457 InterlockedIncrement 7314->7315 7316 51545a 7314->7316 7315->7316 7317 515464 InterlockedIncrement 7316->7317 7318 515467 7316->7318 7317->7318 7319 515480 InterlockedIncrement 7318->7319 7320 515490 InterlockedIncrement 7318->7320 7321 51549b InterlockedIncrement 7318->7321 7319->7318 7320->7318 7321->6992 7326 515fb2 LeaveCriticalSection 7322->7326 7324 515884 7324->6994 7325->7309 7326->7324 7327->6828 7330 518b2e 7328->7330 7332 518b9b 7330->7332 7338 51bb0d 7330->7338 7331 518c99 7331->6874 7331->6875 7332->7331 7333 51bb0d 77 API calls __wincmdln 7332->7333 7333->7332 7335 5152c1 7334->7335 7336 5152c8 7334->7336 7560 51511e 7335->7560 7336->6868 7341 51baba 7338->7341 7344 5138a4 7341->7344 7345 5138b7 7344->7345 7351 513904 7344->7351 7352 5158ff 7345->7352 7348 5138e4 7348->7351 7372 514e19 7348->7372 7351->7330 7353 515886 __getptd_noexit 67 API calls 7352->7353 7354 515907 7353->7354 7355 5138bc 7354->7355 7356 517f51 __amsg_exit 67 API calls 7354->7356 7355->7348 7357 515585 7355->7357 7356->7355 7358 515591 __ioinit 7357->7358 7359 5158ff __getptd 67 API calls 7358->7359 7360 515596 7359->7360 7361 5155c4 7360->7361 7363 5155a8 7360->7363 7362 51608c __lock 67 API calls 7361->7362 7364 5155cb 7362->7364 7365 5158ff __getptd 67 API calls 7363->7365 7388 515547 7364->7388 7367 5155ad 7365->7367 7370 517f51 __amsg_exit 67 API calls 7367->7370 7371 5155bb __ioinit 7367->7371 7370->7371 7371->7348 7373 514e25 __ioinit 7372->7373 7374 5158ff __getptd 67 API calls 7373->7374 7375 514e2a 7374->7375 7376 51608c __lock 67 API calls 
7375->7376 7379 514e3c 7375->7379 7378 514e5a 7376->7378 7377 514ea3 7556 514eb4 7377->7556 7378->7377 7381 514e71 InterlockedDecrement 7378->7381 7382 514e8b InterlockedIncrement 7378->7382 7380 514e4a __ioinit 7379->7380 7384 517f51 __amsg_exit 67 API calls 7379->7384 7380->7351 7381->7382 7385 514e7c 7381->7385 7382->7377 7384->7380 7385->7382 7386 513acf _realloc 67 API calls 7385->7386 7387 514e8a 7386->7387 7387->7382 7389 51554b 7388->7389 7395 51557d 7388->7395 7390 51541f ___addlocaleref 8 API calls 7389->7390 7389->7395 7391 51555e 7390->7391 7391->7395 7399 5154ae 7391->7399 7396 5155ef 7395->7396 7555 515fb2 LeaveCriticalSection 7396->7555 7398 5155f6 7398->7367 7400 515542 7399->7400 7401 5154bf InterlockedDecrement 7399->7401 7400->7395 7413 5152d6 7400->7413 7402 5154d4 InterlockedDecrement 7401->7402 7403 5154d7 7401->7403 7402->7403 7404 5154e1 InterlockedDecrement 7403->7404 7405 5154e4 7403->7405 7404->7405 7406 5154f1 7405->7406 7407 5154ee InterlockedDecrement 7405->7407 7408 5154fb InterlockedDecrement 7406->7408 7409 5154fe 7406->7409 7407->7406 7408->7409 7410 515517 InterlockedDecrement 7409->7410 7411 515532 InterlockedDecrement 7409->7411 7412 515527 InterlockedDecrement 7409->7412 7410->7409 7411->7400 7412->7409 7414 51535a 7413->7414 7415 5152ed 7413->7415 7416 5153a7 7414->7416 7417 513acf _realloc 67 API calls 7414->7417 7415->7414 7418 515321 7415->7418 7426 513acf _realloc 67 API calls 7415->7426 7430 5153ce 7416->7430 7467 519900 7416->7467 7420 51537b 7417->7420 7428 513acf _realloc 67 API calls 7418->7428 7442 515342 7418->7442 7421 513acf _realloc 67 API calls 7420->7421 7423 51538e 7421->7423 7429 513acf _realloc 67 API calls 7423->7429 7424 513acf _realloc 67 API calls 7431 51534f 7424->7431 7425 515413 7432 513acf _realloc 67 API calls 7425->7432 7433 515316 7426->7433 7427 513acf _realloc 67 API calls 7427->7430 7434 515337 7428->7434 7435 51539c 7429->7435 7430->7425 7436 513acf 67 API calls _realloc 7430->7436 7437 513acf 
_realloc 67 API calls 7431->7437 7438 515419 7432->7438 7443 519ada 7433->7443 7459 519a95 7434->7459 7441 513acf _realloc 67 API calls 7435->7441 7436->7430 7437->7414 7438->7395 7441->7416 7442->7424 7444 519b64 7443->7444 7445 519ae7 7443->7445 7444->7418 7446 519af8 7445->7446 7447 513acf _realloc 67 API calls 7445->7447 7448 519b0a 7446->7448 7449 513acf _realloc 67 API calls 7446->7449 7447->7446 7450 519b1c 7448->7450 7451 513acf _realloc 67 API calls 7448->7451 7449->7448 7452 519b2e 7450->7452 7454 513acf _realloc 67 API calls 7450->7454 7451->7450 7453 519b40 7452->7453 7455 513acf _realloc 67 API calls 7452->7455 7456 519b52 7453->7456 7457 513acf _realloc 67 API calls 7453->7457 7454->7452 7455->7453 7456->7444 7458 513acf _realloc 67 API calls 7456->7458 7457->7456 7458->7444 7460 519aa2 7459->7460 7461 519ad6 7459->7461 7462 519ab2 7460->7462 7463 513acf _realloc 67 API calls 7460->7463 7461->7442 7464 519ac4 7462->7464 7465 513acf _realloc 67 API calls 7462->7465 7463->7462 7464->7461 7466 513acf _realloc 67 API calls 7464->7466 7465->7464 7466->7461 7468 519911 7467->7468 7469 5153c7 7467->7469 7470 513acf _realloc 67 API calls 7468->7470 7469->7427 7471 519919 7470->7471 7472 513acf _realloc 67 API calls 7471->7472 7473 519921 7472->7473 7474 513acf _realloc 67 API calls 7473->7474 7475 519929 7474->7475 7476 513acf _realloc 67 API calls 7475->7476 7477 519931 7476->7477 7478 513acf _realloc 67 API calls 7477->7478 7479 519939 7478->7479 7480 513acf _realloc 67 API calls 7479->7480 7481 519941 7480->7481 7482 513acf _realloc 67 API calls 7481->7482 7483 519948 7482->7483 7484 513acf _realloc 67 API calls 7483->7484 7485 519950 7484->7485 7486 513acf _realloc 67 API calls 7485->7486 7487 519958 7486->7487 7488 513acf _realloc 67 API calls 7487->7488 7489 519960 7488->7489 7490 513acf _realloc 67 API calls 7489->7490 7491 519968 7490->7491 7492 513acf _realloc 67 API calls 7491->7492 7493 519970 7492->7493 7494 513acf _realloc 67 API calls 7493->7494 
7495 519978 7494->7495 7496 513acf _realloc 67 API calls 7495->7496 7497 519980 7496->7497 7498 513acf _realloc 67 API calls 7497->7498 7499 519988 7498->7499 7500 513acf _realloc 67 API calls 7499->7500 7501 519990 7500->7501 7502 513acf _realloc 67 API calls 7501->7502 7503 51999b 7502->7503 7504 513acf _realloc 67 API calls 7503->7504 7505 5199a3 7504->7505 7506 513acf _realloc 67 API calls 7505->7506 7507 5199ab 7506->7507 7508 513acf _realloc 67 API calls 7507->7508 7509 5199b3 7508->7509 7510 513acf _realloc 67 API calls 7509->7510 7511 5199bb 7510->7511 7512 513acf _realloc 67 API calls 7511->7512 7513 5199c3 7512->7513 7514 513acf _realloc 67 API calls 7513->7514 7515 5199cb 7514->7515 7516 513acf _realloc 67 API calls 7515->7516 7517 5199d3 7516->7517 7518 513acf _realloc 67 API calls 7517->7518 7519 5199db 7518->7519 7520 513acf _realloc 67 API calls 7519->7520 7521 5199e3 7520->7521 7522 513acf _realloc 67 API calls 7521->7522 7523 5199eb 7522->7523 7524 513acf _realloc 67 API calls 7523->7524 7525 5199f3 7524->7525 7526 513acf _realloc 67 API calls 7525->7526 7527 5199fb 7526->7527 7528 513acf _realloc 67 API calls 7527->7528 7529 519a03 7528->7529 7530 513acf _realloc 67 API calls 7529->7530 7531 519a0b 7530->7531 7532 513acf _realloc 67 API calls 7531->7532 7533 519a13 7532->7533 7534 513acf _realloc 67 API calls 7533->7534 7535 519a21 7534->7535 7536 513acf _realloc 67 API calls 7535->7536 7537 519a2c 7536->7537 7538 513acf _realloc 67 API calls 7537->7538 7539 519a37 7538->7539 7540 513acf _realloc 67 API calls 7539->7540 7541 519a42 7540->7541 7542 513acf _realloc 67 API calls 7541->7542 7543 519a4d 7542->7543 7544 513acf _realloc 67 API calls 7543->7544 7545 519a58 7544->7545 7546 513acf _realloc 67 API calls 7545->7546 7547 519a63 7546->7547 7548 513acf _realloc 67 API calls 7547->7548 7549 519a6e 7548->7549 7550 513acf _realloc 67 API calls 7549->7550 7551 519a79 7550->7551 7552 513acf _realloc 67 API calls 7551->7552 7553 519a84 7552->7553 7554 
513acf _realloc 67 API calls 7553->7554 7554->7469 7555->7398 7559 515fb2 LeaveCriticalSection 7556->7559 7558 514ebb 7558->7379 7559->7558 7561 51512a __ioinit 7560->7561 7562 5158ff __getptd 67 API calls 7561->7562 7563 515133 7562->7563 7564 514e19 _LocaleUpdate::_LocaleUpdate 69 API calls 7563->7564 7565 51513d 7564->7565 7591 514ebd 7565->7591 7568 517da3 __malloc_crt 67 API calls 7569 51515e 7568->7569 7570 51527d __ioinit 7569->7570 7598 514f39 7569->7598 7570->7336 7573 51528a 7573->7570 7578 513acf _realloc 67 API calls 7573->7578 7581 51529d 7573->7581 7574 51518e InterlockedDecrement 7575 5151af InterlockedIncrement 7574->7575 7576 51519e 7574->7576 7575->7570 7577 5151c5 7575->7577 7576->7575 7580 513acf _realloc 67 API calls 7576->7580 7577->7570 7583 51608c __lock 67 API calls 7577->7583 7578->7581 7579 515e97 __wsplitpath_s 67 API calls 7579->7570 7582 5151ae 7580->7582 7581->7579 7582->7575 7585 5151d9 InterlockedDecrement 7583->7585 7586 515255 7585->7586 7587 515268 InterlockedIncrement 7585->7587 7586->7587 7589 513acf _realloc 67 API calls 7586->7589 7608 51527f 7587->7608 7590 515267 7589->7590 7590->7587 7592 5138a4 _LocaleUpdate::_LocaleUpdate 77 API calls 7591->7592 7593 514ed1 7592->7593 7594 514efa 7593->7594 7595 514edc GetOEMCP 7593->7595 7596 514eec 7594->7596 7597 514eff GetACP 7594->7597 7595->7596 7596->7568 7596->7570 7597->7596 7599 514ebd getSystemCP 79 API calls 7598->7599 7600 514f59 7599->7600 7601 514f64 setSBCS 7600->7601 7604 514fa8 IsValidCodePage 7600->7604 7607 514fcd _memset __setmbcp_nolock 7600->7607 7602 51376a setSBUpLow 5 API calls 7601->7602 7603 51511c 7602->7603 7603->7573 7603->7574 7604->7601 7605 514fba GetCPInfo 7604->7605 7605->7601 7605->7607 7611 514c86 GetCPInfo 7607->7611 7744 515fb2 LeaveCriticalSection 7608->7744 7610 515286 7610->7570 7612 514d6c 7611->7612 7614 514cba _memset 7611->7614 7616 51376a setSBUpLow 5 API calls 7612->7616 7621 5198be 7614->7621 7619 514e17 7616->7619 7619->7607 7620 5196bf 
___crtLCMapStringA 102 API calls 7620->7612 7622 5138a4 _LocaleUpdate::_LocaleUpdate 77 API calls 7621->7622 7623 5198d1 7622->7623 7631 519704 7623->7631 7626 5196bf 7627 5138a4 _LocaleUpdate::_LocaleUpdate 77 API calls 7626->7627 7628 5196d2 7627->7628 7697 51931a 7628->7697 7632 519725 GetStringTypeW 7631->7632 7633 519750 7631->7633 7634 519745 GetLastError 7632->7634 7635 51973d 7632->7635 7633->7635 7636 519837 7633->7636 7634->7633 7637 519789 MultiByteToWideChar 7635->7637 7652 519831 7635->7652 7659 51be58 GetLocaleInfoA 7636->7659 7643 5197b6 7637->7643 7637->7652 7639 51376a setSBUpLow 5 API calls 7641 514d27 7639->7641 7641->7626 7642 519888 GetStringTypeA 7647 5198a3 7642->7647 7642->7652 7644 514aa6 _malloc 67 API calls 7643->7644 7648 5197cb _memset ___convertcp 7643->7648 7644->7648 7646 519804 MultiByteToWideChar 7649 51982b 7646->7649 7650 51981a GetStringTypeW 7646->7650 7651 513acf _realloc 67 API calls 7647->7651 7648->7646 7648->7652 7655 5192fa 7649->7655 7650->7649 7651->7652 7652->7639 7656 519306 7655->7656 7657 519317 7655->7657 7656->7657 7658 513acf _realloc 67 API calls 7656->7658 7657->7652 7658->7657 7660 51be86 7659->7660 7661 51be8b 7659->7661 7663 51376a setSBUpLow 5 API calls 7660->7663 7690 51bb64 7661->7690 7664 51985b 7663->7664 7664->7642 7664->7652 7665 51bea1 7664->7665 7666 51bee1 GetCPInfo 7665->7666 7670 51bf6b 7665->7670 7667 51bf56 MultiByteToWideChar 7666->7667 7668 51bef8 7666->7668 7667->7670 7674 51bf11 _strlen 7667->7674 7668->7667 7671 51befe GetCPInfo 7668->7671 7669 51376a setSBUpLow 5 API calls 7672 51987c 7669->7672 7670->7669 7671->7667 7673 51bf0b 7671->7673 7672->7642 7672->7652 7673->7667 7673->7674 7675 51bf43 _memset ___convertcp 7674->7675 7676 514aa6 _malloc 67 API calls 7674->7676 7675->7670 7677 51bfa0 MultiByteToWideChar 7675->7677 7676->7675 7678 51bfb8 7677->7678 7682 51bfd7 7677->7682 7680 51bfdc 7678->7680 7681 51bfbf WideCharToMultiByte 7678->7681 7679 5192fa __freea 67 API calls 7679->7670 
7683 51bfe7 WideCharToMultiByte 7680->7683 7684 51bffb 7680->7684 7681->7682 7682->7679 7683->7682 7683->7684 7685 517de8 __calloc_crt 67 API calls 7684->7685 7686 51c003 7685->7686 7686->7682 7687 51c00c WideCharToMultiByte 7686->7687 7687->7682 7688 51c01e 7687->7688 7689 513acf _realloc 67 API calls 7688->7689 7689->7682 7693 51cf9e 7690->7693 7694 51cfb7 7693->7694 7695 51cd6f strtoxl 91 API calls 7694->7695 7696 51bb75 7695->7696 7696->7660 7698 51933b LCMapStringW 7697->7698 7701 519356 7697->7701 7699 51935e GetLastError 7698->7699 7698->7701 7699->7701 7700 519554 7704 51be58 ___ansicp 91 API calls 7700->7704 7701->7700 7702 5193b0 7701->7702 7703 5193c9 MultiByteToWideChar 7702->7703 7726 51954b 7702->7726 7711 5193f6 7703->7711 7703->7726 7706 51957c 7704->7706 7705 51376a setSBUpLow 5 API calls 7707 514d47 7705->7707 7708 519670 LCMapStringA 7706->7708 7709 519595 7706->7709 7706->7726 7707->7620 7712 5195cc 7708->7712 7713 51bea1 ___convertcp 74 API calls 7709->7713 7710 519447 MultiByteToWideChar 7714 519460 LCMapStringW 7710->7714 7715 519542 7710->7715 7717 514aa6 _malloc 67 API calls 7711->7717 7724 51940f ___convertcp 7711->7724 7716 519697 7712->7716 7720 513acf _realloc 67 API calls 7712->7720 7718 5195a7 7713->7718 7714->7715 7719 519481 7714->7719 7722 5192fa __freea 67 API calls 7715->7722 7725 513acf _realloc 67 API calls 7716->7725 7716->7726 7717->7724 7721 5195b1 LCMapStringA 7718->7721 7718->7726 7723 51948a 7719->7723 7730 5194b3 7719->7730 7720->7716 7721->7712 7728 5195d3 7721->7728 7722->7726 7723->7715 7727 51949c LCMapStringW 7723->7727 7724->7710 7724->7726 7725->7726 7726->7705 7727->7715 7732 5195e4 _memset ___convertcp 7728->7732 7733 514aa6 _malloc 67 API calls 7728->7733 7729 519502 LCMapStringW 7734 51951a WideCharToMultiByte 7729->7734 7735 51953c 7729->7735 7731 514aa6 _malloc 67 API calls 7730->7731 7736 5194ce ___convertcp 7730->7736 7731->7736 7732->7712 7738 519622 LCMapStringA 7732->7738 7733->7732 7734->7735 7737 
5192fa __freea 67 API calls 7735->7737 7736->7715 7736->7729 7737->7715 7739 519642 7738->7739 7740 51963e 7738->7740 7742 51bea1 ___convertcp 74 API calls 7739->7742 7743 5192fa __freea 67 API calls 7740->7743 7742->7740 7743->7712 7744->7610 7746 51a806 7745->7746 7747 5155fb __encode_pointer 6 API calls 7746->7747 7748 51a81e 7746->7748 7747->7746 7748->6898 7752 514a04 7749->7752 7751 514a4d 7751->6900 7753 514a10 __ioinit 7752->7753 7760 517fbd 7753->7760 7759 514a31 __ioinit 7759->7751 7761 51608c __lock 67 API calls 7760->7761 7762 514a15 7761->7762 7763 514919 7762->7763 7764 515676 __decode_pointer 6 API calls 7763->7764 7765 51492d 7764->7765 7766 515676 __decode_pointer 6 API calls 7765->7766 7767 51493d 7766->7767 7768 5149c0 7767->7768 7783 5191cf 7767->7783 7780 514a3a 7768->7780 7770 5155fb __encode_pointer 6 API calls 7771 5149b5 7770->7771 7774 5155fb __encode_pointer 6 API calls 7771->7774 7772 51497f 7772->7768 7776 517e34 __realloc_crt 73 API calls 7772->7776 7777 514995 7772->7777 7773 51495b 7773->7772 7779 5149a7 7773->7779 7796 517e34 7773->7796 7774->7768 7776->7777 7777->7768 7778 5155fb __encode_pointer 6 API calls 7777->7778 7778->7779 7779->7770 7845 517fc6 7780->7845 7784 5191db __ioinit 7783->7784 7785 519208 7784->7785 7786 5191eb 7784->7786 7788 519249 HeapSize 7785->7788 7790 51608c __lock 67 API calls 7785->7790 7787 515e97 __wsplitpath_s 67 API calls 7786->7787 7789 5191f0 7787->7789 7792 519200 __ioinit 7788->7792 7791 515e2f __wsplitpath_s 6 API calls 7789->7791 7793 519218 ___sbh_find_block 7790->7793 7791->7792 7792->7773 7801 519269 7793->7801 7800 517e3d 7796->7800 7798 517e7c 7798->7772 7799 517e5d Sleep 7799->7800 7800->7798 7800->7799 7805 51aa05 7800->7805 7804 515fb2 LeaveCriticalSection 7801->7804 7803 519244 7803->7788 7803->7792 7804->7803 7806 51aa11 __ioinit 7805->7806 7807 51aa26 7806->7807 7808 51aa18 7806->7808 7810 51aa39 7807->7810 7811 51aa2d 7807->7811 7809 514aa6 _malloc 67 API calls 7808->7809 7813 51aa20 
_realloc __ioinit 7809->7813 7818 51abab 7810->7818 7840 51aa46 ___sbh_resize_block _realloc ___sbh_find_block 7810->7840 7812 513acf _realloc 67 API calls 7811->7812 7812->7813 7813->7800 7814 51abde 7817 514b7f _realloc 6 API calls 7814->7817 7815 51abb0 HeapReAlloc 7815->7813 7815->7818 7816 51608c __lock 67 API calls 7816->7840 7819 51abe4 7817->7819 7818->7814 7818->7815 7821 51ac02 7818->7821 7822 514b7f _realloc 6 API calls 7818->7822 7825 51abf8 7818->7825 7820 515e97 __wsplitpath_s 67 API calls 7819->7820 7820->7813 7821->7813 7823 515e97 __wsplitpath_s 67 API calls 7821->7823 7822->7818 7824 51ac0b GetLastError 7823->7824 7824->7813 7827 515e97 __wsplitpath_s 67 API calls 7825->7827 7829 51ab79 7827->7829 7828 51aad1 HeapAlloc 7828->7840 7829->7813 7831 51ab7e GetLastError 7829->7831 7830 51ab26 HeapReAlloc 7830->7840 7831->7813 7832 51689e ___sbh_alloc_block 5 API calls 7832->7840 7833 51ab91 7833->7813 7835 515e97 __wsplitpath_s 67 API calls 7833->7835 7834 514b7f _realloc 6 API calls 7834->7840 7837 51ab9e 7835->7837 7836 5160ef VirtualFree VirtualFree HeapFree __VEC_memcpy ___sbh_free_block 7836->7840 7837->7813 7837->7824 7838 51ab74 7839 515e97 __wsplitpath_s 67 API calls 7838->7839 7839->7829 7840->7813 7840->7814 7840->7816 7840->7828 7840->7830 7840->7832 7840->7833 7840->7834 7840->7836 7840->7838 7841 51ab49 7840->7841 7844 515fb2 LeaveCriticalSection 7841->7844 7843 51ab50 7843->7840 7844->7843 7848 515fb2 LeaveCriticalSection 7845->7848 7847 514a3f 7847->7759 7848->7847 7850 51193a 7849->7850 7854 51101c 7849->7854 7859 51383f 7850->7859 7854->6912 7855 5119c0 7854->7855 7856 51102b 7855->7856 7857 5119e2 7855->7857 7856->6912 7857->7856 7858 513a3c __wcsicoll 79 API calls 7857->7858 7858->7857 7862 513849 7859->7862 7860 514aa6 _malloc 67 API calls 7860->7862 7861 511941 7861->7854 7871 511ab0 7861->7871 7862->7860 7862->7861 7863 514b7f _realloc 6 API calls 7862->7863 7865 513865 std::bad_alloc::bad_alloc 7862->7865 7863->7862 7867 514a40 
__cinit 74 API calls 7865->7867 7869 51388b 7865->7869 7867->7869 7879 513822 7869->7879 7870 5138a3 7872 511abf 7871->7872 7873 511b07 7872->7873 7874 51383f 75 API calls 7872->7874 7873->7854 7875 511acf 7874->7875 7875->7873 7876 511af5 GetCommandLineW 7875->7876 7891 5112c0 7876->7891 7885 514878 7879->7885 7882 514ba7 7883 514bd0 7882->7883 7884 514bdc RaiseException 7882->7884 7883->7884 7884->7870 7886 514898 _strlen 7885->7886 7887 513832 7885->7887 7886->7887 7888 514aa6 _malloc 67 API calls 7886->7888 7887->7882 7889 5148ab 7888->7889 7889->7887 7890 518f85 _strcpy_s 67 API calls 7889->7890 7890->7887 7892 5112cc 7891->7892 7901 5113bb 7891->7901 7903 5114b0 7892->7903 7894 5112d7 moneypunct 7895 5114b0 75 API calls 7894->7895 7900 5112ea moneypunct _realloc 7895->7900 7896 51383f 75 API calls 7896->7900 7897 5113d0 87 API calls 7897->7900 7898 5113c1 7910 5113d0 7898->7910 7900->7896 7900->7897 7900->7898 7900->7901 7902 5114b0 75 API calls 7900->7902 7901->7854 7902->7900 7904 5114bb 7903->7904 7905 51150c 7904->7905 7906 511579 7904->7906 7909 5114ef _realloc 7904->7909 7907 51383f 75 API calls 7905->7907 7905->7909 7908 51383f 75 API calls 7906->7908 7906->7909 7907->7909 7908->7909 7909->7894 7921 511770 7910->7921 7912 511406 7926 5116a0 7912->7926 7914 511417 moneypunct 7915 51383f 75 API calls 7914->7915 7918 511462 moneypunct 7914->7918 7916 511438 7915->7916 7917 511451 7916->7917 7931 511060 7916->7931 7936 5115f0 7917->7936 7918->7901 7922 5117c9 7921->7922 7923 511779 7921->7923 7922->7912 7924 51383f 75 API calls 7923->7924 7925 5117ab _realloc 7924->7925 7925->7912 7927 511715 7926->7927 7928 5116ab 7926->7928 7927->7914 7929 511707 7928->7929 7943 513a3c 7928->7943 7929->7914 7932 511770 75 API calls 7931->7932 7933 511092 7932->7933 7966 511170 7933->7966 7935 5110a3 moneypunct 7935->7917 7937 511657 7936->7937 7940 5115fa 7936->7940 7938 51383f 75 API calls 7937->7938 7939 51165e 7938->7939 7939->7918 7941 51383f 75 API calls 7940->7941 
7942 511612 7941->7942 7942->7918 7944 513a4d 7943->7944 7945 513abc 7943->7945 7947 515e97 __wsplitpath_s 67 API calls 7944->7947 7948 513a69 7944->7948 7951 51392b 7945->7951 7949 513a59 7947->7949 7948->7928 7950 515e2f __wsplitpath_s 6 API calls 7949->7950 7950->7948 7952 5138a4 _LocaleUpdate::_LocaleUpdate 77 API calls 7951->7952 7953 513940 7952->7953 7954 513949 7953->7954 7955 513978 7953->7955 7956 515e97 __wsplitpath_s 67 API calls 7954->7956 7957 513980 7955->7957 7962 5139af 7955->7962 7958 51394e 7956->7958 7959 515e97 __wsplitpath_s 67 API calls 7957->7959 7961 515e2f __wsplitpath_s 6 API calls 7958->7961 7960 513985 7959->7960 7963 515e2f __wsplitpath_s 6 API calls 7960->7963 7965 51395e 7961->7965 7964 515c43 79 API calls __towlower_l 7962->7964 7962->7965 7963->7965 7964->7962 7965->7948 7969 5117f0 7966->7969 7968 5111c3 7968->7935 7971 5117fd moneypunct 7969->7971 7970 51185c 7970->7968 7971->7970 7971->7971 7972 51383f 75 API calls 7971->7972 7973 51183b _realloc 7972->7973 7973->7968 7975 5180a1 __ioinit 7974->7975 7976 51608c __lock 67 API calls 7975->7976 7977 5180a8 7976->7977 7978 518171 __initterm 7977->7978 7980 5180d4 7977->7980 7993 5181ac 7978->7993 7981 515676 __decode_pointer 6 API calls 7980->7981 7984 5180df 7981->7984 7983 5181a9 __ioinit 7983->6917 7986 518161 __initterm 7984->7986 7988 515676 __decode_pointer 6 API calls 7984->7988 7986->7978 7987 5181a0 7989 517fa5 _doexit 3 API calls 7987->7989 7992 5180f4 7988->7992 7989->7983 7990 51566d 6 API calls _doexit 7990->7992 7991 515676 6 API calls __decode_pointer 7991->7992 7992->7986 7992->7990 7992->7991 7994 5181b2 7993->7994 7995 51818d 7993->7995 7998 515fb2 LeaveCriticalSection 7994->7998 7995->7983 7997 515fb2 LeaveCriticalSection 7995->7997 7997->7987 7998->7995 9162 513794 9165 513784 9162->9165 9164 5137a1 moneypunct 9168 514708 9165->9168 9167 513792 9167->9164 9169 514714 __ioinit 9168->9169 9170 51608c __lock 67 API calls 9169->9170 9173 51471b 9170->9173 9171 514754 
9178 51476f 9171->9178 9173->9171 9174 51474b 9173->9174 9177 513acf _realloc 67 API calls 9173->9177 9176 513acf _realloc 67 API calls 9174->9176 9175 514765 __ioinit 9175->9167 9176->9171 9177->9174 9181 515fb2 LeaveCriticalSection 9178->9181 9180 514776 9180->9175 9181->9180

    Control-flow Graph

    APIs
    • CoInitializeEx.COMBASE(00000000,00000002), ref: 00511005
    • CoUninitialize.COMBASE ref: 00511044
      • Part of subcall function 005119C0: __wcsicoll.LIBCMT ref: 00511A29
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: InitializeUninitialize__wcsicoll
    • String ID:
    • API String ID: 1787031911-0
    • Opcode ID: bb80aa54e44f9a8bcf7376492dea728472255d4cda8daa97d9d55d8c9de3d6d3
    • Instruction ID: 7e681820796eaa2eef8b80067f74c9cd782e6da4f2c3a6a12265814c1f630608
    • Opcode Fuzzy Hash: bb80aa54e44f9a8bcf7376492dea728472255d4cda8daa97d9d55d8c9de3d6d3
    • Instruction Fuzzy Hash: F5F02036600A0197E2219728CC4DFCB7BA0AFE5B60F158A64FA55CB290DB39CC82C7D4

    Control-flow Graph

    control_flow_graph 10 517fa5-517fb6 call 517f7a ExitProcess
    APIs
    • ___crtCorExitProcess.LIBCMT ref: 00517FAD
      • Part of subcall function 00517F7A: GetModuleHandleW.KERNEL32(mscoree.dll,?,00517FB2,0051385E,?,00515FFB,000000FF,0000001E,00522040,0000000C,005160A7,0051385E,?,?,0051A546,00000004), ref: 00517F84
      • Part of subcall function 00517F7A: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00517F94
    • ExitProcess.KERNEL32 ref: 00517FB6
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: ExitProcess$AddressHandleModuleProc___crt
    • String ID:
    • API String ID: 2427264223-0
    • Opcode ID: 8d8b66113266a8b76caa3c95bed312d2bac995e4320b226a36c273bd8dfe081e
    • Instruction ID: e6ae355b77a901cfc496742292e607a99c1cc2610c121b0723017218088aaf14
    • Opcode Fuzzy Hash: 8d8b66113266a8b76caa3c95bed312d2bac995e4320b226a36c273bd8dfe081e
    • Instruction Fuzzy Hash: CDB09B3104410DFBDB113F55DC0D88D3F75FB843507114020F40805031DF71AD96D680

    Control-flow Graph

    control_flow_graph 13 515ee0-515f02 HeapCreate 14 515f04-515f05 13->14 15 515f06-515f0f 13->15
    APIs
    • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00515EF5
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: CreateHeap
    • String ID:
    • API String ID: 10892065-0
    • Opcode ID: 7e84c3561400d35c274891c0a71a174238325e35631e424051fd3337794a2917
    • Instruction ID: f29427436eef876c9773d1fef1ae50f0c6a220af3479e4f0d8249a3d83d8ad49
    • Opcode Fuzzy Hash: 7e84c3561400d35c274891c0a71a174238325e35631e424051fd3337794a2917
    • Instruction Fuzzy Hash: 69D0A776694308AEEB209F74BC487A23FDCEBA83A5F148436F80CC6150F570C981EA00

    Control-flow Graph

    control_flow_graph 16 5181c1-5181cd call 518095 18 5181d2-5181d6 16->18
    APIs
    • _doexit.LIBCMT ref: 005181CD
      • Part of subcall function 00518095: __lock.LIBCMT ref: 005180A3
      • Part of subcall function 00518095: __decode_pointer.LIBCMT ref: 005180DA
      • Part of subcall function 00518095: __decode_pointer.LIBCMT ref: 005180EF
      • Part of subcall function 00518095: __decode_pointer.LIBCMT ref: 00518119
      • Part of subcall function 00518095: __decode_pointer.LIBCMT ref: 0051812F
      • Part of subcall function 00518095: __decode_pointer.LIBCMT ref: 0051813C
      • Part of subcall function 00518095: __initterm.LIBCMT ref: 0051816B
      • Part of subcall function 00518095: __initterm.LIBCMT ref: 0051817B
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: __decode_pointer$__initterm$__lock_doexit
    • String ID:
    • API String ID: 1597249276-0
    • Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
    • Instruction ID: 78bf6ab0b0ffa5dd677a88b02ae5e8590df2a6e50a54cbce0ef93208f6758aeb
    • Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
    • Instruction Fuzzy Hash: B8B0923298020C33EA2025A2AC0BF563E0997C0BA0F240020BA1C1D1E1A9A3A9A58089

    Control-flow Graph

    control_flow_graph 131 5121b0-5121cc CoInitializeEx 132 512552-512561 131->132 133 5121d2-51223e call 519280 * 2 call 5132b0 131->133 141 512244-51225c call 512680 133->141 142 51253d-51254f CoUninitialize 133->142 145 512262-51227a call 512680 141->145 146 51251c-51253a CoUninitialize 141->146 150 512280-512289 145->150 151 5124ef-512519 CoUninitialize 145->151 152 5122a1-5122ab 150->152 153 51228b-51229c 150->153 155 5122b1 152->155 156 512494-5124c6 CoUninitialize 152->156 153->152 158 5122b5-5122ba 155->158 158->156 161 5122c0-5122cc 158->161 162 5123b1-5123e0 SysAllocStringLen call 512ab0 161->162 163 5122d2-5122ed call 512720 161->163 169 5123e2-5123e4 162->169 171 5122f3-512310 call 512bd0 163->171 172 5124e9-5124ed 163->172 174 5124e6 169->174 175 5123ea-5123ec 169->175 184 5123a3-5123af 171->184 185 512316-512318 171->185 173 51247a-51248e 172->173 173->156 186 5122b3 173->186 174->172 177 5123f2-5123ff call 512790 175->177 178 5124c9-5124cb 175->178 191 512401-512411 OpenProcess 177->191 192 512413 177->192 182 512477 178->182 183 5124cd-5124e4 call 513fa1 call 513ced 178->183 182->173 183->182 184->169 185->184 189 51231e-51233c VariantInit 185->189 186->158 197 51236d-512381 call 513a3c 189->197 198 51233e-512352 VariantChangeType 189->198 195 512415-512424 191->195 192->195 204 512426-512434 WaitForSingleObject 195->204 205 51246f-512474 195->205 209 512383-512393 197->209 210 512395-51239f 197->210 198->197 200 512354-51236b VariantClear 198->200 200->169 206 512436-51244d call 513fa1 call 513ced 204->206 207 51244f-512465 call 513fa1 call 513ced 204->207 205->182 221 512468-512469 CloseHandle 206->221 207->221 209->169 210->184 221->205
    APIs
    • CoInitializeEx.OLE32(00000000,00000002), ref: 005121C4
    • _memset.LIBCMT ref: 005121E7
    • _memset.LIBCMT ref: 005121FE
    • CoCreateInstance.OLE32(0051F24C,00000000,00000001,0051F21C,?), ref: 00512236
    • CoUninitialize.OLE32 ref: 00512541
      • Part of subcall function 00512680: SysAllocString.OLEAUT32(ApplicationInstances), ref: 005126A2
      • Part of subcall function 00512680: SysFreeString.OLEAUT32(00000000), ref: 005126FA
    • VariantInit.OLEAUT32(?), ref: 00512323
    • VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 0051234A
    • VariantClear.OLEAUT32(00000008), ref: 00512359
    • __wcsicoll.LIBCMT ref: 00512377
    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00512409
    • WaitForSingleObject.KERNEL32(00000000,00007530), ref: 0051242C
    • _fwprintf.LIBCMT ref: 00512445
    • _fwprintf.LIBCMT ref: 00512460
    • CloseHandle.KERNEL32(00000000), ref: 00512469
    • SysFreeString.OLEAUT32(00000000), ref: 0051247B
    • CoUninitialize.OLE32 ref: 005124B8
    • _fwprintf.LIBCMT ref: 005124DC
    • CoUninitialize.OLE32 ref: 0051250B
    • CoUninitialize.OLE32 ref: 0051252C
    Strings
    • No COM+ application with the name '%s' was found. The shut down request was ignored., xrefs: 005124CE
    • ApplicationInstances, xrefs: 0051226A
    • `<u, xrefs: 0051247B
    • The '%s' application was successfully shut down., xrefs: 00512437
    • Pou, xrefs: 00512236
    • The '%s' COM+ application was sent a shut down request, but the application process did not exit within %lu seconds., xrefs: 00512452
    • Applications, xrefs: 0051224C
    • System Application, xrefs: 00512371
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: Uninitialize$StringVariant_fwprintf$Free_memset$AllocChangeClearCloseCreateHandleInitInitializeInstanceObjectOpenProcessSingleTypeWait__wcsicoll
    • String ID: ApplicationInstances$Applications$No COM+ application with the name '%s' was found. The shut down request was ignored.$Pou$System Application$The '%s' COM+ application was sent a shut down request, but the application process did not exit within %lu seconds.$The '%s' application was successfully shut down.$`<u
    • API String ID: 1832995712-4221045137
    • Opcode ID: dcf5ac9a1e8db5fadbeb9a906b58223bccd5b4469c24fd2e3aa4749e9272e882
    • Instruction ID: cb75bb197671e6fadce579ec925262d1deb08833c43e8d6ba6688a39d406811a
    • Opcode Fuzzy Hash: dcf5ac9a1e8db5fadbeb9a906b58223bccd5b4469c24fd2e3aa4749e9272e882
    • Instruction Fuzzy Hash: EFB19D756043019FE700EF64D888E9BBBE8FFD8340F148928F949C7251D674E999CBA2

    Control-flow Graph

    control_flow_graph 345 512d40-512d65 346 512d6b-512d6d 345->346 347 512f9f-512fba call 51376a 345->347 346->347 349 512d73-512d8f call 5131e0 CreateToolhelp32Snapshot 346->349 353 512f73-512f7b GetLastError 349->353 354 512d95-512dd2 call 512fc0 * 2 call 519280 Process32FirstW 349->354 356 512f5b-512f72 call 51376a 353->356 357 512f7d-512f9e call 51376a 353->357 367 512dd8 354->367 368 512f1c-512f25 GetLastError 354->368 369 512de0-512df4 call 513a3c 367->369 370 512f27-512f29 368->370 371 512f39-512f57 call 513779 * 2 CloseHandle 368->371 378 512f05-512f16 Process32NextW 369->378 379 512dfa-512e14 OpenProcess 369->379 373 512f35 370->373 374 512f2b-512f30 370->374 371->356 373->371 374->373 378->368 378->369 381 512e1a-512e2f GetProcessImageFileNameW 379->381 382 512eed-512ef5 GetLastError 379->382 384 512e35-512e3b 381->384 385 512ee4-512eeb CloseHandle 381->385 386 512f01 382->386 387 512ef7-512efc 382->387 388 512e52-512e58 384->388 389 512e3d-512e50 call 513a3c 384->389 385->378 386->378 387->386 388->385 391 512e5e-512e71 call 513a3c 388->391 389->388 394 512e73-512e75 389->394 391->385 391->394 396 512e77-512e9a call 51383f 394->396 397 512ed6-512ee2 394->397 400 512eb6-512ed3 call 519280 396->400 401 512e9c-512eb3 call 519ce0 call 513779 396->401 397->385 400->397 401->400
    APIs
      • Part of subcall function 005131E0: GetCurrentProcess.KERNEL32(00000028,DC2A8B03,?,?,?,00512D7E,74DF30A0,00000000,?), ref: 005131E9
      • Part of subcall function 005131E0: OpenProcessToken.ADVAPI32(00000000,?,?,?,00512D7E,74DF30A0,00000000,?), ref: 005131F0
      • Part of subcall function 005131E0: LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0051320B
      • Part of subcall function 005131E0: AdjustTokenPrivileges.ADVAPI32 ref: 00513247
      • Part of subcall function 005131E0: CloseHandle.KERNEL32(00000000), ref: 00513258
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,74DF30A0,00000000,?), ref: 00512D81
    • GetLastError.KERNEL32(00000002,00000000,74DF30A0,00000000,?), ref: 00512F73
      • Part of subcall function 00512FC0: _memset.LIBCMT ref: 00512FF1
      • Part of subcall function 00512FC0: LoadLibraryW.KERNEL32(KERNEL32.DLL,00000000,00000000,?), ref: 00513009
      • Part of subcall function 00512FC0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0051301F
      • Part of subcall function 00512FC0: FreeLibrary.KERNEL32(00000000), ref: 0051303B
      • Part of subcall function 00512FC0: __wsplitpath_s.LIBCMT ref: 005130A4
      • Part of subcall function 00512FC0: _memset.LIBCMT ref: 005130BB
      • Part of subcall function 00512FC0: QueryDosDeviceW.KERNEL32(?,?,00000105), ref: 005130D5
      • Part of subcall function 00512FC0: GetSystemDirectoryW.KERNEL32(?,00000208), ref: 00513050
    • _memset.LIBCMT ref: 00512DB5
    • Process32FirstW.KERNEL32 ref: 00512DCB
    • __wcsicoll.LIBCMT ref: 00512DEA
    • OpenProcess.KERNEL32(00000400,00000000,?,00000000,?,00000002,00000000,74DF30A0,00000000,?), ref: 00512E06
    • GetProcessImageFileNameW.PSAPI(00000000,?,00000104), ref: 00512E28
    • __wcsicoll.LIBCMT ref: 00512E46
    • __wcsicoll.LIBCMT ref: 00512E67
    • _memset.LIBCMT ref: 00512EC7
    • CloseHandle.KERNEL32(00000000,00000000,?,00000104), ref: 00512EE5
    • GetLastError.KERNEL32 ref: 00512EED
    • Process32NextW.KERNEL32(?,?), ref: 00512F0F
    • GetLastError.KERNEL32(00000000,?,00000002,00000000,74DF30A0,00000000,?), ref: 00512F1C
    • CloseHandle.KERNEL32(00000000,00000000,?,00000002,00000000,74DF30A0,00000000,?), ref: 00512F51
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: Process_memset$CloseErrorHandleLast__wcsicoll$LibraryOpenProcess32Token$AddressAdjustCreateCurrentDeviceDirectoryFileFirstFreeImageLoadLookupNameNextPrivilegePrivilegesProcQuerySnapshotSystemToolhelp32Value__wsplitpath_s
    • String ID: dllhost.exe
    • API String ID: 3212909537-3520973717
    • Opcode ID: a9c1fbaccddfb1dc9766954f9117fd88bf2c8fc698b7bb5b9418a7024cf8caeb
    • Instruction ID: 0e1fcb1e3c7f492230bb01df94597a02bc80a4ab86342df0f72f1cb3e145aa41
    • Opcode Fuzzy Hash: a9c1fbaccddfb1dc9766954f9117fd88bf2c8fc698b7bb5b9418a7024cf8caeb
    • Instruction Fuzzy Hash: CF518FB16042019BE724EB24CC5ABFF7BE8BFC4740F04492DF549C6281EB34DA958B96
    APIs
    • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,80000001,?,?,00000000,?,?,00511FCD,00000004), ref: 00513531
    • OpenServiceW.ADVAPI32(00000000,COMSysApp,00000002,?,00000000,?,?,00511FCD,00000004), ref: 00513545
    • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00511FCD,00000004), ref: 0051355A
    • GetLastError.KERNEL32(?,00000000,?,?,00511FCD,00000004), ref: 00513562
    • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00511FCD,00000004), ref: 00513567
    • GetLastError.KERNEL32(?,00000000,?,?,00511FCD,00000004), ref: 00513575
    • ChangeServiceConfigW.ADVAPI32(00511FCD,000000FF,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00511FCD), ref: 00513597
    • GetLastError.KERNEL32(?,00000000,?,?,00511FCD,00000004), ref: 005135A1
    • CloseServiceHandle.ADVAPI32(00511FCD), ref: 005135B0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: Service$CloseErrorHandleLast$Open$ChangeConfigManager
    • String ID: COMSysApp$ServicesActive
    • API String ID: 71225020-884190028
    • Opcode ID: d64ad0f50d6cacec79397270fd0368de69eb866fd183f0cd20236ce4c480f3e6
    • Instruction ID: c0c7b5824a53cba13d600522cd73fc4dbd6a042608fa9e545c5a9047a0f3f8d9
    • Opcode Fuzzy Hash: d64ad0f50d6cacec79397270fd0368de69eb866fd183f0cd20236ce4c480f3e6
    • Instruction Fuzzy Hash: 8501DB7160431167E3205729AC4DEA77F99FB56B71F124634F927D22D1DB50CE446260
    APIs
    • GetCurrentProcess.KERNEL32(00000028,DC2A8B03,?,?,?,00512D7E,74DF30A0,00000000,?), ref: 005131E9
    • OpenProcessToken.ADVAPI32(00000000,?,?,?,00512D7E,74DF30A0,00000000,?), ref: 005131F0
    • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0051320B
    • AdjustTokenPrivileges.ADVAPI32 ref: 00513247
    • CloseHandle.KERNEL32(00000000), ref: 00513258
    • GetLastError.KERNEL32(?,?,?,00512D7E,74DF30A0,00000000,?), ref: 00513265
    • CloseHandle.KERNEL32(?,?,?,?,00512D7E,74DF30A0,00000000,?), ref: 00513280
    • GetLastError.KERNEL32(?,?,?,00512D7E,74DF30A0,00000000,?), ref: 0051328D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: CloseErrorHandleLastProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
    • String ID: SeDebugPrivilege
    • API String ID: 3403152165-2896544425
    • Opcode ID: 54e0903bbd1cd0120bed7ea8c0be033c4cc5783e1ccd8fe70f7d299ac0fee734
    • Instruction ID: 75bfdd9e5aa9a0c7f56c267d2248704d9b2d399d2db5c171eb0c5ab3637f81b1
    • Opcode Fuzzy Hash: 54e0903bbd1cd0120bed7ea8c0be033c4cc5783e1ccd8fe70f7d299ac0fee734
    • Instruction Fuzzy Hash: 55118675704301AFE310EF58DC4DBAB7BE8BF58B40F508528F549C2191E778D9089762
    APIs
    • IsDebuggerPresent.KERNEL32 ref: 005146BD
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 005146D2
    • UnhandledExceptionFilter.KERNEL32(`@R), ref: 005146DD
    • GetCurrentProcess.KERNEL32(C0000409), ref: 005146F9
    • TerminateProcess.KERNEL32(00000000), ref: 00514700
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
    • String ID: `@R
    • API String ID: 2579439406-3263852015
    • Opcode ID: e26b13abeb6950f8dd9219b98b21ed3b9edc2d2487004cc27ada735c777a035a
    • Instruction ID: c9178e141ca4b4b681ddef37f05286451c025e2d56d4964205946d66e8eaec18
    • Opcode Fuzzy Hash: e26b13abeb6950f8dd9219b98b21ed3b9edc2d2487004cc27ada735c777a035a
    • Instruction Fuzzy Hash: E321DFB8900244DFE720DF65F8496843BA0BF7A304F41412AE60987371E7B499DAEF15
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_0000879E), ref: 005187E5
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: 316409ba89c301580aa65e38df57272520944770324d33b2d8daee929e7ad405
    • Instruction ID: ec9739b0553709f55a60c70044f553401c6bf3257378f4ca5e7f283d90d10699
    • Opcode Fuzzy Hash: 316409ba89c301580aa65e38df57272520944770324d33b2d8daee929e7ad405
    • Instruction Fuzzy Hash: FE9002696511009696202B706D0D5993A90BB6C6127524AA06252C4095DE914044A611

    Control-flow Graph

    APIs
      • Part of subcall function 00513350: OpenSCManagerW.ADVAPI32(00000000,ServicesActive,80000001,?,?,00000000,?,?,00511FB5,?), ref: 00513361
      • Part of subcall function 00513350: OpenServiceW.ADVAPI32(00000000,COMSysApp,00000001,?,?,00000000,?,?,00511FB5,?), ref: 00513375
      • Part of subcall function 00513350: CloseServiceHandle.ADVAPI32(00000000,?,?,00000000,?,?,00511FB5,?), ref: 0051338A
      • Part of subcall function 00513350: QueryServiceConfigW.ADVAPI32(00511FB5,00000000,00000000,00511FB5,?,?,00000000,?,?,00511FB5,?), ref: 005133C1
      • Part of subcall function 00513350: GetLastError.KERNEL32(?,?,00000000,?,?,00511FB5,?), ref: 005133C7
      • Part of subcall function 00513350: QueryServiceConfigW.ADVAPI32(00511FB5,00000000,?,?), ref: 005133F3
      • Part of subcall function 00513350: CloseServiceHandle.ADVAPI32(00511FB5), ref: 00513400
    • _fwprintf.LIBCMT ref: 00512191
      • Part of subcall function 00513520: OpenSCManagerW.ADVAPI32(00000000,ServicesActive,80000001,?,?,00000000,?,?,00511FCD,00000004), ref: 00513531
      • Part of subcall function 00513520: OpenServiceW.ADVAPI32(00000000,COMSysApp,00000002,?,00000000,?,?,00511FCD,00000004), ref: 00513545
      • Part of subcall function 00513520: CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00511FCD,00000004), ref: 0051355A
      • Part of subcall function 00513520: ChangeServiceConfigW.ADVAPI32(00511FCD,000000FF,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00511FCD), ref: 00513597
      • Part of subcall function 00513520: GetLastError.KERNEL32(?,00000000,?,?,00511FCD,00000004), ref: 005135A1
      • Part of subcall function 00513520: CloseServiceHandle.ADVAPI32(00511FCD), ref: 005135B0
      • Part of subcall function 00513450: OpenSCManagerW.ADVAPI32(00000000,ServicesActive,80000001,?,?,00000000,?,?,00511FD9), ref: 00513463
      • Part of subcall function 00513450: OpenServiceW.ADVAPI32(00000000,COMSysApp,00000004,?,00000000,?,?,00511FD9), ref: 00513477
      • Part of subcall function 00513450: CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00511FD9), ref: 00513486
      • Part of subcall function 00513450: QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,00000000,?,00000000,?,?,00511FD9), ref: 005134D9
      • Part of subcall function 00513450: CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00511FD9), ref: 005134E6
    • OpenProcess.KERNEL32(00100001,00000000,?), ref: 00512004
    • WaitForSingleObject.KERNEL32(00000000,00002710), ref: 00512025
    • _fwprintf.LIBCMT ref: 00512039
    • TerminateProcess.KERNEL32(00000000,000000FF), ref: 00512046
    • WaitForSingleObject.KERNEL32(00000000,00001388), ref: 00512052
    • _fwprintf.LIBCMT ref: 00512064
    • _fwprintf.LIBCMT ref: 0051207C
    • CloseHandle.KERNEL32(00000000), ref: 00512085
    • OpenProcess.KERNEL32(00100001,00000000,?), ref: 005120CC
    • TerminateProcess.KERNEL32(00000000,000000FF), ref: 005120DB
    • WaitForSingleObject.KERNEL32(00000000,00002710), ref: 005120E7
    • _fwprintf.LIBCMT ref: 00512100
    • CloseHandle.KERNEL32(00000000), ref: 00512109
    • _fwprintf.LIBCMT ref: 00512122
    • CloseHandle.KERNEL32(00000000), ref: 0051212B
    • _fwprintf.LIBCMT ref: 00512142
    Strings
    • The service process was terminated but did not exit within %lu seconds., xrefs: 0051206E
    • The COM+ system service was sent a shut down request, but the service process did not exit within %lu seconds., xrefs: 00512056
    • A handle to DLLHOST process ID %lu could not be obtained to request process termination., xrefs: 00512134
    • DLLHOST process ID %lu was terminated but did not exit within %lu seconds., xrefs: 00512114
    • The COM+ system application (%s) service configuration could not be retrieved., xrefs: 00512183
    • The COM+ system service was stopped., xrefs: 0051202B
    • DLLHOST process ID %lu was terminated., xrefs: 005120F2
    • COMSysApp, xrefs: 0051217E
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: Service$CloseHandle$Open$_fwprintf$Process$ConfigManagerObjectQuerySingleWait$ErrorLastTerminate$ChangeStatus
    • String ID: A handle to DLLHOST process ID %lu could not be obtained to request process termination.$COMSysApp$DLLHOST process ID %lu was terminated but did not exit within %lu seconds.$DLLHOST process ID %lu was terminated.$The COM+ system application (%s) service configuration could not be retrieved.$The COM+ system service was sent a shut down request, but the service process did not exit within %lu seconds.$The COM+ system service was stopped.$The service process was terminated but did not exit within %lu seconds.
    • API String ID: 3797398603-3397523116
    • Opcode ID: 69f4505ad2c243c63daf1db6f3bd0d0f740273c0fc25153594ad490fc1394007
    • Instruction ID: 2679d623823f58e9c1b9dc08a664e2a2653bcaf01e18d69d55d401984e85a61a
    • Opcode Fuzzy Hash: 69f4505ad2c243c63daf1db6f3bd0d0f740273c0fc25153594ad490fc1394007
    • Instruction Fuzzy Hash: 714109B29403026BF710BB649C4EEDF3E64BFA5750F040924F906A2192F765DAD982A7

    Control-flow Graph

    APIs
    • WaitForSingleObject.KERNEL32(00000000,00003A98,?,?,?,?,00000004,00000000,?,00511B43,?), ref: 00511D6F
    • _fwprintf.LIBCMT ref: 00511D85
    • TerminateThread.KERNEL32(00000000,000000FF,?,?,?,?,?,?,00000004,00000000,?,00511B43,?), ref: 00511D90
    • WaitForSingleObject.KERNEL32(00000000,00003A98,?,?,?,?,?,?,?,?,?,00000004,00000000,?,00511B43,?), ref: 00511DD5
    • WaitForSingleObject.KERNEL32(00000000,00003A98,?,?,?,?,?,?,?,?,?,00000004,00000000,?,00511B43,?), ref: 00511DF0
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000004,00000000,?,00511B43,?), ref: 00511DF7
    • WaitForSingleObject.KERNEL32(00000000,0001D4C0,?,?,?,?,?,?,?,?,?,00000004,00000000,?,00511B43,?), ref: 00511E76
    • _fwprintf.LIBCMT ref: 00511E8C
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000004,00000000,?,00511B43,?), ref: 00511E95
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000004,00000000,?,00511B43,?), ref: 00511E9C
    • _fwprintf.LIBCMT ref: 00511EE5
    Strings
    • Failed to create COM+ shutdown thread, xrefs: 00511E2D
    • The COM+ administration system failed to shut down one or more applications in the time allotted (%lu seconds), xrefs: 00511E01
    • Failed to create health check thread, xrefs: 00511ED7
    • The COM+ reset did not complete within the time allotted (%lu seconds). A system restart is recommended., xrefs: 00511E7E
    • Failed to create COM+ reset thread, xrefs: 00511EAE
    • The COM+ health check did not complete within the time allotted (%lu seconds), xrefs: 00511D77
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: ObjectSingleWait$CloseHandle_fwprintf$TerminateThread
    • String ID: Failed to create COM+ reset thread$Failed to create COM+ shutdown thread$Failed to create health check thread$The COM+ administration system failed to shut down one or more applications in the time allotted (%lu seconds)$The COM+ health check did not complete within the time allotted (%lu seconds)$The COM+ reset did not complete within the time allotted (%lu seconds). A system restart is recommended.
    • API String ID: 831982598-1474398732
    • Opcode ID: 255944f734eac7089b1c4e011f612df53fcc18464cc67e9c8a8a1c3e87063022
    • Instruction ID: 336a6aebd10f0ff49f276466af8a4afeceab2c75540b6f69875f2282a5760c3f
    • Opcode Fuzzy Hash: 255944f734eac7089b1c4e011f612df53fcc18464cc67e9c8a8a1c3e87063022
    • Instruction Fuzzy Hash: 9F41BD729403066BF310BBA59C0EFFB3FECBFD1790F044428F919A1181E635E989426A

    Control-flow Graph

    APIs
    • GetTickCount.KERNEL32 ref: 005135C6
    • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,80000001), ref: 005135DC
    • OpenServiceW.ADVAPI32(00000000,COMSysApp,00000024), ref: 005135F0
    • CloseServiceHandle.ADVAPI32(00000000), ref: 005135FF
    • GetLastError.KERNEL32 ref: 00513607
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00513610
    • GetLastError.KERNEL32 ref: 00513618
    • QueryServiceStatusEx.ADVAPI32(?,00000000,?,00000024,?), ref: 0051366D
    • ControlService.ADVAPI32(?,00000001,?), ref: 005136BA
    • GetTickCount.KERNEL32 ref: 005136E6
    • SleepEx.KERNEL32(00007530,00000000), ref: 00513707
    • CloseServiceHandle.ADVAPI32 ref: 00513722
    • GetLastError.KERNEL32 ref: 00513734
    • CloseServiceHandle.ADVAPI32(?), ref: 0051373F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: Service$CloseHandle$ErrorLast$CountOpenTick$ControlManagerQuerySleepStatus
    • String ID: COMSysApp$ServicesActive
    • API String ID: 593920158-884190028
    • Opcode ID: 07aaa0984aaa65300501bbe91155b83e7a3457d733925e0eef78e7da024b3db6
    • Instruction ID: 99185697f8b0767527efbe700b72372bf1d58d2b7790960d987e14a1f12bca1e
    • Opcode Fuzzy Hash: 07aaa0984aaa65300501bbe91155b83e7a3457d733925e0eef78e7da024b3db6
    • Instruction Fuzzy Hash: 9F4170B59083409FE720DF68D85C6AABFE5FB98310F054829F54AD3350E774DA88DB52

    Control-flow Graph

    APIs
    • VariantInit.OLEAUT32(?), ref: 005127A3
    • SysAllocString.OLEAUT32(ProcessID), ref: 005127D2
    • SysAllocString.OLEAUT32(Application), ref: 005127DD
    • VariantInit.OLEAUT32(?), ref: 00512851
    • __wcsicoll.LIBCMT ref: 00512886
    • VariantInit.OLEAUT32(?), ref: 00512897
    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 005128BF
    • VariantClear.OLEAUT32(?), ref: 005128D6
    • VariantClear.OLEAUT32(?), ref: 005128E3
    • SysFreeString.OLEAUT32(?), ref: 0051290B
    • SysFreeString.OLEAUT32(?), ref: 00512912
    • VariantClear.OLEAUT32(?), ref: 00512919
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: Variant$String$ClearInit$AllocFree$ChangeType__wcsicoll
    • String ID: Application$ProcessID$`<u
    • API String ID: 3008952963-8180839
    • Opcode ID: eab7c2431f478ecdf785824c4a138485905cd3ed9f4485b8ca2f4035a67f53eb
    • Instruction ID: 027f5e48327a68d5364ce3676f9c35ffa8e245ae8d78d53bfeb1624539c547be
    • Opcode Fuzzy Hash: eab7c2431f478ecdf785824c4a138485905cd3ed9f4485b8ca2f4035a67f53eb
    • Instruction Fuzzy Hash: 045104B5608345AFD700DF68D8809ABBBE8BFC8744F004A1DF58597250D735E989CBA2

    Control-flow Graph

    APIs
    • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,80000001,?,?,00000000,?,?,00511FB5,?), ref: 00513361
    • OpenServiceW.ADVAPI32(00000000,COMSysApp,00000001,?,?,00000000,?,?,00511FB5,?), ref: 00513375
    • CloseServiceHandle.ADVAPI32(00000000,?,?,00000000,?,?,00511FB5,?), ref: 0051338A
    • GetLastError.KERNEL32(?,?,00000000,?,?,00511FB5,?), ref: 00513392
    • CloseServiceHandle.ADVAPI32(00000000,?,?,00000000,?,?,00511FB5,?), ref: 00513397
    • GetLastError.KERNEL32(?,?,00000000,?,?,00511FB5,?), ref: 005133A5
    • QueryServiceConfigW.ADVAPI32(00511FB5,00000000,00000000,00511FB5,?,?,00000000,?,?,00511FB5,?), ref: 005133C1
    • GetLastError.KERNEL32(?,?,00000000,?,?,00511FB5,?), ref: 005133C7
    • QueryServiceConfigW.ADVAPI32(00511FB5,00000000,?,?), ref: 005133F3
    • CloseServiceHandle.ADVAPI32(00511FB5), ref: 00513400
    • GetLastError.KERNEL32 ref: 0051340E
    • CloseServiceHandle.ADVAPI32(00511FB5), ref: 00513424
    • CloseServiceHandle.ADVAPI32(00511FB5,?,?,00000000,?,?,00511FB5,?), ref: 00513438
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: Service$CloseHandle$ErrorLast$ConfigOpenQuery$Manager
    • String ID: COMSysApp$ServicesActive
    • API String ID: 3555699149-884190028
    • Opcode ID: 15ba060a2d4faed710a8bc2859695295c6d1a9d2234158c03523c00105d27bb8
    • Instruction ID: 66ff91ac5eae7baf95b3541cc305b6e82f08d229570f057d1b03612bb5e93dca
    • Opcode Fuzzy Hash: 15ba060a2d4faed710a8bc2859695295c6d1a9d2234158c03523c00105d27bb8
    • Instruction Fuzzy Hash: 6121F5722053159BE7109B69FC8CAEBBBA8FF95762B100539F506C3211DF60CE4897A1

    Control-flow Graph

    APIs
    • _memset.LIBCMT ref: 00512FF1
    • LoadLibraryW.KERNEL32(KERNEL32.DLL,00000000,00000000,?), ref: 00513009
    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0051301F
    • FreeLibrary.KERNEL32(00000000), ref: 0051303B
    • GetSystemDirectoryW.KERNEL32(?,00000208), ref: 00513050
    • __wsplitpath_s.LIBCMT ref: 005130A4
    • _memset.LIBCMT ref: 005130BB
    • QueryDosDeviceW.KERNEL32(?,?,00000105), ref: 005130D5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: Library_memset$AddressDeviceDirectoryFreeLoadProcQuerySystem__wsplitpath_s
    • String ID: GetSystemWow64DirectoryW$KERNEL32.DLL$\$dllhost.exe
    • API String ID: 347389601-3091817508
    • Opcode ID: 520e2e69f3e41173f7b3ef65095980148f13d77f91ffb3fa7a5da7a531f5fe12
    • Instruction ID: 73ae34f55fbaed3ebef23d3081b1fa008a73b80da9c61cbb674457ac58e1cd39
    • Opcode Fuzzy Hash: 520e2e69f3e41173f7b3ef65095980148f13d77f91ffb3fa7a5da7a531f5fe12
    • Instruction Fuzzy Hash: 8051A175604701ABE324DB54DC55BEBB7E4FFD8700F00892DF94997280EB749A48CB96

    Control-flow Graph

    APIs
    • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,80000001,?,?,00000000,?,?,00511FD9), ref: 00513463
    • OpenServiceW.ADVAPI32(00000000,COMSysApp,00000004,?,00000000,?,?,00511FD9), ref: 00513477
    • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00511FD9), ref: 00513486
    • GetLastError.KERNEL32(?,00000000,?,?,00511FD9), ref: 0051348E
    • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00511FD9), ref: 00513497
    • GetLastError.KERNEL32(?,00000000,?,?,00511FD9), ref: 0051349F
    • QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,00000000,?,00000000,?,?,00511FD9), ref: 005134D9
    • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00511FD9), ref: 005134E6
    • GetLastError.KERNEL32(?,00000000,?,?,00511FD9), ref: 005134F4
    • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00511FD9), ref: 005134FD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: Service$CloseHandle$ErrorLast$Open$ManagerQueryStatus
    • String ID: COMSysApp$ServicesActive
    • API String ID: 3512290387-884190028
    • Opcode ID: 4d6485a702bf8092fa07cd77c8fb5b93b8293b15304266f6b74159dbb0d8cbee
    • Instruction ID: 7b38b76d6269735a8383a7aa2125a09e8100aab93c652fe4b9564363116f785c
    • Opcode Fuzzy Hash: 4d6485a702bf8092fa07cd77c8fb5b93b8293b15304266f6b74159dbb0d8cbee
    • Instruction Fuzzy Hash: C021A4726043059FD3209F79AC4C697FBE8FB58722B10493EF64BC2611EB70D948AB90
    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,00521FF0,0000000C,005158DA,00000000,00000000,?,0051385E,?,00000000,?,00000000,?,?,00512598,?), ref: 005157B1
    • __crt_waiting_on_module_handle.LIBCMT ref: 005157BC
      • Part of subcall function 00517F21: Sleep.KERNEL32(000003E8,?,?,005156C5,KERNEL32.DLL,?,00514B8F,?,00514B5F,0051385E,00000000,?,0051385E,?,00000000), ref: 00517F2D
      • Part of subcall function 00517F21: GetModuleHandleW.KERNEL32(0051385E,?,005156C5,KERNEL32.DLL,?,00514B8F,?,00514B5F,0051385E,00000000,?,0051385E,?,00000000,?,00000000), ref: 00517F36
    • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 005157E5
    • GetProcAddress.KERNEL32(?,DecodePointer), ref: 005157F5
    • __lock.LIBCMT ref: 00515817
    • InterlockedIncrement.KERNEL32(044E8968), ref: 00515824
    • __lock.LIBCMT ref: 00515838
    • ___addlocaleref.LIBCMT ref: 00515856
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
    • String ID: (8R$DecodePointer$EncodePointer$KERNEL32.DLL
    • API String ID: 1028249917-432893533
    • Opcode ID: cf1f18e8046ac5dea175b9df7716dd596a120cf4f6aaf9b36d633b5af65b4cef
    • Instruction ID: 28aae54886305324ad44ab425d14ada9a0670aa833fc67e5ea8a33ed6ef01a66
    • Opcode Fuzzy Hash: cf1f18e8046ac5dea175b9df7716dd596a120cf4f6aaf9b36d633b5af65b4cef
    • Instruction Fuzzy Hash: 4A11A571801B02EAE720EF759849BCABFE0BF54314F10852DE4AA93291DBB49A81CB54
    APIs
    • SysAllocString.OLEAUT32(Application), ref: 00512C05
    • VariantInit.OLEAUT32(?), ref: 00512C12
    • SysFreeString.OLEAUT32(00000000), ref: 00512C27
    • VariantInit.OLEAUT32(?), ref: 00512C7C
    • __wcsicoll.LIBCMT ref: 00512CB8
    • VariantClear.OLEAUT32(?), ref: 00512CE1
    • VariantClear.OLEAUT32(?), ref: 00512CF7
    • VariantClear.OLEAUT32(?), ref: 00512D11
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: Variant$Clear$InitString$AllocFree__wcsicoll
    • String ID: Application$`<u
    • API String ID: 3535822021-3416457488
    • Opcode ID: 7bfaa1c4c16ad06c3e5a8987363db5b52b9a2bac6019a0cd049cbf0efc737512
    • Instruction ID: 469e015c9efecbb6ab55b8f0a99d5cb210f8b373172059103cd8b2e9c01340d8
    • Opcode Fuzzy Hash: 7bfaa1c4c16ad06c3e5a8987363db5b52b9a2bac6019a0cd049cbf0efc737512
    • Instruction Fuzzy Hash: 53414C7A204305AFD710DF64E8849EBBBA4FBD8354F54492DF94983210D730EA99CBD2
    APIs
      • Part of subcall function 00512680: SysAllocString.OLEAUT32(ApplicationInstances), ref: 005126A2
      • Part of subcall function 00512680: SysFreeString.OLEAUT32(00000000), ref: 005126FA
      • Part of subcall function 0051383F: _malloc.LIBCMT ref: 00513859
    • SysAllocString.OLEAUT32(ProcessID), ref: 005129BA
    • VariantInit.OLEAUT32(?), ref: 005129F0
    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00512A19
    • VariantClear.OLEAUT32(?), ref: 00512A44
    • SysFreeString.OLEAUT32(00000000), ref: 00512A62
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: String$Variant$AllocFree$ChangeClearInitType_malloc
    • String ID: ApplicationInstances$ProcessID$`<u
    • API String ID: 432088159-693366622
    • Opcode ID: af2901e3f271c017732fc9629b2576662d7fd29011f5e4fd377800d98104ae68
    • Instruction ID: 9b9136e3ed82949e0aaf065502cae9aab88c02eaa03c2bbed456d04ac714a83a
    • Opcode Fuzzy Hash: af2901e3f271c017732fc9629b2576662d7fd29011f5e4fd377800d98104ae68
    • Instruction Fuzzy Hash: 4D413CB66042069FC314DF68E88489BBBE5FFC8350F14496DF94AD7310D635ED858B92
    APIs
    • LoadLibraryW.KERNEL32(?), ref: 00511B76
    • GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 00511B89
    • FreeLibrary.KERNEL32(00000000), ref: 00511B98
    • GetLastError.KERNEL32 ref: 00511BA3
    • FreeLibrary.KERNEL32(00000000), ref: 00511BBA
    • GetLastError.KERNEL32 ref: 00511BC5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: Library$ErrorFreeLast$AddressLoadProc
    • String ID: DllRegisterServer
    • API String ID: 1397630947-1663957109
    • Opcode ID: 04d75ab6c2e56be4658b764959adfcebbbe34273da3319003811f3b31f769527
    • Instruction ID: 68d62f6042efea00e8934ea9b2eb870f5733da636c979b10c1e4f81ab590bafa
    • Opcode Fuzzy Hash: 04d75ab6c2e56be4658b764959adfcebbbe34273da3319003811f3b31f769527
    • Instruction Fuzzy Hash: 19F0E936B086125BD72017BEBC0C7BAAEA8EFE6BB27148575F906C2165E62CC844D354
    APIs
    • LoadLibraryW.KERNEL32(?), ref: 00511BE6
    • GetProcAddress.KERNEL32(00000000,DllUnregisterServer), ref: 00511BF9
    • FreeLibrary.KERNEL32(00000000), ref: 00511C08
    • GetLastError.KERNEL32 ref: 00511C13
    • FreeLibrary.KERNEL32(00000000), ref: 00511C2A
    • GetLastError.KERNEL32 ref: 00511C35
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: Library$ErrorFreeLast$AddressLoadProc
    • String ID: DllUnregisterServer
    • API String ID: 1397630947-2930405159
    • Opcode ID: c859d91a165231d6d41285c46b75fbafaddb63348894d05fd166548fb87fa327
    • Instruction ID: e18fa3ad5d474c67a01892954532a0b7763939d669ca9dff08b3faaa4a9d7d8d
    • Opcode Fuzzy Hash: c859d91a165231d6d41285c46b75fbafaddb63348894d05fd166548fb87fa327
    • Instruction Fuzzy Hash: 56F0BB367446125BD720176EFC0C7A66EA8AFA57B17108575F906C2151D62CCC44D394
    APIs
    • ___set_flsgetvalue.LIBCMT ref: 005141DA
      • Part of subcall function 00515711: TlsGetValue.KERNEL32(0051385E,0051589D,?,0051385E,?,00000000,?,00000000,?,?,00512598,?,?,74DF30A0,00000000), ref: 0051571A
      • Part of subcall function 00515711: __decode_pointer.LIBCMT ref: 0051572C
      • Part of subcall function 00515711: TlsSetValue.KERNEL32(00000000,0051385E,?,00000000,?,00000000,?,?,00512598,?,?,74DF30A0,00000000,?,?,?), ref: 0051573B
    • ___fls_getvalue@4.LIBCMT ref: 005141E5
      • Part of subcall function 005156F1: TlsGetValue.KERNEL32(?,?,005141EA,00000000), ref: 005156FF
    • ___fls_setvalue@8.LIBCMT ref: 005141F8
      • Part of subcall function 00515745: __decode_pointer.LIBCMT ref: 00515756
    • GetLastError.KERNEL32(00000000,?,00000000), ref: 00514201
    • ExitThread.KERNEL32 ref: 00514208
    • GetCurrentThreadId.KERNEL32 ref: 0051420E
    • __freefls@4.LIBCMT ref: 0051422E
    • __IsNonwritableInCurrentImage.LIBCMT ref: 00514241
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
    • String ID:
    • API String ID: 1925773019-0
    • Opcode ID: 2c657ff1762a582e598bf31dc180294107a902d7819943f297f0ae00e4148b3e
    • Instruction ID: 57975f0ae7966f9fff2fc04f0652c9e7e03a356c837c4a8e25788ebf81221370
    • Opcode Fuzzy Hash: 2c657ff1762a582e598bf31dc180294107a902d7819943f297f0ae00e4148b3e
    • Instruction Fuzzy Hash: FA018438401602EBE714AF74D94E9DD3FA9BFC9354B208424F41597252EB34C8C6DFA1
    APIs
    • ___set_flsgetvalue.LIBCMT ref: 00514288
    • __calloc_crt.LIBCMT ref: 00514294
    • __getptd.LIBCMT ref: 005142A1
    • CreateThread.KERNEL32(?,?,005141D4,00000000,?,?), ref: 005142D8
    • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 005142E2
    • __dosmaperr.LIBCMT ref: 005142FA
      • Part of subcall function 00515E97: __getptd_noexit.LIBCMT ref: 00515E97
      • Part of subcall function 00515E2F: __decode_pointer.LIBCMT ref: 00515E3A
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
    • String ID:
    • API String ID: 1803633139-0
    • Opcode ID: 98cc717ffaa7a405442c3a3e3972e966990c1bf5925e46d48e18fc031ebe1c92
    • Instruction ID: 405ee56fa138de3bc51373a4ac5c1700803e535cda1c3ac00d2aaace37da4f51
    • Opcode Fuzzy Hash: 98cc717ffaa7a405442c3a3e3972e966990c1bf5925e46d48e18fc031ebe1c92
    • Instruction Fuzzy Hash: D311C872500606FFEB10BFA4DC868DE7FA9FF84320B214539F52197151EB319AC09B60
    APIs
    • ___initconout.LIBCMT ref: 0051C937
      • Part of subcall function 0051D132: CreateFileA.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0051C93C,00000000,?,00000002,00000000), ref: 0051D145
    • WriteConsoleW.KERNEL32(FFFFFFFE,00000000,00000001,?,00000000,00000000,?,00000002,00000000), ref: 0051C959
    • GetLastError.KERNEL32 ref: 0051C96C
    • GetConsoleOutputCP.KERNEL32(00000000,00000000,00000001,00000002,00000005,00000000,00000000,00000000,?,00000002,00000000), ref: 0051C98C
    • WideCharToMultiByte.KERNEL32(00000000), ref: 0051C993
    • WriteConsoleA.KERNEL32(FFFFFFFE,?,00000000,?,00000000), ref: 0051C9AF
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: Console$Write$ByteCharCreateErrorFileLastMultiOutputWide___initconout
    • String ID:
    • API String ID: 3734994816-0
    • Opcode ID: cb32ecbcd91c1c4f2ceb83520165cf36637a18870ae1333dbcecf18ac4c98ed8
    • Instruction ID: 12c1d610b3392431e6a84415fb05b7cd8e9a7a83223304e82c691f0a424a071a
    • Opcode Fuzzy Hash: cb32ecbcd91c1c4f2ceb83520165cf36637a18870ae1333dbcecf18ac4c98ed8
    • Instruction Fuzzy Hash: 08219F71A41104EBE7209B64EE48EFA7F6CFF1A720F104659F512C21D0DB74AE89DB91
    APIs
    • __CreateFrameInfo.LIBCMT ref: 0051D9C2
      • Part of subcall function 0051D535: __getptd.LIBCMT ref: 0051D543
      • Part of subcall function 0051D535: __getptd.LIBCMT ref: 0051D551
    • __getptd.LIBCMT ref: 0051D9CC
      • Part of subcall function 005158FF: __getptd_noexit.LIBCMT ref: 00515902
      • Part of subcall function 005158FF: __amsg_exit.LIBCMT ref: 0051590F
    • __getptd.LIBCMT ref: 0051D9DA
    • __getptd.LIBCMT ref: 0051D9E8
    • __getptd.LIBCMT ref: 0051D9F3
    • _CallCatchBlock2.LIBCMT ref: 0051DA19
      • Part of subcall function 0051D5DA: __CallSettingFrame@12.LIBCMT ref: 0051D626
      • Part of subcall function 0051DAC0: __getptd.LIBCMT ref: 0051DACF
      • Part of subcall function 0051DAC0: __getptd.LIBCMT ref: 0051DADD
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
    • String ID:
    • API String ID: 1602911419-0
    • Opcode ID: 48cbe14e6e056739cdcd7830ea57447cd4c8fe834665187e1c26562f712c6fc9
    • Instruction ID: fb45185a5aa106a0be5b601e1487dd4338df3fb4c325a8339c241157fb886ab6
    • Opcode Fuzzy Hash: 48cbe14e6e056739cdcd7830ea57447cd4c8fe834665187e1c26562f712c6fc9
    • Instruction Fuzzy Hash: 1B11C971D0034AEFEB00EFA4D449ADD7BB1FF48314F10846AF815A7252DB389A559B60
    APIs
    • CoInitializeEx.OLE32(00000000,00000002), ref: 00511F0F
    • CoCreateInstance.OLE32 ref: 00511F34
    • CoUninitialize.OLE32 ref: 00511F87
      • Part of subcall function 00512570: _fwprintf.LIBCMT ref: 0051260B
    • SleepEx.KERNEL32(00001388,00000000,?), ref: 00511F6A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: CreateInitializeInstanceSleepUninitialize_fwprintf
    • String ID: Pou
    • API String ID: 371748533-1565865998
    • Opcode ID: cd0f111f9f80aa8db4b06b3f179aac043694e9381a9102e7df3707240756a28e
    • Instruction ID: 2dd7c5c20f71a5f9e31931d080329f47a9b11671d750cdca9fd1aad5a98efa31
    • Opcode Fuzzy Hash: cd0f111f9f80aa8db4b06b3f179aac043694e9381a9102e7df3707240756a28e
    • Instruction Fuzzy Hash: DF012635684700ABE310AB68DC89FCABBA8BB95720F008165FA58D71D1C7B0D886C7A5
    APIs
    • _malloc.LIBCMT ref: 00513859
      • Part of subcall function 00514AA6: __FF_MSGBANNER.LIBCMT ref: 00514AC9
      • Part of subcall function 00514AA6: __NMSG_WRITE.LIBCMT ref: 00514AD0
      • Part of subcall function 00514AA6: HeapAlloc.KERNEL32(00000000,0051384F,?,?,00000000,?,0051385E,?,00000000,?,00000000,?,?,00512598,?,?), ref: 00514B1D
    • std::bad_alloc::bad_alloc.LIBCMT ref: 0051387C
      • Part of subcall function 005137D5: std::exception::exception.LIBCMT ref: 005137E1
    • std::bad_exception::bad_exception.LIBCMT ref: 00513890
    • __CxxThrowException@8.LIBCMT ref: 0051389E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: AllocException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
    • String ID: @@R
    • API String ID: 3622535130-4207356687
    • Opcode ID: 1c8cb910fbc96e7a3a208395e8aa739d2bd812694ceb41f97e6f3b1b197b1c48
    • Instruction ID: 76c49b5b0ac1de14f411ce47cfa8eeff100bc16124a2ff6e1a0252d92c0b968e
    • Opcode Fuzzy Hash: 1c8cb910fbc96e7a3a208395e8aa739d2bd812694ceb41f97e6f3b1b197b1c48
    • Instruction Fuzzy Hash: EBF0E230505206B6FF24B761EC2EADD3F59BF81324F104024FC05564D1DB64CBC58E64
    APIs
    • __getptd.LIBCMT ref: 00515591
      • Part of subcall function 005158FF: __getptd_noexit.LIBCMT ref: 00515902
      • Part of subcall function 005158FF: __amsg_exit.LIBCMT ref: 0051590F
    • __getptd.LIBCMT ref: 005155A8
    • __amsg_exit.LIBCMT ref: 005155B6
    • __lock.LIBCMT ref: 005155C6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: __amsg_exit__getptd$__getptd_noexit__lock
    • String ID: (8R
    • API String ID: 3521780317-1541751401
    • Opcode ID: 5af83fe6f1e5c6fa7d8e50f0cf906d9d70dba822430af02b29368b43e841b64a
    • Instruction ID: 1d2efb5c585316f514cbbe4a5809108cda427bbb6124c35bce346587732c2954
    • Opcode Fuzzy Hash: 5af83fe6f1e5c6fa7d8e50f0cf906d9d70dba822430af02b29368b43e841b64a
    • Instruction Fuzzy Hash: 61F06D31901B06DAF720BB68840EBC97EA27FC5720F124519B4519B2D2EB3899C1DB51
    APIs
    • __getptd.LIBCMT ref: 0051D703
      • Part of subcall function 005158FF: __getptd_noexit.LIBCMT ref: 00515902
      • Part of subcall function 005158FF: __amsg_exit.LIBCMT ref: 0051590F
    • __getptd.LIBCMT ref: 0051D714
    • __getptd.LIBCMT ref: 0051D722
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: __getptd$__amsg_exit__getptd_noexit
    • String ID: MOC$csm
    • API String ID: 803148776-1389381023
    • Opcode ID: a04410697f92662307cff3d2e5d81a79e6eb3f8e45002c25e8713751769f6b93
    • Instruction ID: d01083aa4b9e34ffd6eac59bfba81f9340221a33eecbba1c2ec874f80da94a26
    • Opcode Fuzzy Hash: a04410697f92662307cff3d2e5d81a79e6eb3f8e45002c25e8713751769f6b93
    • Instruction Fuzzy Hash: E8E01A355006049FE720AA68C08ABE83BA4FB88314F2504A2A409CB263DB38D8C096A2
    APIs
    • __getptd.LIBCMT ref: 00514E25
      • Part of subcall function 005158FF: __getptd_noexit.LIBCMT ref: 00515902
      • Part of subcall function 005158FF: __amsg_exit.LIBCMT ref: 0051590F
    • __amsg_exit.LIBCMT ref: 00514E45
    • __lock.LIBCMT ref: 00514E55
    • InterlockedDecrement.KERNEL32(?), ref: 00514E72
    • InterlockedIncrement.KERNEL32(010D1678), ref: 00514E9D
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
    • String ID:
    • API String ID: 4271482742-0
    • Opcode ID: 92afbb574e17cb4a54b8c8b9638dd2331871dee817aa975a7c1f43e15db98bf4
    • Instruction ID: 974e41880a819314e21f140847ec2560c94a88b1db9a5f00dfd616563ad4fd28
    • Opcode Fuzzy Hash: 92afbb574e17cb4a54b8c8b9638dd2331871dee817aa975a7c1f43e15db98bf4
    • Instruction Fuzzy Hash: 8C01C435900612ABEF21AB6494497DE7FA8BF48710F184215F414A7291C7385EC6DFD2
    APIs
    • __lock.LIBCMT ref: 00513AED
      • Part of subcall function 0051608C: __mtinitlocknum.LIBCMT ref: 005160A2
      • Part of subcall function 0051608C: __amsg_exit.LIBCMT ref: 005160AE
      • Part of subcall function 0051608C: EnterCriticalSection.KERNEL32(?,?,?,0051A546,00000004,00522148,0000000C,00517DFE,0051385E,?,00000000,00000000,00000000,?,005158B1,00000001), ref: 005160B6
    • ___sbh_find_block.LIBCMT ref: 00513AF8
    • ___sbh_free_block.LIBCMT ref: 00513B07
    • HeapFree.KERNEL32(00000000,0051385E,00521EA8,0000000C,0051606D,00000000,00522040,0000000C,005160A7,0051385E,?,?,0051A546,00000004,00522148,0000000C), ref: 00513B37
    • GetLastError.KERNEL32(?,0051A546,00000004,00522148,0000000C,00517DFE,0051385E,?,00000000,00000000,00000000,?,005158B1,00000001,00000214), ref: 00513B48
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
    • String ID:
    • API String ID: 2714421763-0
    • Opcode ID: 928b942b1bb1f36465095d1a1cc3cebefdb60085a15937fe07f4696a64c18b29
    • Instruction ID: 1289c12e989059f97cce15ca23f4bee2ea5cb80a67a63764e2c979c24475fba4
    • Opcode Fuzzy Hash: 928b942b1bb1f36465095d1a1cc3cebefdb60085a15937fe07f4696a64c18b29
    • Instruction Fuzzy Hash: 6A01AD31909306AAFF34AB759C1EBDE3FA8BF54320F204619F404A7091EB348AC4DA50
    APIs
      • Part of subcall function 005181D7: _doexit.LIBCMT ref: 005181E3
    • ___set_flsgetvalue.LIBCMT ref: 005141DA
      • Part of subcall function 00515711: TlsGetValue.KERNEL32(0051385E,0051589D,?,0051385E,?,00000000,?,00000000,?,?,00512598,?,?,74DF30A0,00000000), ref: 0051571A
      • Part of subcall function 00515711: __decode_pointer.LIBCMT ref: 0051572C
      • Part of subcall function 00515711: TlsSetValue.KERNEL32(00000000,0051385E,?,00000000,?,00000000,?,?,00512598,?,?,74DF30A0,00000000,?,?,?), ref: 0051573B
    • ___fls_getvalue@4.LIBCMT ref: 005141E5
      • Part of subcall function 005156F1: TlsGetValue.KERNEL32(?,?,005141EA,00000000), ref: 005156FF
    • ___fls_setvalue@8.LIBCMT ref: 005141F8
      • Part of subcall function 00515745: __decode_pointer.LIBCMT ref: 00515756
    • GetLastError.KERNEL32(00000000,?,00000000), ref: 00514201
    • ExitThread.KERNEL32 ref: 00514208
    • GetCurrentThreadId.KERNEL32 ref: 0051420E
    • __freefls@4.LIBCMT ref: 0051422E
    • __IsNonwritableInCurrentImage.LIBCMT ref: 00514241
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
    • String ID:
    • API String ID: 132634196-0
    • Opcode ID: c9eb21824ade7d5522b06ef55fff2710576c197e11b654715585ced4d803b679
    • Instruction ID: f59f945c78e81be4905084205bd3c548194f3b346a747fbdf7b8e92f94d8361f
    • Opcode Fuzzy Hash: c9eb21824ade7d5522b06ef55fff2710576c197e11b654715585ced4d803b679
    • Instruction Fuzzy Hash: 5BE09A25800A16E7AE113BB19C5F9EE3E5DBED6390B114410BA25A3152EA3899D186A1
    APIs
    • SysAllocString.OLEAUT32(ApplicationInstances), ref: 005126A2
    • SysFreeString.OLEAUT32(00000000), ref: 005126FA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: String$AllocFree
    • String ID: ApplicationInstances$`<u
    • API String ID: 344208780-1176231285
    • Opcode ID: 8accf3ebb85067623a81b919a9f4e5b6fd88ec9a65b8742f2836a0cfba05e63f
    • Instruction ID: 9d16bc0ec78bb0526750dda043ea214ab3af4bdaf3edaf75895fadb54ca9d7ac
    • Opcode Fuzzy Hash: 8accf3ebb85067623a81b919a9f4e5b6fd88ec9a65b8742f2836a0cfba05e63f
    • Instruction Fuzzy Hash: 1B11BF766016129FE314DB68D884A97B7E8FF88361F254159E90ACB3A0DB34DC90D791
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: __calloc_crt
    • String ID: `LR$h0R
    • API String ID: 3494438863-522478077
    • Opcode ID: e368c38a69da5cce63417eb5ea51ad6f3d96c627a3fafa252580f5ddac4713fe
    • Instruction ID: 3d806f332c881d8e99da34da1555053a1eafad47481155eb5f90faae1c66195e
    • Opcode Fuzzy Hash: e368c38a69da5cce63417eb5ea51ad6f3d96c627a3fafa252580f5ddac4713fe
    • Instruction Fuzzy Hash: 6A110A3274861557F7388A1D7C996F12AA5BF9A330B28052AF700DB2D0FA38CDC79A44
    APIs
    • ___BuildCatchObject.LIBCMT ref: 0051DD5A
      • Part of subcall function 0051DCB5: ___BuildCatchObjectHelper.LIBCMT ref: 0051DCEB
    • _UnwindNestedFrames.LIBCMT ref: 0051DD71
    • ___FrameUnwindToState.LIBCMT ref: 0051DD7F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
    • String ID: csm
    • API String ID: 2163707966-1018135373
    • Opcode ID: 6d3746d3ca6c973960a6f094acf11f376ddc08dfa563c4b4360553dce42de5f6
    • Instruction ID: 77209edd00ed6dc7e00ff29d6f26b4d4b0d4d945ca5fded63ab2c52a379ad965
    • Opcode Fuzzy Hash: 6d3746d3ca6c973960a6f094acf11f376ddc08dfa563c4b4360553dce42de5f6
    • Instruction Fuzzy Hash: 9501D27600010ABBEF126F51DC89EEA7E7AFF48394F148110BD1815161D736D9A1EAA1
    APIs
    • ___addlocaleref.LIBCMT ref: 00515559
      • Part of subcall function 0051541F: InterlockedIncrement.KERNEL32(0051385E), ref: 00515431
      • Part of subcall function 0051541F: InterlockedIncrement.KERNEL32(48831475), ref: 0051543E
      • Part of subcall function 0051541F: InterlockedIncrement.KERNEL32(0AEB010C), ref: 0051544B
      • Part of subcall function 0051541F: InterlockedIncrement.KERNEL32(46C60270), ref: 00515458
      • Part of subcall function 0051541F: InterlockedIncrement.KERNEL32(8904408B), ref: 00515465
      • Part of subcall function 0051541F: InterlockedIncrement.KERNEL32(8904408B), ref: 00515481
      • Part of subcall function 0051541F: InterlockedIncrement.KERNEL32(75C08500), ref: 00515491
      • Part of subcall function 0051541F: InterlockedIncrement.KERNEL32(FF56525C), ref: 005154A7
    • ___removelocaleref.LIBCMT ref: 00515564
      • Part of subcall function 005154AE: InterlockedDecrement.KERNEL32(00521E50), ref: 005154C8
      • Part of subcall function 005154AE: InterlockedDecrement.KERNEL32(005141C8), ref: 005154D5
      • Part of subcall function 005154AE: InterlockedDecrement.KERNEL32(FFFFFFFE), ref: 005154E2
      • Part of subcall function 005154AE: InterlockedDecrement.KERNEL32(00000000), ref: 005154EF
      • Part of subcall function 005154AE: InterlockedDecrement.KERNEL32(FFFFFF88), ref: 005154FC
      • Part of subcall function 005154AE: InterlockedDecrement.KERNEL32(FFFFFF88), ref: 00515518
      • Part of subcall function 005154AE: InterlockedDecrement.KERNEL32(00000000), ref: 00515528
      • Part of subcall function 005154AE: InterlockedDecrement.KERNEL32(FFFFFF4A), ref: 0051553E
    • ___freetlocinfo.LIBCMT ref: 00515578
      • Part of subcall function 005152D6: ___free_lconv_mon.LIBCMT ref: 0051531C
      • Part of subcall function 005152D6: ___free_lconv_num.LIBCMT ref: 0051533D
      • Part of subcall function 005152D6: ___free_lc_time.LIBCMT ref: 005153C2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
    • String ID: (8R
    • API String ID: 467427115-1541751401
    • Opcode ID: d2a30a756b2bef97ab572db6b6a8c9d2d2743bf8ce95915402ad1c7b2da83a58
    • Instruction ID: d96a07ea6755197e4d1eb2d2fd195610697374caba8d89eac068990a4424e455
    • Opcode Fuzzy Hash: d2a30a756b2bef97ab572db6b6a8c9d2d2743bf8ce95915402ad1c7b2da83a58
    • Instruction Fuzzy Hash: 0EE0DF36901E22DFEA313A3C24802EA9E873FC2321B6B011AF810A7554FB744EC090A0
    APIs
    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0051A86B
    • __isleadbyte_l.LIBCMT ref: 0051A89F
    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,?,00000000,00000000,?,?,?,?,00000002,00000000), ref: 0051A8D0
    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,?,?,?,00000002,00000000), ref: 0051A93E
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
    • String ID:
    • API String ID: 3058430110-0
    • Opcode ID: c2c1f2c6fe252fbf3fc6ca79371b47af8708d7fddda003ff7049d74f9828f468
    • Instruction ID: 04b2d513d68fcb4dbf55ed7b70449277e1392ef6bdc77dff63444718d003c030
    • Opcode Fuzzy Hash: c2c1f2c6fe252fbf3fc6ca79371b47af8708d7fddda003ff7049d74f9828f468
    • Instruction Fuzzy Hash: BF31A031A02286FFEF12DF64C8849EA3FA5BF41310F1589A9E4659B192E730DDC1DB52
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: Variant$ClearInitString__wcsnicmp
    • String ID:
    • API String ID: 855804650-0
    • Opcode ID: d4ed179d001384f1c4e07f02e4a08692a5d916738f3f5401308a05a9c1105295
    • Instruction ID: 442466a1a6835db6d80651ab1b7426dbd2779fb5a32d9c0af9ac8435487e634a
    • Opcode Fuzzy Hash: d4ed179d001384f1c4e07f02e4a08692a5d916738f3f5401308a05a9c1105295
    • Instruction Fuzzy Hash: 08315EB1508306AFD714EF54D8849ABBBE4FFD8300F00492DF89987210D730D999CB92
    APIs
    • __IsNonwritableInCurrentImage.LIBCMT ref: 00514169
      • Part of subcall function 00518480: __FindPESection.LIBCMT ref: 005184DB
    • __getptd_noexit.LIBCMT ref: 00514179
    • __freeptd.LIBCMT ref: 00514183
    • ExitThread.KERNEL32 ref: 0051418C
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
    • String ID:
    • API String ID: 3182216644-0
    • Opcode ID: e0a1f68e69d4467b7699c15569d87e0e071d1b2869450b051ae98a41dc0bc9f0
    • Instruction ID: 44a762d32c41fb237b809cc8b17f59fca03f76251c0eba492310997a08082d51
    • Opcode Fuzzy Hash: e0a1f68e69d4467b7699c15569d87e0e071d1b2869450b051ae98a41dc0bc9f0
    • Instruction Fuzzy Hash: 27D012300D1607BBF6293766FD0E6963E59BFA1366F184120F400920A1DF70CCC5DD61
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID:
    • String ID: (8R
    • API String ID: 0-1541751401
    • Opcode ID: 40886ec60d52b12cef470d1a70592f4132401a0b8f8c58f48579077b4d8dd135
    • Instruction ID: 883ba28356677b33ca713a0512767d7df2e4c679f538498cf2326a9efec8a448
    • Opcode Fuzzy Hash: 40886ec60d52b12cef470d1a70592f4132401a0b8f8c58f48579077b4d8dd135
    • Instruction Fuzzy Hash: B0F08C72600108BAEF219F50DC42BB93FA4FB65744F108021F9199A1D1EBB6CAD5E790
    APIs
      • Part of subcall function 0051D588: __getptd.LIBCMT ref: 0051D58E
      • Part of subcall function 0051D588: __getptd.LIBCMT ref: 0051D59E
    • __getptd.LIBCMT ref: 0051DACF
      • Part of subcall function 005158FF: __getptd_noexit.LIBCMT ref: 00515902
      • Part of subcall function 005158FF: __amsg_exit.LIBCMT ref: 0051590F
    • __getptd.LIBCMT ref: 0051DADD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1723210529.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
    • Associated: 00000000.00000002.1723195583.0000000000510000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723235845.000000000051F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723261572.0000000000523000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1723426757.0000000000526000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_510000_Proxy32.jbxd
    Similarity
    • API ID: __getptd$__amsg_exit__getptd_noexit
    • String ID: csm
    • API String ID: 803148776-1018135373
    • Opcode ID: 2f3b0001851d3dfe9b4dfb890fb2b704a8445f5e3a79629807afdac473aa86d6
    • Instruction ID: 29856cba6323c787112b6d4504de79e8e677aaff4dd1131025ec0f3dbc456708
    • Opcode Fuzzy Hash: 2f3b0001851d3dfe9b4dfb890fb2b704a8445f5e3a79629807afdac473aa86d6
    • Instruction Fuzzy Hash: 17018B3080520AEAEF349F24D448AECBBF5BF54311F65052EE8825A251DF34A9C1DF60