Windows Analysis Report
reup.exe

Overview

General Information

Sample name: reup.exe
Analysis ID: 1545842
MD5: 30fd08b6909e7c61ab934da1c9bb8e40
SHA1: 26f97535f923195475166c3fa7bc197aced503a4
SHA256: 63aa7252e7e0fb3da2dad75515190be17087dd67b592d3f6212a9e8f9825ab01
Tags: exe, user-lontze7

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • reup.exe (PID: 7384 cmdline: "C:\Users\user\Desktop\reup.exe" MD5: 30FD08B6909E7C61AB934DA1C9BB8E40)
    • WerFault.exe (PID: 7552 cmdline: C:\Windows\system32\WerFault.exe -u -p 7384 -s 240 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: reup.exe | ReversingLabs: Detection: 28%
Source: reup.exe | Virustotal: Detection: 30%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.4% probability
Source: reup.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\reup.exe | Code function: 0_2_00007FF7F05E14CB CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDecrypt,CryptReleaseContext,CryptDestroyHash,CryptDestroyKey | 0_2_00007FF7F05E14CB
Source: C:\Users\user\Desktop\reup.exe | Code function: 0_2_00007FF7F05F3290 CryptDeriveKey | 0_2_00007FF7F05F3290
Source: C:\Users\user\Desktop\reup.exe | Code function: 0_2_00007FF7F05F32A8 CryptHashData | 0_2_00007FF7F05F32A8
Source: reup.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\reup.exe | Code function: 4x nop then sub rsp, 58h | 0_2_00007FF7F05E1A80
Source: C:\Users\user\Desktop\reup.exe | Code function: 4x nop then push rbx | 0_2_00007FF7F05E1E24
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
Source: C:\Users\user\Desktop\reup.exe | Code function: 0_2_00007FF7F05E7E10 FreeConsole,GetModuleHandleA,GetModuleHandleA,VirtualAlloc,Sleep,SleepEx,GetModuleHandleA,GetCurrentProcess,GetCurrentProcess,WriteProcessMemory,GetCurrentProcess,NtProtectVirtualMemory,GetModuleHandleA,GetCurrentThread,NtQueueApcThread | 0_2_00007FF7F05E7E10
Source: C:\Users\user\Desktop\reup.exe | Code function: 0_2_00007FF7F05E4FF0 | 0_2_00007FF7F05E4FF0
Source: C:\Users\user\Desktop\reup.exe | Code function: 0_2_00007FF7F05E3DF0 | 0_2_00007FF7F05E3DF0
Source: C:\Users\user\Desktop\reup.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7384 -s 240
Source: reup.exe | Static PE information: Number of sections : 20 > 10
Source: classification engine | Classification label: mal60.evad.winEXE@2/5@0/0
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7384
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4c442b6f-c67d-4627-8e59-968eb6e033ab
Source: reup.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\reup.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\reup.exe "C:\Users\user\Desktop\reup.exe"
Source: C:\Users\user\Desktop\reup.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\reup.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\reup.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\reup.exe | Section loaded: cryptbase.dll
Source: reup.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: reup.exe | Static PE information: section name: .xdata
Source: reup.exe | Static PE information: section name: /4
Source: reup.exe | Static PE information: section name: /19
Source: reup.exe | Static PE information: section name: /31
Source: reup.exe | Static PE information: section name: /45
Source: reup.exe | Static PE information: section name: /57
Source: reup.exe | Static PE information: section name: /70
Source: reup.exe | Static PE information: section name: /81
Source: reup.exe | Static PE information: section name: /97
Source: reup.exe | Static PE information: section name: /113
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: Amcache.hve.4.dr | Binary or memory string: VMware
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\reup.exe | Code function: 0_2_00007FF7F05E1180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm | 0_2_00007FF7F05E1180

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\reup.exe | NtProtectVirtualMemory: Indirect: 0x7FF7F05E7F6C
Source: C:\Users\user\Desktop\reup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe
MITRE ATT&CK Matrix

Techniques are listed per tactic column; numbers in parentheses are the counts shown in the report's matrix cells.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: Process Injection (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Login Hook
Defense Evasion: Process Injection (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Obfuscated Files or Information (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery (11); System Information Discovery (2); Query Registry; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Encrypted Channel (2); Junk Data; Steganography; Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label
reup.exe | 29% | ReversingLabs |
reup.exe | 31% | Virustotal |
reup.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
http://upx.sf.net | 0% | URL Reputation | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.4.dr | false | URL Reputation: safe | unknown
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1545842
Start date and time: 2024-10-31 06:48:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: reup.exe
Detection: MAL
Classification: mal60.evad.winEXE@2/5@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 3
  • Number of non-executed functions: 17
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 20.42.73.29
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
Time | Type | Description
01:49:04 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
No context
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.6945482826442844
Encrypted: false
SSDEEP: 96:xsFLNnbBbRs/hTod7JfUQXIDcQqc6mcEKcw34e4Jd+HbHg/opAnQsZnRmZAX/d5M:GrhRP0kigMJJ6jCzuiFlZ24lO81i
MD5: 62DBBC6AC23D88A2D2E20C973B91605F
SHA1: 933A4EF690F1356A3253647A129C7332CE7E12D6
SHA-256: AFC08398A79FBCEC379D45167FB04E15B824C3DF4D336FE161522EBAF180E680
SHA-512: EBC1B9316B4086EFA561EF5ED6EEE7B5B3EF0AEFADE6DF36A42E5E113C79258A99BA7FC948706DDE892F573A69193831D22B352F4816BD3364B8F09ABCC55DE4
Malicious: true
Reputation: low
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.8.2.7.3.3.9.6.2.4.2.1.0.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.8.2.7.3.4.0.0.3.0.4.5.8.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.0.0.1.f.7.8.6.-.4.f.d.1.-.4.9.6.2.-.a.0.8.7.-.7.0.2.7.9.a.8.9.0.3.8.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.5.b.b.0.b.2.4.-.f.f.8.7.-.4.f.2.1.-.a.7.4.c.-.a.f.8.4.3.7.f.8.b.a.6.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.e.u.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.d.8.-.0.0.0.1.-.0.0.1.4.-.6.9.d.9.-.2.0.9.3.5.8.2.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.f.a.7.0.0.0.5.7.6.3.e.e.c.d.a.c.4.2.1.6.9.d.0.1.2.a.d.f.b.3.e.0.0.0.0.f.f.f.f.!.0.0.0.0.2.6.f.9.7.5.3.5.f.9.2.3.1.9.5.4.7.5.1.6.6.c.3.f.a.7.b.c.1.9.7.a.c.e.d.5.0.3.a.4.!.r.e.u.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.0././.2.9.:.1.7.:.4.7.:.0.8.!.5.d.
Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Thu Oct 31 05:48:59 2024, 0x1205a4 type
Category: dropped
Size (bytes): 68029
Entropy (8bit): 1.482221170888909
Encrypted: false
SSDEEP: 192:FVU2b/NUlO6I3O5SUZnBu+ShpppESOR4SSKc:/zUI6I3oSULkxORVSp
MD5: 1EABAA83AD66C6EF7941392EA98C1C78
SHA1: AA85FD3B7FB023FC28A2E1B9BE70B7D6349E2059
SHA-256: 2D4EEDAB21D1356AF28124177B458B42526274222578720BB117400698785547
SHA-512: 7C5BE136F82FE4228E3C84876A74144020CB93BCF83B591E9CE40566C2BA9F4C9551A52B9E9603746E46EFF5D42D726E32625ABF6FF01D495CF7BE64871C9C63
Malicious: false
Reputation: low
Preview:MDMP..a..... .......K.#g.........................................$..........T.......8...........T.......................................t...............................................................................eJ..............Lw......................T...........H.#g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8538
Entropy (8bit): 3.7015144529425097
Encrypted: false
SSDEEP: 192:R6l7wVeJKWgsF6YcDROS2jgmfpb4bhpDa89bYrCfi4Im:R6lXJEsF6YmOS2jgmf1EYufiO
MD5: FE61E8E66A8F9B86237E53349F7319E5
SHA1: 974E5D5533F5B448AF97B60C539733B9FF85CD25
SHA-256: E2A45FF26F5F427C4780347E0351B58B620ED488088CA407AA16A765B06377B1
SHA-512: 75F3CD6F5BF896BA7AC11250B8C582061ED654F0EA061DFA3D03C619883519FDBAF3B9C363F355B819C9F4793D8230194B2A77073E6D870955EE5E85C28962DD
Malicious: false
Reputation: low
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.8.4.<./.P.i.
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4655
Entropy (8bit): 4.473018487448725
Encrypted: false
SSDEEP: 48:cvIwWl8zsdJg771I9fkWpW8VYLYm8M4JEEOKFtryq85l/Oxm0JAuKXd:uIjf3I7A97VXJlt0KmFuKXd
MD5: 5D93BF7270ED60804251683574B1F73A
SHA1: 86D803FB25F3BD0283CD6F070547D242F7876CA1
SHA-256: C1141405CA796AC95853844464E0705DF4817D7F30CE70C3A7D9A6559B933C58
SHA-512: 33FA3976F0517F5E5A2F7C991FB0A5D84E1D46D5B2048A3BDCA229EF893E9FC5856C974D04AFD0FC5B26F6533975FCFE8F3A1C6933978BDAAE3A07BCFBD72F00
Malicious: false
Reputation: low
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="567171" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process: C:\Windows\System32\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.393800889715689
Encrypted: false
SSDEEP: 6144:+l4fiJoH0ncNXiUjt10q0G/gaocYGBoaUMMhA2NX4WABlBuNA4OBSqa:+4vF0MYQUMM6VFYS4U
MD5: C9BCBE0CA7D082ACC351625709BC63F1
SHA1: DBA35C4640A7ADC47F64C417108E17CF55E966DB
SHA-256: 36FB8F80BB6593C5D129838F241FABB0335960CF0D6A8A484D1B523E30FE9AB9
SHA-512: 2FC2B3DAA7B8D292FECB856F0779CD871AC9A58908B83C3AE5491B40547A1E6D92BEF22EA242A30BE37C63A371ADF516CC831938CCCDC002F146E095433E79A8
Malicious: false
Reputation: low
Preview:regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.y..X+..............................................................................................................................................................................................................................................................................................................................................`X..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Static File Info

File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 6.124123890938614
TrID:
  • Win64 Executable GUI (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: reup.exe
File size: 338'318 bytes
MD5: 30fd08b6909e7c61ab934da1c9bb8e40
SHA1: 26f97535f923195475166c3fa7bc197aced503a4
SHA256: 63aa7252e7e0fb3da2dad75515190be17087dd67b592d3f6212a9e8f9825ab01
SHA512: 17dbfeee669fd54a7d2b01b5e17d1575aa347959f200548abb8767422b6dcd42b44232a5599ba6d039fd81118a825ab4da0054dec48a5ded2228cd95338093b4
SSDEEP: 3072:cbXCXysrkPMZ3zzsYL134BXg/BMVrbQRSbAJAQx418PWZ8m1Xf+QYE+ultEkIhRa:NXPY6z4Yd42iyRS0dJB0
TLSH: F0745C82B7849CD6DD04473688AB836D2734EE9016C247235A347E763D27ED0AEBE536
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....!g.z..).....&....+.r.....................@.............................P............`... ............................
Icon Hash: 8b8bcd4d4466661c
Entrypoint: 0x1400013d0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x67211F9C [Tue Oct 29 17:47:08 2024 UTC]
TLS Callbacks: 0x400016f0, 0x1, 0x400016c0, 0x1
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: a46365168056a76c08378ce735e03699

Entrypoint Preview (Instruction)
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [0000E1C5h]
mov dword ptr [eax], 00000001h
call 00007FDC14BCB04Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [0000E1A5h]
mov dword ptr [eax], 00000000h
call 00007FDC14BCB02Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007FDC14BD1AECh
dec eax
cmp eax, 01h
sbb eax, eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007FDC14BCB289h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
inc ecx
push ebp
inc ecx
push esp
push ebp
push edi
push esi
push ebx
dec eax
sub esp, 28h
xor esi, esi
dec eax
arpl word ptr [ecx+3Ch], ax
mov edi, dword ptr [ecx+eax+00000088h]
dec eax
add edi, ecx
dec eax
mov ebx, ecx
dec eax
mov ebp, edx
inc esp
mov esp, dword ptr [edi+20h]
inc esp
mov ebp, dword ptr [edi+18h]
dec ecx
add esp, ecx
inc esp
cmp esi, ebp
jnc 00007FDC14BCB2ECh
inc ecx
mov edx, dword ptr [esp+esi*4]
dec eax
mov ecx, ebp
dec eax
add edx, ebx
call 00007FDC14BD1AE4h
mov edx, eax
dec eax
lea eax, dword ptr [esi+01h]
Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x13000 | 0x978 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x108f0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x10000 | 0x48c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x27000 | 0x8c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xee60 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x13278 | 0x210 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x7030 | 0x7200 | 81983784d0054ca9fb1979b1b4caf690 | False | 0.5813802083333334 | data | 6.255832411504136 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x170 | 0x200 | e902d00d7502b1b486746406be430f7d | False | 0.357421875 | data | 2.464444533067383 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xa000 | 0x5bc0 | 0x5c00 | f8b980a7fce7ec5352f907df92d4df6c | False | 0.8996688179347826 | data | 7.796645638561551 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata | 0x10000 | 0x48c | 0x600 | 5c29d5c83664633b4feeca808c7ffe13 | False | 0.423828125 | data | 3.7078689033535497 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata | 0x11000 | 0x460 | 0x600 | be96f61e42302debf9c91901ce63c3e6 | False | 0.2766927083333333 | data | 3.596735019069027 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss | 0x12000 | 0xb80 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x13000 | 0x978 | 0xa00 | 21f6af842212d313e208ef549ac743a6 | False | 0.34765625 | data | 4.23874734634815 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x14000 | 0x60 | 0x200 | 52ba692cfc960d61d99b93747e9721f1 | False | 0.068359375 | data | 0.28655982431271465 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x15000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x16000 | 0x108f0 | 0x10a00 | 30d59ffdbef6f726d68665616d41b299 | False | 0.12379581766917293 | data | 4.99054537026602 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x27000 | 0x8c | 0x200 | 4085b2e7905e34335884376f6395367a | False | 0.259765625 | data | 1.6148727460268462 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/4 | 0x28000 | 0x620 | 0x800 | d5ce403f3eafadd81cbc7e429e757867 | False | 0.181640625 | data | 1.468706124286173 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19 | 0x29000 | 0x1207c | 0x12200 | 48ea14599ea1f17141fac03ca2bceb1b | False | 0.42386853448275863 | data | 5.787988171783133 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/31 | 0x3c000 | 0x321c | 0x3400 | 335de062d2872a1053913069789fc304 | False | 0.24466646634615385 | data | 4.77587302511516 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/45 | 0x40000 | 0x6d6d | 0x6e00 | 53872e9d9f24b640d1da85807a63476a | False | 0.5143110795454545 | data | 5.052045464909125 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/57 | 0x47000 | 0x16c0 | 0x1800 | c8b523cc2417521af7c60fa104f9ed9c | False | 0.2882486979166667 | data | 4.427054931057493 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/70 | 0x49000 | 0x39d | 0x400 | 7525f1145b47b06d73d7667bb1386b5f | False | 0.435546875 | data | 4.6233906248986 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/81 | 0x4a000 | 0x15fa | 0x1600 | b15394a328eca738bc353b3ca53f2a1e | False | 0.16352982954545456 | data | 4.685680000488948 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/97 | 0x4c000 | 0x7825 | 0x7a00 | 7abc4e0c6ce7709f237d68a1f4ee8b42 | False | 0.5157210553278688 | data | 5.811377309786459 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/113 | 0x54000 | 0x52b | 0x600 | c8f735d4379e14fc5ae61b34491dffc7 | False | 0.63671875 | data | 5.310144103808594 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Note on the table: section names of the form /N are offsets into the COFF string table, which the linker uses for names longer than 8 bytes (typically the .debug_* sections emitted by GCC/MinGW builds); these are the "non-standard names" referred to in the signature list. All of them are IMAGE_SCN_MEM_DISCARDABLE and never mapped for execution. The only section near the 8-bit entropy ceiling is .rdata (7.80 bits/byte, ZLIB complexity 0.90), while .text sits at 6.26, which is the usual picture for a small loader carrying an encrypted blob rather than for a packed executable.
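The two properties of the section table above that an analyst checks by hand, the /N long names and the per-section entropy, are easy to recompute locally. The following Python is an added example written for this page; it is not Joe Sandbox code and not part of the sample. It parses a PE section table, resolves /N names through the COFF string table (symbol table pointer plus 18 bytes per symbol), computes Shannon entropy per section and flags high-entropy non-code sections. The 7.0-bit threshold, the constructed test image produced by build_test_pe and its section contents (including the .debug_aranges name, chosen so the first long name lands at string-table offset 4 as in the table above) are assumptions made for the example; the function names are mine.

```python
"""Walk a PE section table the way the listing above does: resolve COFF '/N'
long names through the string table and compute per-section Shannon entropy,
flagging non-code sections that look encrypted or packed (.rdata scores 7.79)."""
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
HIGH_ENTROPY_BITS = 7.0  # assumed triage threshold, not a Joe Sandbox value


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for an empty section such as .bss."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """One dict per section header; '/N' names resolved when a string table exists."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _machine, nsect, _ts, symtab, nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", pe, coff)
    strtab = symtab + nsyms * 18 if symtab else None  # string table follows the 18-byte symbols
    first = coff + 20 + opt_size
    sections = []
    for i in range(nsect):
        off = first + i * 40
        raw_name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        name = raw_name.rstrip(b"\0")
        long_name = None
        if name.startswith(b"/") and name[1:].isdigit() and strtab is not None:
            start = strtab + int(name[1:])
            long_name = pe[start:pe.index(b"\0", start)].decode("ascii", "replace")
        data = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.decode("ascii", "replace"), "long_name": long_name,
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "md5": hashlib.md5(data).hexdigest(), "entropy": shannon_entropy(data),
            "characteristics": chars,
        })
    return sections


def triage(pe: bytes) -> list:
    """Findings worth a second look in a section table."""
    findings = []
    for s in parse_sections(pe):
        if s["entropy"] > HIGH_ENTROPY_BITS and not s["characteristics"] & IMAGE_SCN_CNT_CODE:
            findings.append(f"{s['name']}: high-entropy data section ({s['entropy']:.2f} bits/byte)")
        if s["long_name"] is not None:
            findings.append(f"{s['name']}: long COFF name {s['long_name']}")
    return findings


def build_test_pe(sections) -> bytes:
    """Constructed minimal PE for offline testing (not the analysed sample);
    sections is a list of (name, data, characteristics)."""
    strtab, hdr_names = bytearray(b"\0\0\0\0"), []  # 4-byte size prefix, patched below
    for name, _, _ in sections:
        if len(name) > 8:  # the linker stores '/offset' into the string table instead
            hdr_names.append(b"/%d" % len(strtab))
            strtab += name + b"\0"
        else:
            hdr_names.append(name)
    struct.pack_into("<I", strtab, 0, len(strtab))
    coff = 0x40 + 4
    data_start = coff + 20 + 40 * len(sections)  # SizeOfOptionalHeader is 0 here
    headers, body = bytearray(), bytearray()
    for i, (hname, (_, data, chars)) in enumerate(zip(hdr_names, sections)):
        headers += struct.pack("<8sIIIIIIHHI", hname, len(data), 0x1000 * (i + 1),
                               len(data), data_start + len(body), 0, 0, 0, 0, chars)
        body += data
    symtab = data_start + len(body)  # empty symbol table; the string table follows it
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff_hdr = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, symtab, 0, 0, 0x22)
    return bytes(dos + b"PE\0\0" + coff_hdr + headers + body + strtab)


def demo_findings() -> list:
    """Triage a constructed image: plain code, a high-entropy data section standing
    in for the sample's .rdata, and a GCC-style long-named debug section."""
    noise, h = bytearray(), b"seed"  # deterministic pseudo-random filler
    while len(noise) < 4096:
        h = hashlib.sha256(h).digest()
        noise += h
    pe = build_test_pe([
        (b".text", bytes(range(16)) * 64, IMAGE_SCN_CNT_CODE),
        (b".rdata", bytes(noise[:4096]), IMAGE_SCN_CNT_INITIALIZED_DATA),
        (b".debug_aranges", b"\0" * 64, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE),
    ])
    return triage(pe)
```

Run against a real file with `triage(open(path, "rb").read())`; the entropy and MD5 values come out directly comparable with the table above, and any section flagged as high-entropy data is the first place to look for the blob that a Crypt* import chain decrypts at run time.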
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x160b0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.12324026972672424
RT_GROUP_ICON | 0x268d8 | 0x14 | data | English | United States | 1.15
DLL | Import
ADVAPI32.dll | CryptAcquireContextW, CryptCreateHash, CryptDecrypt, CryptDeriveKey, CryptDestroyHash, CryptDestroyKey, CryptHashData, CryptReleaseContext
KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, FreeConsole, GetCurrentProcess, GetCurrentThread, GetLastError, GetModuleHandleA, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, MultiByteToWideChar, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualAlloc, VirtualProtect, VirtualQuery, WideCharToMultiByte
msvcrt.dll | __C_specific_handler, ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _errno, _fmode, _initterm, _lock, _onexit, _unlock, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, malloc, memcpy, memset, signal, strcmp, strerror, strlen, strncmp, vfprintf, wcslen
ntdll.dll | NtProtectVirtualMemory
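The ADVAPI32 imports above are the CryptoAPI secret-to-key pattern: CryptCreateHash opens a hash object, CryptHashData feeds it the secret, CryptDeriveKey turns the finished hash into a symmetric key and CryptDecrypt applies that key (the graph section of this report shows the calls in exactly that order inside the function at 7ff7f05e14cb). The report does not show which hash and cipher ALG_IDs are requested or what is hashed, so every pairing below is an assumption. The Python that follows is an added example, not code from the sample or from Joe Sandbox: it re-implements the documented CryptDeriveKey derivation rule (the leading key-length bytes of the hash, or the 0x36/0x5C two-buffer expansion when the cipher is AES or 3DES and the hash is not in the SHA-2 family) so that a recovered secret can be turned into the CryptDecrypt key offline. The MD5+RC4 pairing, the passphrase and the ciphertext in demo_roundtrip are constructed for the example, and the names crypt_derive_key, rc4 and demo_roundtrip are mine.

```python
"""Offline reconstruction of the CryptoAPI key schedule implied by the ADVAPI32
imports (CryptCreateHash -> CryptHashData -> CryptDeriveKey -> CryptDecrypt):
rebuild the CryptDecrypt key from a recovered secret without running the sample.
Hash and cipher choices are assumptions; the report does not expose the ALG_IDs."""
import hashlib

KEY_BYTES = {"rc4": 16, "aes128": 16, "aes192": 24, "aes256": 32, "3des": 24}
SHA2_FAMILY = {"sha256", "sha384", "sha512"}


def crypt_derive_key(secret: bytes, hash_name: str, cipher: str) -> bytes:
    """Emulate CryptDeriveKey(hProv, algid, hHash, 0, &hKey) where hHash = H(secret).

    Documented rule: the key is the leading n bytes of the hash value, except that
    for AES or 3DES with a non-SHA-2 hash the hash is first expanded: H(hash XOR
    0x36-pad) || H(hash XOR 0x5C-pad), each buffer padded to 64 bytes. Flags such
    as CRYPT_CREATE_SALT are not modelled (assumed 0).
    """
    n = KEY_BYTES[cipher]
    digest = hashlib.new(hash_name, secret).digest()
    block_cipher = cipher.startswith("aes") or cipher == "3des"
    if block_cipher and hash_name not in SHA2_FAMILY:
        inner = bytes(b ^ 0x36 for b in digest).ljust(64, b"\x36")
        outer = bytes(b ^ 0x5C for b in digest).ljust(64, b"\x5C")
        digest = hashlib.new(hash_name, inner).digest() + hashlib.new(hash_name, outer).digest()
    if len(digest) < n:
        raise ValueError(f"{hash_name} output too short for {cipher}")
    return digest[:n]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (CALG_RC4); used for the demo because it needs no third-party library."""
    s, j = list(range(256)), 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:  # pseudo-random generation, XORed with the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def demo_roundtrip(secret: bytes = b"recovered-passphrase") -> bytes:
    """Constructed stand-in for the sample's encrypted blob: encrypt a marker under
    the MD5-derived key, then recover it the way CryptDecrypt would on the target."""
    plaintext = b"constructed payload stub, not the sample's data"
    blob = rc4(crypt_derive_key(secret, "md5", "rc4"), plaintext)  # what one would carve from the file
    return rc4(crypt_derive_key(secret, "md5", "rc4"), blob)
```

With a real sample the recovered secret goes in as `secret` and the carved ciphertext replaces `blob`; if the binary requested an AES ALG_ID the returned key feeds an AES implementation in place of `rc4`, and for SHA-2 hashes the key is simply the leading digest bytes, so SHA-256 with AES-256 yields the raw SHA-256 of the secret.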
Language of compilation system | Country where language is spoken
English | United States
No network behavior found

Target ID:0
Start time:01:48:56
Start date:31/10/2024
Path:C:\Users\user\Desktop\reup.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\reup.exe"
Imagebase:0x7ff7f05e0000
File size:338'318 bytes
MD5 hash:30FD08B6909E7C61AB934DA1C9BB8E40
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:4
Start time:01:48:59
Start date:31/10/2024
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -u -p 7384 -s 240
Imagebase:0x7ff7c2670000
File size:570'736 bytes
MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

    Execution Graph

    Execution Coverage:3.6%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:15.6%
    Total number of Nodes:570
    Total number of Limit Nodes:2
    Execution graph (rendered figure; node and edge data omitted). Call chains recoverable from the graph, by function address:
    • 7ff7f05e1180 (startup): Sleep, _initterm, SetUnhandledExceptionFilter, malloc, strlen, malloc, memcpy, then 7ff7f05e7e10
    • 7ff7f05e7e10: FreeConsole, GetModuleHandleA, 7ff7f05e1450 (strcmp loop) and 7ff7f05e14cb (CryptAcquireContextW, CryptCreateHash, CryptHashData, CryptDeriveKey, CryptDecrypt, CryptReleaseContext, CryptDestroyHash, CryptDestroyKey); one branch reaches 7ff7f05e7dc0 -> 7ff7f05e26a0 (fputc), the other continues with VirtualAlloc, Sleep, GetModuleHandleA, 7ff7f05e1450 (strcmp), GetCurrentProcess, WriteProcessMemory, GetCurrentProcess, NtProtectVirtualMemory, GetModuleHandleA, 7ff7f05e1450 (strcmp), GetCurrentThread, NtQueueApcThread
    • 7ff7f05e1a80, 7ff7f05e1910, 7ff7f05e18a0: VirtualQuery, VirtualProtect, GetLastError
    • 7ff7f05e68c0, 7ff7f05e69f0, 7ff7f05e6ae0, 7ff7f05e6b50, 7ff7f05e2160, 7ff7f05e20d0, 7ff7f05e205b: Sleep, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, malloc, free, memcpy
    • 7ff7f05e78b0, 7ff7f05e76e0, 7ff7f05e7a80, 7ff7f05e7b90, 7ff7f05e77b0: IsDBCSLeadByteEx, MultiByteToWideChar, WideCharToMultiByte, ___lc_codepage_func, ___mb_cur_max_func, _errno
    • 7ff7f05e1e80, 7ff7f05e1e24: signal; 7ff7f05e1010: __set_app_type; 7ff7f05e1790: fprintf; 7ff7f05e22e0: strlen, strncmp; 7ff7f05e49e1: localeconv; 7ff7f05e7fc1: GetModuleHandleA
    • remaining nodes (output formatting and string handling): fputc, memset, strlen

    Control-flow Graph (rendered figure omitted)

    Memory Dump Source
    • Source File: 00000000.00000002.1411402789.00007FF7F05E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F05E0000, based on PE: true
    • Associated: 00000000.00000002.1411380882.00007FF7F05E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411421340.00007FF7F05E9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411441520.00007FF7F05EA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411457671.00007FF7F05F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F05F6000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F0606000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F061C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7f05e0000_reup.jbxd
    Similarity
    • API ID: CurrentHandleModuleProcess$MemoryThreadVirtual$AcquireAllocConsoleContextCryptFreeProtectQueueSleepWritestrcmp
    • String ID: Data decryption failed$NtQueueApcThread$NtTestAlert$WriteProcessMemory$kernel32.dll$ntdll.dll
    • API String ID: 416474137-3137615674
    • Opcode ID: 229d6fc247ab7d4ce4a5b5db93f96d95b52fed5b2a74bd24de551488d26e7f98
    • Instruction ID: 027d862cfd832c4bb189d8f591360b354babca98be1168b57194a8da064ad10b
    • Opcode Fuzzy Hash: 229d6fc247ab7d4ce4a5b5db93f96d95b52fed5b2a74bd24de551488d26e7f98
    • Instruction Fuzzy Hash: EE416F75B19A4241EB10EB11F804AAAA3A1BB847C4F804435EEAE07BD4DEBCE546C795

    Control-flow Graph (rendered figure omitted)

    Memory Dump Source
    • Source File: 00000000.00000002.1411402789.00007FF7F05E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F05E0000, based on PE: true
    • Associated: 00000000.00000002.1411380882.00007FF7F05E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411421340.00007FF7F05E9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411441520.00007FF7F05EA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411457671.00007FF7F05F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F05F6000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F0606000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F061C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7f05e0000_reup.jbxd
    Similarity
    • API ID: Crypt$Hash$ContextDestroy$AcquireCreateDataDecryptDeriveRelease
    • String ID:
    • API String ID: 1089615719-0
    • Opcode ID: 304eee59d264ed6e1a47fb55f276d38f3e8d3918458381701061066960d2e41e
    • Instruction ID: 2fe8b2ffc20b65dae6f85803f2ec1413a0ada94cf1d1bc5dd1e8992847a17529
    • Opcode Fuzzy Hash: 304eee59d264ed6e1a47fb55f276d38f3e8d3918458381701061066960d2e41e
    • Instruction Fuzzy Hash: 4721B93570894185FB509F61F844E2BA7A0FBC5B91F944131EA9E87BA4DF3DD0408B50

    Control-flow Graph (rendered figure omitted)

    Memory Dump Source
    • Source File: 00000000.00000002.1411402789.00007FF7F05E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F05E0000, based on PE: true
    • Associated: 00000000.00000002.1411380882.00007FF7F05E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411421340.00007FF7F05E9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411441520.00007FF7F05EA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411457671.00007FF7F05F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F05F6000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F0606000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F061C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7f05e0000_reup.jbxd
    Similarity
    • API ID: malloc$ExceptionFilterSleepUnhandledmemcpystrlen
    • String ID:
    • API String ID: 3806033187-0
    • Opcode ID: be1463fdfd596bcdd2fc5144fc7cfc53a048e2afbdd7c39a6ad9add1e5ef1454
    • Instruction ID: 3141615b3b80ef0d2904dca213717c3caa36f0ef712ed1f833d0904eb9a77593
    • Opcode Fuzzy Hash: be1463fdfd596bcdd2fc5144fc7cfc53a048e2afbdd7c39a6ad9add1e5ef1454
    • Instruction Fuzzy Hash: 4F518D36F0860286FB10BF15E844E79A3A5AF84780F944431CABD473D1DEACF840C3A6
    Memory Dump Source
    • Source File: 00000000.00000002.1411402789.00007FF7F05E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F05E0000, based on PE: true
    • Associated: 00000000.00000002.1411380882.00007FF7F05E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411421340.00007FF7F05E9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411441520.00007FF7F05EA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411457671.00007FF7F05F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F05F6000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F0606000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F061C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7f05e0000_reup.jbxd
    Similarity
    • API ID:
    • String ID: $ $Infinity$NaN
    • API String ID: 0-3274152445
    • Opcode ID: 3651d51e860882d26989f330b52fe57ec2d765ad09fe8574cc91e30b53bd889f
    • Instruction ID: 584cd2c7fc85e2db7ad50bd8249239e1b8fe64e01cb8ec5531e1f366608fefac
    • Opcode Fuzzy Hash: 3651d51e860882d26989f330b52fe57ec2d765ad09fe8574cc91e30b53bd889f
    • Instruction Fuzzy Hash: 99D2C632A1C2818BEB619F25A050B6AF791FB857C0F944135EADA43BC5DB7CF4408F91

    Control-flow Graph

    Strings
    • Unknown pseudo relocation protocol version %d., xrefs: 00007FF7F05E1DD0
    • %d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF7F05E1C0D
    • Unknown pseudo relocation bit size %d., xrefs: 00007FF7F05E1DC4
    Memory Dump Source
    • Source File: 00000000.00000002.1411402789.00007FF7F05E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F05E0000, based on PE: true
    • Associated: 00000000.00000002.1411380882.00007FF7F05E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411421340.00007FF7F05E9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411441520.00007FF7F05EA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411457671.00007FF7F05F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F05F6000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F0606000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F061C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7f05e0000_reup.jbxd
    Similarity
    • API ID:
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
    • API String ID: 0-1286557213
    • Opcode ID: 707b814e65c0927c0a939c08ff902a35765f6cb4c7a5ff95b79a0d1a94518205
    • Instruction ID: 8eeccd7bc96d800bed204e7032533486753320442e0ef3b219a3b8caaff3fd86
    • Opcode Fuzzy Hash: 707b814e65c0927c0a939c08ff902a35765f6cb4c7a5ff95b79a0d1a94518205
    • Instruction Fuzzy Hash: F391D632F4950286EF106B24D900E79A3A1BF557A4F948231CDBD577C8DEACF84287A6

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1411402789.00007FF7F05E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F05E0000, based on PE: true
    • Associated: 00000000.00000002.1411380882.00007FF7F05E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411421340.00007FF7F05E9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411441520.00007FF7F05EA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411457671.00007FF7F05F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F05F6000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F0606000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F061C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7f05e0000_reup.jbxd
    Similarity
    • API ID: signal
    • String ID: CCG
    • API String ID: 1946981877-1584390748
    • Opcode ID: 38cbdb9df70b0cd2d1d4d15e3cebddffd7a42ec4d9567ac10add89b971a3a6c2
    • Instruction ID: 8f2ad83dc5173049eed0477ef836c9618ac32978cf3b346a19314db833089e19
    • Opcode Fuzzy Hash: 38cbdb9df70b0cd2d1d4d15e3cebddffd7a42ec4d9567ac10add89b971a3a6c2
    • Instruction Fuzzy Hash: 84218B31E0C10646FF6836648450B7D96868F49394FA88936D9BE833D5CE9CF88182FB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1411402789.00007FF7F05E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F05E0000, based on PE: true
    • Associated: 00000000.00000002.1411380882.00007FF7F05E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411421340.00007FF7F05E9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411441520.00007FF7F05EA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411457671.00007FF7F05F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F05F6000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F0606000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F061C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7f05e0000_reup.jbxd
    Similarity
    • API ID:
    • String ID: .
    • API String ID: 0-248832578
    • Opcode ID: b1cc8295f4589949e1a95339fcec62e27a85a0d60d03e1e284163e2cea26f545
    • Instruction ID: 31aa804ff684227aaaf65cb379ec87abe76692b0400db746388ad54bd1f7cc03
    • Opcode Fuzzy Hash: b1cc8295f4589949e1a95339fcec62e27a85a0d60d03e1e284163e2cea26f545
    • Instruction Fuzzy Hash: ECB1EB22E1C24346F7696E259518F79E651EF40B84F848134DEAE4B7C8DEECF940C7A2
    Memory Dump Source
    • Source File: 00000000.00000002.1411457671.00007FF7F05F3000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF7F05E0000, based on PE: true
    • Associated: 00000000.00000002.1411380882.00007FF7F05E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411402789.00007FF7F05E1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411421340.00007FF7F05E9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411441520.00007FF7F05EA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F05F6000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F0606000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F061C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7f05e0000_reup.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 92fdf99e67d50528087659c48e7e8a2ee44962eb579421a8b013c99af0864db5
    • Instruction ID: 8de46a081db9d539fd4417dd8fd0a86d8bbf63e118996209ca49364ba155e0ac
    • Opcode Fuzzy Hash: 92fdf99e67d50528087659c48e7e8a2ee44962eb579421a8b013c99af0864db5
    • Instruction Fuzzy Hash: 33E0B65B90EAC50EF7531B381D6686C6F709BA2B51B8DC0A7C7E48B3C3D94D29099371
    Memory Dump Source
    • Source File: 00000000.00000002.1411457671.00007FF7F05F3000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF7F05E0000, based on PE: true
    • Associated: 00000000.00000002.1411380882.00007FF7F05E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411402789.00007FF7F05E1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411421340.00007FF7F05E9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411441520.00007FF7F05EA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F05F6000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F0606000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F061C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7f05e0000_reup.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: cd39d028e5a834b95e695ac6a8485020f0a5d4ac7b08371110a5aec9f50fa8cb
    • Instruction ID: 7314d98a0897bd1b32a502bf90e588466c856466513b64d20da8e0dc1ae8396a
    • Opcode Fuzzy Hash: cd39d028e5a834b95e695ac6a8485020f0a5d4ac7b08371110a5aec9f50fa8cb
    • Instruction Fuzzy Hash: 2DD0C76FC0D4851DF7516A3816968685F50DB51792B884134C7B44F3C1A55E3A165260

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1411402789.00007FF7F05E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F05E0000, based on PE: true
    • Associated: 00000000.00000002.1411380882.00007FF7F05E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411421340.00007FF7F05E9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411441520.00007FF7F05EA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411457671.00007FF7F05F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F05F6000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F0606000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F061C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7f05e0000_reup.jbxd
    Similarity
    • API ID: QueryVirtual
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
    • API String ID: 1804819252-1534286854
    • Opcode ID: 20d9624ecf9f028208786233a238fd775843d5a8464e776ca3e41638734fbe35
    • Instruction ID: a887c21f4f4780fd15a472c4eb945088927dd44fd65b4d256a1d5309df221e86
    • Opcode Fuzzy Hash: 20d9624ecf9f028208786233a238fd775843d5a8464e776ca3e41638734fbe35
    • Instruction Fuzzy Hash: 7B51B272A09A4696EB10AB11E840EA9F760FF84B94FC44131DEAD073D5DEBCF545C7A0

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1411402789.00007FF7F05E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F05E0000, based on PE: true
    • Associated: 00000000.00000002.1411380882.00007FF7F05E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411421340.00007FF7F05E9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411441520.00007FF7F05EA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411457671.00007FF7F05F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F05F6000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F0606000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F061C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7f05e0000_reup.jbxd
    Similarity
    • API ID: fputcmemset
    • String ID:
    • API String ID: 947785774-0
    • Opcode ID: da3c285661c426b02d7bb0ec014253430d73f74fbfff98cab1b4f34172564aeb
    • Instruction ID: ca1c58676bfe84c50686fdc676b58d66519d642a26073f7f8a0eed840cf984e5
    • Opcode Fuzzy Hash: da3c285661c426b02d7bb0ec014253430d73f74fbfff98cab1b4f34172564aeb
    • Instruction Fuzzy Hash: 22D1FA73F1855186E724AF34C504B3DA6A1BB44B68FA48234CABD577C8CA7CF941C7A2

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000000.00000002.1411402789.00007FF7F05E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F05E0000, based on PE: true
    • Associated: 00000000.00000002.1411380882.00007FF7F05E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411421340.00007FF7F05E9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411441520.00007FF7F05EA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411457671.00007FF7F05F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F05F6000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F0606000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F061C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7f05e0000_reup.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 3ea7c3da68f83a21f651fba5fd714f987f39fb7b2b10eaa3ab35943c9a8b1726
    • Instruction ID: bc6d967360e6b118bc210d05037cb92227b597ef3f741ea898abfbe18b12fdb9
    • Opcode Fuzzy Hash: 3ea7c3da68f83a21f651fba5fd714f987f39fb7b2b10eaa3ab35943c9a8b1726
    • Instruction Fuzzy Hash: A491F976F0825286E765AF29C208F39AA91AB44B54F958134CFAC5B3C4CB7CF841C7A1

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1411402789.00007FF7F05E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F05E0000, based on PE: true
    • Associated: 00000000.00000002.1411380882.00007FF7F05E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411421340.00007FF7F05E9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411441520.00007FF7F05EA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411457671.00007FF7F05F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F05F6000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F0606000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F061C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7f05e0000_reup.jbxd
    Similarity
    • API ID: Byte$CharLeadMultiWide
    • String ID:
    • API String ID: 2561704868-0
    • Opcode ID: e03050c30f18c24fa5dcc3351e31bd7e7ad72f99cf085e855522ae638b88029d
    • Instruction ID: 9ea7edab1b650a2457da50059df056207fc3517f88c92c492068df504592594a
    • Opcode Fuzzy Hash: e03050c30f18c24fa5dcc3351e31bd7e7ad72f99cf085e855522ae638b88029d
    • Instruction Fuzzy Hash: 6B31D272A0C2858AE3709F24F400B69B6A0FF94784F948134EAE8877D6DFBDE445CB51

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1411402789.00007FF7F05E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F05E0000, based on PE: true
    • Associated: 00000000.00000002.1411380882.00007FF7F05E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411421340.00007FF7F05E9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411441520.00007FF7F05EA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411457671.00007FF7F05F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F05F6000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F0606000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F061C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7f05e0000_reup.jbxd
    Similarity
    • API ID: fprintf
    • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-3474627141
    • Opcode ID: aebd9311fc89dde6a5940af1e0a0525750b95a9bbdf4680b8b37aabebd9ab4a6
    • Instruction ID: ca723c0e351be39db23a85f1c90a9e30a40562438b5abd690f3a1c86f8ebec28
    • Opcode Fuzzy Hash: aebd9311fc89dde6a5940af1e0a0525750b95a9bbdf4680b8b37aabebd9ab4a6
    • Instruction Fuzzy Hash: F4019E22C1CE8882D7019F18E8005AAB331FB6E748F659325EACC263A5DF68E5828700

    Control-flow Graph

    control_flow_graph 867 7ff7f05e1860-7ff7f05e1867 call 7ff7f05e76c0 fprintf
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1411402789.00007FF7F05E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F05E0000, based on PE: true
    • Associated: 00000000.00000002.1411380882.00007FF7F05E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411421340.00007FF7F05E9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411441520.00007FF7F05EA000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411457671.00007FF7F05F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F05F6000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F0606000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1411472194.00007FF7F061C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7f05e0000_reup.jbxd
    Similarity
    • API ID: fprintf
    • String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-2187435201
    Memory Dump Source
    • Source File: 00000000.00000002.1411402789.00007FF7F05E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F05E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7f05e0000_reup.jbxd
    Similarity
    • API ID: fprintf
    • String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-4273532761

    Control-flow Graph

    control_flow_graph 859 7ff7f05e1840-7ff7f05e1847 call 7ff7f05e76c0 fprintf
    Memory Dump Source
    • Source File: 00000000.00000002.1411402789.00007FF7F05E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F05E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7f05e0000_reup.jbxd
    Similarity
    • API ID: fprintf
    • String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-4283191376

    Control-flow Graph

    control_flow_graph 863 7ff7f05e1850-7ff7f05e1857 call 7ff7f05e76c0 fprintf
    Memory Dump Source
    • Source File: 00000000.00000002.1411402789.00007FF7F05E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F05E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7f05e0000_reup.jbxd
    Similarity
    • API ID: fprintf
    • String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-4064033741

    Control-flow Graph

    control_flow_graph 855 7ff7f05e1830-7ff7f05e1837 call 7ff7f05e76c0 fprintf
    Memory Dump Source
    • Source File: 00000000.00000002.1411402789.00007FF7F05E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F05E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7f05e0000_reup.jbxd
    Similarity
    • API ID: fprintf
    • String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-2713391170
    Memory Dump Source
    • Source File: 00000000.00000002.1411402789.00007FF7F05E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F05E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7f05e0000_reup.jbxd
    Similarity
    • API ID: fprintf
    • String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-2468659920