Windows Analysis Report
jwJP7IUDX3.exe

Overview

General Information

Sample name:jwJP7IUDX3.exe
renamed because original name is a hash value
Original sample name:3403126f9657859c42f0e1dd6d317bc3dae3871d.exe
Analysis ID:1546810
MD5:3e0bca337790aa542d011fbd5939f260
SHA1:3403126f9657859c42f0e1dd6d317bc3dae3871d
SHA256:b676ad7b0faaffff944eae7018735ab3691dcf5573dbb3807211c3ac0fc56c26
Tags:exe, ReversingLabs, user-NDA0E

Detection

Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for sample
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Program does not show much activity (idle)
Uses 32bit PE files

Classification

  • System is w10x64
  • jwJP7IUDX3.exe (PID: 7588 cmdline: "C:\Users\user\Desktop\jwJP7IUDX3.exe" MD5: 3E0BCA337790AA542D011FBD5939F260)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: jwJP7IUDX3.exe | Avira: detected
Source: jwJP7IUDX3.exe | ReversingLabs: Detection: 44%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: jwJP7IUDX3.exe | Joe Sandbox ML: detected
Source: jwJP7IUDX3.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: jwJP7IUDX3.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Code function: 0_2_000812E8 FindFirstFileExW
Source: jwJP7IUDX3.exe | String found in binary or memory: https://code.visualstudio.com/0
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Code function: 0_2_00071000
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Code function: 0_2_0007184E
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Code function: 0_2_0007CAC2
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Code function: 0_2_00073F3E
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Code function: 0_2_000875CD
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Code function: 0_2_000711D3
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Code function: 0_2_00079E60
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Code function: 0_2_00071692
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Code function: 0_2_0007BF6C
Source: jwJP7IUDX3.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal68.evad.winEXE@1/0@0/0
Source: jwJP7IUDX3.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: jwJP7IUDX3.exe | ReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
Source: jwJP7IUDX3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: jwJP7IUDX3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: jwJP7IUDX3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: jwJP7IUDX3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: jwJP7IUDX3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: jwJP7IUDX3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: jwJP7IUDX3.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: jwJP7IUDX3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: jwJP7IUDX3.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: jwJP7IUDX3.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: jwJP7IUDX3.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: jwJP7IUDX3.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: jwJP7IUDX3.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: jwJP7IUDX3.exe | Static PE information: section name: .text entropy: 6.873548869979149
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Code function: 0_2_000812E8 FindFirstFileExW
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | API call chain: ExitProcess graph end node (graph_0-6445)

Anti Debugging

Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Code function: 0_2_0007CAC2 CheckRemoteDebuggerPresent
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Code function: 0_2_00080C30 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Code function: 0_2_0007165B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Code function: 0_2_00082375 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Code function: 0_2_0007FBCD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Code function: 0_2_00083442 GetProcessHeap
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Code function: 0_2_0007DC0B SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Code function: 0_2_00080C30 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Code function: 0_2_0007DA77 IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Code function: 0_2_0007DF36 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Code function: 0_2_0007DD46 cpuid
Source: C:\Users\user\Desktop\jwJP7IUDX3.exe | Code function: 0_2_0007D95E GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter
MITRE ATT&CK matrix (the number in parentheses is the count of matched signatures for that technique; techniques without a number did not match):

  • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
  • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server
  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
  • Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd
  • Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script
  • Privilege Escalation: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script
  • Defense Evasion: Virtualization/Sandbox Evasion (1), Software Packing (1), DLL Side-Loading (1), Obfuscated Files or Information (1), Software Packing
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
  • Discovery: System Time Discovery (1), Security Software Discovery (13), Virtualization/Sandbox Evasion (1), File and Directory Discovery (1), System Information Discovery (12)
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
  • Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
  • Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
  • Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact
Source | Detection | Scanner | Label | Link
jwJP7IUDX3.exe | 45% | ReversingLabs | Win32.Trojan.Generic |
jwJP7IUDX3.exe | 100% | Avira | TR/Agent.bzndg |
jwJP7IUDX3.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://code.visualstudio.com/0 | jwJP7IUDX3.exe | false | | unknown
    No contacted IP infos
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1546810
    Start date and time:2024-11-01 16:04:09 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 1m 56s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:2
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:jwJP7IUDX3.exe
    renamed because original name is a hash value
    Original Sample Name:3403126f9657859c42f0e1dd6d317bc3dae3871d.exe
    Detection:MAL
    Classification:mal68.evad.winEXE@1/0@0/0
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 9
    • Number of non-executed functions: 33
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Stop behavior analysis, all processes terminated
    • Exclude process from analysis (whitelisted): dllhost.exe
    • VT rate limit hit for: jwJP7IUDX3.exe
    No simulations
    No context
    No created / dropped files found
    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):6.084948931776907
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:jwJP7IUDX3.exe
    File size:207'872 bytes
    MD5:3e0bca337790aa542d011fbd5939f260
    SHA1:3403126f9657859c42f0e1dd6d317bc3dae3871d
    SHA256:b676ad7b0faaffff944eae7018735ab3691dcf5573dbb3807211c3ac0fc56c26
    SHA512:9a7a479cf3ebd9241779a0752970118c87584950aa576055604acce63ae76140be0a402cf9ee3fc2e647c9e4d96593e988d1e1dd5d1da06b473f8e971a7ecc7e
    SSDEEP:3072:LqHhy4Sq29h3YZRp/W9g2thjCVTEDsmXGkmOE6rF9r5m3pB:uHQ31YZaQV5mXdmZB
    TLSH:93146BC876E2C0A3DC69C53C98B88A609E2DBC75D5D05C776FC431285FB3AC8B515D2A
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.]...3...3...3...0...3...6...3...7...3...2...3...2.B.3...5...3.A.6.;.3.A.7...3.A.0...3...3...3.......3...1...3.Rich..3........
    Icon Hash:0c17627cb1130347
    Entrypoint:0x40d5ec
    Entrypoint Section:.text
    Digitally signed:true
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Time Stamp:0x62FE153C [Thu Aug 18 10:32:28 2022 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:6
    OS Version Minor:0
    File Version Major:6
    File Version Minor:0
    Subsystem Version Major:6
    Subsystem Version Minor:0
    Import Hash:57e36b0b488d418a4cac6c0928a6c9a1
    Signature Valid:
    Signature Issuer:
    Signature Validation Error:
    Error Number:
    Not Before, Not After
      Subject Chain
        Version:
        Thumbprint MD5:
        Thumbprint SHA-1:
        Thumbprint SHA-256:
        Serial:
        Instruction
        call 00007F0CA47C7BDFh
        jmp 00007F0CA47C769Fh
        push ebp
        mov ebp, esp
        push esi
        push dword ptr [ebp+08h]
        mov esi, ecx
        call 00007F0CA47C787Dh
        mov dword ptr [esi], 00419B28h
        mov eax, esi
        pop esi
        pop ebp
        retn 0004h
        and dword ptr [ecx+04h], 00000000h
        mov eax, ecx
        and dword ptr [ecx+08h], 00000000h
        mov dword ptr [ecx+04h], 00419B30h
        mov dword ptr [ecx], 00419B28h
        ret
        push ebp
        mov ebp, esp
        push esi
        push dword ptr [ebp+08h]
        mov esi, ecx
        call 00007F0CA47C784Ah
        mov dword ptr [esi], 00419B44h
        mov eax, esi
        pop esi
        pop ebp
        retn 0004h
        and dword ptr [ecx+04h], 00000000h
        mov eax, ecx
        and dword ptr [ecx+08h], 00000000h
        mov dword ptr [ecx+04h], 00419B4Ch
        mov dword ptr [ecx], 00419B44h
        ret
        push ebp
        mov ebp, esp
        push esi
        mov esi, ecx
        lea eax, dword ptr [esi+04h]
        mov dword ptr [esi], 00419B08h
        and dword ptr [eax], 00000000h
        and dword ptr [eax+04h], 00000000h
        push eax
        mov eax, dword ptr [ebp+08h]
        add eax, 04h
        push eax
        call 00007F0CA47C85D4h
        pop ecx
        pop ecx
        mov eax, esi
        pop esi
        pop ebp
        retn 0004h
        lea eax, dword ptr [ecx+04h]
        mov dword ptr [ecx], 00419B08h
        push eax
        call 00007F0CA47C861Fh
        pop ecx
        ret
        push ebp
        mov ebp, esp
        push esi
        mov esi, ecx
        lea eax, dword ptr [esi+04h]
        mov dword ptr [esi], 00419B08h
        push eax
        call 00007F0CA47C8608h
        test byte ptr [ebp+08h], 00000001h
        pop ecx
        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1ef9c | 0x28 | .rdata
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0xbc80 | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x2c400 | 0x2378 | -
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e000 | 0x127c | .reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1e61c | 0x1c | .rdata
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1e638 | 0x40 | .rdata
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
        IMAGE_DIRECTORY_ENTRY_IAT | 0x18000 | 0x104 | .rdata
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        .text | 0x1000 | 0x16d98 | 0x16e00 | 86827a8efa9a7afa4f4746745a0156b2 | False | 0.6250213456284153 | data | 6.873548869979149 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .rdata | 0x18000 | 0x7574 | 0x7600 | aa3fad4daeb45452a4a810edab086020 | False | 0.4001920021186441 | data | 5.3579256918734535 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .data | 0x20000 | 0x1328 | 0xa00 | 5dbaccd0292e248b7caadcf75e29755c | False | 0.164453125 | DOS executable (block device driver \277DN) | 2.134414895160893 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .rsrc | 0x22000 | 0xbc80 | 0xbe00 | b776b9eee015ae29e8cf9a234fae24ac | False | 0.15814144736842106 | data | 3.203886489523052 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .reloc | 0x2e000 | 0x127c | 0x1400 | fb039fc15ef36d554fc7e30284293751 | False | 0.7388671875 | data | 6.369812098668984 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
        RT_ICON | 0x22210 | 0x126e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8736752861381941
        RT_ICON | 0x23480 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | English | United States | 0.05892772791686349
        RT_ICON | 0x276a8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.07354771784232365
        RT_ICON | 0x29c50 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 0 | English | United States | 0.09571005917159764
        RT_ICON | 0x2b6b8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.11045966228893059
        RT_ICON | 0x2c760 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.14918032786885246
        RT_ICON | 0x2d0e8 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 0 | English | United States | 0.18372093023255814
        RT_ICON | 0x2d7a0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.2801418439716312
        RT_GROUP_ICON | 0x2dc08 | 0x76 | data | English | United States | 0.7457627118644068
        DLL | Import
        KERNEL32.dll | LoadLibraryA, GetProcAddress, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, GetCurrentProcess, TerminateProcess, WriteConsoleW, RtlUnwind, RaiseException, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetStringTypeW, LCMapStringW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, SetFilePointerEx, CreateFileW, CloseHandle, DecodePointer
        Language of compilation system | Country where language is spoken | Map
        English | United States |
        No network behavior found

        Target ID:0
        Start time:11:05:00
        Start date:01/11/2024
        Path:C:\Users\user\Desktop\jwJP7IUDX3.exe
        Wow64 process (32bit):true
        Commandline:"C:\Users\user\Desktop\jwJP7IUDX3.exe"
        Imagebase:0x70000
        File size:207'872 bytes
        MD5 hash:3E0BCA337790AA542D011FBD5939F260
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low
        Has exited:true

          Execution Graph

          Execution Coverage:41.6%
          Dynamic/Decrypted Code Coverage:0%
          Signature Coverage:11.4%
          Total number of Nodes:1883
          Total number of Limit Nodes:4
LeaveCriticalSection 8269->8284 8271 827f7 8272->8256 8274 80eac _free 14 API calls 8273->8274 8275 823b8 8274->8275 8277 8329b 6 API calls 8275->8277 8279 823c5 8275->8279 8276 80f09 _free 14 API calls 8278 8241a 8276->8278 8277->8275 8278->8256 8279->8276 8283 8063b LeaveCriticalSection 8280->8283 8282 824f2 8282->8253 8283->8282 8284->8271 8285 7fdb9 8288 7fd1e 8285->8288 8289 7fd2a ___scrt_is_nonwritable_in_current_image 8288->8289 8296 805f3 EnterCriticalSection 8289->8296 8291 7fd34 8292 7fd62 8291->8292 8297 82f55 8291->8297 8301 7fd80 8292->8301 8296->8291 8298 82f70 8297->8298 8299 82f63 _free 8297->8299 8298->8291 8299->8298 8300 82c88 _free 14 API calls 8299->8300 8300->8298 8304 8063b LeaveCriticalSection 8301->8304 8303 7fd6e 8304->8303 8305 84ab7 8306 81e30 75 API calls 8305->8306 8307 84abc 8306->8307 6390 7cac2 6391 7165b 2 API calls 6390->6391 6392 7cdf2 6391->6392 6393 7165b 2 API calls 6392->6393 6394 7d014 CheckRemoteDebuggerPresent 6393->6394 7578 85f41 7579 85f61 7578->7579 7582 85f98 7579->7582 7581 85f8b 7583 85f9f 7582->7583 7584 8603e 7583->7584 7586 85fbf 7583->7586 7591 86d27 7584->7591 7585 86c50 7585->7581 7586->7581 7586->7585 7589 86d27 20 API calls 7586->7589 7590 86c4e 7589->7590 7590->7581 7592 86d30 7591->7592 7595 8719f 7592->7595 7596 871de __startOneArgErrorHandling 7595->7596 7600 87260 __startOneArgErrorHandling 7596->7600 7603 875aa 7596->7603 7599 87295 7601 7df23 _ValidateLocalCookies 5 API calls 7599->7601 7600->7599 7606 878c3 7600->7606 7602 8604e 7601->7602 7602->7581 7613 875cd 7603->7613 7607 878d0 7606->7607 7608 878e5 7606->7608 7609 878ea 7607->7609 7611 80e99 _free 14 API calls 7607->7611 7610 80e99 _free 14 API calls 7608->7610 7609->7599 7610->7609 7612 878dd 7611->7612 7612->7599 7614 875f8 __raise_exc 7613->7614 7615 877f1 RaiseException 7614->7615 7616 875c8 7615->7616 7616->7600 7617 83442 GetProcessHeap 7618 7fb4d 7619 80372 66 API calls 7618->7619 7620 7fb55 7619->7620 7621 7e850 7622 7e862 7621->7622 
7624 7e870 7621->7624 7623 7df23 _ValidateLocalCookies 5 API calls 7622->7623 7623->7624 8308 7e2d0 8309 7e2ee 8308->8309 8320 7e290 8309->8320 8321 7e2a2 8320->8321 8322 7e2af 8320->8322 8323 7df23 _ValidateLocalCookies 5 API calls 8321->8323 8323->8322 7625 7d45e 7630 7dc0b SetUnhandledExceptionFilter 7625->7630 7627 7d463 7631 7fe49 7627->7631 7629 7d46e 7630->7627 7632 7fe55 7631->7632 7633 7fe6f 7631->7633 7632->7633 7634 80e99 _free 14 API calls 7632->7634 7633->7629 7635 7fe5f 7634->7635 7636 80ddc ___std_exception_copy 25 API calls 7635->7636 7637 7fe6a 7636->7637 7637->7629 7638 86051 7639 86075 7638->7639 7640 8608e 7639->7640 7642 86f57 __startOneArgErrorHandling 7639->7642 7643 860d8 7640->7643 7646 86d63 7640->7646 7645 86f99 __startOneArgErrorHandling 7642->7645 7654 872f1 7642->7654 7647 86d86 7646->7647 7648 86d76 DecodePointer 7646->7648 7649 86e11 7647->7649 7650 86dca 7647->7650 7651 86db5 7647->7651 7648->7647 7649->7643 7650->7649 7652 80e99 _free 14 API calls 7650->7652 7651->7649 7653 80e99 _free 14 API calls 7651->7653 7652->7649 7653->7649 7655 8732a __startOneArgErrorHandling 7654->7655 7656 875cd __raise_exc RaiseException 7655->7656 7657 87351 __startOneArgErrorHandling 7655->7657 7656->7657 7658 87394 7657->7658 7659 8736f 7657->7659 7660 878c3 __startOneArgErrorHandling 14 API calls 7658->7660 7665 878f2 7659->7665 7662 8738f __startOneArgErrorHandling 7660->7662 7663 7df23 _ValidateLocalCookies 5 API calls 7662->7663 7664 873b8 7663->7664 7664->7645 7666 87901 7665->7666 7667 87975 __startOneArgErrorHandling 7666->7667 7668 87920 __startOneArgErrorHandling 7666->7668 7669 878c3 __startOneArgErrorHandling 14 API calls 7667->7669 7671 8796e 7668->7671 7672 878c3 __startOneArgErrorHandling 14 API calls 7668->7672 7670 8798a 7669->7670 7670->7662 7671->7662 7672->7671 7673 80253 7674 80f09 _free 14 API calls 7673->7674 7675 80261 7674->7675 7676 80f09 _free 14 API calls 7675->7676 7677 80274 7676->7677 7678 80f09 _free 14 API calls 
7677->7678 7679 80285 7678->7679 7680 80f09 _free 14 API calls 7679->7680 7681 80296 7680->7681 7682 86c55 7684 86c7d 7682->7684 7683 86cb5 7684->7683 7685 86cae 7684->7685 7686 86ca7 7684->7686 7691 86d10 7685->7691 7687 86d27 20 API calls 7686->7687 7689 86cac 7687->7689 7692 86d30 7691->7692 7693 8719f __startOneArgErrorHandling 20 API calls 7692->7693 7694 86cb3 7693->7694 7695 86f57 7696 86f70 __startOneArgErrorHandling 7695->7696 7697 872f1 20 API calls 7696->7697 7698 86f99 __startOneArgErrorHandling 7696->7698 7697->7698 7699 83b57 7700 83a86 ___scrt_uninitialize_crt 66 API calls 7699->7700 7701 83b5f 7700->7701 7709 85793 7701->7709 7703 83b64 7719 8583e 7703->7719 7706 83b8e 7707 80f09 _free 14 API calls 7706->7707 7708 83b99 7707->7708 7710 8579f ___scrt_is_nonwritable_in_current_image 7709->7710 7723 805f3 EnterCriticalSection 7710->7723 7712 85816 7737 85835 7712->7737 7714 857aa 7714->7712 7716 857ea DeleteCriticalSection 7714->7716 7724 85d14 7714->7724 7718 80f09 _free 14 API calls 7716->7718 7718->7714 7720 83b73 DeleteCriticalSection 7719->7720 7721 85855 7719->7721 7720->7703 7720->7706 7721->7720 7722 80f09 _free 14 API calls 7721->7722 7722->7720 7723->7714 7725 85d20 ___scrt_is_nonwritable_in_current_image 7724->7725 7726 85d2a 7725->7726 7727 85d3f 7725->7727 7728 80e99 _free 14 API calls 7726->7728 7736 85d3a 7727->7736 7740 83ba3 EnterCriticalSection 7727->7740 7730 85d2f 7728->7730 7732 80ddc ___std_exception_copy 25 API calls 7730->7732 7731 85d5c 7741 85c9d 7731->7741 7732->7736 7734 85d67 7757 85d8e 7734->7757 7736->7714 7816 8063b LeaveCriticalSection 7737->7816 7739 85822 7739->7703 7740->7731 7742 85caa 7741->7742 7743 85cbf 7741->7743 7744 80e99 _free 14 API calls 7742->7744 7745 839d9 ___scrt_uninitialize_crt 66 API calls 7743->7745 7749 85cba 7743->7749 7746 85caf 7744->7746 7747 85cd4 7745->7747 7748 80ddc ___std_exception_copy 25 API calls 7746->7748 7750 8583e 14 API calls 7747->7750 7748->7749 7749->7734 7751 85cdc 7750->7751 
7752 841c7 ___scrt_uninitialize_crt 25 API calls 7751->7752 7753 85ce2 7752->7753 7760 86307 7753->7760 7756 80f09 _free 14 API calls 7756->7749 7815 83bb7 LeaveCriticalSection 7757->7815 7759 85d96 7759->7736 7761 86318 7760->7761 7762 8632d 7760->7762 7764 80e86 __dosmaperr 14 API calls 7761->7764 7763 86376 7762->7763 7767 86354 7762->7767 7765 80e86 __dosmaperr 14 API calls 7763->7765 7766 8631d 7764->7766 7768 8637b 7765->7768 7769 80e99 _free 14 API calls 7766->7769 7775 8627b 7767->7775 7771 80e99 _free 14 API calls 7768->7771 7772 85ce8 7769->7772 7773 86383 7771->7773 7772->7749 7772->7756 7774 80ddc ___std_exception_copy 25 API calls 7773->7774 7774->7772 7776 86287 ___scrt_is_nonwritable_in_current_image 7775->7776 7786 824f4 EnterCriticalSection 7776->7786 7778 86295 7779 862bc 7778->7779 7780 862c7 7778->7780 7787 86394 7779->7787 7781 80e99 _free 14 API calls 7780->7781 7783 862c2 7781->7783 7802 862fb 7783->7802 7786->7778 7788 825cb ___scrt_uninitialize_crt 25 API calls 7787->7788 7790 863a4 7788->7790 7789 863aa 7805 8253a 7789->7805 7790->7789 7791 863dc 7790->7791 7793 825cb ___scrt_uninitialize_crt 25 API calls 7790->7793 7791->7789 7794 825cb ___scrt_uninitialize_crt 25 API calls 7791->7794 7796 863d3 7793->7796 7797 863e8 CloseHandle 7794->7797 7799 825cb ___scrt_uninitialize_crt 25 API calls 7796->7799 7797->7789 7800 863f4 GetLastError 7797->7800 7798 86424 7798->7783 7799->7791 7800->7789 7801 80e63 __dosmaperr 14 API calls 7801->7798 7814 82517 LeaveCriticalSection 7802->7814 7804 862e4 7804->7772 7806 82549 7805->7806 7807 825b0 7805->7807 7806->7807 7812 82573 7806->7812 7808 80e99 _free 14 API calls 7807->7808 7809 825b5 7808->7809 7810 80e86 __dosmaperr 14 API calls 7809->7810 7811 825a0 7810->7811 7811->7798 7811->7801 7812->7811 7813 8259a SetStdHandle 7812->7813 7813->7811 7814->7804 7815->7759 7816->7739 8324 80bea 8332 8319c 8324->8332 8327 80b35 _free 14 API calls 8328 80c06 8327->8328 8329 80c13 8328->8329 8337 80c16 8328->8337 
8331 80bfe 8333 830ba _free 5 API calls 8332->8333 8334 831b8 8333->8334 8335 831d0 TlsAlloc 8334->8335 8336 80bf4 8334->8336 8335->8336 8336->8327 8336->8331 8338 80c26 8337->8338 8339 80c20 8337->8339 8338->8331 8341 831db 8339->8341 8342 830ba _free 5 API calls 8341->8342 8343 831f7 8342->8343 8344 83212 TlsFree 8343->8344 8345 83200 8343->8345 8345->8338 7817 8646b IsProcessorFeaturePresent 7818 8216e GetCommandLineA GetCommandLineW 8346 847e0 8349 847f7 8346->8349 8348 847f2 8350 84819 8349->8350 8351 84805 8349->8351 8353 84821 8350->8353 8354 84833 8350->8354 8352 80e99 _free 14 API calls 8351->8352 8355 8480a 8352->8355 8356 80e99 _free 14 API calls 8353->8356 8357 80472 __fassign 66 API calls 8354->8357 8361 84831 8354->8361 8358 80ddc ___std_exception_copy 25 API calls 8355->8358 8359 84826 8356->8359 8357->8361 8362 84815 8358->8362 8360 80ddc ___std_exception_copy 25 API calls 8359->8360 8360->8361 8361->8348 8362->8348 8363 7d5ec 8366 7d9ab 8363->8366 8365 7d5f1 8365->8365 8367 7d9c1 8366->8367 8368 7d9ca 8367->8368 8370 7d95e GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 8367->8370 8368->8365 8370->8368 8371 816e3 8372 816f1 8371->8372 8373 816f5 8371->8373 8374 816fa 8373->8374 8375 81720 8373->8375 8376 80eac _free 14 API calls 8374->8376 8375->8372 8378 833d5 28 API calls 8375->8378 8377 81703 8376->8377 8379 80f09 _free 14 API calls 8377->8379 8380 81740 8378->8380 8379->8372 8381 80f09 _free 14 API calls 8380->8381 8381->8372 7819 7e66a 7820 7e674 7819->7820 7821 7e681 7819->7821 7820->7821 7822 803ae ___std_exception_copy 14 API calls 7820->7822 7822->7821 8382 7f8f7 8383 7f90f 8382->8383 8384 7f909 8382->8384 8385 7f89f 14 API calls 8384->8385 8385->8383 8386 810f9 8387 81109 8386->8387 8396 8111d 8386->8396 8388 80e99 _free 14 API calls 8387->8388 8389 8110e 8388->8389 8390 80ddc ___std_exception_copy 25 API calls 8389->8390 8403 81118 8390->8403 8391 7f722 14 API calls 8393 811f9 8391->8393 8392 81194 
8392->8391 8392->8392 8395 81202 8393->8395 8401 812dd 8393->8401 8425 84791 8393->8425 8397 80f09 _free 14 API calls 8395->8397 8396->8392 8398 8120d 8396->8398 8407 812e8 8396->8407 8397->8398 8402 80f09 _free 14 API calls 8398->8402 8406 812c9 8398->8406 8400 80f09 _free 14 API calls 8400->8403 8404 80dec ___std_exception_copy 11 API calls 8401->8404 8402->8398 8405 812e7 8404->8405 8406->8400 8408 812f4 8407->8408 8408->8408 8409 80eac _free 14 API calls 8408->8409 8410 81322 8409->8410 8411 84791 25 API calls 8410->8411 8412 8134e 8411->8412 8413 80dec ___std_exception_copy 11 API calls 8412->8413 8414 81398 8413->8414 8415 815f0 66 API calls 8414->8415 8416 81460 8415->8416 8434 810dc 8416->8434 8419 814ae 8420 815f0 66 API calls 8419->8420 8421 814eb 8420->8421 8437 8100d 8421->8437 8424 812e8 70 API calls 8427 846de 8425->8427 8426 846f6 8428 8470a 8426->8428 8429 80e99 _free 14 API calls 8426->8429 8427->8426 8427->8428 8432 8472e 8427->8432 8428->8393 8430 84700 8429->8430 8431 80ddc ___std_exception_copy 25 API calls 8430->8431 8431->8428 8432->8428 8433 80e99 _free 14 API calls 8432->8433 8433->8430 8460 80f5b 8434->8460 8438 8101b 8437->8438 8439 81037 8437->8439 8442 8162f 14 API calls 8438->8442 8440 8105e 8439->8440 8441 8103e 8439->8441 8443 82203 ___scrt_uninitialize_crt WideCharToMultiByte 8440->8443 8456 81025 8441->8456 8490 81649 8441->8490 8442->8456 8445 8106e 8443->8445 8446 8108b 8445->8446 8447 81075 GetLastError 8445->8447 8448 8109c 8446->8448 8450 81649 15 API calls 8446->8450 8449 80e63 __dosmaperr 14 API calls 8447->8449 8451 82203 ___scrt_uninitialize_crt WideCharToMultiByte 8448->8451 8448->8456 8452 81081 8449->8452 8450->8448 8453 810b4 8451->8453 8454 80e99 _free 14 API calls 8452->8454 8455 810bb GetLastError 8453->8455 8453->8456 8454->8456 8457 80e63 __dosmaperr 14 API calls 8455->8457 8456->8424 8458 810c7 8457->8458 8459 80e99 _free 14 API calls 8458->8459 8459->8456 8461 80f69 8460->8461 8462 80f83 8460->8462 8478 8162f 
8461->8478 8464 80fa9 8462->8464 8465 80f8a 8462->8465 8466 82187 __fassign MultiByteToWideChar 8464->8466 8470 80f73 FindFirstFileExW 8465->8470 8482 81685 8465->8482 8467 80fb8 8466->8467 8469 80fbf GetLastError 8467->8469 8472 80fe5 8467->8472 8474 81685 15 API calls 8467->8474 8471 80e63 __dosmaperr 14 API calls 8469->8471 8470->8419 8473 80fcb 8471->8473 8472->8470 8475 82187 __fassign MultiByteToWideChar 8472->8475 8476 80e99 _free 14 API calls 8473->8476 8474->8472 8477 80ffc 8475->8477 8476->8470 8477->8469 8477->8470 8479 8163a 8478->8479 8480 81642 8478->8480 8481 80f09 _free 14 API calls 8479->8481 8480->8470 8481->8480 8483 8162f 14 API calls 8482->8483 8484 81693 8483->8484 8487 816c4 8484->8487 8488 80652 15 API calls 8487->8488 8489 816a4 8488->8489 8489->8470 8491 8162f 14 API calls 8490->8491 8492 81657 8491->8492 8493 816c4 15 API calls 8492->8493 8494 81665 8493->8494 8494->8456 8495 7d5f6 8496 7d65c std::exception::exception 26 API calls 8495->8496 8497 7d604 8496->8497 8498 801fd 8501 7f92d 8498->8501 8502 7f93c 8501->8502 8503 7f89f 14 API calls 8502->8503 8504 7f956 8503->8504 8505 7f89f 14 API calls 8504->8505 8506 7f961 8505->8506 6396 7d470 6397 7d47c ___scrt_is_nonwritable_in_current_image 6396->6397 6423 7d783 6397->6423 6399 7d483 6400 7d5d6 6399->6400 6411 7d4ad ___scrt_is_nonwritable_in_current_image __fassign ___scrt_release_startup_lock 6399->6411 6458 7da77 IsProcessorFeaturePresent 6400->6458 6402 7d5dd 6462 7fccb 6402->6462 6407 7d4cc 6408 7d54d 6438 7db92 6408->6438 6411->6407 6411->6408 6413 7d546 6411->6413 6431 7fca5 6413->6431 6418 7d573 6419 7d57c 6418->6419 6449 7fc80 6418->6449 6452 7d8f4 6419->6452 6424 7d78c 6423->6424 6468 7dd46 IsProcessorFeaturePresent 6424->6468 6428 7d79d 6429 7d7a1 6428->6429 6478 7e53b 6428->6478 6429->6399 6432 80372 ___scrt_is_nonwritable_in_current_image 6431->6432 6433 7fcbb _free 6431->6433 6540 809de GetLastError 6432->6540 6433->6408 7153 7e060 6438->7153 6441 7d553 6442 7f969 6441->6442 
7155 81e30 6442->7155 6444 7f972 6445 7d55b ExitProcess 6444->6445 7161 82156 6444->7161 6447 7dbc8 GetModuleHandleW 6445->6447 6448 7d56f 6447->6448 6448->6402 6448->6418 7375 7fb69 6449->7375 6453 7d900 6452->6453 6457 7d584 6453->6457 7443 802e3 6453->7443 6455 7d90e 6456 7e53b ___scrt_uninitialize_crt 7 API calls 6455->6456 6456->6457 6457->6407 6459 7da8d __fassign 6458->6459 6460 7db38 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 6459->6460 6461 7db83 __fassign 6460->6461 6461->6402 6463 7fb69 __fassign 23 API calls 6462->6463 6464 7d5e3 6463->6464 6465 7fc8f 6464->6465 6466 7fb69 __fassign 23 API calls 6465->6466 6467 7d5eb 6466->6467 6469 7d798 6468->6469 6470 7e51c 6469->6470 6484 7e917 6470->6484 6473 7e525 6473->6428 6475 7e52d 6476 7e538 6475->6476 6498 7e953 6475->6498 6476->6428 6479 7e544 6478->6479 6480 7e54e 6478->6480 6481 7e759 ___vcrt_uninitialize_ptd 6 API calls 6479->6481 6480->6429 6482 7e549 6481->6482 6483 7e953 ___vcrt_uninitialize_locks DeleteCriticalSection 6482->6483 6483->6480 6486 7e920 6484->6486 6487 7e949 6486->6487 6488 7e521 6486->6488 6502 7eb54 6486->6502 6489 7e953 ___vcrt_uninitialize_locks DeleteCriticalSection 6487->6489 6488->6473 6490 7e726 6488->6490 6489->6488 6521 7ea65 6490->6521 6495 7e756 6495->6475 6497 7e73b 6497->6475 6499 7e97d 6498->6499 6500 7e95e 6498->6500 6499->6473 6501 7e968 DeleteCriticalSection 6500->6501 6501->6499 6501->6501 6507 7ea1c 6502->6507 6505 7eb77 6505->6486 6506 7eb8c InitializeCriticalSectionAndSpinCount 6506->6505 6508 7ea34 6507->6508 6512 7ea57 6507->6512 6508->6512 6513 7e982 6508->6513 6511 7ea49 GetProcAddress 6511->6512 6512->6505 6512->6506 6518 7e98e ___vcrt_FlsFree 6513->6518 6514 7e9a4 LoadLibraryExW 6516 7e9c2 GetLastError 6514->6516 6517 7ea09 6514->6517 6515 7ea02 6515->6511 6515->6512 6516->6518 6517->6515 6519 7ea11 FreeLibrary 6517->6519 6518->6514 6518->6515 6520 7e9e4 LoadLibraryExW 6518->6520 6519->6515 6520->6517 6520->6518 6522 7ea1c 
___vcrt_FlsFree 5 API calls 6521->6522 6523 7ea7f 6522->6523 6524 7ea98 TlsAlloc 6523->6524 6525 7e730 6523->6525 6525->6497 6526 7eb16 6525->6526 6527 7ea1c ___vcrt_FlsFree 5 API calls 6526->6527 6528 7eb30 6527->6528 6529 7eb4b TlsSetValue 6528->6529 6530 7e749 6528->6530 6529->6530 6530->6495 6531 7e759 6530->6531 6532 7e763 6531->6532 6534 7e769 6531->6534 6535 7eaa0 6532->6535 6534->6497 6536 7ea1c ___vcrt_FlsFree 5 API calls 6535->6536 6537 7eaba 6536->6537 6538 7ead2 TlsFree 6537->6538 6539 7eac6 6537->6539 6538->6539 6539->6534 6541 809fb 6540->6541 6542 809f5 6540->6542 6564 80a01 SetLastError 6541->6564 6583 83259 6541->6583 6578 8321a 6542->6578 6549 80a48 6555 83259 _free 6 API calls 6549->6555 6550 80a31 6553 83259 _free 6 API calls 6550->6553 6551 80383 6567 803c9 6551->6567 6552 80a95 6554 803c9 __fassign 64 API calls 6552->6554 6558 80a3f 6553->6558 6556 80a9a 6554->6556 6557 80a54 6555->6557 6559 80a58 6557->6559 6560 80a69 6557->6560 6595 80f09 6558->6595 6562 83259 _free 6 API calls 6559->6562 6601 8080c 6560->6601 6562->6558 6564->6551 6564->6552 6566 80f09 _free 14 API calls 6566->6564 6802 835c4 6567->6802 6570 803d9 6572 803e3 IsProcessorFeaturePresent 6570->6572 6573 80402 6570->6573 6575 803ef 6572->6575 6574 7fc8f __fassign 23 API calls 6573->6574 6577 8040c 6574->6577 6838 80c30 6575->6838 6606 830ba 6578->6606 6581 8323f 6581->6541 6582 83251 TlsGetValue 6584 830ba _free 5 API calls 6583->6584 6585 83275 6584->6585 6586 80a19 6585->6586 6587 83293 TlsSetValue 6585->6587 6586->6564 6588 80eac 6586->6588 6589 80eb9 _free 6588->6589 6590 80ef9 6589->6590 6591 80ee4 HeapAlloc 6589->6591 6620 7f1ea 6589->6620 6623 80e99 6590->6623 6591->6589 6592 80a29 6591->6592 6592->6549 6592->6550 6596 80f3d _free 6595->6596 6597 80f14 HeapFree 6595->6597 6596->6564 6597->6596 6598 80f29 6597->6598 6599 80e99 _free 12 API calls 6598->6599 6600 80f2f GetLastError 6599->6600 6600->6596 6660 806a0 6601->6660 6607 830e8 6606->6607 6612 830e4 6606->6612 
6607->6612 6613 82ff3 6607->6613 6610 83102 GetProcAddress 6611 83112 _free 6610->6611 6610->6612 6611->6612 6612->6581 6612->6582 6618 83004 ___vcrt_FlsFree 6613->6618 6614 83022 LoadLibraryExW 6616 8303d GetLastError 6614->6616 6614->6618 6615 830af 6615->6610 6615->6612 6616->6618 6617 83098 FreeLibrary 6617->6618 6618->6614 6618->6615 6618->6617 6619 83070 LoadLibraryExW 6618->6619 6619->6618 6626 7f217 6620->6626 6637 80b35 GetLastError 6623->6637 6625 80e9e 6625->6592 6627 7f223 ___scrt_is_nonwritable_in_current_image 6626->6627 6632 805f3 EnterCriticalSection 6627->6632 6629 7f22e 6633 7f26a 6629->6633 6632->6629 6636 8063b LeaveCriticalSection 6633->6636 6635 7f1f5 6635->6589 6636->6635 6638 80b4c 6637->6638 6642 80b52 6637->6642 6640 8321a _free 6 API calls 6638->6640 6639 83259 _free 6 API calls 6641 80b70 6639->6641 6640->6642 6643 80eac _free 12 API calls 6641->6643 6659 80b58 SetLastError 6641->6659 6642->6639 6642->6659 6645 80b80 6643->6645 6646 80b88 6645->6646 6647 80b9f 6645->6647 6648 83259 _free 6 API calls 6646->6648 6649 83259 _free 6 API calls 6647->6649 6651 80b96 6648->6651 6650 80bab 6649->6650 6652 80baf 6650->6652 6653 80bc0 6650->6653 6656 80f09 _free 12 API calls 6651->6656 6654 83259 _free 6 API calls 6652->6654 6655 8080c _free 12 API calls 6653->6655 6654->6651 6657 80bcb 6655->6657 6656->6659 6658 80f09 _free 12 API calls 6657->6658 6658->6659 6659->6625 6661 806ac ___scrt_is_nonwritable_in_current_image 6660->6661 6674 805f3 EnterCriticalSection 6661->6674 6663 806b6 6675 806e6 6663->6675 6666 807b2 6667 807be ___scrt_is_nonwritable_in_current_image 6666->6667 6679 805f3 EnterCriticalSection 6667->6679 6669 807c8 6680 80993 6669->6680 6671 807e0 6684 80800 6671->6684 6674->6663 6678 8063b LeaveCriticalSection 6675->6678 6677 806d4 6677->6666 6678->6677 6679->6669 6681 809c9 _free 6680->6681 6682 809a2 _free 6680->6682 6681->6671 6682->6681 6687 82c88 6682->6687 6801 8063b LeaveCriticalSection 6684->6801 6686 807ee 6686->6566 6689 
82d08 6687->6689 6690 82c9e 6687->6690 6691 80f09 _free 14 API calls 6689->6691 6713 82d56 6689->6713 6690->6689 6693 82cd1 6690->6693 6697 80f09 _free 14 API calls 6690->6697 6692 82d2a 6691->6692 6695 80f09 _free 14 API calls 6692->6695 6694 82cf3 6693->6694 6699 80f09 _free 14 API calls 6693->6699 6696 80f09 _free 14 API calls 6694->6696 6698 82d3d 6695->6698 6701 82cfd 6696->6701 6703 82cc6 6697->6703 6700 80f09 _free 14 API calls 6698->6700 6705 82ce8 6699->6705 6706 82d4b 6700->6706 6707 80f09 _free 14 API calls 6701->6707 6702 82dc4 6708 80f09 _free 14 API calls 6702->6708 6715 82841 6703->6715 6704 82d64 6704->6702 6714 80f09 14 API calls _free 6704->6714 6743 8293f 6705->6743 6711 80f09 _free 14 API calls 6706->6711 6707->6689 6712 82dca 6708->6712 6711->6713 6712->6681 6755 82df9 6713->6755 6714->6704 6716 8293b 6715->6716 6717 82852 6715->6717 6716->6693 6718 82863 6717->6718 6719 80f09 _free 14 API calls 6717->6719 6720 82875 6718->6720 6721 80f09 _free 14 API calls 6718->6721 6719->6718 6722 82887 6720->6722 6723 80f09 _free 14 API calls 6720->6723 6721->6720 6724 82899 6722->6724 6726 80f09 _free 14 API calls 6722->6726 6723->6722 6725 828ab 6724->6725 6727 80f09 _free 14 API calls 6724->6727 6728 828bd 6725->6728 6729 80f09 _free 14 API calls 6725->6729 6726->6724 6727->6725 6730 828cf 6728->6730 6731 80f09 _free 14 API calls 6728->6731 6729->6728 6732 828e1 6730->6732 6734 80f09 _free 14 API calls 6730->6734 6731->6730 6733 828f3 6732->6733 6735 80f09 _free 14 API calls 6732->6735 6736 82905 6733->6736 6737 80f09 _free 14 API calls 6733->6737 6734->6732 6735->6733 6738 82917 6736->6738 6739 80f09 _free 14 API calls 6736->6739 6737->6736 6740 82929 6738->6740 6741 80f09 _free 14 API calls 6738->6741 6739->6738 6740->6716 6742 80f09 _free 14 API calls 6740->6742 6741->6740 6742->6716 6744 8294c 6743->6744 6754 829a4 6743->6754 6745 8295c 6744->6745 6746 80f09 _free 14 API calls 6744->6746 6747 80f09 _free 14 API calls 6745->6747 6751 8296e 6745->6751 
6746->6745 6747->6751 6748 80f09 _free 14 API calls 6749 82980 6748->6749 6750 82992 6749->6750 6752 80f09 _free 14 API calls 6749->6752 6753 80f09 _free 14 API calls 6750->6753 6750->6754 6751->6748 6751->6749 6752->6750 6753->6754 6754->6694 6756 82e06 6755->6756 6757 82e25 6755->6757 6756->6757 6761 829e0 6756->6761 6757->6704 6760 80f09 _free 14 API calls 6760->6757 6762 82abe 6761->6762 6763 829f1 6761->6763 6762->6760 6797 829a8 6763->6797 6766 829a8 _free 14 API calls 6767 82a04 6766->6767 6768 829a8 _free 14 API calls 6767->6768 6769 82a0f 6768->6769 6770 829a8 _free 14 API calls 6769->6770 6771 82a1a 6770->6771 6772 829a8 _free 14 API calls 6771->6772 6773 82a28 6772->6773 6774 80f09 _free 14 API calls 6773->6774 6775 82a33 6774->6775 6776 80f09 _free 14 API calls 6775->6776 6777 82a3e 6776->6777 6778 80f09 _free 14 API calls 6777->6778 6779 82a49 6778->6779 6780 829a8 _free 14 API calls 6779->6780 6781 82a57 6780->6781 6782 829a8 _free 14 API calls 6781->6782 6783 82a65 6782->6783 6784 829a8 _free 14 API calls 6783->6784 6785 82a76 6784->6785 6786 829a8 _free 14 API calls 6785->6786 6787 82a84 6786->6787 6788 829a8 _free 14 API calls 6787->6788 6789 82a92 6788->6789 6790 80f09 _free 14 API calls 6789->6790 6791 82a9d 6790->6791 6792 80f09 _free 14 API calls 6791->6792 6793 82aa8 6792->6793 6794 80f09 _free 14 API calls 6793->6794 6795 82ab3 6794->6795 6796 80f09 _free 14 API calls 6795->6796 6796->6762 6798 829db 6797->6798 6799 829cb 6797->6799 6798->6766 6799->6798 6800 80f09 _free 14 API calls 6799->6800 6800->6799 6801->6686 6844 834f6 6802->6844 6805 83609 6806 83615 ___scrt_is_nonwritable_in_current_image 6805->6806 6807 80b35 _free 14 API calls 6806->6807 6811 83642 __fassign 6806->6811 6814 8363c __fassign 6806->6814 6807->6814 6808 83689 6810 80e99 _free 14 API calls 6808->6810 6809 83673 6809->6570 6812 8368e 6810->6812 6813 836b5 6811->6813 6858 805f3 EnterCriticalSection 6811->6858 6855 80ddc 6812->6855 6818 837e8 6813->6818 6819 836f7 
6813->6819 6828 83726 6813->6828 6814->6808 6814->6809 6814->6811 6822 837f3 6818->6822 6863 8063b LeaveCriticalSection 6818->6863 6824 809de __fassign 66 API calls 6819->6824 6819->6828 6820 7fc8f __fassign 23 API calls 6829 837fb ___scrt_is_nonwritable_in_current_image 6820->6829 6822->6820 6826 8371b 6824->6826 6825 809de __fassign 66 API calls 6831 8377b 6825->6831 6827 809de __fassign 66 API calls 6826->6827 6827->6828 6859 83795 6828->6859 6864 83ba3 EnterCriticalSection 6829->6864 6831->6809 6832 809de __fassign 66 API calls 6831->6832 6832->6809 6833 83812 ___scrt_uninitialize_crt 6834 8384b 6833->6834 6865 83a3e 6833->6865 6875 8387c 6834->6875 6839 80c4c __fassign 6838->6839 6840 80c78 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 6839->6840 6843 80d49 __fassign 6840->6843 6841 7df23 _ValidateLocalCookies 5 API calls 6842 80d67 6841->6842 6842->6573 6843->6841 6845 83502 ___scrt_is_nonwritable_in_current_image 6844->6845 6850 805f3 EnterCriticalSection 6845->6850 6847 83510 6851 8354e 6847->6851 6850->6847 6854 8063b LeaveCriticalSection 6851->6854 6853 803ce 6853->6570 6853->6805 6854->6853 6878 80d78 6855->6878 6857 80de8 6857->6809 6858->6813 6860 8379b 6859->6860 6861 8376c 6859->6861 6890 8063b LeaveCriticalSection 6860->6890 6861->6809 6861->6825 6861->6831 6863->6822 6864->6833 6866 83a4b 6865->6866 6867 83a54 6865->6867 6891 83934 6866->6891 6894 839d9 6867->6894 6872 83a70 6907 84ccf 6872->6907 6874 83a51 6874->6834 7152 83bb7 LeaveCriticalSection 6875->7152 6877 8386a 6877->6570 6879 80b35 _free 14 API calls 6878->6879 6880 80d83 6879->6880 6881 80d91 6880->6881 6886 80dec IsProcessorFeaturePresent 6880->6886 6881->6857 6883 80ddb 6884 80d78 ___std_exception_copy 25 API calls 6883->6884 6885 80de8 6884->6885 6885->6857 6887 80df8 6886->6887 6888 80c30 __fassign 8 API calls 6887->6888 6889 80e0d GetCurrentProcess TerminateProcess 6888->6889 6889->6883 6890->6861 6918 83888 6891->6918 6895 839f1 6894->6895 6896 83a16 
6894->6896 6895->6896 6897 841c7 ___scrt_uninitialize_crt 25 API calls 6895->6897 6896->6874 6900 841c7 6896->6900 6898 83a0f 6897->6898 6940 854c7 6898->6940 6901 841e8 6900->6901 6902 841d3 6900->6902 6901->6872 6903 80e99 _free 14 API calls 6902->6903 6904 841d8 6903->6904 6905 80ddc ___std_exception_copy 25 API calls 6904->6905 6906 841e3 6905->6906 6906->6872 6908 84ce0 6907->6908 6911 84ced 6907->6911 6909 80e99 _free 14 API calls 6908->6909 6917 84ce5 6909->6917 6910 84d36 6912 80e99 _free 14 API calls 6910->6912 6911->6910 6913 84d14 6911->6913 6914 84d3b 6912->6914 7133 84c2d 6913->7133 6916 80ddc ___std_exception_copy 25 API calls 6914->6916 6916->6917 6917->6874 6919 83894 ___scrt_is_nonwritable_in_current_image 6918->6919 6926 805f3 EnterCriticalSection 6919->6926 6921 8390a 6935 83928 6921->6935 6925 8389e ___scrt_uninitialize_crt 6925->6921 6927 837fc 6925->6927 6926->6925 6928 83808 ___scrt_is_nonwritable_in_current_image 6927->6928 6938 83ba3 EnterCriticalSection 6928->6938 6930 83812 ___scrt_uninitialize_crt 6931 8384b 6930->6931 6934 83a3e ___scrt_uninitialize_crt 66 API calls 6930->6934 6932 8387c ___scrt_uninitialize_crt LeaveCriticalSection 6931->6932 6933 8386a 6932->6933 6933->6925 6934->6931 6939 8063b LeaveCriticalSection 6935->6939 6937 83916 6937->6874 6938->6930 6939->6937 6941 854d3 ___scrt_is_nonwritable_in_current_image 6940->6941 6942 854db 6941->6942 6946 854f3 6941->6946 6965 80e86 6942->6965 6944 8558e 6947 80e86 __dosmaperr 14 API calls 6944->6947 6946->6944 6949 85525 6946->6949 6950 85593 6947->6950 6948 80e99 _free 14 API calls 6964 854e8 6948->6964 6968 824f4 EnterCriticalSection 6949->6968 6952 80e99 _free 14 API calls 6950->6952 6954 8559b 6952->6954 6953 8552b 6955 8555c 6953->6955 6956 85547 6953->6956 6957 80ddc ___std_exception_copy 25 API calls 6954->6957 6969 855b9 6955->6969 6958 80e99 _free 14 API calls 6956->6958 6957->6964 6960 8554c 6958->6960 6962 80e86 __dosmaperr 14 API calls 6960->6962 6961 85557 7011 85586 
6961->7011 6962->6961 6964->6896 6966 80b35 _free 14 API calls 6965->6966 6967 80e8b 6966->6967 6967->6948 6968->6953 6970 855db 6969->6970 7007 855f7 6969->7007 6971 855df 6970->6971 6974 8562f 6970->6974 6972 80e86 __dosmaperr 14 API calls 6971->6972 6973 855e4 6972->6973 6975 80e99 _free 14 API calls 6973->6975 6976 85645 6974->6976 7014 85c50 6974->7014 6977 855ec 6975->6977 7017 85160 6976->7017 6981 80ddc ___std_exception_copy 25 API calls 6977->6981 6981->7007 6982 8568c 6986 856a0 6982->6986 6987 856e6 WriteFile 6982->6987 6983 85653 6984 85679 6983->6984 6985 85657 6983->6985 7029 84d4c GetConsoleOutputCP 6984->7029 6988 85753 6985->6988 7024 850f8 6985->7024 6991 856a8 6986->6991 6992 856d6 6986->6992 6990 85709 GetLastError 6987->6990 6995 8566f 6987->6995 6999 80e99 _free 14 API calls 6988->6999 6988->7007 6990->6995 6996 856ad 6991->6996 6997 856c6 6991->6997 7057 851d1 6992->7057 6995->6988 7001 85729 6995->7001 6995->7007 6996->6988 7042 852ac 6996->7042 7049 85395 6997->7049 7000 85774 6999->7000 7003 80e86 __dosmaperr 14 API calls 7000->7003 7004 85730 7001->7004 7005 85747 7001->7005 7003->7007 7008 80e99 _free 14 API calls 7004->7008 7064 80e63 7005->7064 7007->6961 7009 85735 7008->7009 7010 80e86 __dosmaperr 14 API calls 7009->7010 7010->7007 7132 82517 LeaveCriticalSection 7011->7132 7013 8558c 7013->6964 7069 85bd4 7014->7069 7091 8587e 7017->7091 7019 85171 7020 809de __fassign 65 API calls 7019->7020 7023 851c7 7019->7023 7022 85194 7020->7022 7021 851ae GetConsoleMode 7021->7023 7022->7021 7022->7023 7023->6982 7023->6983 7025 8511a 7024->7025 7028 8514f 7024->7028 7026 85c6b 5 API calls ___scrt_uninitialize_crt 7025->7026 7027 85151 GetLastError 7025->7027 7025->7028 7026->7025 7027->7028 7028->6995 7100 80472 7029->7100 7033 84da8 ___scrt_uninitialize_crt 7035 84153 62 API calls __fassign 7033->7035 7036 8504e 7033->7036 7038 84fd1 WriteFile 7033->7038 7040 85a9e 19 API calls ___scrt_uninitialize_crt 7033->7040 7041 85009 WriteFile 
7033->7041 7108 82ac4 7033->7108 7113 82203 7033->7113 7034 850f6 7034->6995 7035->7033 7116 7df23 7036->7116 7038->7033 7039 850c6 GetLastError 7038->7039 7039->7036 7040->7033 7041->7033 7041->7039 7044 852bb ___scrt_uninitialize_crt 7042->7044 7043 8537a 7046 7df23 _ValidateLocalCookies 5 API calls 7043->7046 7044->7043 7045 85330 WriteFile 7044->7045 7045->7044 7047 8537c GetLastError 7045->7047 7048 85393 7046->7048 7047->7043 7048->6995 7055 853a4 ___scrt_uninitialize_crt 7049->7055 7050 7df23 _ValidateLocalCookies 5 API calls 7051 854c5 7050->7051 7051->6995 7052 82203 ___scrt_uninitialize_crt WideCharToMultiByte 7052->7055 7053 854ae GetLastError 7056 854ac 7053->7056 7054 85463 WriteFile 7054->7053 7054->7055 7055->7052 7055->7053 7055->7054 7055->7056 7056->7050 7062 851e0 ___scrt_uninitialize_crt 7057->7062 7058 85291 7059 7df23 _ValidateLocalCookies 5 API calls 7058->7059 7060 852aa 7059->7060 7060->6995 7061 85250 WriteFile 7061->7062 7063 85293 GetLastError 7061->7063 7062->7058 7062->7061 7063->7058 7065 80e86 __dosmaperr 14 API calls 7064->7065 7066 80e6e _free 7065->7066 7067 80e99 _free 14 API calls 7066->7067 7068 80e81 7067->7068 7068->7007 7078 825cb 7069->7078 7071 85be6 7072 85bee 7071->7072 7073 85bff SetFilePointerEx 7071->7073 7074 80e99 _free 14 API calls 7072->7074 7075 85bf3 7073->7075 7076 85c17 GetLastError 7073->7076 7074->7075 7075->6976 7077 80e63 __dosmaperr 14 API calls 7076->7077 7077->7075 7079 825d8 7078->7079 7080 825ed 7078->7080 7081 80e86 __dosmaperr 14 API calls 7079->7081 7083 80e86 __dosmaperr 14 API calls 7080->7083 7085 82612 7080->7085 7082 825dd 7081->7082 7084 80e99 _free 14 API calls 7082->7084 7086 8261d 7083->7086 7087 825e5 7084->7087 7085->7071 7088 80e99 _free 14 API calls 7086->7088 7087->7071 7089 82625 7088->7089 7090 80ddc ___std_exception_copy 25 API calls 7089->7090 7090->7087 7092 85898 7091->7092 7093 8588b 7091->7093 7095 858a4 7092->7095 7096 80e99 _free 14 API calls 7092->7096 7094 80e99 _free 14 
API calls 7093->7094 7097 85890 7094->7097 7095->7019 7098 858c5 7096->7098 7097->7019 7099 80ddc ___std_exception_copy 25 API calls 7098->7099 7099->7097 7101 80492 7100->7101 7107 80489 7100->7107 7102 809de __fassign 66 API calls 7101->7102 7101->7107 7103 804b2 7102->7103 7123 8416d 7103->7123 7107->7033 7109 809de __fassign 66 API calls 7108->7109 7110 82acf 7109->7110 7111 8416d __fassign 66 API calls 7110->7111 7112 82adf 7111->7112 7112->7033 7114 8221a WideCharToMultiByte 7113->7114 7114->7033 7117 7df2c IsProcessorFeaturePresent 7116->7117 7118 7df2b 7116->7118 7120 7df73 7117->7120 7118->7034 7131 7df36 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 7120->7131 7122 7e056 7122->7034 7124 84180 7123->7124 7125 804c8 7123->7125 7124->7125 7126 82ed4 __fassign 66 API calls 7124->7126 7127 8419a 7125->7127 7126->7125 7128 841ad 7127->7128 7129 841c2 7127->7129 7128->7129 7130 81e78 __fassign 66 API calls 7128->7130 7129->7107 7130->7129 7131->7122 7132->7013 7134 84c39 ___scrt_is_nonwritable_in_current_image 7133->7134 7147 824f4 EnterCriticalSection 7134->7147 7136 84c48 7137 84c8f 7136->7137 7138 825cb ___scrt_uninitialize_crt 25 API calls 7136->7138 7139 80e99 _free 14 API calls 7137->7139 7140 84c74 FlushFileBuffers 7138->7140 7141 84c94 7139->7141 7140->7141 7142 84c80 7140->7142 7148 84cc3 7141->7148 7144 80e86 __dosmaperr 14 API calls 7142->7144 7146 84c85 GetLastError 7144->7146 7146->7137 7147->7136 7151 82517 LeaveCriticalSection 7148->7151 7150 84cac 7150->6917 7151->7150 7152->6877 7154 7dba5 GetStartupInfoW 7153->7154 7154->6441 7156 81e39 7155->7156 7160 81e6b 7155->7160 7164 80a9b 7156->7164 7160->6444 7372 820ff 7161->7372 7165 80aac 7164->7165 7166 80aa6 7164->7166 7167 83259 _free 6 API calls 7165->7167 7170 80ab2 7165->7170 7168 8321a _free 6 API calls 7166->7168 7169 80ac6 7167->7169 7168->7165 7169->7170 7171 80aca 7169->7171 7173 803c9 __fassign 66 API calls 7170->7173 7178 80b2b 7170->7178 7172 
80eac _free 14 API calls 7171->7172 7174 80ad6 7172->7174 7175 80b34 7173->7175 7176 80ade 7174->7176 7177 80af3 7174->7177 7180 83259 _free 6 API calls 7176->7180 7179 83259 _free 6 API calls 7177->7179 7192 81c7c 7178->7192 7181 80aff 7179->7181 7182 80aea 7180->7182 7183 80b12 7181->7183 7184 80b03 7181->7184 7187 80f09 _free 14 API calls 7182->7187 7186 8080c _free 14 API calls 7183->7186 7185 83259 _free 6 API calls 7184->7185 7185->7182 7188 80b1d 7186->7188 7189 80af0 7187->7189 7190 80f09 _free 14 API calls 7188->7190 7189->7170 7191 80b24 7190->7191 7191->7170 7211 81d90 7192->7211 7196 81ca8 7196->7160 7200 81ceb 7203 80f09 _free 14 API calls 7200->7203 7205 81cf9 7203->7205 7204 81ce6 7206 80e99 _free 14 API calls 7204->7206 7205->7160 7206->7200 7207 81d2d 7207->7200 7249 81918 7207->7249 7208 81d01 7208->7207 7209 80f09 _free 14 API calls 7208->7209 7209->7207 7212 81d9c ___scrt_is_nonwritable_in_current_image 7211->7212 7214 81db6 7212->7214 7257 805f3 EnterCriticalSection 7212->7257 7215 81c8f 7214->7215 7217 803c9 __fassign 66 API calls 7214->7217 7222 81a26 7215->7222 7216 81df2 7258 81e0f 7216->7258 7219 81e2f 7217->7219 7220 81dc6 7220->7216 7221 80f09 _free 14 API calls 7220->7221 7221->7216 7223 80472 __fassign 66 API calls 7222->7223 7224 81a38 7223->7224 7225 81a59 7224->7225 7226 81a47 GetOEMCP 7224->7226 7227 81a70 7225->7227 7228 81a5e GetACP 7225->7228 7226->7227 7227->7196 7229 80652 7227->7229 7228->7227 7230 80690 7229->7230 7231 80660 7229->7231 7233 80e99 _free 14 API calls 7230->7233 7232 8067b HeapAlloc 7231->7232 7236 80664 _free 7231->7236 7234 8068e 7232->7234 7232->7236 7235 80695 7233->7235 7234->7235 7235->7200 7238 81e8b 7235->7238 7236->7230 7236->7232 7237 7f1ea _free 2 API calls 7236->7237 7237->7236 7239 81a26 68 API calls 7238->7239 7240 81eab 7239->7240 7242 81ee5 IsValidCodePage 7240->7242 7246 81f21 __fassign 7240->7246 7241 7df23 _ValidateLocalCookies 5 API calls 7243 81cde 7241->7243 7244 81ef7 7242->7244 
7242->7246 7243->7204 7243->7208 7245 81f26 GetCPInfo 7244->7245 7248 81f00 __fassign 7244->7248 7245->7246 7245->7248 7246->7241 7262 81afc 7248->7262 7250 81924 ___scrt_is_nonwritable_in_current_image 7249->7250 7346 805f3 EnterCriticalSection 7250->7346 7252 8192e 7347 81965 7252->7347 7257->7220 7261 8063b LeaveCriticalSection 7258->7261 7260 81e16 7260->7214 7261->7260 7263 81b24 GetCPInfo 7262->7263 7272 81bed 7262->7272 7269 81b3c 7263->7269 7263->7272 7264 7df23 _ValidateLocalCookies 5 API calls 7265 81c7a 7264->7265 7265->7246 7273 82ae8 7269->7273 7271 84a6e 69 API calls 7271->7272 7272->7264 7274 80472 __fassign 66 API calls 7273->7274 7275 82b08 7274->7275 7293 82187 7275->7293 7277 82bc6 7278 7df23 _ValidateLocalCookies 5 API calls 7277->7278 7280 81ba4 7278->7280 7279 82b35 7279->7277 7282 80652 15 API calls 7279->7282 7284 82b5b __fassign 7279->7284 7288 84a6e 7280->7288 7281 82bc0 7296 82beb 7281->7296 7282->7284 7284->7281 7285 82187 __fassign MultiByteToWideChar 7284->7285 7286 82ba9 7285->7286 7286->7281 7287 82bb0 GetStringTypeW 7286->7287 7287->7281 7289 80472 __fassign 66 API calls 7288->7289 7290 84a81 7289->7290 7300 84884 7290->7300 7294 82198 MultiByteToWideChar 7293->7294 7294->7279 7297 82c08 7296->7297 7298 82bf7 7296->7298 7297->7277 7298->7297 7299 80f09 _free 14 API calls 7298->7299 7299->7297 7301 8489f 7300->7301 7302 82187 __fassign MultiByteToWideChar 7301->7302 7306 848e3 7302->7306 7303 84a48 7304 7df23 _ValidateLocalCookies 5 API calls 7303->7304 7305 81bc5 7304->7305 7305->7271 7306->7303 7307 80652 15 API calls 7306->7307 7310 84908 7306->7310 7307->7310 7308 849ad 7312 82beb __freea 14 API calls 7308->7312 7309 82187 __fassign MultiByteToWideChar 7311 8494e 7309->7311 7310->7308 7310->7309 7311->7308 7328 832e6 7311->7328 7312->7303 7315 849bc 7319 80652 15 API calls 7315->7319 7322 849ce 7315->7322 7316 84984 7316->7308 7318 832e6 7 API calls 7316->7318 7317 84a39 7321 82beb __freea 14 API calls 7317->7321 7318->7308 
7319->7322 7320 832e6 7 API calls 7323 84a16 7320->7323 7321->7308 7322->7317 7322->7320 7323->7317 7324 82203 ___scrt_uninitialize_crt WideCharToMultiByte 7323->7324 7325 84a30 7324->7325 7325->7317 7326 84a65 7325->7326 7327 82beb __freea 14 API calls 7326->7327 7327->7308 7337 82fbf 7328->7337 7331 8331e 7340 83343 7331->7340 7332 832f7 LCMapStringEx 7336 8333e 7332->7336 7335 83337 LCMapStringW 7335->7336 7336->7308 7336->7315 7336->7316 7338 830ba _free 5 API calls 7337->7338 7339 82fd5 7338->7339 7339->7331 7339->7332 7343 82fd9 7340->7343 7342 8334e 7342->7335 7344 830ba _free 5 API calls 7343->7344 7345 82fef 7344->7345 7345->7342 7346->7252 7357 8207e 7347->7357 7349 81987 7350 8207e 25 API calls 7349->7350 7351 819a6 7350->7351 7352 80f09 _free 14 API calls 7351->7352 7353 8193b 7351->7353 7352->7353 7354 81959 7353->7354 7371 8063b LeaveCriticalSection 7354->7371 7356 81947 7356->7200 7358 8208f 7357->7358 7362 8208b ___scrt_uninitialize_crt 7357->7362 7359 82096 7358->7359 7364 820a9 __fassign 7358->7364 7360 80e99 _free 14 API calls 7359->7360 7361 8209b 7360->7361 7363 80ddc ___std_exception_copy 25 API calls 7361->7363 7362->7349 7363->7362 7364->7362 7365 820e0 7364->7365 7366 820d7 7364->7366 7365->7362 7369 80e99 _free 14 API calls 7365->7369 7367 80e99 _free 14 API calls 7366->7367 7368 820dc 7367->7368 7370 80ddc ___std_exception_copy 25 API calls 7368->7370 7369->7368 7370->7362 7371->7356 7373 80472 __fassign 66 API calls 7372->7373 7374 82113 7373->7374 7374->6444 7376 7fb77 7375->7376 7384 7fb88 7375->7384 7377 7dbc8 __fassign GetModuleHandleW 7376->7377 7380 7fb7c 7377->7380 7380->7384 7386 7fc0f GetModuleHandleExW 7380->7386 7381 7fbc2 7381->6419 7391 7fa2f 7384->7391 7387 7fc2e GetProcAddress 7386->7387 7388 7fc43 7386->7388 7387->7388 7389 7fc57 FreeLibrary 7388->7389 7390 7fc60 7388->7390 7389->7390 7390->7384 7392 7fa3b ___scrt_is_nonwritable_in_current_image 7391->7392 7407 805f3 EnterCriticalSection 7392->7407 7394 7fa45 7408 7fa7c 
7394->7408 7396 7fa52 7412 7fa70 7396->7412 7399 7fbcd 7436 82375 GetPEB 7399->7436 7402 7fbfc 7405 7fc0f __fassign 3 API calls 7402->7405 7403 7fbdc GetPEB 7403->7402 7404 7fbec GetCurrentProcess TerminateProcess 7403->7404 7404->7402 7406 7fc04 ExitProcess 7405->7406 7407->7394 7409 7fa88 ___scrt_is_nonwritable_in_current_image 7408->7409 7411 7fae9 __fassign 7409->7411 7415 8014d 7409->7415 7411->7396 7435 8063b LeaveCriticalSection 7412->7435 7414 7fa5e 7414->7381 7414->7399 7418 7fe7e 7415->7418 7419 7fe8a ___scrt_is_nonwritable_in_current_image 7418->7419 7426 805f3 EnterCriticalSection 7419->7426 7421 7fe98 7427 8005d 7421->7427 7426->7421 7428 7fea5 7427->7428 7430 8007c 7427->7430 7431 7fecd 7428->7431 7429 80f09 _free 14 API calls 7429->7428 7430->7428 7430->7429 7434 8063b LeaveCriticalSection 7431->7434 7433 7feb6 7433->7411 7434->7433 7435->7414 7437 7fbd7 7436->7437 7438 8238f 7436->7438 7437->7402 7437->7403 7440 8313d 7438->7440 7441 830ba _free 5 API calls 7440->7441 7442 83159 7441->7442 7442->7437 7444 802ee 7443->7444 7445 80300 ___scrt_uninitialize_crt 7443->7445 7446 802fc 7444->7446 7448 83a86 7444->7448 7445->6455 7446->6455 7449 83934 ___scrt_uninitialize_crt 66 API calls 7448->7449 7450 83a8d 7449->7450 7450->7446 8507 841f0 8508 8422a 8507->8508 8509 80e99 _free 14 API calls 8508->8509 8514 8423e 8508->8514 8510 84233 8509->8510 8511 80ddc ___std_exception_copy 25 API calls 8510->8511 8511->8514 8512 7df23 _ValidateLocalCookies 5 API calls 8513 8424b 8512->8513 8514->8512 7823 7f77d 7824 81e30 75 API calls 7823->7824 7825 7f78f 7824->7825 7834 822f1 GetEnvironmentStringsW 7825->7834 7829 80f09 _free 14 API calls 7831 7f7c9 7829->7831 7832 80f09 _free 14 API calls 7833 7f79a 7832->7833 7833->7829 7835 82308 7834->7835 7836 8235e 7834->7836 7839 82203 ___scrt_uninitialize_crt WideCharToMultiByte 7835->7839 7837 7f794 7836->7837 7838 82367 FreeEnvironmentStringsW 7836->7838 7837->7833 7846 7f7cf 7837->7846 7838->7837 7840 82321 7839->7840 
7840->7836 7841 80652 15 API calls 7840->7841 7842 82331 7841->7842 7843 82349 7842->7843 7844 82203 ___scrt_uninitialize_crt WideCharToMultiByte 7842->7844 7845 80f09 _free 14 API calls 7843->7845 7844->7843 7845->7836 7847 7f7e4 7846->7847 7848 80eac _free 14 API calls 7847->7848 7859 7f80b 7848->7859 7849 7f870 7850 80f09 _free 14 API calls 7849->7850 7851 7f7a5 7850->7851 7851->7832 7852 80eac _free 14 API calls 7852->7859 7853 7f872 7854 7f89f 14 API calls 7853->7854 7856 7f878 7854->7856 7855 8040d ___std_exception_copy 25 API calls 7855->7859 7857 80f09 _free 14 API calls 7856->7857 7857->7849 7858 7f892 7860 80dec ___std_exception_copy 11 API calls 7858->7860 7859->7849 7859->7852 7859->7853 7859->7855 7859->7858 7861 80f09 _free 14 API calls 7859->7861 7862 7f89e 7860->7862 7861->7859 7863 7d37b 7865 7d380 7863->7865 7864 7f273 ___std_exception_copy 15 API calls 7864->7865 7865->7864 7866 7d39a 7865->7866 7867 7f1ea _free 2 API calls 7865->7867 7869 7d39c 7865->7869 7867->7865 7868 7d6e2 7870 7e4b0 RaiseException 7868->7870 7869->7868 7873 7e4b0 7869->7873 7871 7d6ff 7870->7871 7874 7e4f7 RaiseException 7873->7874 7875 7e4ca 7873->7875 7874->7868 7875->7874 7876 7f478 7877 7f48f 7876->7877 7887 7f488 7876->7887 7878 7f4b0 7877->7878 7880 7f49a 7877->7880 7879 81e30 75 API calls 7878->7879 7881 7f4b6 7879->7881 7882 80e99 _free 14 API calls 7880->7882 7900 81877 GetModuleFileNameW 7881->7900 7884 7f49f 7882->7884 7886 80ddc ___std_exception_copy 25 API calls 7884->7886 7886->7887 7892 7f514 7894 80e99 _free 14 API calls 7892->7894 7893 7f520 7895 7f5ae 66 API calls 7893->7895 7899 7f519 7894->7899 7896 7f538 7895->7896 7898 80f09 _free 14 API calls 7896->7898 7896->7899 7897 80f09 _free 14 API calls 7897->7887 7898->7899 7899->7897 7901 818a6 GetLastError 7900->7901 7902 818b7 7900->7902 7903 80e63 __dosmaperr 14 API calls 7901->7903 7922 815f0 7902->7922 7907 818b2 7903->7907 7908 7df23 _ValidateLocalCookies 5 API calls 7907->7908 7909 7f4c9 7908->7909 
7910 7f5ae 7909->7910 7912 7f5d3 7910->7912 7911 82156 66 API calls 7911->7912 7912->7911 7914 7f633 7912->7914 7913 7f4fe 7916 7f722 7913->7916 7914->7913 7915 82156 66 API calls 7914->7915 7915->7914 7917 7f50b 7916->7917 7918 7f733 7916->7918 7917->7892 7917->7893 7918->7917 7919 80eac _free 14 API calls 7918->7919 7920 7f75c 7919->7920 7921 80f09 _free 14 API calls 7920->7921 7921->7917 7923 80472 __fassign 66 API calls 7922->7923 7924 81602 7923->7924 7925 81614 7924->7925 7948 8317d 7924->7948 7927 81775 7925->7927 7928 81791 7927->7928 7929 81782 7927->7929 7930 81799 7928->7930 7931 817be 7928->7931 7929->7907 7930->7929 7954 8183c 7930->7954 7932 82203 ___scrt_uninitialize_crt WideCharToMultiByte 7931->7932 7934 817ce 7932->7934 7935 817eb 7934->7935 7936 817d5 GetLastError 7934->7936 7937 817fc 7935->7937 7939 8183c 14 API calls 7935->7939 7938 80e63 __dosmaperr 14 API calls 7936->7938 7937->7929 7940 82203 ___scrt_uninitialize_crt WideCharToMultiByte 7937->7940 7941 817e1 7938->7941 7939->7937 7942 81814 7940->7942 7943 80e99 _free 14 API calls 7941->7943 7942->7929 7944 8181b GetLastError 7942->7944 7943->7929 7945 80e63 __dosmaperr 14 API calls 7944->7945 7946 81827 7945->7946 7947 80e99 _free 14 API calls 7946->7947 7947->7929 7951 82fa5 7948->7951 7952 830ba _free 5 API calls 7951->7952 7953 82fbb 7952->7953 7953->7925 7955 81847 7954->7955 7956 80e99 _free 14 API calls 7955->7956 7957 81850 7956->7957 7957->7929

          Control-flow Graph

          control_flow_graph 0 73f3e-73f94 call 7d350 call 7e060 5 73f96-740c1 0->5 5->5 6 740c7-7410d call 7165b 5->6 10 7410f-7420d 6->10 10->10 11 74213-7425e call 7165b 10->11 14 74262-7450a 11->14 14->14 15 74510-7455b 14->15 17 7455d-74655 15->17 17->17 18 7465b-74946 call 7165b 17->18 22 74948-74ab8 18->22 22->22 23 74abe-74b08 call 7165b call 7bf6c 22->23 29 74b0a-74c19 23->29 29->29 30 74c1f-74eb7 call 7165b 29->30 34 74eb9-74fce 30->34 34->34 35 74fd4-75238 call 7165b call 7e060 * 4 34->35 47 7523a-75318 35->47 47->47 48 7531e-75364 call 7165b 47->48 52 75366-7549f 48->52 52->52 53 754a5-754e7 call 7165b 52->53 56 754eb-7559e 53->56 56->56 57 755a4-755ec 56->57 59 755ee-757fa 57->59 59->59 60 75800-7584a call 7165b 59->60 64 7584c-75acc 60->64 64->64 65 75ad2-75b19 call 7165b 64->65 68 75b1d-75d0f 65->68 68->68 69 75d15-75d5d 68->69 71 75d5f-75f20 69->71 71->71 72 75f26-75f70 call 7165b 71->72 76 75f72-76161 72->76 76->76 77 76167-761cd call 7165b 76->77 80 761ce-7672f 77->80 80->80 81 76735-76780 80->81 83 76782-768e8 81->83 83->83 84 768ee-76938 call 7165b 83->84 88 7693a-76b99 84->88 88->88 89 76b9f-76be9 call 7165b 88->89 92 76bed-76f48 89->92 92->92 93 76f4e-77003 call 7e060 * 5 92->93 105 77005-77139 93->105 105->105 106 7713f-77174 call 7165b 105->106 109 77178-774e6 106->109 109->109 110 774ec-77524 109->110 112 77526-77739 110->112 112->112 113 7773f-77788 call 7165b 112->113 117 7778f-7792f 113->117 117->117 118 77935-77fd3 call 7165b 117->118 122 77fd5-780c5 118->122 122->122 123 780cb-78112 call 7165b 122->123 127 78114-78245 123->127 127->127 128 7824b-78803 call 7165b 127->128 132 78805-78a3e 128->132 132->132 133 78a44-78a8b call 7165b 132->133 137 78a8d-78b3e 133->137 137->137 138 78b44-78b97 call 7165b 137->138 141 78b98-78fc5 138->141 141->141 142 78fcb-79007 141->142 144 79009-790ab 142->144 144->144 145 790b1-790fa call 7165b 144->145 149 79101-79317 145->149 149->149 150 7931d-7936b call 7165b 149->150 153 7936f-79494 150->153 
153->153 154 7949a-79c40 call 7165b CopyFileW call 7165b CopyFileW call 7165b CopyFileW call 7165b CopyFileW 153->154 164 79c42-79e2b 154->164 164->164 165 79e31-79e49 call 7165b GetFileAttributesW 164->165 168 79e51-79e5d 165->168 169 79e4b-79e4c call 79e60 165->169 169->168
          APIs
            • Part of subcall function 0007165B: GetProcAddress.KERNEL32(?,?), ref: 0007167C
          • CopyFileW.KERNELBASE(?,?,00000000,00000057), ref: 00079740
          • CopyFileW.KERNELBASE(?,?,00000000,00000057), ref: 000798C8
          • CopyFileW.KERNELBASE(?,?,00000000,00000057), ref: 00079A76
          • CopyFileW.KERNELBASE(?,?,00000000,00000057), ref: 00079C1E
          • GetFileAttributesW.KERNELBASE(?,00000057), ref: 00079E44
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1347383699.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
          • Associated: 00000000.00000002.1347363243.0000000000070000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347406047.0000000000088000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347422690.0000000000090000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347441770.0000000000092000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347441770.0000000000097000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_70000_jwJP7IUDX3.jbxd
          Similarity
          • API ID: File$Copy$AddressAttributesProc
          • String ID: 'k[p$.&.9$5$@m$@m$ADTH$ADTH$ADTH$ADTY$ADTY$ADTY$ADTY$EOqQ$EOqQ$EOqQ$EOqQ$G$Mm$Mm$Mm$Mm$U_l$U_l$U_l$U_l$\$lG$lG$lG$lG$lG$lG
          • API String ID: 3188739461-2449091054
          • Opcode ID: 713b68d0b52d6e3c5dbd476ab9ba4553f68d160eb445319366b8c50783320d9d
          • Instruction ID: a440deeb6420de57b529ddc9e4d1a5ab4ab32c2412c8699796c34ac09372676f
          • Opcode Fuzzy Hash: 713b68d0b52d6e3c5dbd476ab9ba4553f68d160eb445319366b8c50783320d9d
          • Instruction Fuzzy Hash: 10B35B2AE25B904BF3024A3DAC523D757D19FF7314F04FB1A99E8735E1EB1A420AA744

          Control-flow Graph

          control_flow_graph 171 7184e-718a1 call 7e060 * 2 176 718a3-71957 171->176 176->176 177 7195d-71993 call 7165b 176->177 181 71995-71b61 177->181 181->181 182 71b67-71b9e call 7165b 181->182 185 71ba2-71cd4 182->185 185->185 186 71cda-71d10 185->186 188 71d12-71eb1 186->188 188->188 189 71eb7-71eea call 7165b 188->189 193 71eee-71fb8 189->193 193->193 194 71fbe-71ff2 call 7165b 193->194 197 71ff6-7216b 194->197 197->197 198 72171-721a9 197->198 200 721ab-72311 198->200 200->200 201 72317-72328 call 7165b GetFileAttributesW 200->201 204 725a0-725c0 201->204 205 7232e-7234f 201->205 207 725c4-726b5 204->207 206 72351-72588 205->206 206->206 208 7258e-7259e call 7165b DeleteFileW 206->208 207->207 209 726bb-726f2 call 7165b 207->209 208->204 215 726f4-727cd 209->215 215->215 216 727d3-72807 call 7165b 215->216 219 7280b-72915 216->219 219->219 220 7291b-72951 219->220 222 72953-72b43 220->222 222->222 223 72b49-72b7a call 7165b 222->223 227 72b7c-72cb3 223->227 227->227 228 72cb9-72cef call 7165b call 7bf6c 227->228 234 72cf1-72ddc 228->234 234->234 235 72de2-72dfb call 7165b GetFileAttributesW 234->235 238 72e01-72e22 235->238 239 73228-73247 235->239 241 72e24-72f7f 238->241 240 73249-73330 239->240 240->240 242 73336-7337b LoadLibraryA 240->242 241->241 243 72f85-72fac call 7165b DeleteFileW 241->243 244 73380-7343e 242->244 249 72fae-7306e 243->249 244->244 246 73444-73479 call 7165b FindWindowW 244->246 253 7347b-73619 246->253 249->249 251 73074-730a6 call 7165b CreateDirectoryW 249->251 256 730a8-7320c 251->256 253->253 255 7361f-73655 LoadLibraryA 253->255 257 73657-73719 255->257 256->256 259 73212-73224 call 7165b SetFileAttributesW 256->259 257->257 258 7371f-73c03 call 7165b ShellExecuteW call 7165b Sleep 257->258 266 73d9e-73f3b call 7165b Sleep 258->266 267 73c09-73c2f 258->267 259->239 268 73c31-73d84 267->268 268->268 270 73d8a-73d9b call 7165b 268->270 270->266
          APIs
          • GetFileAttributesW.KERNELBASE(?,00000055), ref: 00072323
          • DeleteFileW.KERNELBASE(?,00005144), ref: 0007259E
          • GetFileAttributesW.KERNELBASE(?,00000047), ref: 00072DF2
          • DeleteFileW.KERNELBASE(?,00000047), ref: 00072F92
            • Part of subcall function 0007165B: GetProcAddress.KERNEL32(?,?), ref: 0007167C
          • CreateDirectoryW.KERNELBASE(?,00000000,00000047), ref: 00073085
          • SetFileAttributesW.KERNELBASE(?,00000007,00000047), ref: 00073222
          • LoadLibraryA.KERNEL32(00000047), ref: 0007333C
          • FindWindowW.USER32(00000047,00000000,0000476C), ref: 00073454
          • LoadLibraryA.KERNELBASE(0000476C), ref: 00073627
          • ShellExecuteW.SHELL32(00000000,0000476C,?,00000000,00000000,00000001,00005C53), ref: 00073A8F
          • Sleep.KERNELBASE(000000C8,0000476C), ref: 00073BFF
          • Sleep.KERNELBASE(00000064,0000476C), ref: 00073F2D
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1347383699.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
          • Associated: 00000000.00000002.1347363243.0000000000070000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347406047.0000000000088000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347422690.0000000000090000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347441770.0000000000092000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347441770.0000000000097000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_70000_jwJP7IUDX3.jbxd
          Similarity
          • API ID: File$Attributes$DeleteLibraryLoadSleep$AddressCreateDirectoryExecuteFindProcShellWindow
          • String ID: A_XI$I[h$JIZ[$Mm$PSG$PZ[}$SX$S\$Xi$YSC]$[Rz]$j$uG
          • API String ID: 3833981728-3842990132
          • Opcode ID: 3077f97bd71203b394c43e83fbb066aa2ca559726bddd92bc3360a1e896423fc
          • Instruction ID: ca19c1027e3b8a09c77250face6f62e7e9037e14bf8dbab4e4e02dba978aa6c9
          • Opcode Fuzzy Hash: 3077f97bd71203b394c43e83fbb066aa2ca559726bddd92bc3360a1e896423fc
          • Instruction Fuzzy Hash: 5523695BB64B504FF70249389CE53C75BD28BF3334F45BB1A95A8936E2DA0B420E9B44

          Control-flow Graph

          control_flow_graph 274 71000-711d2 LoadLibraryA
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1347383699.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
          • Associated: 00000000.00000002.1347363243.0000000000070000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347406047.0000000000088000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347422690.0000000000090000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347441770.0000000000092000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347441770.0000000000097000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_70000_jwJP7IUDX3.jbxd
          Similarity
          • API ID: LibraryLoad
          • String ID: $11111111$????????$IIIIIIII$ZZZZZZZZ$]VW$eeeeeeee$wwwwwwww$
          • API String ID: 1029625771-416292116
          • Opcode ID: 3df92339a9c6aa30a2ff52f9c9afb55058f2f5d6a328aa7e2248fe6096408cf0
          • Instruction ID: ebb37e1f616c07fc55dfe3968eb7e2cb40e49fc598d94c74b7707ad040324a2b
          • Opcode Fuzzy Hash: 3df92339a9c6aa30a2ff52f9c9afb55058f2f5d6a328aa7e2248fe6096408cf0
          • Instruction Fuzzy Hash: 0441EA39C2AF9956EB03673EB807292A7147FF3688784EB17BD9431871EF1642456348

          Control-flow Graph

          control_flow_graph 350 7cac2-7ce1e call 7165b 354 7ce20-7d003 350->354 354->354 355 7d009-7d025 call 7165b CheckRemoteDebuggerPresent 354->355
          APIs
            • Part of subcall function 0007165B: GetProcAddress.KERNEL32(?,?), ref: 0007167C
          • CheckRemoteDebuggerPresent.KERNELBASE(00000000,00000000,?), ref: 0007D01A
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1347383699.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
          • Associated: 00000000.00000002.1347363243.0000000000070000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347406047.0000000000088000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347422690.0000000000090000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347441770.0000000000092000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347441770.0000000000097000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_70000_jwJP7IUDX3.jbxd
          Similarity
          • API ID: AddressCheckDebuggerPresentProcRemote
          • String ID: 5-:/
          • API String ID: 3825363277-1482481948
          • Opcode ID: 68028fb52b9f62c6cf5bfb000491c6d8d944745d41f2e1aa290a3e1445092012
          • Instruction ID: 792de962bef1aae8f2ee3c75dbff180ee5a0828884350ca5dedc5707b399246c
          • Opcode Fuzzy Hash: 68028fb52b9f62c6cf5bfb000491c6d8d944745d41f2e1aa290a3e1445092012
          • Instruction Fuzzy Hash: 4BD1F729E25FA55BE303163DBC533D35B906FF3364E04E70BA9E432DA1EB0A4245A784

          Control-flow Graph

          control_flow_graph 278 84884-8489d 279 8489f-848af call 85bb8 278->279 280 848b3-848b8 278->280 279->280 286 848b1 279->286 282 848ba-848c2 280->282 283 848c5-848ed call 82187 280->283 282->283 288 84a4b-84a5c call 7df23 283->288 289 848f3-848ff 283->289 286->280 291 84901-84906 289->291 292 84936 289->292 295 84908-84911 call 87cf0 291->295 296 8491b-84926 call 80652 291->296 294 84938-8493a 292->294 298 84a40 294->298 299 84940-84953 call 82187 294->299 306 84931-84934 295->306 309 84913-84919 295->309 305 84928 296->305 296->306 303 84a42-84a49 call 82beb 298->303 299->298 311 84959-8496b call 832e6 299->311 303->288 310 8492e 305->310 306->294 309->310 310->306 314 84970-84974 311->314 314->298 315 8497a-84982 314->315 316 849bc-849c8 315->316 317 84984-84989 315->317 318 849f9 316->318 319 849ca-849cc 316->319 317->303 320 8498f-84991 317->320 321 849fb-849fd 318->321 323 849ce-849d7 call 87cf0 319->323 324 849e1-849ec call 80652 319->324 320->298 322 84997-849b1 call 832e6 320->322 325 84a39-84a3f call 82beb 321->325 326 849ff-84a18 call 832e6 321->326 322->303 336 849b7 322->336 323->325 337 849d9-849df 323->337 324->325 339 849ee 324->339 325->298 326->325 340 84a1a-84a21 326->340 336->298 341 849f4-849f7 337->341 339->341 342 84a5d-84a63 340->342 343 84a23-84a24 340->343 341->321 344 84a25-84a37 call 82203 342->344 343->344 344->325 347 84a65-84a6c call 82beb 344->347 347->303
          APIs
          • __freea.LIBCMT ref: 00084A3A
            • Part of subcall function 00080652: HeapAlloc.KERNEL32(00000000,?,?,?,0007D395,?), ref: 00080684
          • __freea.LIBCMT ref: 00084A43
          • __freea.LIBCMT ref: 00084A66
          Memory Dump Source
          • Source File: 00000000.00000002.1347383699.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
          • Associated: 00000000.00000002.1347363243.0000000000070000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347406047.0000000000088000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347422690.0000000000090000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347441770.0000000000092000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347441770.0000000000097000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_70000_jwJP7IUDX3.jbxd
          Similarity
          • API ID: __freea$AllocHeap
          • String ID:
          • API String ID: 85559729-0
          • Opcode ID: 08cf0c8aaf0dc99e0ad94f53e3934cc91891f3e3b9e0981ad8d6a803c52754ae
          • Instruction ID: 69829702bc2c769515fad0ced3a35c3c3afd5b1752e28dcf5a9997e2f62ef266
          • Opcode Fuzzy Hash: 08cf0c8aaf0dc99e0ad94f53e3934cc91891f3e3b9e0981ad8d6a803c52754ae
          • Instruction Fuzzy Hash: D151CF72500217ABEB24AF94CC82EEF36E9FF84750F250129FD84AB241EB74DD1097A5

          Control-flow Graph

          control_flow_graph 358 81afc-81b1e 359 81c30-81c37 358->359 360 81b24-81b36 GetCPInfo 358->360 362 81c39-81c42 359->362 360->359 361 81b3c-81b43 360->361 363 81b45-81b4f 361->363 364 81c4e-81c51 362->364 365 81c44-81c4c 362->365 363->363 366 81b51-81b64 363->366 368 81c5f 364->368 369 81c53-81c5d 364->369 367 81c61-81c6b 365->367 371 81b85-81b87 366->371 367->362 370 81c6d-81c7b call 7df23 367->370 368->367 369->367 373 81b89-81bc0 call 82ae8 call 84a6e 371->373 374 81b66-81b6d 371->374 383 81bc5-81bf0 call 84a6e 373->383 376 81b7c-81b7e 374->376 378 81b6f-81b71 376->378 379 81b80-81b83 376->379 378->379 382 81b73-81b7b 378->382 379->371 382->376 386 81bf2-81bfd 383->386 387 81c0d-81c10 386->387 388 81bff-81c0b 386->388 390 81c20 387->390 391 81c12-81c1e 387->391 389 81c22-81c2c 388->389 389->386 392 81c2e 389->392 390->389 391->389 392->370
          APIs
          • GetCPInfo.KERNEL32(E8458D00,?,00084DB4,00084DA8,00000000), ref: 00081B2E
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1347383699.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
          • Associated: 00000000.00000002.1347363243.0000000000070000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347406047.0000000000088000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347422690.0000000000090000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347441770.0000000000092000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347441770.0000000000097000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_70000_jwJP7IUDX3.jbxd
          Similarity
          • API ID: Info
          • String ID:

          APIs
            • Part of subcall function 00081A26: GetOEMCP.KERNEL32(00000000,00081C97,00084DA8,00000000,00000000,00000000,00000000,?,00084DA8), ref: 00081A51
          • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00081CDE,?,00000000,00084DA8,00013385,?,?,?,?,00000000), ref: 00081EE9
          • GetCPInfo.KERNEL32(00000000,00081CDE,?,?,00081CDE,?,00000000,00084DA8,00013385,?,?,?,?,00000000,00000000), ref: 00081F2B
          Similarity
          • API ID: CodeInfoPageValid
          • String ID:

          APIs
            • Part of subcall function 00081A26: GetOEMCP.KERNEL32(00000000,00081C97,00084DA8,00000000,00000000,00000000,00000000,?,00084DA8), ref: 00081A51
          • _free.LIBCMT ref: 00081CF4
          Similarity
          • API ID: _free
          • String ID:

          APIs
          • LCMapStringEx.KERNELBASE(?,00084970,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0008331A
          • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00084970,?,?,00000000,?,00000000), ref: 00083338
          Similarity
          • API ID: String
          • String ID:

          APIs
          • LoadLibraryA.KERNEL32(0000584F), ref: 0007A116
          Similarity
          • API ID: LibraryLoad
          • String ID: 1-1?$7$C[$Fw[T$G[z8$OWQ'$PNR]$P[WU$QWE%$SM$VYhH$`X^V$|X^L
          Similarity
          • API ID: _strlen
          • String ID: +%7$+%7$M
          Similarity
          • API ID:
          • String ID: ADTY$ADTY$M{$lG$ve
          APIs
          • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0007DA83
          • IsDebuggerPresent.KERNEL32 ref: 0007DB4F
          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0007DB6F
          • UnhandledExceptionFilter.KERNEL32(?), ref: 0007DB79
          Similarity
          • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
          • String ID:
          APIs
          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00080D28
          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00080D32
          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00080D3F
          Similarity
          • API ID: ExceptionFilterUnhandled$DebuggerPresent
          • String ID:
          APIs
          • GetCurrentProcess.KERNEL32(?,?,0007FBCC,?,?,?,?,?,0008564E), ref: 0007FBEF
          • TerminateProcess.KERNEL32(00000000,?,0007FBCC,?,?,?,?,?,0008564E), ref: 0007FBF6
          • ExitProcess.KERNEL32 ref: 0007FC08
          Similarity
          • API ID: Process$CurrentExitTerminate
          • String ID:
          APIs
          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,000875C8,?,?,00000008,?,?,00087260,00000000), ref: 000877FA
          Similarity
          • API ID: ExceptionRaise
          • String ID:
          Similarity
          • API ID: _wcschr
          • String ID:
          APIs
          • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0007DD5C
          Similarity
          • API ID: FeaturePresentProcessor
          • String ID:
          APIs
          • GetProcAddress.KERNEL32(?,?), ref: 0007167C
          Similarity
          • API ID: AddressProc
          • String ID:
          APIs
          • SetUnhandledExceptionFilter.KERNEL32(Function_0000DC17,0007D463), ref: 0007DC10
          Similarity
          • API ID: ExceptionFilterUnhandled
          • String ID:
          Similarity
          • API ID: HeapProcess
          • String ID:
          APIs
          • ___free_lconv_mon.LIBCMT ref: 00082CCC
            • Part of subcall function 00082841: _free.LIBCMT ref: 0008285E
            • Part of subcall function 00082841: _free.LIBCMT ref: 00082870
            • Part of subcall function 00082841: _free.LIBCMT ref: 00082882
            • Part of subcall function 00082841: _free.LIBCMT ref: 00082894
            • Part of subcall function 00082841: _free.LIBCMT ref: 000828A6
            • Part of subcall function 00082841: _free.LIBCMT ref: 000828B8
            • Part of subcall function 00082841: _free.LIBCMT ref: 000828CA
            • Part of subcall function 00082841: _free.LIBCMT ref: 000828DC
            • Part of subcall function 00082841: _free.LIBCMT ref: 000828EE
            • Part of subcall function 00082841: _free.LIBCMT ref: 00082900
            • Part of subcall function 00082841: _free.LIBCMT ref: 00082912
            • Part of subcall function 00082841: _free.LIBCMT ref: 00082924
            • Part of subcall function 00082841: _free.LIBCMT ref: 00082936
          • _free.LIBCMT ref: 00082CC1
            • Part of subcall function 00080F09: HeapFree.KERNEL32(00000000,00000000,?,000829D2,?,00000000,?,?,?,000829F9,?,00000007,?,?,00082E1F,?), ref: 00080F1F
            • Part of subcall function 00080F09: GetLastError.KERNEL32(?,?,000829D2,?,00000000,?,?,?,000829F9,?,00000007,?,?,00082E1F,?,?), ref: 00080F31
          • _free.LIBCMT ref: 00082CE3
          • _free.LIBCMT ref: 00082CF8
          • _free.LIBCMT ref: 00082D03
          • _free.LIBCMT ref: 00082D25
          • _free.LIBCMT ref: 00082D38
          • _free.LIBCMT ref: 00082D46
          • _free.LIBCMT ref: 00082D51
          • _free.LIBCMT ref: 00082D89
          • _free.LIBCMT ref: 00082D90
          • _free.LIBCMT ref: 00082DAD
          • _free.LIBCMT ref: 00082DC5
          Similarity
          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
          • String ID:
          • API String ID: 161543041-0
          APIs
          • _free.LIBCMT ref: 000808DC
            • Part of subcall function 00080F09: HeapFree.KERNEL32(00000000,00000000,?,000829D2,?,00000000,?,?,?,000829F9,?,00000007,?,?,00082E1F,?), ref: 00080F1F
            • Part of subcall function 00080F09: GetLastError.KERNEL32(?,?,000829D2,?,00000000,?,?,?,000829F9,?,00000007,?,?,00082E1F,?,?), ref: 00080F31
          • _free.LIBCMT ref: 000808E8
          • _free.LIBCMT ref: 000808F3
          • _free.LIBCMT ref: 000808FE
          • _free.LIBCMT ref: 00080909
          • _free.LIBCMT ref: 00080914
          • _free.LIBCMT ref: 0008091F
          • _free.LIBCMT ref: 0008092A
          • _free.LIBCMT ref: 00080935
          • _free.LIBCMT ref: 00080943
          Similarity
          • API ID: _free$ErrorFreeHeapLast
          • String ID:
          • API String ID: 776569668-0
          APIs
          • _ValidateLocalCookies.LIBCMT ref: 0007E307
          • ___except_validate_context_record.LIBVCRUNTIME ref: 0007E30F
          • _ValidateLocalCookies.LIBCMT ref: 0007E398
          • __IsNonwritableInCurrentImage.LIBCMT ref: 0007E3C3
          • _ValidateLocalCookies.LIBCMT ref: 0007E418
          Strings
          Similarity
          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
          • String ID: csm
          • API String ID: 1170836740-1018135373
          Strings
          Similarity
          • API ID:
          • String ID: api-ms-$ext-ms-
          • API String ID: 0-537541572
          APIs
            • Part of subcall function 000829A8: _free.LIBCMT ref: 000829CD
          • _free.LIBCMT ref: 00082A2E
            • Part of subcall function 00080F09: HeapFree.KERNEL32(00000000,00000000,?,000829D2,?,00000000,?,?,?,000829F9,?,00000007,?,?,00082E1F,?), ref: 00080F1F
            • Part of subcall function 00080F09: GetLastError.KERNEL32(?,?,000829D2,?,00000000,?,?,?,000829F9,?,00000007,?,?,00082E1F,?,?), ref: 00080F31
          • _free.LIBCMT ref: 00082A39
          • _free.LIBCMT ref: 00082A44
          • _free.LIBCMT ref: 00082A98
          • _free.LIBCMT ref: 00082AA3
          • _free.LIBCMT ref: 00082AAE
          • _free.LIBCMT ref: 00082AB9
          Similarity
          • API ID: _free$ErrorFreeHeapLast
          • String ID:
          • API String ID: 776569668-0
          APIs
          • GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 00084D94
          • __fassign.LIBCMT ref: 00084F79
          • __fassign.LIBCMT ref: 00084F96
          • WriteFile.KERNEL32(?,00083902,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00084FDE
          • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0008501E
          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 000850C6
          Similarity
          • API ID: FileWrite__fassign$ConsoleErrorLastOutput
          • String ID:
          • API String ID: 1735259414-0
          APIs
          • GetLastError.KERNEL32(?,?,0007E68B,0007E65D,0007DC5B), ref: 0007E6A2
          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0007E6B0
          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0007E6C9
          • SetLastError.KERNEL32(00000000,0007E68B,0007E65D,0007DC5B), ref: 0007E71B
          Similarity
          • API ID: ErrorLastValue___vcrt_
          • String ID:
          • API String ID: 3852720340-0
          Strings
          • C:\Users\user\Desktop\jwJP7IUDX3.exe, xrefs: 0008177A
          Similarity
          • API ID:
          • String ID: C:\Users\user\Desktop\jwJP7IUDX3.exe
          • API String ID: 0-1044066300
          APIs
          • FreeLibrary.KERNEL32(00000000,?,?,?,0007EA43,?,?,00090C90,00000000,?,0007EB6E,00000004,InitializeCriticalSectionEx,0008A62C,InitializeCriticalSectionEx,00000000), ref: 0007EA12
          Strings
          Similarity
          • API ID: FreeLibrary
          • String ID: api-ms-
          • API String ID: 3664257935-2084034818
          APIs
          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,0007FC04,?,?,0007FBCC,?,?,?), ref: 0007FC24
          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0007FC37
          • FreeLibrary.KERNEL32(00000000,?,?,0007FC04,?,?,0007FBCC,?,?,?), ref: 0007FC5A
          Strings
          Similarity
          • API ID: AddressFreeHandleLibraryModuleProc
          • String ID: CorExitProcess$mscoree.dll
          • API String ID: 4061214504-1276376045
          APIs
          • _free.LIBCMT ref: 00082957
            • Part of subcall function 00080F09: HeapFree.KERNEL32(00000000,00000000,?,000829D2,?,00000000,?,?,?,000829F9,?,00000007,?,?,00082E1F,?), ref: 00080F1F
            • Part of subcall function 00080F09: GetLastError.KERNEL32(?,?,000829D2,?,00000000,?,?,?,000829F9,?,00000007,?,?,00082E1F,?,?), ref: 00080F31
          • _free.LIBCMT ref: 00082969
          • _free.LIBCMT ref: 0008297B
          • _free.LIBCMT ref: 0008298D
          • _free.LIBCMT ref: 0008299F
          Similarity
          • API ID: _free$ErrorFreeHeapLast
          • String ID:
          • API String ID: 776569668-0
          APIs
          Strings
          Similarity
          • API ID: _free
          • String ID: *?
          • API String ID: 269201875-2564092906
          APIs
            • Part of subcall function 0008162F: _free.LIBCMT ref: 0008163D
            • Part of subcall function 00082203: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000001,00083902,000856D4,0000FDE9,00000000,?,?,?,0008544D,0000FDE9,00000000,?), ref: 000822AF
          • GetLastError.KERNEL32 ref: 00081075
          • __dosmaperr.LIBCMT ref: 0008107C
          • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 000810BB
          • __dosmaperr.LIBCMT ref: 000810C2
          Similarity
          • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
          • String ID:
          • API String ID: 167067550-0
          APIs
          • GetLastError.KERNEL32(?,?,?,00085194,?,00000001,00083973,?,0008564E,00000001,?,?,?,00083902,?,?), ref: 000809E3
          • _free.LIBCMT ref: 00080A40
          • _free.LIBCMT ref: 00080A76
          • SetLastError.KERNEL32(00000000,00000002,000000FF,?,0008564E,00000001,?,?,?,00083902,?,?,?,0008EEA0,0000002C,00083973), ref: 00080A81
          Similarity
          • API ID: ErrorLast_free
          • String ID:
          • API String ID: 2283115069-0
          APIs
          • GetLastError.KERNEL32(?,?,?,00080E9E,00080695,?,?,0007D395,?), ref: 00080B3A
          • _free.LIBCMT ref: 00080B97
          • _free.LIBCMT ref: 00080BCD
          • SetLastError.KERNEL32(00000000,00000002,000000FF,?,?,?,00080E9E,00080695,?,?,0007D395,?), ref: 00080BD8
          Similarity
          • API ID: ErrorLast_free
          • String ID:
          • API String ID: 2283115069-0
          APIs
          • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,00085C89,?,00000001,?,00000001,?,00085123,?,?,00000001), ref: 0008623D
          • GetLastError.KERNEL32(?,00085C89,?,00000001,?,00000001,?,00085123,?,?,00000001,?,00000001,?,0008566F,00083902), ref: 00086249
            • Part of subcall function 0008620F: CloseHandle.KERNEL32(FFFFFFFE,00086259,?,00085C89,?,00000001,?,00000001,?,00085123,?,?,00000001,?,00000001), ref: 0008621F
          • ___initconout.LIBCMT ref: 00086259
            • Part of subcall function 000861D1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00086200,00085C76,00000001,?,00085123,?,?,00000001,?), ref: 000861E4
          • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,00085C89,?,00000001,?,00000001,?,00085123,?,?,00000001,?), ref: 0008626E
          Similarity
          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
          • String ID:
          • API String ID: 2744216297-0
          APIs
          • _free.LIBCMT ref: 0008025C
            • Part of subcall function 00080F09: HeapFree.KERNEL32(00000000,00000000,?,000829D2,?,00000000,?,?,?,000829F9,?,00000007,?,?,00082E1F,?), ref: 00080F1F
            • Part of subcall function 00080F09: GetLastError.KERNEL32(?,?,000829D2,?,00000000,?,?,?,000829F9,?,00000007,?,?,00082E1F,?,?), ref: 00080F31
          • _free.LIBCMT ref: 0008026F
          • _free.LIBCMT ref: 00080280
          • _free.LIBCMT ref: 00080291
          Similarity
          • API ID: _free$ErrorFreeHeapLast
          • String ID:
          • API String ID: 776569668-0
          Strings
          Similarity
          • API ID:
          • String ID: C:\Users\user\Desktop\jwJP7IUDX3.exe
          • API String ID: 0-1044066300
          • Opcode ID: 73fdc4210e9bfe0542ea0c05585c3521b5068fcdd2dc1500af54ef8ce906e8ee
          • Instruction ID: a9a1e934ecab373ce992522f89c4465983c9de972218d8e3d38625c0db03bb0e
          • Opcode Fuzzy Hash: 73fdc4210e9bfe0542ea0c05585c3521b5068fcdd2dc1500af54ef8ce906e8ee
          • Instruction Fuzzy Hash: 9C418271E00615AFDB61EF99DC819EEBBF8FF84310F108076E508A7252E7789A41CB54
          APIs
          • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0007DF69
          • ___raise_securityfailure.LIBCMT ref: 0007E051
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1347383699.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
          • Associated: 00000000.00000002.1347363243.0000000000070000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347406047.0000000000088000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347422690.0000000000090000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347441770.0000000000092000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1347441770.0000000000097000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_70000_jwJP7IUDX3.jbxd
          Similarity
          • API ID: FeaturePresentProcessor___raise_securityfailure
          • String ID: H
          • API String ID: 3761405300-701892231
          • Opcode ID: 4f2d28c9b25f777d93eac9c81e23cdcf15873ed9b615a0dda09f9d5ac5124ef6
          • Instruction ID: dd2bf92a8f73cf9c5411cf5cb639297d2dc5fb1325dfdd38834b8757b748b886
          • Opcode Fuzzy Hash: 4f2d28c9b25f777d93eac9c81e23cdcf15873ed9b615a0dda09f9d5ac5124ef6
          • Instruction Fuzzy Hash: D921C4B65113049EF750CF15FD85B543BA4BB48324F10502BE5098ABB1D3BC5585CF8A