Windows Analysis Report
RemoteDelProf.exe

Overview

General Information

Sample name:RemoteDelProf.exe
Analysis ID:1566857
MD5:8614f771d622fd11ecf75a01fa2373b1
SHA1:8425e4813d0fe74f30f4dfbbad9721a3fca7b143
SHA256:a32555ec55b0918b0d67e2cd28c29b7dd55571535ec63bfa0c683851a6f4a0db
Infos:

Detection

Score:5
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • RemoteDelProf.exe (PID: 7540 cmdline: "C:\Users\user\Desktop\RemoteDelProf.exe" MD5: 8614F771D622FD11ECF75A01FA2373B1)
    • conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

There are no malicious signatures.

Source: RemoteDelProf.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: RemoteDelProf.exeStatic PE information: certificate valid
Source: RemoteDelProf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: RemoteDelProf.exeString found in binary or memory: http://ocsp.comodoca.com0
Source: RemoteDelProf.exeString found in binary or memory: http://www.autoitscript.com/atools/
Source: RemoteDelProf.exe, ConDrv.0.drString found in binary or memory: http://www.autoitscript.com/tools
Source: RemoteDelProf.exeString found in binary or memory: http://www.autoitscript.com/tools:
Source: RemoteDelProf.exeString found in binary or memory: http://www.autoitscript.com/toolsB
Source: RemoteDelProf.exeString found in binary or memory: http://www.autoitscript.com/toolsThis
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: 0_2_00BB93810_2_00BB9381
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: 0_2_00BC155F0_2_00BC155F
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: 0_2_00BB86CC0_2_00BB86CC
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: 0_2_00BB97A10_2_00BB97A1
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: 0_2_00BBEAA00_2_00BBEAA0
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: 0_2_00BA1AE90_2_00BA1AE9
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: 0_2_00BB8BA10_2_00BB8BA1
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: 0_2_00BB8F750_2_00BB8F75
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: String function: 00BBA6CE appears 36 times
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: String function: 00BBF6E4 appears 49 times
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: String function: 00BA7D43 appears 34 times
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: String function: 00BBA69B appears 177 times
Source: classification engineClassification label: clean5.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
Source: RemoteDelProf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RemoteDelProf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RemoteDelProf.exeString found in binary or memory: ERROR: exception of unknown type! Try --help
Source: RemoteDelProf.exeString found in binary or memory: Try --help
Source: unknownProcess created: C:\Users\user\Desktop\RemoteDelProf.exe "C:\Users\user\Desktop\RemoteDelProf.exe"
Source: C:\Users\user\Desktop\RemoteDelProf.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RemoteDelProf.exeSection loaded: apphelp.dll
Source: RemoteDelProf.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: RemoteDelProf.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: RemoteDelProf.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: RemoteDelProf.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: RemoteDelProf.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: 0_2_00BC6133 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,0_2_00BC6133
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: 0_2_00BBB000 push dword ptr [ecx-75h]; iretd 0_2_00BBB008
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: 0_2_00BBF729 push ecx; ret 0_2_00BBF73C
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: 0_2_00BBA773 push ecx; ret 0_2_00BBA786
Source: C:\Users\user\Desktop\RemoteDelProf.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleepgraph_0-23715
Source: C:\Users\user\Desktop\RemoteDelProf.exeAPI coverage: 9.3 %
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\RemoteDelProf.exeAPI call chain: ExitProcess graph end nodegraph_0-24530
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: 0_2_00BB8554 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00BB8554
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: 0_2_00BC04DA SetUnhandledExceptionFilter,0_2_00BC04DA
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: 0_2_00BBD4C1 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00BBD4C1
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: 0_2_00BAB6F9 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00BAB6F9
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: 0_2_00BB7FAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00BB7FAA
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,0_2_00BC00E1
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,0_2_00BC5065
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,0_2_00BC62E7
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,0_2_00BC72C5
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,0_2_00BC631B
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,0_2_00BC54FD
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,0_2_00BC645A
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,0_2_00BC56AC
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,0_2_00BC5614
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,0_2_00BC479F
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,0_2_00BC5720
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,0_2_00BC58F2
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: GetLocaleInfoA,0_2_00BBE87F
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,0_2_00BC59B3
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,0_2_00BC5A1A
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,0_2_00BC5A56
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,0_2_00BBBBAE
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,0_2_00BC4E0D
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: GetLocaleInfoA,0_2_00BC3F6A
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: 0_2_00BC0C52 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00BC0C52
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: 0_2_00BA204B LookupAccountNameW,GetLastError,LookupAccountNameW,IsValidSid,ConvertSidToStringSidW,LocalFree,0_2_00BA204B
Source: C:\Users\user\Desktop\RemoteDelProf.exeCode function: 0_2_00BA81A0 GetVersionExW,0_2_00BA81A0
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 2 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 1 Account Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 System Owner/User Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 13 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Behavior Graph ID: 1566857, Sample: RemoteDelProf.exe, Startdate: 02/12/2024, Architecture: WINDOWS, Score: 5. Process tree: RemoteDelProf.exe started conhost.exe.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| RemoteDelProf.exe | 0% | ReversingLabs | | |
No Antivirus matches
No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://www.autoitscript.com/toolsB | RemoteDelProf.exe | false | | high |
| http://www.autoitscript.com/atools/ | RemoteDelProf.exe | false | | high |
| http://www.autoitscript.com/tools: | RemoteDelProf.exe | false | | high |
| http://www.autoitscript.com/tools | RemoteDelProf.exe, ConDrv.0.dr | false | | high |
| http://www.autoitscript.com/toolsThis | RemoteDelProf.exe | false | | high |
            No contacted IP infos
            Joe Sandbox version:41.0.0 Charoite
            Analysis ID:1566857
            Start date and time:2024-12-02 18:58:27 +01:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 1m 57s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:2
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:RemoteDelProf.exe
            Detection:CLEAN
            Classification:clean5.winEXE@2/1@0/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 98%
            • Number of executed functions: 13
            • Number of non-executed functions: 50
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Stop behavior analysis, all processes terminated
            • Not all processes where analyzed, report is missing behavior information
            • VT rate limit hit for: RemoteDelProf.exe
            No simulations
            No context
            Process:C:\Users\user\Desktop\RemoteDelProf.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):883
            Entropy (8bit):4.7417016568034605
            Encrypted:false
            SSDEEP:12:zIiLpVYWywUUNHwlAqqSzrhjBHf9rldmflIKwNovYL7aYWyeDGDDzonyu23:zzFSYqZzrhjBludIv6vQ7aPFi/ET0
            MD5:86152C522ED21FBA89907A9B2D6D3208
            SHA1:167E408EBAA83F24DE3638A289AF902DC3EAD9AD
            SHA-256:59B28389B0EDC210D3950F466CE031DA0B714143CB8B614290540B689E6C71E3
            SHA-512:9151D995FFDF3835B8A586216BC3463BEE279908CFAC2BE017CDD1F11BB59177AAB373151885E7E731B9793B0848A03F98A2CD253787A11C148A136C0F0774CB
            Malicious:false
            Reputation:low
            Preview:..RemoteDelProf v1.0.0 - Remote Profile Deletion Utility..Copyright (C) 2009 Jonathan Bennett..http://www.autoitscript.com/tools....Options:.. -h [ --help ] This help message... -u [ --user ] arg Username in 'user' or 'domain\user' format... -w [ --workstation ] arg Workstation name in NETBIOS or FQDN format... -l [ --local ] Delete the cached roaming profile from the specified.. workstation... -n [ --network ] Delete the central roaming profile from the network.....Examples:.. DelProf.exe --user Jonathan --workstation WORKSTATION1.. DelProf.exe --u DOMAIN\Jonathan -w WORKSTATION1 --local.. DelProf.exe -u Jonathan -w WORKSTATION1 --local --network....Notes:.. - The user must not be logged onto the target workstation... - The c$ share and remote registry must be accessible on the target workstation...
            File type:PE32 executable (console) Intel 80386, for MS Windows
            Entropy (8bit):6.394461592159801
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:RemoteDelProf.exe
            File size:249'712 bytes
            MD5:8614f771d622fd11ecf75a01fa2373b1
            SHA1:8425e4813d0fe74f30f4dfbbad9721a3fca7b143
            SHA256:a32555ec55b0918b0d67e2cd28c29b7dd55571535ec63bfa0c683851a6f4a0db
            SHA512:2953f38a2d6f1a1180c40392911dad93196984badb73d59d4dfa12c349e334fb1e0d031d2a8ef6a8afa6e8caa82af52ad34b34490f1e7e4db33ba0b8800dc2e5
            SSDEEP:6144:yIx8FPvgN6IGOi8NqOeL+wtI/HxfOS9+a:3xkgOOOOeJtI/H0St
            TLSH:3E347B223BC5C477C25322768CC8D77AA6F9F8709D30960BBBD5076E9F75A92CA11312
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-A..L/..L/..L/..4...L/..4...L/..4...L/...T..L/..L...L/..4...L/......L/..4...L/.Rich.L/.................PE..L...N..J...........
            Icon Hash:90cececece8e8eb0
            Entrypoint:0x41a25f
            Entrypoint Section:.text
            Digitally signed:true
            Imagebase:0x400000
            Subsystem:windows cui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Time Stamp:0x4A1CF24E [Wed May 27 07:57:02 2009 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:0
            File Version Major:5
            File Version Minor:0
            Subsystem Version Major:5
            Subsystem Version Minor:0
            Import Hash:bb24c91dde7f346f9afa0c834a0adafb
            Signature Valid:true
            Signature Issuer:CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US
            Signature Validation Error:The operation completed successfully
            Error Number:0
            Not Before, Not After
            • 08/02/2009 19:00:00 09/02/2012 18:59:59
            Subject Chain
            • CN=Jonathan Bennett, O=Jonathan Bennett, STREET=19 Linnet Close, L=Birmingham, S=West Midlands, PostalCode=B30 1XB, C=GB
            Version:3
            Thumbprint MD5:5FE91C20B3DE6BA483BF3C8D461FAB8B
            Thumbprint SHA-1:B1B968D50B0BED69315EFCE51D307D8DCBEBD584
            Thumbprint SHA-256:771CA562615F9F128FF3993D079825DA87F8800358B67E52172DEA5691E6E4A4
            Serial:00FF3628AC973FD4AF789D25697A20B243
            Instruction
            call 00007F8530F37743h
            jmp 00007F8530F30BFAh
            mov edi, edi
            push ebp
            mov ebp, esp
            sub esp, 20h
            mov eax, dword ptr [ebp+08h]
            push esi
            push edi
            push 00000008h
            pop ecx
            mov esi, 0042AB8Ch
            lea edi, dword ptr [ebp-20h]
            rep movsd
            mov dword ptr [ebp-08h], eax
            mov eax, dword ptr [ebp+0Ch]
            pop edi
            mov dword ptr [ebp-04h], eax
            pop esi
            test eax, eax
            je 00007F8530F30D5Eh
            test byte ptr [eax], 00000008h
            je 00007F8530F30D59h
            mov dword ptr [ebp-0Ch], 01994000h
            lea eax, dword ptr [ebp-0Ch]
            push eax
            push dword ptr [ebp-10h]
            push dword ptr [ebp-1Ch]
            push dword ptr [ebp-20h]
            call dword ptr [0042A084h]
            leave
            retn 0008h
            mov edi, edi
            push ebp
            mov ebp, esp
            push ecx
            push ebx
            mov eax, dword ptr [ebp+0Ch]
            add eax, 0Ch
            mov dword ptr [ebp-04h], eax
            mov ebx, dword ptr fs:[00000000h]
            mov eax, dword ptr [ebx]
            mov dword ptr fs:[00000000h], eax
            mov eax, dword ptr [ebp+08h]
            mov ebx, dword ptr [ebp+0Ch]
            mov ebp, dword ptr [ebp-04h]
            mov esp, dword ptr [ebx-04h]
            jmp eax
            pop ebx
            leave
            retn 0008h
            pop eax
            pop ecx
            xchg dword ptr [esp], eax
            jmp eax
            mov edi, edi
            push ebp
            mov ebp, esp
            push ecx
            push ecx
            push ebx
            push esi
            push edi
            mov esi, dword ptr fs:[00000000h]
            mov dword ptr [ebp-04h], esi
            mov dword ptr [ebp-08h], 0041A319h
            push 00000000h
            push dword ptr [ebp+0Ch]
            push dword ptr [ebp-08h]
            push dword ptr [ebp+08h]
            call 00007F8530F3E27Ah
            mov eax, dword ptr [ebp+0Ch]
            mov eax, dword ptr [eax+04h]
            and eax, FFFFFFFDh
            mov ecx, dword ptr [ebp+0Ch]
            mov dword ptr [ecx+00h], eax
            Programming Language:
            • [ASM] VS2008 SP1 build 30729
            • [C++] VS2008 SP1 build 30729
            • [ C ] VS2008 SP1 build 30729
            • [IMP] VS2005 build 50727
            • [RES] VS2008 build 21022
            • [LNK] VS2008 SP1 build 30729
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x33e58 | 0x64 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3b000 | 0x584 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x3ba00 | 0x1570 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3c000 | 0x29c8 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2d9d8 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2a000 | 0x178 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x28f3a | 0x29000 | 4b62bdbfd72255ee52001d2c36248719 | False | 0.5371212842987805 | MPEG-4 LOAS, single stream | 6.559933314783063 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x2a000 | 0xa6e4 | 0xa800 | 5b401e3d032b8d811d1911f5e7a9504a | False | 0.3277994791666667 | COM executable for DOS | 4.5698855375708645 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x35000 | 0x53c8 | 0x3400 | 8abed0343d2a33e8a204d11e9a2dd15c | False | 0.15895432692307693 | data | 4.416996255355425 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x3b000 | 0x584 | 0x600 | 64fd7f8dbf35ba906d9ac036c2f80a5c | False | 0.40234375 | data | 4.3367779800646815 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x3c000 | 0x431c | 0x4400 | a2a1b48e2da619d0c0da11616c6b46dd | False | 0.45358455882352944 | data | 4.857845741570547 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |

| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_VERSION | 0x3b0a0 | 0x388 | data | English | Great Britain | 0.415929203539823 |
| RT_MANIFEST | 0x3b428 | 0x15a | ASCII text, with CRLF line terminators | English | United States | 0.5491329479768786 |

| DLL | Import |
|---|---|
| KERNEL32.dll | GetFileAttributesW, GetVersionExW, LocalFree, GetLastError, CreateFileA, SetStdHandle, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, InterlockedCompareExchange, InterlockedExchange, MultiByteToWideChar, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RaiseException, RtlUnwind, HeapFree, GetCPInfo, LCMapStringA, LCMapStringW, GetStringTypeW, GetModuleHandleW, GetProcAddress, ExitProcess, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, HeapSize, HeapAlloc, WriteFile, GetStdHandle, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, VirtualAlloc, HeapReAlloc, GetConsoleCP, GetConsoleMode, FlushFileBuffers, ReadFile, SetFilePointer, CloseHandle, GetStringTypeA, GetACP, GetOEMCP, IsValidCodePage, GetLocaleInfoA, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, LoadLibraryA, InitializeCriticalSectionAndSpinCount, GetLocaleInfoW, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW |
| USER32.dll | CharUpperBuffW |
| ADVAPI32.dll | RegCloseKey, RegEnumKeyExW, RegDeleteKeyW, RegQueryValueExW, RegOpenKeyExW, LookupAccountSidW, ConvertSidToStringSidW, IsValidSid, RegConnectRegistryW, LookupAccountNameW |
| SHELL32.dll | SHFileOperationW |

| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | Great Britain | |
| English | United States | |
            No network behavior found

            Target ID:0
            Start time:12:59:22
            Start date:02/12/2024
            Path:C:\Users\user\Desktop\RemoteDelProf.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\RemoteDelProf.exe"
            Imagebase:0xba0000
            File size:249'712 bytes
            MD5 hash:8614F771D622FD11ECF75A01FA2373B1
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:1
            Start time:12:59:22
            Start date:02/12/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7699e0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

              Execution Graph

              Execution Coverage:8.6%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:0.5%
              Total number of Nodes:1483
              Total number of Limit Nodes:8
calls 23869->23872 23870 ba16e4 24190 ba2e03 23870->24190 23875 ba1611 23872->23875 23878 ba8116 codecvt 63 API calls 23875->23878 23876 ba16ef 23879 ba2e03 ctype 63 API calls 23876->23879 23877 ba15e2 24123 ba195d 23877->24123 23881 ba1622 23878->23881 23882 ba16fd 23879->23882 23883 ba7d43 std::_String_base::_Xlen 75 API calls 23881->23883 23882->23708 23884 ba163a 23883->23884 23885 ba2a28 75 API calls 23884->23885 23886 ba164d 23885->23886 23887 ba8116 codecvt 63 API calls 23886->23887 23888 ba165e 23887->23888 24187 ba1ae9 145 API calls 2 library calls 23888->24187 25617 bbedd6 23890->25617 23892 bbef13 23892->23709 23893->23682 23894->23687 23895->23693 23896->23697 23897->23701 23898->23705 23899->23712 23900->23721 23901->23729 23903 bbf0bb 23902->23903 23904 bbf0dc GetModuleHandleW 23902->23904 23903->23904 23907 bbf0c5 TlsGetValue 23903->23907 23905 bbf0ec 23904->23905 23906 bbf0f7 GetProcAddress 23904->23906 23923 bbec62 Sleep GetModuleHandleW 23905->23923 23909 bbf0d4 23906->23909 23910 bbf0d0 23907->23910 23909->23732 23910->23904 23910->23909 23911 bbf0f2 23911->23906 23911->23909 23912->23739 23913->23741 23917 bbd430 23914->23917 23916 bbd46d 23916->23720 23920 bbf11e 6 API calls __crt_waiting_on_module_handle 23916->23920 23917->23916 23918 bbd44e Sleep 23917->23918 23924 bc4254 23917->23924 23919 bbd463 23918->23919 23919->23916 23919->23917 23920->23745 23921->23748 23922->23725 23923->23911 23925 bc4260 _fseek 23924->23925 23926 bc4278 23925->23926 23935 bc4297 _memset 23925->23935 23937 bbe7a1 62 API calls __getptd_noexit 23926->23937 23928 bc427d 23938 bb867c 6 API calls 2 library calls 23928->23938 23930 bc4309 HeapAlloc 23930->23935 23931 bc428d _fseek 23931->23917 23935->23930 23935->23931 23939 bc102e 23935->23939 23946 bc1840 5 API calls 2 library calls 23935->23946 23947 bc4350 LeaveCriticalSection _doexit 23935->23947 23948 bbf9f4 6 API calls __decode_pointer 23935->23948 23937->23928 23940 bc1056 EnterCriticalSection 23939->23940 23941 
bc1043 23939->23941 23940->23935 23949 bc0f6b 62 API calls 9 library calls 23941->23949 23943 bc1049 23943->23940 23950 bbec92 62 API calls 3 library calls 23943->23950 23945 bc1055 23945->23940 23946->23935 23947->23935 23948->23935 23949->23943 23950->23945 23951->23751 23952->23760 23953->23755 23954->23770 23955->23776 23956->23785 23957->23788 23958->23782 23959->23782 23961 bc5deb 23960->23961 23962 bbf0a3 __encode_pointer 6 API calls 23961->23962 23963 bc5e03 23961->23963 23962->23961 23963->23793 23964->23795 23966 ba17e7 __EH_prolog3_GS ctype 23965->23966 24196 ba26e4 23966->24196 23970 ba181a 23971 ba2e03 ctype 63 API calls 23970->23971 23972 ba182a 23971->23972 23973 ba26e4 75 API calls 23972->23973 23974 ba1837 23973->23974 23975 ba838e 75 API calls 23974->23975 23976 ba1847 23975->23976 23977 ba2e03 ctype 63 API calls 23976->23977 23978 ba1854 23977->23978 23979 ba26e4 75 API calls 23978->23979 23980 ba1861 23979->23980 23981 ba838e 75 API calls 23980->23981 23982 ba1871 23981->23982 23983 ba2e03 ctype 63 API calls 23982->23983 23984 ba187e 23983->23984 23985 ba26e4 75 API calls 23984->23985 23986 ba188b 23985->23986 23987 ba838e 75 API calls 23986->23987 23988 ba189b 23987->23988 23989 ba2e03 ctype 63 API calls 23988->23989 23990 ba18a8 23989->23990 23991 ba26e4 75 API calls 23990->23991 23992 ba18b1 23991->23992 23993 ba838e 75 API calls 23992->23993 23994 ba18c1 23993->23994 23995 ba2e03 ctype 63 API calls 23994->23995 23996 ba18ce 23995->23996 24210 ba8370 23996->24210 23999 ba2e03 ctype 63 API calls 24000 ba18e0 23999->24000 24214 bba787 24000->24214 24002 ba1368 24003 ba18e6 24002->24003 24004 ba18f2 __EH_prolog3_GS ctype 24003->24004 24007 ba26e4 75 API calls 24004->24007 24016 ba1951 24004->24016 24005 bba787 ctype 5 API calls 24006 ba136d 24005->24006 24006->23802 24006->23805 24008 ba1920 24007->24008 24009 ba838e 75 API calls 24008->24009 24010 ba1930 24009->24010 24011 ba2e03 ctype 63 API calls 24010->24011 24012 ba193e 24011->24012 24013 
ba8370 115 API calls 24012->24013 24014 ba1946 24013->24014 24015 ba2e03 ctype 63 API calls 24014->24015 24015->24016 24016->24005 24018 ba7d54 std::_String_base::_Xlen 24017->24018 24415 ba7d26 24018->24415 24021 baf40b 24022 baf417 __EH_prolog3 24021->24022 24448 ba80a5 24022->24448 24026 baf436 24458 baee1c 24026->24458 24028 baf442 24029 baede4 75 API calls 24028->24029 24030 baf44e std::_Locinfo::_Locinfo 24029->24030 24030->23809 24032 ba8120 24031->24032 24033 ba8149 std::_String_base::_Xlen 24031->24033 24032->24033 24036 ba8140 24032->24036 24544 ba80cb 62 API calls codecvt 24032->24544 24033->23811 24545 bb80f7 24036->24545 24038 bb2526 __EH_prolog3 24037->24038 24552 bb215d 24038->24552 24042 bb254e std::_Locinfo::_Locinfo 24042->23813 24044 bb819a std::ios_base::_Init 74 API calls 24043->24044 24045 ba3e73 std::_Locinfo::_Locinfo 24044->24045 24045->23815 24047 bb0014 __EH_prolog3 24046->24047 24048 bb819a std::ios_base::_Init 74 API calls 24047->24048 24049 bb001d 24048->24049 24050 bb819a std::ios_base::_Init 74 API calls 24049->24050 24055 bb0051 24049->24055 24053 bb0030 24050->24053 24052 bb0062 ctype 24652 bafc70 24052->24652 24658 baed83 75 API calls 3 library calls 24053->24658 24649 bad573 24055->24649 24057 bb0080 std::_Locinfo::_Locinfo ctype 24057->23819 24059 bb00a2 __EH_prolog3 24058->24059 24060 bb819a std::ios_base::_Init 74 API calls 24059->24060 24061 bb00ab 24060->24061 24062 bb00c8 24061->24062 24679 baed83 75 API calls 3 library calls 24061->24679 24064 bad573 74 API calls 24062->24064 24065 bb00d5 ctype 24064->24065 24066 bafc70 75 API calls 24065->24066 24067 bb00f3 std::_Locinfo::_Locinfo ctype 24066->24067 24067->23821 24069 ba40bd __EH_prolog3 24068->24069 24680 ba4a3f 24069->24680 24071 ba40f0 24695 bb423f 24071->24695 24073 ba410a 24699 ba4ae6 24073->24699 24077 ba414c std::_Locinfo::_Locinfo 24077->23829 25001 bb219d 24078->25001 24081 ba17a9 24082 ba2f19 63 API calls 24081->24082 24083 ba17b7 24082->24083 24084 bb80f7 ctype 
63 API calls 24083->24084 24085 ba17be 24084->24085 25103 ba2eef 24085->25103 24088 bb80f7 ctype 63 API calls 24089 ba14cb 24088->24089 24090 bb13bf 24089->24090 24091 ba3416 ctype 6 API calls 24090->24091 24092 bb13d7 24091->24092 24093 bb10b8 6 API calls 24092->24093 24094 bb13e2 24093->24094 24095 ba3bb5 6 API calls 24094->24095 24096 bb13eb 24095->24096 24098 bb10b8 6 API calls 24096->24098 24099 ba3bb5 6 API calls 24096->24099 24100 ba14d7 24096->24100 25110 bb10d1 6 API calls 24096->25110 24098->24096 24099->24096 24100->23836 25111 ba3358 24101->25111 25132 bb07dd 24106->25132 24108 ba15da 24109 ba4161 24108->24109 24110 ba416d __EH_prolog3_catch _strlen 24109->24110 24111 ba7a33 76 API calls 24110->24111 24115 ba419e 24111->24115 24112 ba41a8 24114 ba7a16 75 API calls 24112->24114 24113 ba41eb 24113->24112 25611 ba8ea7 24113->25611 24117 ba4232 24114->24117 24115->24112 24115->24113 24118 ba777b 111 API calls 24115->24118 24116 ba4207 24116->24112 24120 ba777b 111 API calls 24116->24120 24119 ba77fb 76 API calls 24117->24119 24118->24115 24121 ba423e std::_Locinfo::_Locinfo 24119->24121 24120->24116 24121->23877 24124 ba1969 __EH_prolog3_GS ctype 24123->24124 24125 ba26e4 75 API calls 24124->24125 24126 ba198b 24125->24126 24127 ba838e 75 API calls 24126->24127 24128 ba199b 24127->24128 24129 ba2e03 ctype 63 API calls 24128->24129 24130 ba19ab 24129->24130 24131 ba26e4 75 API calls 24130->24131 24132 ba19b8 24131->24132 24133 ba838e 75 API calls 24132->24133 24134 ba19c8 24133->24134 24135 ba2e03 ctype 63 API calls 24134->24135 24136 ba19d5 24135->24136 24137 ba26e4 75 API calls 24136->24137 24138 ba19e2 24137->24138 24139 ba838e 75 API calls 24138->24139 24140 ba19f2 24139->24140 24141 ba2e03 ctype 63 API calls 24140->24141 24142 ba19ff 24141->24142 24143 ba26e4 75 API calls 24142->24143 24144 ba1a0c 24143->24144 24145 ba838e 75 API calls 24144->24145 24146 ba1a1c 24145->24146 24147 ba2e03 ctype 63 API calls 24146->24147 24148 ba1a29 24147->24148 24149 
ba26e4 75 API calls 24148->24149 24150 ba1a36 24149->24150 24151 ba838e 75 API calls 24150->24151 24152 ba1a46 24151->24152 24153 ba2e03 ctype 63 API calls 24152->24153 24154 ba1a53 24153->24154 24155 ba26e4 75 API calls 24154->24155 24156 ba1a60 24155->24156 24157 ba838e 75 API calls 24156->24157 24158 ba1a70 24157->24158 24159 ba2e03 ctype 63 API calls 24158->24159 24160 ba1a7d 24159->24160 24161 ba26e4 75 API calls 24160->24161 24162 ba1a8a 24161->24162 24163 ba838e 75 API calls 24162->24163 24164 ba1a9a 24163->24164 24165 ba2e03 ctype 63 API calls 24164->24165 24166 ba1aa7 24165->24166 24167 ba26e4 75 API calls 24166->24167 24168 ba1ab4 24167->24168 24169 ba838e 75 API calls 24168->24169 24170 ba1ac4 24169->24170 24171 ba2e03 ctype 63 API calls 24170->24171 24172 ba1ad1 24171->24172 24173 ba8370 115 API calls 24172->24173 24174 ba1ad9 24173->24174 24175 ba2e03 ctype 63 API calls 24174->24175 24176 ba1ae3 24175->24176 24177 bba787 ctype 5 API calls 24176->24177 24178 ba1ae8 24177->24178 24178->23853 24180 bb7fb2 24179->24180 24181 bb7fb4 IsDebuggerPresent 24179->24181 24180->23804 25615 bbfef5 24181->25615 24184 bbf06a SetUnhandledExceptionFilter UnhandledExceptionFilter 24185 bbf08f GetCurrentProcess TerminateProcess 24184->24185 24186 bbf087 __invoke_watson 24184->24186 24185->23804 24186->24185 24187->23853 24188->23862 24189->23870 24191 ba2e36 ctype 24190->24191 24193 ba2e0d 24190->24193 24191->23876 24192 ba2e2d 24195 bb80f7 ctype 63 API calls 24192->24195 24193->24191 24193->24192 25616 ba7bde 62 API calls _wmemcpy_s 24193->25616 24195->24191 24197 ba26f7 ctype 24196->24197 24217 ba2c24 24197->24217 24199 ba180a 24200 ba838e 24199->24200 24201 ba839a __EH_prolog3 24200->24201 24229 ba2ff7 24201->24229 24203 ba83a8 24204 ba26e4 75 API calls 24203->24204 24205 ba83b5 24204->24205 24206 ba2ff7 75 API calls 24205->24206 24207 ba83c5 24206->24207 24208 ba2e03 ctype 63 API calls 24207->24208 24209 ba83d1 std::_Locinfo::_Locinfo 24208->24209 24209->23970 24211 
ba8376 24210->24211 24243 ba429f 24211->24243 24213 ba18d6 24213->23999 24215 bb7faa __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 24214->24215 24216 bba791 24215->24216 24216->24216 24218 ba2c2e _wcslen 24217->24218 24219 ba2c5b 24218->24219 24220 ba2c3d 24218->24220 24227 ba2da2 75 API calls 2 library calls 24219->24227 24226 ba2736 75 API calls 3 library calls 24220->24226 24223 ba2c59 ctype 24223->24199 24224 ba2c65 24224->24223 24228 ba7bde 62 API calls _wmemcpy_s 24224->24228 24226->24223 24227->24224 24228->24223 24230 ba300a 24229->24230 24231 ba300f 24229->24231 24239 ba876c 75 API calls 4 library calls 24230->24239 24233 ba3037 24231->24233 24240 ba8734 75 API calls 3 library calls 24231->24240 24238 ba3088 ctype 24233->24238 24241 ba2da2 75 API calls 2 library calls 24233->24241 24236 ba304d 24236->24238 24242 ba7bde 62 API calls _wmemcpy_s 24236->24242 24238->24203 24241->24236 24242->24238 24245 ba42ab _wcslen __EH_prolog3_catch 24243->24245 24244 ba42ed 24248 ba430a 24244->24248 24266 ba771b 75 API calls 24244->24266 24245->24244 24265 bab4dc EnterCriticalSection std::_Lockit::_Lockit 24245->24265 24250 ba4324 24248->24250 24257 baa408 24248->24257 24261 ba7a16 24250->24261 24251 ba43ca 24254 ba43e3 std::_Locinfo::_Locinfo 24251->24254 24268 bab4e5 LeaveCriticalSection std::ios_base::_Addstd 24251->24268 24252 ba43b0 24252->24251 24267 ba77ce 75 API calls 2 library calls 24252->24267 24254->24213 24258 baa41b 24257->24258 24259 baa486 24257->24259 24258->24259 24269 baae79 24258->24269 24259->24250 24262 ba7a1e 24261->24262 24263 ba7a2f 24261->24263 24414 ba7701 75 API calls std::ios_base::_Init 24262->24414 24263->24252 24265->24244 24266->24248 24267->24251 24268->24254 24271 baae85 __EH_prolog3_GS 24269->24271 24270 baae94 24275 bba787 ctype 5 API calls 24270->24275 24271->24270 24272 baaefa 24271->24272 24273 baaee1 24271->24273 24303 ba953f 75 API calls 2 library calls 24272->24303 24300 baa5b7 24273->24300 24277 bab023 24275->24277 
24277->24258 24278 baaf0b 24304 ba923a 24278->24304 24283 ba923a ctype 6 API calls 24284 baaf32 24283->24284 24285 ba89d8 ctype 6 API calls 24284->24285 24299 baaf39 24285->24299 24286 bab00d 24288 ba8116 codecvt 63 API calls 24286->24288 24287 bab026 24287->24286 24289 bab02b 24287->24289 24288->24270 24290 baa5b7 _Fputc 100 API calls 24289->24290 24291 bab036 24290->24291 24292 ba8116 codecvt 63 API calls 24291->24292 24292->24270 24293 ba923a 6 API calls ctype 24293->24299 24294 bab056 24295 ba8116 codecvt 63 API calls 24294->24295 24295->24270 24297 ba89d8 6 API calls ctype 24297->24299 24299->24286 24299->24287 24299->24293 24299->24294 24299->24297 24314 bbb071 64 API calls 3 library calls 24299->24314 24315 ba9313 75 API calls 3 library calls 24299->24315 24316 bbb903 24300->24316 24302 baa5c7 24302->24270 24303->24278 24305 ba9245 24304->24305 24404 ba8fbd 24305->24404 24308 ba89d8 24309 ba8a0c 24308->24309 24310 ba89e4 24308->24310 24309->24283 24312 ba89ed 24310->24312 24412 bb86a2 6 API calls _fseek 24310->24412 24312->24309 24413 bb86a2 6 API calls _fseek 24312->24413 24314->24299 24315->24299 24317 bbb90f _fseek 24316->24317 24318 bbb91f 24317->24318 24319 bbb93e 24317->24319 24370 bbe7a1 62 API calls __getptd_noexit 24318->24370 24329 bbb47f 24319->24329 24322 bbb924 24371 bb867c 6 API calls 2 library calls 24322->24371 24326 bbb934 _fseek 24326->24302 24330 bbb4b3 EnterCriticalSection 24329->24330 24331 bbb491 24329->24331 24333 bbb4a9 24330->24333 24331->24330 24332 bbb499 24331->24332 24334 bc102e __lock 62 API calls 24332->24334 24335 bbb77c 24333->24335 24334->24333 24336 bbb79e 24335->24336 24337 bbb8d4 24335->24337 24373 bc1c50 24336->24373 24339 bbb890 24337->24339 24403 bc337c 96 API calls 6 library calls 24337->24403 24342 bb7faa __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 24339->24342 24344 bbb901 24342->24344 24343 bbb7d1 24343->24337 24347 bc1c50 __fileno 62 API calls 24343->24347 24372 bbb972 LeaveCriticalSection 
LeaveCriticalSection _fgetc 24344->24372 24345 bc1c50 __fileno 62 API calls 24346 bbb7b5 24345->24346 24346->24343 24349 bc1c50 __fileno 62 API calls 24346->24349 24348 bbb7f2 24347->24348 24350 bbb81a 24348->24350 24352 bc1c50 __fileno 62 API calls 24348->24352 24351 bbb7c1 24349->24351 24350->24337 24355 bc1c50 __fileno 62 API calls 24350->24355 24353 bc1c50 __fileno 62 API calls 24351->24353 24354 bbb7fe 24352->24354 24353->24343 24354->24350 24357 bc1c50 __fileno 62 API calls 24354->24357 24356 bbb83b 24355->24356 24358 bbb863 24356->24358 24360 bc1c50 __fileno 62 API calls 24356->24360 24359 bbb80a 24357->24359 24358->24337 24363 bbb877 24358->24363 24361 bc1c50 __fileno 62 API calls 24359->24361 24362 bbb847 24360->24362 24361->24350 24362->24358 24365 bc1c50 __fileno 62 API calls 24362->24365 24379 bc365c 24363->24379 24366 bbb853 24365->24366 24367 bc1c50 __fileno 62 API calls 24366->24367 24367->24358 24368 bbb889 24368->24339 24382 bc1c82 24368->24382 24370->24322 24372->24326 24374 bc1c5f 24373->24374 24378 bbb7a4 24373->24378 24375 bbe7a1 _fseek 62 API calls 24374->24375 24376 bc1c64 24375->24376 24377 bb867c _fseek 6 API calls 24376->24377 24377->24378 24378->24343 24378->24345 24380 bc34f0 __wctomb_s_l 74 API calls 24379->24380 24381 bc3674 24380->24381 24381->24368 24383 bc1c50 __fileno 62 API calls 24382->24383 24384 bc1c92 24383->24384 24385 bc1c9d 24384->24385 24386 bc1cb4 24384->24386 24387 bbe7a1 _fseek 62 API calls 24385->24387 24388 bc1cb8 24386->24388 24390 bc1cc5 __flsbuf 24386->24390 24397 bc1ca2 24387->24397 24389 bbe7a1 _fseek 62 API calls 24388->24389 24389->24397 24396 bc6e2c __flsbuf 62 API calls 24390->24396 24390->24397 24399 bc1d1b 24390->24399 24402 bc1d26 24390->24402 24391 bc1db5 24393 bc2562 __locking 96 API calls 24391->24393 24392 bc1d35 24394 bc1d4c 24392->24394 24398 bc1d69 24392->24398 24393->24397 24395 bc2562 __locking 96 API calls 24394->24395 24395->24397 24396->24399 24397->24368 24398->24397 24400 bc6d13 __lseeki64 66 
API calls 24398->24400 24401 bc1de6 __getbuf 62 API calls 24399->24401 24399->24402 24400->24397 24401->24402 24402->24391 24402->24392 24403->24339 24407 ba8dd7 24404->24407 24410 ba8dee 24407->24410 24409 ba8e1c 24409->24308 24410->24409 24411 bb86a2 6 API calls _fseek 24410->24411 24411->24409 24412->24312 24413->24309 24414->24263 24416 ba7d32 _strlen 24415->24416 24419 ba7caf 24416->24419 24418 ba13d2 24418->24021 24420 ba7cbf std::_Locinfo::_Locinfo_ctor 24419->24420 24421 ba7cc3 24420->24421 24422 ba7ce1 24420->24422 24428 ba8013 24421->24428 24441 ba7fb5 75 API calls 3 library calls 24422->24441 24425 ba7cdf std::_String_base::_Xlen 24425->24418 24426 ba7ced 24426->24425 24442 ba80cb 62 API calls codecvt 24426->24442 24429 ba802b 24428->24429 24430 ba8026 24428->24430 24432 ba8059 24429->24432 24433 ba8041 24429->24433 24443 ba876c 75 API calls 4 library calls 24430->24443 24446 ba7fb5 75 API calls 3 library calls 24432->24446 24444 ba7dac 75 API calls 3 library calls 24433->24444 24436 ba804b 24445 ba7dac 75 API calls 3 library calls 24436->24445 24438 ba8061 24440 ba8057 std::_String_base::_Xlen 24438->24440 24447 ba80cb 62 API calls codecvt 24438->24447 24440->24425 24441->24426 24442->24425 24444->24436 24445->24440 24446->24438 24447->24440 24449 ba80b6 std::_String_base::_Xlen 24448->24449 24450 ba8013 std::runtime_error::runtime_error 75 API calls 24449->24450 24451 ba80c5 24450->24451 24452 baede4 24451->24452 24453 baedf0 __EH_prolog3 24452->24453 24464 bb6365 24453->24464 24457 baee14 std::_Locinfo::_Locinfo 24457->24026 24459 baee28 __EH_prolog3 24458->24459 24460 bb6365 74 API calls 24459->24460 24461 baee3f 24460->24461 24539 baea5c 24461->24539 24463 baee4c std::_Locinfo::_Locinfo 24463->24028 24465 bb637b 24464->24465 24474 bb0e4d 24465->24474 24467 baee07 24468 baea17 24467->24468 24469 baea2e 24468->24469 24470 baea32 24468->24470 24469->24457 24471 baea40 24470->24471 24537 bb3f6f 75 API calls 3 library calls 24470->24537 24538 bacef8 74 
API calls 24471->24538 24477 ba3534 24474->24477 24476 bb0e5a ctype 24476->24467 24480 ba4598 24477->24480 24481 ba45b5 24480->24481 24482 ba45a5 24480->24482 24481->24482 24483 ba45c1 24481->24483 24490 bb819a 24482->24490 24502 bb8210 62 API calls 3 library calls 24483->24502 24487 ba45d1 24503 bba269 RaiseException 24487->24503 24489 ba45e6 24493 bb81a4 24490->24493 24492 ba353f 24492->24476 24493->24492 24495 bb81c0 std::bad_alloc::bad_alloc 24493->24495 24504 bbf91b 24493->24504 24522 bbf9f4 6 API calls __decode_pointer 24493->24522 24501 bb81e6 24495->24501 24523 bb80e0 73 API calls _AtModuleExit 24495->24523 24497 bb81f0 24525 bba269 RaiseException 24497->24525 24500 bb81fe 24524 ba7e61 62 API calls std::exception::exception 24501->24524 24502->24487 24503->24489 24505 bbf9ce 24504->24505 24514 bbf92d 24504->24514 24535 bbf9f4 6 API calls __decode_pointer 24505->24535 24507 bbf9d4 24536 bbe7a1 62 API calls __getptd_noexit 24507->24536 24512 bbf98a RtlAllocateHeap 24512->24514 24514->24512 24515 bbf93e 24514->24515 24516 bbf9ba 24514->24516 24519 bbf9bf 24514->24519 24521 bbf9c6 24514->24521 24531 bbf8cc 62 API calls 4 library calls 24514->24531 24532 bbf9f4 6 API calls __decode_pointer 24514->24532 24515->24514 24526 bc00a8 62 API calls 2 library calls 24515->24526 24527 bbfefd 62 API calls 7 library calls 24515->24527 24528 bbece6 24515->24528 24533 bbe7a1 62 API calls __getptd_noexit 24516->24533 24534 bbe7a1 62 API calls __getptd_noexit 24519->24534 24521->24493 24522->24493 24523->24501 24524->24497 24525->24500 24526->24515 24527->24515 24529 bbecbb ___crtCorExitProcess GetModuleHandleW GetProcAddress 24528->24529 24530 bbecf3 ExitProcess 24529->24530 24531->24514 24532->24514 24533->24519 24534->24521 24535->24507 24536->24521 24538->24469 24540 baea77 24539->24540 24541 baea73 24539->24541 24540->24541 24543 bb3f6f 75 API calls 3 library calls 24540->24543 24541->24463 24544->24036 24546 bba82a _fseek 24545->24546 24547 bba889 HeapFree 24546->24547 
24549 bba8b2 _fseek 24546->24549 24548 bba89c 24547->24548 24547->24549 24551 bbe7a1 62 API calls __getptd_noexit 24548->24551 24549->24033 24551->24549 24553 bb216c 24552->24553 24560 bb164f 24553->24560 24555 bb2178 24556 bb217d 24555->24556 24557 bb218c 24556->24557 24603 bb168d 24557->24603 24559 bb2198 24559->24042 24561 bb165b __EH_prolog3 24560->24561 24566 bb151d 24561->24566 24565 bb1683 std::_Locinfo::_Locinfo 24565->24555 24567 bb1533 24566->24567 24573 bb1371 24567->24573 24570 bb10e9 24585 bb0f12 24570->24585 24572 bb10f1 24572->24565 24574 bb1387 24573->24574 24577 bb12d1 24574->24577 24578 bb12e7 24577->24578 24581 bb100a 24578->24581 24582 bb1020 24581->24582 24583 bb0e4d 74 API calls 24582->24583 24584 bb1027 24583->24584 24584->24570 24588 bb0e2b 24585->24588 24587 bb0f24 24587->24572 24591 bb0bd6 24588->24591 24592 bb0be3 24591->24592 24593 bb0bf1 24591->24593 24595 bb819a std::ios_base::_Init 74 API calls 24592->24595 24593->24592 24594 bb0bfd 24593->24594 24601 ba7e1b 62 API calls std::exception::exception 24594->24601 24597 bb0bee 24595->24597 24597->24587 24598 bb0c07 24602 bba269 RaiseException 24598->24602 24600 bb0c15 24601->24598 24602->24600 24604 bb1699 __EH_prolog3 24603->24604 24609 bb1544 24604->24609 24608 bb16c1 std::_Locinfo::_Locinfo 24608->24559 24610 bb155a 24609->24610 24616 bb1398 24610->24616 24613 bb1292 24631 bb0f88 24613->24631 24615 bb129a 24615->24608 24617 bb13ae 24616->24617 24620 bb12fc 24617->24620 24621 bb1312 24620->24621 24624 bb102e 24621->24624 24625 bb1044 24624->24625 24628 ba5d81 24625->24628 24629 ba4598 ctype 74 API calls 24628->24629 24630 ba5d8d 24629->24630 24630->24613 24634 bb0cdb 24631->24634 24633 bb0f9a 24633->24615 24637 bb0b96 24634->24637 24638 bb0ba3 24637->24638 24639 bb0bb1 24637->24639 24641 bb819a std::ios_base::_Init 74 API calls 24638->24641 24639->24638 24640 bb0bbd 24639->24640 24647 ba7e1b 62 API calls std::exception::exception 24640->24647 24643 bb0bae 24641->24643 24643->24633 24644 
bb0bc7 24648 bba269 RaiseException 24644->24648 24646 bb0bd5 24647->24644 24648->24646 24659 bacfae 24649->24659 24651 bad586 __init_pointers 24651->24052 24653 bafc7c __EH_prolog3 24652->24653 24663 baf661 24653->24663 24655 bafc8e 24669 baf458 24655->24669 24657 bafc9e std::_Locinfo::_Locinfo ctype 24657->24057 24658->24055 24660 bacfba __EH_prolog3_catch 24659->24660 24661 bb819a std::ios_base::_Init 74 API calls 24660->24661 24662 bacfca std::_Locinfo::_Locinfo 24661->24662 24662->24651 24664 baf670 24663->24664 24665 baf67f 24664->24665 24675 bad8b3 6 API calls 24664->24675 24665->24655 24667 baf69a 24676 baf4aa 75 API calls 24667->24676 24670 baf467 24669->24670 24673 baf476 24670->24673 24677 bad8b3 6 API calls 24670->24677 24672 baf491 24678 baee54 75 API calls 24672->24678 24673->24657 24675->24667 24676->24665 24677->24672 24678->24673 24679->24062 24722 ba5151 24680->24722 24682 ba4a88 24730 ba51b1 24682->24730 24684 ba4a99 24740 bb4832 24684->24740 24686 ba4aaa 24746 ba2e5b 24686->24746 24689 bb80f7 ctype 63 API calls 24690 ba4abc 24689->24690 24752 ba4d8f 24690->24752 24693 bb80f7 ctype 63 API calls 24694 ba4acf 24693->24694 24694->24071 24696 bb424b 24695->24696 24802 bb407c 24696->24802 24698 bb4256 24698->24073 24812 ba4db9 24699->24812 24701 ba4b21 24816 bb5c1a 24701->24816 24703 ba4b36 24884 ba4c81 24703->24884 24708 bb80f7 ctype 63 API calls 24709 ba4b5c 24708->24709 24911 bb6fb4 24709->24911 24711 ba4b6a 24712 ba2f19 63 API calls 24711->24712 24713 ba4b73 24712->24713 24714 bb80f7 ctype 63 API calls 24713->24714 24715 ba413a 24714->24715 24716 ba469a 24715->24716 24717 ba46a6 __EH_prolog3 24716->24717 24718 ba2e5b ctype 63 API calls 24717->24718 24719 ba46cb 24718->24719 24720 bb80f7 ctype 63 API calls 24719->24720 24721 ba46d2 std::_Locinfo::_Locinfo 24720->24721 24721->24077 24723 ba515d __EH_prolog3 24722->24723 24758 ba56f5 24723->24758 24725 ba51a8 std::_Locinfo::_Locinfo 24725->24682 24726 ba26e4 75 API calls 24727 ba516f 24726->24727 
24727->24725 24727->24726 24729 ba2e03 ctype 63 API calls 24727->24729 24762 ba569a 75 API calls ctype 24727->24762 24729->24727 24731 ba51bd __EH_prolog3 24730->24731 24732 ba56f5 74 API calls 24731->24732 24733 ba51cd 24732->24733 24734 ba5238 std::_Locinfo::_Locinfo 24733->24734 24739 ba51f5 24733->24739 24766 bb86a2 6 API calls _fseek 24733->24766 24734->24684 24738 ba8116 codecvt 63 API calls 24738->24739 24739->24734 24739->24738 24767 bb7c03 75 API calls 24739->24767 24768 ba5722 75 API calls ctype 24739->24768 24741 bb483e __EH_prolog3 24740->24741 24742 ba56f5 74 API calls 24741->24742 24743 bb4848 ctype 24742->24743 24769 bb474d 24743->24769 24745 bb486a std::_Locinfo::_Locinfo 24745->24686 24747 ba2e65 24746->24747 24751 ba2e76 24746->24751 24800 ba3245 63 API calls ctype 24747->24800 24749 ba2e6e 24750 bb80f7 ctype 63 API calls 24749->24750 24750->24751 24751->24689 24753 ba4d99 24752->24753 24757 ba4ac6 24752->24757 24801 ba4e80 63 API calls 24753->24801 24755 ba4da2 24756 bb80f7 ctype 63 API calls 24755->24756 24756->24757 24757->24693 24759 ba5701 __EH_prolog3 24758->24759 24763 ba5a2b 24759->24763 24761 ba570f std::_Locinfo::_Locinfo 24761->24727 24762->24727 24764 ba5d81 ctype 74 API calls 24763->24764 24765 ba5a3e 24764->24765 24765->24761 24766->24739 24767->24739 24768->24739 24772 ba68f4 24769->24772 24773 ba6907 24772->24773 24778 ba6923 24772->24778 24774 ba6928 24773->24774 24775 ba691c 24773->24775 24777 ba693d 24774->24777 24780 ba696b 24774->24780 24793 ba6a98 75 API calls ctype 24775->24793 24794 ba6d2a 75 API calls 24777->24794 24778->24745 24782 ba6977 24780->24782 24783 ba6995 24780->24783 24781 ba6949 24795 ba3245 63 API calls ctype 24781->24795 24796 ba6d2a 75 API calls 24782->24796 24786 ba69af 24783->24786 24797 ba3245 63 API calls ctype 24783->24797 24798 ba59c0 75 API calls 2 library calls 24786->24798 24789 ba69a7 24791 bb80f7 ctype 63 API calls 24789->24791 24790 ba6989 24790->24778 24799 ba6d52 75 API calls ctype 24790->24799 
24791->24786 24793->24778 24794->24781 24795->24778 24796->24790 24797->24789 24798->24790 24799->24778 24800->24749 24801->24755 24803 bb4088 __EH_prolog3 24802->24803 24804 ba7d43 std::_String_base::_Xlen 75 API calls 24803->24804 24805 bb40e7 std::_Locinfo::_Locinfo 24803->24805 24806 bb40c9 24804->24806 24805->24698 24810 bb3f31 75 API calls 24806->24810 24808 bb40d9 24811 bba269 RaiseException 24808->24811 24810->24808 24811->24805 24813 ba4dc5 __EH_prolog3 24812->24813 24814 ba5a2b ctype 74 API calls 24813->24814 24815 ba4dd3 std::_Locinfo::_Locinfo 24814->24815 24815->24701 24817 bb5c3b __EH_prolog3 24816->24817 24922 bb425e 75 API calls 2 library calls 24817->24922 24819 bb5c53 24821 bb5c71 24819->24821 24923 bb46d4 75 API calls 24819->24923 24822 bb5cb5 ctype 24821->24822 24924 bb46d4 75 API calls 24821->24924 24823 bb5cff ctype 24822->24823 24925 bb46d4 75 API calls 24822->24925 24828 bb5d4c ctype 24823->24828 24926 bb46d4 75 API calls 24823->24926 24826 bb5dea ctype 24929 bb46d4 75 API calls 24826->24929 24831 bb5d9b ctype 24828->24831 24927 bb46d4 75 API calls 24828->24927 24831->24826 24928 bb46d4 75 API calls 24831->24928 24832 bb5e2e ctype 24834 ba4db9 74 API calls 24832->24834 24879 bb5e42 24834->24879 24835 bb5fbc 24836 ba4db9 74 API calls 24835->24836 24874 bb5fc7 ctype 24836->24874 24838 bb6128 24941 bb51cd 75 API calls 2 library calls 24838->24941 24840 bb327f 6 API calls 24840->24874 24844 ba5722 75 API calls 24844->24879 24845 bb2586 6 API calls 24845->24879 24847 bb61d2 24945 ba29ee 63 API calls ctype 24847->24945 24849 bb61e1 24946 bb432b 63 API calls 2 library calls 24849->24946 24850 ba56f5 74 API calls 24850->24879 24852 bb517b 75 API calls 24852->24879 24854 bb61ed 24856 bb7faa __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 24854->24856 24860 bb6207 24856->24860 24857 ba29ee 63 API calls 24857->24879 24859 bb327f 6 API calls 24861 bb6136 24859->24861 24860->24703 24861->24859 24870 bb6176 24861->24870 24864 bb327f 6 API calls 

              Control-flow Graph

              APIs
              • __EH_prolog3_catch.LIBCMT ref: 00BA1350
                • Part of subcall function 00BA17DB: __EH_prolog3_GS.LIBCMT ref: 00BA17E2
                • Part of subcall function 00BA18E6: __EH_prolog3_GS.LIBCMT ref: 00BA18ED
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: H_prolog3_$H_prolog3_catch
              • String ID: Delete the cached roaming profile from the specified workstation.$Delete the central roaming profile from the network.$Options$This help message.$Username in 'user' or 'domain\user' format.$Workstation name in NETBIOS or FQDN format.$help$help,h$local$local,l$network$network,n$user$user,u$workstation$workstation,w
              • API String ID: 756925408-3822090977
              • Opcode ID: 241691663c8fa0a05cb40b551285c00121f1ff7cc897c4064640a192b6ffe130
              • Instruction ID: de74d1a2542977e0982b7d2c0a328e2ea106d96bb046fd0a26c136b9343a1848
              • Opcode Fuzzy Hash: 241691663c8fa0a05cb40b551285c00121f1ff7cc897c4064640a192b6ffe130
              • Instruction Fuzzy Hash: 6BA1A271D48288AEDB15EBA8CC52FEE7BF89F16300F1040D9F549A7192DB705B49CBA1

              Control-flow Graph

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: FputcH_prolog3_
              • String ID:
              • API String ID: 4013897487-3916222277
              • Opcode ID: 27f62b66f4b889290ed3bb9bb6f72dc6c3cf31a7e7b9722d3a0d5537185b4598
              • Instruction ID: 3dafcd733f7a709e25e40d34cfbe553f0b3ed2059ce95654c260a8ef33ece4fa
              • Opcode Fuzzy Hash: 27f62b66f4b889290ed3bb9bb6f72dc6c3cf31a7e7b9722d3a0d5537185b4598
              • Instruction Fuzzy Hash: DC5196329042049FCF25EBA4D891DEFB3F5EF5A300F5084AAF512A7581EF70A945DB61

              Control-flow Graph

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: Fputc$H_prolog3_
              • String ID:
              • API String ID: 2569218679-3916222277
              • Opcode ID: ed640bd50ebc7c88e887b76f1f2fd8bdebbd9d7d5f073e58900269c6e6ede340
              • Instruction ID: b4a6c32a7161b67ff74d9232a91ff074f5918f5cec78b292ebcee346065017b3
              • Opcode Fuzzy Hash: ed640bd50ebc7c88e887b76f1f2fd8bdebbd9d7d5f073e58900269c6e6ede340
              • Instruction Fuzzy Hash: 2351A3329082049FCF15DFA4C891DEEB7F5EF5B710F1085AAE112A7281EF70A844DB61

              Control-flow Graph

              APIs
              • _malloc.LIBCMT ref: 00BB81B4
                • Part of subcall function 00BBF91B: __FF_MSGBANNER.LIBCMT ref: 00BBF93E
                • Part of subcall function 00BBF91B: __NMSG_WRITE.LIBCMT ref: 00BBF945
                • Part of subcall function 00BBF91B: RtlAllocateHeap.NTDLL(00000000,58928523,00000001,00000000,00000000,?,00BBD3F3,58928532,00000001,58928532,?,00BC0FB8,00000018,00BD2610,0000000C,00BC1049), ref: 00BBF992
              • std::bad_alloc::bad_alloc.LIBCMT ref: 00BB81D7
                • Part of subcall function 00BB817F: std::exception::exception.LIBCMT ref: 00BB818B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: AllocateHeap_mallocstd::bad_alloc::bad_allocstd::exception::exception
              • String ID: Pk
              • API String ID: 3447465555-574118001
              • Opcode ID: ce9ab568fcbca4f5be71cf109b1448fadf83bea065ab212413b2bb282c95de93
              • Instruction ID: 3a2764966a80637903da9fc25f0dce6df4c6fe434160f1b87439c0767ed88417
              • Opcode Fuzzy Hash: ce9ab568fcbca4f5be71cf109b1448fadf83bea065ab212413b2bb282c95de93
              • Instruction Fuzzy Hash: 7DF05E3190620563DB047769EC07AFD77ECCB04B64B1400E9A804661A1EEE0DA46C151

              Control-flow Graph

              APIs
              Strings
              • Only one tab per paragraph is allowed, xrefs: 00BB02F2
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: H_prolog3
              • String ID: Only one tab per paragraph is allowed
              • API String ID: 431132790-829416125
              • Opcode ID: 80b3b2fd140a6e4e53a11a3f97b87f6b951f518cbc1870eed2821e8c5f0b772c
              • Instruction ID: 910e74f35abbac2984f24375a57e8917d1c5c4afba5862e33a973a14295649d7
              • Opcode Fuzzy Hash: 80b3b2fd140a6e4e53a11a3f97b87f6b951f518cbc1870eed2821e8c5f0b772c
              • Instruction Fuzzy Hash: 1DA13B72504248AFCF15EFA4C895AEE3BE5FF19350F44019AF906A72A2EB71D944CB90

              Control-flow Graph

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: H_prolog3_catch_wcslen
              • String ID:
              • API String ID: 1260878687-0

              Similarity
              • API ID: H_prolog3_catch_strlen
              • String ID:
              • API String ID: 3133806014-0

              APIs
              • ___crtCorExitProcess.LIBCMT ref: 00BBECEE
                • Part of subcall function 00BBECBB: GetModuleHandleW.KERNEL32(mscoree.dll,?,00BBECF3,58928532,?,00BBF954,000000FF,0000001E,?,00BBD3F3,58928532,00000001,58928532,?,00BC0FB8,00000018), ref: 00BBECC5
                • Part of subcall function 00BBECBB: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BBECD5
              • ExitProcess.KERNEL32 ref: 00BBECF7
              Similarity
              • API ID: ExitProcess$AddressHandleModuleProc___crt
              • String ID:
              • API String ID: 2427264223-0

              APIs
              • __EH_prolog3.LIBCMT ref: 00BB07E7
                • Part of subcall function 00BAF7D4: __EH_prolog3_catch.LIBCMT ref: 00BAF7DB
                • Part of subcall function 00BA4161: __EH_prolog3_catch.LIBCMT ref: 00BA4168
                • Part of subcall function 00BA4161: _strlen.LIBCMT ref: 00BA4175
                • Part of subcall function 00BB06B8: __EH_prolog3.LIBCMT ref: 00BB06C2
              Similarity
              • API ID: H_prolog3H_prolog3_catch$_strlen
              • String ID:
              • API String ID: 2084972985-0

              APIs
              • __EH_prolog3.LIBCMT ref: 00BB06C2
                • Part of subcall function 00BAFE3B: __EH_prolog3.LIBCMT ref: 00BAFE42
                • Part of subcall function 00BAE8BD: __EH_prolog3.LIBCMT ref: 00BAE8C4
                • Part of subcall function 00BA4161: __EH_prolog3_catch.LIBCMT ref: 00BA4168
                • Part of subcall function 00BA4161: _strlen.LIBCMT ref: 00BA4175
                • Part of subcall function 00BAF7D4: __EH_prolog3_catch.LIBCMT ref: 00BAF7DB
                • Part of subcall function 00BAF9B7: __EH_prolog3_catch.LIBCMT ref: 00BAF9BE
                • Part of subcall function 00BAFCB2: __EH_prolog3_catch.LIBCMT ref: 00BAFCB9
              Similarity
              • API ID: H_prolog3_catch$H_prolog3$_strlen
              • String ID:
              • API String ID: 392102239-0

              APIs
              • __EH_prolog3.LIBCMT ref: 00BB000F
                • Part of subcall function 00BB819A: _malloc.LIBCMT ref: 00BB81B4
                • Part of subcall function 00BB819A: std::bad_alloc::bad_alloc.LIBCMT ref: 00BB81D7
              Similarity
              • API ID: H_prolog3_mallocstd::bad_alloc::bad_alloc
              • String ID:
              • API String ID: 3856819035-0

              APIs
              • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00BC0C37
              Similarity
              • API ID: CreateHeap
              • String ID:
              • API String ID: 10892065-0

              APIs
              • _doexit.LIBCMT ref: 00BBEF0E
                • Part of subcall function 00BBEDD6: __lock.LIBCMT ref: 00BBEDE4
                • Part of subcall function 00BBEDD6: __decode_pointer.LIBCMT ref: 00BBEE1B
                • Part of subcall function 00BBEDD6: __decode_pointer.LIBCMT ref: 00BBEE30
                • Part of subcall function 00BBEDD6: __decode_pointer.LIBCMT ref: 00BBEE5A
                • Part of subcall function 00BBEDD6: __decode_pointer.LIBCMT ref: 00BBEE70
                • Part of subcall function 00BBEDD6: __decode_pointer.LIBCMT ref: 00BBEE7D
                • Part of subcall function 00BBEDD6: __initterm.LIBCMT ref: 00BBEEAC
                • Part of subcall function 00BBEDD6: __initterm.LIBCMT ref: 00BBEEBC
              Similarity
              • API ID: __decode_pointer$__initterm$__lock_doexit
              • String ID:
              • API String ID: 1597249276-0
              Similarity
              • API ID: ___getlocaleinfo
              • String ID:
              • API String ID: 1937885557-0
              APIs
                • Part of subcall function 00BA4161: __EH_prolog3_catch.LIBCMT ref: 00BA4168
                • Part of subcall function 00BA4161: _strlen.LIBCMT ref: 00BA4175
              • RegConnectRegistryW.ADVAPI32(?,80000002,00000000), ref: 00BA1BFB
                • Part of subcall function 00BA2228: __EH_prolog3.LIBCMT ref: 00BA222F
                • Part of subcall function 00BA2228: RegOpenKeyExW.ADVAPI32(?,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,?,00000024,00BA1C5F,00000000,?,00000000,00000000), ref: 00BA2248
              • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00BA1C69
                • Part of subcall function 00BA2E03: char_traits.LIBCPMT ref: 00BA2E28
              • RegCloseKey.ADVAPI32(?,?,?,?,58928532), ref: 00BA1D1E
              • RegCloseKey.ADVAPI32(?,?,?,?,58928532), ref: 00BA1ED1
              Strings
              • ERROR: Unable to delete user's ProfileGuid entry from remote registry., xrefs: 00BA1E60
              • ..., xrefs: 00BA1E8A, 00BA1EFF
              • WARNING: Unable to completely delete folder. Check access rights and manually delete., xrefs: 00BA1EBA, 00BA1F2F
              • Deleting user profile registry entries..., xrefs: 00BA1DE1
              • ERROR: Unable to delete user's ProfileList entry from remote registry., xrefs: 00BA1E16
              • Deleting , xrefs: 00BA1DD1, 00BA1E92, 00BA1F07
              • Querying remote registry..., xrefs: 00BA1BD1
              • ERROR: Unable to connect to remote registry., xrefs: 00BA1C05
              • Querying Active Directory..., xrefs: 00BA1B33
              Similarity
              • API ID: Close$ConnectH_prolog3H_prolog3_catchOpenRegistry_strlenchar_traits
              • String ID: Deleting $Deleting user profile registry entries...$Querying remote registry...$ ...$ERROR: Unable to connect to remote registry.$ERROR: Unable to delete user's ProfileGuid entry from remote registry.$ERROR: Unable to delete user's ProfileList entry from remote registry.$Querying Active Directory...$WARNING: Unable to completely delete folder. Check access rights and manually delete.
              • API String ID: 3494896214-1452430164
              APIs
              • LookupAccountNameW.ADVAPI32(00000000,00000004,00000000,58928532,00000000,?,00000000), ref: 00BA2090
              • GetLastError.KERNEL32 ref: 00BA209A
              • LookupAccountNameW.ADVAPI32(00000000,00000004,00000000,?,00000000,?,?), ref: 00BA20E9
              • IsValidSid.ADVAPI32(00000000), ref: 00BA20F5
              • ConvertSidToStringSidW.ADVAPI32(00000000,00000000), ref: 00BA211D
                • Part of subcall function 00BA2C24: _wcslen.LIBCMT ref: 00BA2C29
              • LocalFree.KERNEL32(00000000), ref: 00BA2141
              Similarity
              • API ID: AccountLookupName$ConvertErrorFreeLastLocalStringValid_wcslen
              • String ID:
              • API String ID: 1389766527-0
              APIs
              • IsDebuggerPresent.KERNEL32 ref: 00BBF058
              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00BBF06D
              • UnhandledExceptionFilter.KERNEL32(00BCB520), ref: 00BBF078
              • GetCurrentProcess.KERNEL32(C0000409), ref: 00BBF094
              • TerminateProcess.KERNEL32(00000000), ref: 00BBF09B
              Similarity
              • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
              • String ID:
              • API String ID: 2579439406-0
              APIs
              • GetVersionExW.KERNEL32(?), ref: 00BA81C6
              Similarity
              • API ID: Version
              • String ID:
              • API String ID: 1889659487-0
              APIs
              • SetUnhandledExceptionFilter.KERNEL32(Function_00020498), ref: 00BC04DF
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              APIs
              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,00BD24E0,0000000C,00BBF345,00000000,00000000,?,00BA7D3F,?,00000000,?,00BA7D5F,58928532,00000000,?), ref: 00BBF21C
              • __crt_waiting_on_module_handle.LIBCMT ref: 00BBF227
                • Part of subcall function 00BBEC62: Sleep.KERNEL32(000003E8,00000000,?,00BBF16D,KERNEL32.DLL,?,00BBF1B9,?,00BA7D3F,?,00000000,?,00BA7D5F,58928532,00000000,?), ref: 00BBEC6E
                • Part of subcall function 00BBEC62: GetModuleHandleW.KERNEL32(58928532,?,00BBF16D,KERNEL32.DLL,?,00BBF1B9,?,00BA7D3F,?,00000000,?,00BA7D5F,58928532,00000000,?), ref: 00BBEC77
              • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00BBF250
              • GetProcAddress.KERNEL32(?,DecodePointer), ref: 00BBF260
              • __lock.LIBCMT ref: 00BBF282
              • InterlockedIncrement.KERNEL32(?), ref: 00BBF28F
              • __lock.LIBCMT ref: 00BBF2A3
              • ___addlocaleref.LIBCMT ref: 00BBF2C1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
              • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
              • API String ID: 1028249917-2843748187
              • Opcode ID: d3ce16b40d9ba5fa1983b2fc2b86ccffe145b117c63e61149ffdf20a34b5d5ed
              • Instruction ID: fe7e2c19685231c9bb740618a56fcd51d1a5f19d42c4174def0e5d08919e6fd2
              • Opcode Fuzzy Hash: d3ce16b40d9ba5fa1983b2fc2b86ccffe145b117c63e61149ffdf20a34b5d5ed
              • Instruction Fuzzy Hash: EC119D75940B469FD7209F799C02FAEBBE0EF14315F1045AEF499A32A1DBB49A40CB11
              APIs
              • ____lc_handle_func.LIBCMT ref: 00BAC04A
              • ____lc_codepage_func.LIBCMT ref: 00BAC052
              • __GetLocaleForCP.LIBCPMT ref: 00BAC07B
              • ____mb_cur_max_l_func.LIBCMT ref: 00BAC091
              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000002,00000000,00000000,?,?,?,?,00BAA0BC,?,00000000,00000001,00000000), ref: 00BAC0B0
              • ____mb_cur_max_l_func.LIBCMT ref: 00BAC0BE
              • ___pctype_func.LIBCMT ref: 00BAC0E3
              • ____mb_cur_max_l_func.LIBCMT ref: 00BAC109
              • ____mb_cur_max_l_func.LIBCMT ref: 00BAC121
              • ____mb_cur_max_l_func.LIBCMT ref: 00BAC139
              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,00000000,?,?,?,?,00BAA0BC,?,00000000,00000001,00000000), ref: 00BAC146
              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,00000000,00000000,?,?,?,?,00BAA0BC,?,00000000,00000001,00000000), ref: 00BAC177
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: ____mb_cur_max_l_func$ByteCharMultiWide$Locale____lc_codepage_func____lc_handle_func___pctype_func
              • String ID:
              • API String ID: 3819326198-0
              • Opcode ID: cae3d0126c229c31399daf19e3bb3fd348bd09e9b660a1fd55f6e6d6b630c1fd
              • Instruction ID: 398f4239339fccedfe2202186e0926a17581603f3cf1a78ae70f76635e5d8629
              • Opcode Fuzzy Hash: cae3d0126c229c31399daf19e3bb3fd348bd09e9b660a1fd55f6e6d6b630c1fd
              • Instruction Fuzzy Hash: A0419F31208245EFDB305F259C85B7A3FE5EF02361F2485A9F8659A192EBB4CC90EB50
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: _wcslen$BuffCharH_prolog3_Upper
              • String ID: ProfileImagePath:$%SYSTEMDRIVE%$%SYSTEMROOT%$ERROR: Unable to expand ProfileImagePath.
              • API String ID: 3525394599-2089877940
              • Opcode ID: b97c37840e48a8bf59cff6c754646490ffdfe0e23b57ee304a3d191010b9b203
              • Instruction ID: eff004382da29b6173f15b5a9fcea460a36d8b4f08ad0dffae3df2ef67216964
              • Opcode Fuzzy Hash: b97c37840e48a8bf59cff6c754646490ffdfe0e23b57ee304a3d191010b9b203
              • Instruction Fuzzy Hash: F2519471A08204BEDB14BB6CCC92EBD77F8EF56320F1002A9F415B72D2EEA05E458761
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00BA22BD
                • Part of subcall function 00BA2C24: _wcslen.LIBCMT ref: 00BA2C29
                • Part of subcall function 00BA2FF7: std::_String_base::_Xlen.LIBCPMT ref: 00BA3032
                • Part of subcall function 00BA2FF7: char_traits.LIBCPMT ref: 00BA3083
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,00000000,000000FF,0000006C,00BA1D11,?,?,?,?,00000000,00000000,00000000), ref: 00BA2310
                • Part of subcall function 00BA83D9: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,00000000,00000007,?,?,?,00BA2283,?,?,SystemRoot), ref: 00BA8410
                • Part of subcall function 00BA83D9: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,?,00BA2283,?,?,SystemRoot), ref: 00BA8449
                • Part of subcall function 00BA2E03: char_traits.LIBCPMT ref: 00BA2E28
              • RegCloseKey.ADVAPI32(?,00000001,00000000,CentralProfile,00000001,00000000,Guid,00000000,00000001,00000000,ProfileImagePath,?,00000000,00020019,?,00000000), ref: 00BA2483
                • Part of subcall function 00BA4454: __EH_prolog3.LIBCMT ref: 00BA445B
              Strings
              • Guid, xrefs: 00BA236F
              • ProfileGuid:, xrefs: 00BA23E6
              • CentralProfile:, xrefs: 00BA245D
              • ProfileImagePath, xrefs: 00BA2332
              • SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\, xrefs: 00BA22DC
              • ERROR: User does not have a registry-based profile on specified workstation., xrefs: 00BA231A
              • CentralProfile, xrefs: 00BA2413
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: QueryValuechar_traits$CloseH_prolog3H_prolog3_OpenString_base::_Xlen_wcslenstd::_
              • String ID: CentralProfile:$ ProfileGuid:$CentralProfile$ERROR: User does not have a registry-based profile on specified workstation.$Guid$ProfileImagePath$SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\
              • API String ID: 119362826-279320193
              • Opcode ID: 153edc3b05bfaeff1892b6d0548563761a7f3d7d00dfcd7871b046d251466097
              • Instruction ID: 2268d945d544a57502ea189dc061bb61b98dde08ad5842d220a73b0f2d76de82
              • Opcode Fuzzy Hash: 153edc3b05bfaeff1892b6d0548563761a7f3d7d00dfcd7871b046d251466097
              • Instruction Fuzzy Hash: 46517371D08208BFDF14EBA8DC86DDEBBF8EF56710B1444AAF415B7252EA706A04C760
              APIs
              • __EH_prolog3.LIBCMT ref: 00BAB2A9
              • std::_Lockit::_Lockit.LIBCPMT ref: 00BAB2B3
              • int.LIBCPMT ref: 00BAB2CA
                • Part of subcall function 00BA87E3: std::_Lockit::_Lockit.LIBCPMT ref: 00BA87F6
              • std::locale::_Getfacet.LIBCPMT ref: 00BAB2D3
              • codecvt.LIBCPMT ref: 00BAB2ED
              • std::bad_exception::bad_exception.LIBCMT ref: 00BAB301
              • __CxxThrowException@8.LIBCMT ref: 00BAB30F
              • std::locale::facet::_Incref.LIBCPMT ref: 00BAB31F
              • std::locale::facet::facet_Register.LIBCPMT ref: 00BAB325
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: LockitLockit::_std::_$Exception@8GetfacetH_prolog3IncrefRegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::_std::locale::facet::_std::locale::facet::facet_
              • String ID: bad cast
              • API String ID: 577375395-3145022300
              • Opcode ID: d64392833cbf819afa34d1acec0858069b39cee77950f9a630743ade98b98b2c
              • Instruction ID: e08ca208024eec6b6e881ef0571ae5b172c5b6a3e0d8bd4b803d211cf3a15d9d
              • Opcode Fuzzy Hash: d64392833cbf819afa34d1acec0858069b39cee77950f9a630743ade98b98b2c
              • Instruction Fuzzy Hash: C301843190921597CF01FBA4C852EFDB3F5AF55B21F640599F0206B2D2DF7499018795
              APIs
              • __EH_prolog3.LIBCMT ref: 00BAB20C
              • std::_Lockit::_Lockit.LIBCPMT ref: 00BAB216
              • int.LIBCPMT ref: 00BAB22D
                • Part of subcall function 00BA87E3: std::_Lockit::_Lockit.LIBCPMT ref: 00BA87F6
              • std::locale::_Getfacet.LIBCPMT ref: 00BAB236
              • ctype.LIBCPMT ref: 00BAB250
              • std::bad_exception::bad_exception.LIBCMT ref: 00BAB264
              • __CxxThrowException@8.LIBCMT ref: 00BAB272
              • std::locale::facet::_Incref.LIBCPMT ref: 00BAB282
              • std::locale::facet::facet_Register.LIBCPMT ref: 00BAB288
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: LockitLockit::_std::_$Exception@8GetfacetH_prolog3IncrefRegisterThrowctypestd::bad_exception::bad_exceptionstd::locale::_std::locale::facet::_std::locale::facet::facet_
              • String ID: bad cast
              • API String ID: 2535038987-3145022300
              • Opcode ID: 3cc47ac11eb0d6519c960e1417cb0f6be1b0db1fd32f0efa6370ae9911481c17
              • Instruction ID: c20a79aa812828eca8e8b0187cbf6f40df0e536492502e2d82ce475d8dd3d5aa
              • Opcode Fuzzy Hash: 3cc47ac11eb0d6519c960e1417cb0f6be1b0db1fd32f0efa6370ae9911481c17
              • Instruction Fuzzy Hash: DA0184319092199BCB05FBA4C952FFDB3F5AF41B20F6402DAF0206B2E2DF7499018755
              APIs
              • __EH_prolog3.LIBCMT ref: 00BA9AA2
              • std::_Lockit::_Lockit.LIBCPMT ref: 00BA9AAC
              • int.LIBCPMT ref: 00BA9AC3
                • Part of subcall function 00BA87E3: std::_Lockit::_Lockit.LIBCPMT ref: 00BA87F6
              • std::locale::_Getfacet.LIBCPMT ref: 00BA9ACC
              • ctype.LIBCPMT ref: 00BA9AE6
              • std::bad_exception::bad_exception.LIBCMT ref: 00BA9AFA
              • __CxxThrowException@8.LIBCMT ref: 00BA9B08
              • std::locale::facet::_Incref.LIBCPMT ref: 00BA9B18
              • std::locale::facet::facet_Register.LIBCPMT ref: 00BA9B1E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: LockitLockit::_std::_$Exception@8GetfacetH_prolog3IncrefRegisterThrowctypestd::bad_exception::bad_exceptionstd::locale::_std::locale::facet::_std::locale::facet::facet_
              • String ID: bad cast
              • API String ID: 2535038987-3145022300
              • Opcode ID: b2ce028b74b7efa5f1784e5d810629c4f7ea00b397795dea75330ad6dedfe580
              • Instruction ID: 6d938417d9fb44301e17489a550db40548ef504d55b8726c5e3fc8284dce4dc0
              • Opcode Fuzzy Hash: b2ce028b74b7efa5f1784e5d810629c4f7ea00b397795dea75330ad6dedfe580
              • Instruction Fuzzy Hash: ED01843190921A97CF05EBA4D852EFDB3F6EF55720F640199F0106B2E2DF749902D7A1
              APIs
              • __EH_prolog3.LIBCMT ref: 00BA9CC1
              • std::_Lockit::_Lockit.LIBCPMT ref: 00BA9CCB
              • int.LIBCPMT ref: 00BA9CE2
                • Part of subcall function 00BA87E3: std::_Lockit::_Lockit.LIBCPMT ref: 00BA87F6
              • std::locale::_Getfacet.LIBCPMT ref: 00BA9CEB
              • codecvt.LIBCPMT ref: 00BA9D05
              • std::bad_exception::bad_exception.LIBCMT ref: 00BA9D19
              • __CxxThrowException@8.LIBCMT ref: 00BA9D27
              • std::locale::facet::_Incref.LIBCPMT ref: 00BA9D37
              • std::locale::facet::facet_Register.LIBCPMT ref: 00BA9D3D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: LockitLockit::_std::_$Exception@8GetfacetH_prolog3IncrefRegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::_std::locale::facet::_std::locale::facet::facet_
              • String ID: bad cast
              • API String ID: 577375395-3145022300
              • Opcode ID: 779f5a10d9d5952402b5425842e269f35313b858a24c8f72375b67b968fc8670
              • Instruction ID: 1590c45d604736ab6e9c49130723f055a30d938bd3912df7a2fbe54836dd0f56
              • Opcode Fuzzy Hash: 779f5a10d9d5952402b5425842e269f35313b858a24c8f72375b67b968fc8670
              • Instruction Fuzzy Hash: 10018431908219ABCF01EBA4C852AFEB3F5AF51720F640199F0106B2E1DF749A019751
              APIs
              • __calloc_crt.LIBCMT ref: 00BBE513
                • Part of subcall function 00BBD427: __calloc_impl.LIBCMT ref: 00BBD438
                • Part of subcall function 00BBD427: Sleep.KERNEL32(00000000), ref: 00BBD44F
              • __calloc_crt.LIBCMT ref: 00BBE537
              • __calloc_crt.LIBCMT ref: 00BBE553
              • __copytlocinfo_nolock.LIBCMT ref: 00BBE578
              • __setlocale_nolock.LIBCMT ref: 00BBE585
              • ___removelocaleref.LIBCMT ref: 00BBE591
              • ___freetlocinfo.LIBCMT ref: 00BBE598
              • __setmbcp_nolock.LIBCMT ref: 00BBE5B0
              • ___removelocaleref.LIBCMT ref: 00BBE5C5
              • ___freetlocinfo.LIBCMT ref: 00BBE5CC
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: __calloc_crt$___freetlocinfo___removelocaleref$Sleep__calloc_impl__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
              • String ID:
              • API String ID: 2969281212-0
              • Opcode ID: 89990863f7819698b6000f2202cdba6e491c47b35ecda616b19f78a51d6e4533
              • Instruction ID: 7a3e8247f84d5f5cfec3f8c892c9ab365938aad412ceb60d0c3e543fc324e76c
              • Opcode Fuzzy Hash: 89990863f7819698b6000f2202cdba6e491c47b35ecda616b19f78a51d6e4533
              • Instruction Fuzzy Hash: 41210235104A01EBE7317F25DC02DFAB7E5EFA0724B2084A9F8A456672FFB5DD008A91
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00BA1964
                • Part of subcall function 00BA838E: __EH_prolog3.LIBCMT ref: 00BA8395
                • Part of subcall function 00BA2E03: char_traits.LIBCPMT ref: 00BA2E28
              Strings
              • DelProf.exe -u Jonathan -w WORKSTATION1 --local --network, xrefs: 00BA19FF
              • Notes:, xrefs: 00BA1A53
              • Examples:, xrefs: 00BA197B
              • DelProf.exe --u DOMAIN\Jonathan -w WORKSTATION1 --local, xrefs: 00BA19D5
              • DelProf.exe --user Jonathan --workstation WORKSTATION1, xrefs: 00BA19AB
              • - The c$ share and remote registry must be accessible on the target workstation., xrefs: 00BA1AA7
              • - The user must not be logged onto the target workstation., xrefs: 00BA1A7D
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: H_prolog3H_prolog3_char_traits
              • String ID: - The c$ share and remote registry must be accessible on the target workstation.$ - The user must not be logged onto the target workstation.$ DelProf.exe --u DOMAIN\Jonathan -w WORKSTATION1 --local$ DelProf.exe --user Jonathan --workstation WORKSTATION1$ DelProf.exe -u Jonathan -w WORKSTATION1 --local --network$Examples:$Notes:
              • API String ID: 3685356560-1177095237
              • Opcode ID: 1801b531a6d24209e8232fb06b46831d8ce8bb86c5490370a5242f80c05b7050
              • Instruction ID: 831884f39f27e6e1f7a5ce97bdadfcf7acfccfdf96086734ff053bbf7d685d2f
              • Opcode Fuzzy Hash: 1801b531a6d24209e8232fb06b46831d8ce8bb86c5490370a5242f80c05b7050
              • Instruction Fuzzy Hash: E641E975C4914CAECB05E7E8D991EDEBBFCAF26300F0840DAE81173252DA745B4ACA61
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: char_traits$String_base::_Xlenstd::_
              • String ID:
              • API String ID: 1810552321-0
              • Opcode ID: e228d069cdba8bad5596e6f9d922bf989f0097d53428f9326e2ff53b5aa7e66c
              • Instruction ID: 76d30f524189e2f4605a5f9e9fa240f97d59986c60e14ac073eded65e4d108f8
              • Opcode Fuzzy Hash: e228d069cdba8bad5596e6f9d922bf989f0097d53428f9326e2ff53b5aa7e66c
              • Instruction Fuzzy Hash: ABD11CB064C50AAFCB08CF58CDD4CAAB7E6FB863007508659E81A87655DB30FA65CBD4
              APIs
              • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,00000000,?,Deleting ), ref: 00BA8552
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 00BA8578
              • RegCloseKey.ADVAPI32(?), ref: 00BA859A
              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00BA85B5
              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00BA85E8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: Enum$CloseDeleteOpen
              • String ID: Deleting
              • API String ID: 2095303065-3793058071
              • Opcode ID: 46ad4c1597844e574ae92056b7065ec61f5835438ebc5bb9fb2e6cf22d77e0e2
              • Instruction ID: a0c54cb8680a29133ac17a3169295c24d58500264b77615eadc51a6f2d768340
              • Opcode Fuzzy Hash: 46ad4c1597844e574ae92056b7065ec61f5835438ebc5bb9fb2e6cf22d77e0e2
              • Instruction Fuzzy Hash: 5D2197B594111CAFDB21DF94DC88EFAB7FCEB28344F1001D6A919A2051DA305E888F60
              APIs
              • __EH_prolog3.LIBCMT ref: 00BA222F
              • RegOpenKeyExW.ADVAPI32(?,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,?,00000024,00BA1C5F,00000000,?,00000000,00000000), ref: 00BA2248
              • RegCloseKey.ADVAPI32(?,00000001,00000000,SystemRoot), ref: 00BA2297
                • Part of subcall function 00BA4161: __EH_prolog3_catch.LIBCMT ref: 00BA4168
                • Part of subcall function 00BA4161: _strlen.LIBCMT ref: 00BA4175
              Strings
              • ERROR: Unable to open remote Windows information., xrefs: 00BA2252
              • SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00BA2240
              • SystemRoot, xrefs: 00BA2267
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: CloseH_prolog3H_prolog3_catchOpen_strlen
              • String ID: ERROR: Unable to open remote Windows information.$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SystemRoot
              • API String ID: 2245420635-285966602
              • Opcode ID: 66b54af25c2b464619507437a5c83cba7d537c5f8ddb84f8cb9db5e73d9a58c2
              • Instruction ID: afcb8760bd329636e5956e85027e6fb4c7b350df24ad1e936615d17240ec40d7
              • Opcode Fuzzy Hash: 66b54af25c2b464619507437a5c83cba7d537c5f8ddb84f8cb9db5e73d9a58c2
              • Instruction Fuzzy Hash: 3101B131A08218BBCB10EBA4EC46EEEBFF4EF02B10F5080A9F414660E1DF705A01D660
              APIs
              • __getptd.LIBCMT ref: 00BC3AB9
                • Part of subcall function 00BBF36A: __getptd_noexit.LIBCMT ref: 00BBF36D
                • Part of subcall function 00BBF36A: __amsg_exit.LIBCMT ref: 00BBF37A
              • __amsg_exit.LIBCMT ref: 00BC3AD9
              • __lock.LIBCMT ref: 00BC3AE9
              • InterlockedDecrement.KERNEL32(?), ref: 00BC3B06
              • InterlockedIncrement.KERNEL32(00E62CE0), ref: 00BC3B31
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
              • String ID: ,
              • API String ID: 4271482742-4120420056
              • Opcode ID: c47b2941b33b2ba6cc01fb502528aee426a44e2ad1c56a456c504738fbf28d19
              • Instruction ID: d499691f6b610a4650d2d9744c9e78ef5f0689dd54f978997c7e6f85ab122ea7
              • Opcode Fuzzy Hash: c47b2941b33b2ba6cc01fb502528aee426a44e2ad1c56a456c504738fbf28d19
              • Instruction Fuzzy Hash: 1C018431A45A21ABCB11AF689805FADB7E0FF04B10F4581DAF80067291EF789E51CBD1
              APIs
              • __EH_prolog3_catch.LIBCMT ref: 00BB4D0D
              • std::_String_base::_Xlen.LIBCPMT ref: 00BB4D51
                • Part of subcall function 00BA4F03: __EH_prolog3.LIBCMT ref: 00BA4F0A
                • Part of subcall function 00BA4F03: __CxxThrowException@8.LIBCMT ref: 00BA4F3C
              • ctype.LIBCPMT ref: 00BB4DC9
              • ctype.LIBCPMT ref: 00BB4DEC
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: ctype$Exception@8H_prolog3H_prolog3_catchString_base::_ThrowXlenstd::_
              • String ID:
              APIs
              • __EH_prolog3_catch.LIBCMT ref: 00BB6C21
              • std::_String_base::_Xlen.LIBCPMT ref: 00BB6C65
                • Part of subcall function 00BB3F6F: __EH_prolog3.LIBCMT ref: 00BB3F76
                • Part of subcall function 00BB3F6F: __CxxThrowException@8.LIBCMT ref: 00BB3FA1
              • ctype.LIBCPMT ref: 00BB6CDD
              • ctype.LIBCPMT ref: 00BB6D00
              Similarity
              • API ID: ctype$Exception@8H_prolog3H_prolog3_catchString_base::_ThrowXlenstd::_
              • String ID:
              APIs
              • __EH_prolog3_catch_GS.LIBCMT ref: 00BA5B1D
              • std::_String_base::_Xlen.LIBCPMT ref: 00BA5B58
                • Part of subcall function 00BA4F03: __EH_prolog3.LIBCMT ref: 00BA4F0A
                • Part of subcall function 00BA4F03: __CxxThrowException@8.LIBCMT ref: 00BA4F3C
              • ctype.LIBCPMT ref: 00BA5BC5
              • ctype.LIBCPMT ref: 00BA5BE5
              Similarity
              • API ID: ctype$Exception@8H_prolog3H_prolog3_catch_String_base::_ThrowXlenstd::_
              • String ID:
              APIs
              • __EH_prolog3_catch_GS.LIBCMT ref: 00BA5DA8
              • std::_String_base::_Xlen.LIBCPMT ref: 00BA5DE3
                • Part of subcall function 00BA4F03: __EH_prolog3.LIBCMT ref: 00BA4F0A
                • Part of subcall function 00BA4F03: __CxxThrowException@8.LIBCMT ref: 00BA4F3C
              • ctype.LIBCPMT ref: 00BA5E50
              • ctype.LIBCPMT ref: 00BA5E70
              Similarity
              • API ID: ctype$Exception@8H_prolog3H_prolog3_catch_String_base::_ThrowXlenstd::_
              • String ID:
              APIs
              • __EH_prolog3_catch.LIBCMT ref: 00BB4396
              • std::_String_base::_Xlen.LIBCPMT ref: 00BB43CB
                • Part of subcall function 00BB3F6F: __EH_prolog3.LIBCMT ref: 00BB3F76
                • Part of subcall function 00BB3F6F: __CxxThrowException@8.LIBCMT ref: 00BB3FA1
              • ctype.LIBCPMT ref: 00BB443F
              • ctype.LIBCPMT ref: 00BB445F
              Similarity
              • API ID: ctype$Exception@8H_prolog3H_prolog3_catchString_base::_ThrowXlenstd::_
              • String ID:
              APIs
              • __EH_prolog3_catch.LIBCMT ref: 00BAEEB8
              • std::_String_base::_Xlen.LIBCPMT ref: 00BAEEED
                • Part of subcall function 00BB3F6F: __EH_prolog3.LIBCMT ref: 00BB3F76
                • Part of subcall function 00BB3F6F: __CxxThrowException@8.LIBCMT ref: 00BB3FA1
              • ctype.LIBCPMT ref: 00BAEF5D
              • ctype.LIBCPMT ref: 00BAEF7B
              Similarity
              • API ID: ctype$Exception@8H_prolog3H_prolog3_catchString_base::_ThrowXlenstd::_
              • String ID:
              APIs
              • __EH_prolog3_catch.LIBCMT ref: 00BAEAA7
              • std::_String_base::_Xlen.LIBCPMT ref: 00BAEADC
                • Part of subcall function 00BB3F6F: __EH_prolog3.LIBCMT ref: 00BB3F76
                • Part of subcall function 00BB3F6F: __CxxThrowException@8.LIBCMT ref: 00BB3FA1
              • ctype.LIBCPMT ref: 00BAEB3D
              • ctype.LIBCPMT ref: 00BAEB50
              Similarity
              • API ID: ctype$Exception@8H_prolog3H_prolog3_catchString_base::_ThrowXlenstd::_
              • String ID:
              APIs
              • __CreateFrameInfo.LIBCMT ref: 00BBC37C
                • Part of subcall function 00BBA596: __getptd.LIBCMT ref: 00BBA5A4
                • Part of subcall function 00BBA596: __getptd.LIBCMT ref: 00BBA5B2
              • __getptd.LIBCMT ref: 00BBC386
                • Part of subcall function 00BBF36A: __getptd_noexit.LIBCMT ref: 00BBF36D
                • Part of subcall function 00BBF36A: __amsg_exit.LIBCMT ref: 00BBF37A
              • __getptd.LIBCMT ref: 00BBC394
              • __getptd.LIBCMT ref: 00BBC3A2
              • __getptd.LIBCMT ref: 00BBC3AD
              • _CallCatchBlock2.LIBCMT ref: 00BBC3D3
                • Part of subcall function 00BBA63B: __CallSettingFrame@12.LIBCMT ref: 00BBA687
                • Part of subcall function 00BBC47A: __getptd.LIBCMT ref: 00BBC489
                • Part of subcall function 00BBC47A: __getptd.LIBCMT ref: 00BBC497
              Similarity
              • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
              • String ID:
              APIs
              • __EH_prolog3.LIBCMT ref: 00BB2F99
              • __CxxThrowException@8.LIBCMT ref: 00BB2FCA
                • Part of subcall function 00BBA269: RaiseException.KERNEL32(?,?,00BB81FE,?,?,?,?,?,00BB81FE,?,00BD2C30,00BD8688,?,00BA7E8E,58928532,ios_base::eofbit set), ref: 00BBA2AB
              • __EH_prolog3.LIBCMT ref: 00BB2FD7
              Strings
              Similarity
              • API ID: H_prolog3$ExceptionException@8RaiseThrow
              • String ID: multiple_occurrences$multiple_values
              APIs
              • __EH_prolog3.LIBCMT ref: 00BB7459
              • std::_Lockit::_Lockit.LIBCPMT ref: 00BB7465
              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00BB74D3
                • Part of subcall function 00BA7C2A: __EH_prolog3.LIBCMT ref: 00BA7C31
              • __CxxThrowException@8.LIBCMT ref: 00BB74CA
                • Part of subcall function 00BBA269: RaiseException.KERNEL32(?,?,00BB81FE,?,?,?,?,?,00BB81FE,?,00BD2C30,00BD8688,?,00BA7E8E,58928532,ios_base::eofbit set), ref: 00BBA2AB
              Strings
              Similarity
              • API ID: H_prolog3std::_$ExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrow
              • String ID: bad locale name
              APIs
              Strings
              • style disallows parameters for long options, xrefs: 00BB409A
              • style disallows all characters for short options, xrefs: 00BB40BB
              • style disallows parameters for short options, xrefs: 00BB40AC, 00BB40C0
              Similarity
              • API ID: Exception@8H_prolog3Throw
              • String ID: style disallows all characters for short options$style disallows parameters for long options$style disallows parameters for short options
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00BA17E2
                • Part of subcall function 00BA838E: __EH_prolog3.LIBCMT ref: 00BA8395
                • Part of subcall function 00BA2E03: char_traits.LIBCPMT ref: 00BA2E28
              Strings
              • http://www.autoitscript.com/tools, xrefs: 00BA187E
              • RemoteDelProf v1.0.0 - Remote Profile Deletion Utility, xrefs: 00BA182A
              • Copyright (C) 2009 Jonathan Bennett, xrefs: 00BA1854
              Similarity
              • API ID: H_prolog3H_prolog3_char_traits
              • String ID: Copyright (C) 2009 Jonathan Bennett$RemoteDelProf v1.0.0 - Remote Profile Deletion Utility$http://www.autoitscript.com/tools
              APIs
              • __CxxThrowException@8.LIBCMT ref: 00BA7948
              Strings
              Similarity
              • API ID: Exception@8Throw
              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
              APIs
              • ___BuildCatchObject.LIBCMT ref: 00BBC714
                • Part of subcall function 00BBC66F: ___BuildCatchObjectHelper.LIBCMT ref: 00BBC6A5
              • _UnwindNestedFrames.LIBCMT ref: 00BBC72B
              • ___FrameUnwindToState.LIBCMT ref: 00BBC739
              Strings
              Similarity
              • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
              • String ID: csm
              APIs
              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00BC3234
              • __isleadbyte_l.LIBCMT ref: 00BC3268
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,?,?,00000000,?,?,?), ref: 00BC3299
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000,?,?,?), ref: 00BC3307
              Similarity
              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
              • String ID:
              APIs
              • __EH_prolog3.LIBCMT ref: 00BA8480
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,0002001F,00000000,00000008,00BA1E0F,?), ref: 00BA84A5
                • Part of subcall function 00BA8507: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,00000000,?,Deleting ), ref: 00BA8552
              • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,58928532), ref: 00BA84D0
              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00BA84E8
              Similarity
              • API ID: CloseDeleteEnumH_prolog3Open
              • String ID:
              APIs
              • __getptd.LIBCMT ref: 00BBD8DA
                • Part of subcall function 00BBF36A: __getptd_noexit.LIBCMT ref: 00BBF36D
                • Part of subcall function 00BBF36A: __amsg_exit.LIBCMT ref: 00BBF37A
              • __getptd.LIBCMT ref: 00BBD8F1
              • __amsg_exit.LIBCMT ref: 00BBD8FF
              • __lock.LIBCMT ref: 00BBD90F
              Similarity
              • API ID: __amsg_exit__getptd$__getptd_noexit__lock
              • String ID:
              APIs
              • __EH_prolog3.LIBCMT ref: 00BA358E
                • Part of subcall function 00BA816B: __EH_prolog3.LIBCMT ref: 00BA8172
              • __CxxThrowException@8.LIBCMT ref: 00BA35CC
                • Part of subcall function 00BBA269: RaiseException.KERNEL32(?,?,00BB81FE,?,?,?,?,?,00BB81FE,?,00BD2C30,00BD8688,?,00BA7E8E,58928532,ios_base::eofbit set), ref: 00BBA2AB
              Strings
              • invalid map/set<T> iterator, xrefs: 00BA359F
              Similarity
              • API ID: H_prolog3$ExceptionException@8RaiseThrow
              • String ID: invalid map/set<T> iterator
              APIs
              • __EH_prolog3.LIBCMT ref: 00BA3842
                • Part of subcall function 00BA816B: __EH_prolog3.LIBCMT ref: 00BA8172
              • __CxxThrowException@8.LIBCMT ref: 00BA3880
                • Part of subcall function 00BBA269: RaiseException.KERNEL32(?,?,00BB81FE,?,?,?,?,?,00BB81FE,?,00BD2C30,00BD8688,?,00BA7E8E,58928532,ios_base::eofbit set), ref: 00BBA2AB
              Strings
              • invalid map/set<T> iterator, xrefs: 00BA3853
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: H_prolog3$ExceptionException@8RaiseThrow
              • String ID: invalid map/set<T> iterator
              • API String ID: 1412866469-152884079
              APIs
              • __EH_prolog3.LIBCMT ref: 00BB1775
              • __CxxThrowException@8.LIBCMT ref: 00BB17AD
                • Part of subcall function 00BBA269: RaiseException.KERNEL32(?,?,00BB81FE,?,?,?,?,?,00BB81FE,?,00BD2C30,00BD8688,?,00BA7E8E,58928532,ios_base::eofbit set), ref: 00BBA2AB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: ExceptionException@8H_prolog3RaiseThrow
              • String ID: map/set<T> too long
              • API String ID: 1961742612-1285458680
              APIs
              • __EH_prolog3.LIBCMT ref: 00BB1B1B
              • __CxxThrowException@8.LIBCMT ref: 00BB1B53
                • Part of subcall function 00BBA269: RaiseException.KERNEL32(?,?,00BB81FE,?,?,?,?,?,00BB81FE,?,00BD2C30,00BD8688,?,00BA7E8E,58928532,ios_base::eofbit set), ref: 00BBA2AB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: ExceptionException@8H_prolog3RaiseThrow
              • String ID: map/set<T> too long
              • API String ID: 1961742612-1285458680
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00BA3EC9
                • Part of subcall function 00BA4872: __EH_prolog3.LIBCMT ref: 00BA4879
                • Part of subcall function 00BA48BD: __EH_prolog3.LIBCMT ref: 00BA48C4
                • Part of subcall function 00BA8116: char_traits.LIBCPMT ref: 00BA813B
                • Part of subcall function 00BA2AE1: std::_String_base::_Xlen.LIBCPMT ref: 00BA2B1E
                • Part of subcall function 00BA2AE1: char_traits.LIBCPMT ref: 00BA2B6D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: H_prolog3char_traits$H_prolog3_String_base::_Xlenstd::_
              • String ID: (=$[=arg(=
              • API String ID: 3935908814-2804717308
              APIs
              • __CxxThrowException@8.LIBCMT ref: 00BA4FF9
              Strings
              • multiple values not allowed, xrefs: 00BA4FCB
              • at least one value required, xrefs: 00BA5025
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: Exception@8Throw
              • String ID: at least one value required$multiple values not allowed
              • API String ID: 2005118841-4090532116
              APIs
                • Part of subcall function 00BBA5E9: __getptd.LIBCMT ref: 00BBA5EF
                • Part of subcall function 00BBA5E9: __getptd.LIBCMT ref: 00BBA5FF
              • __getptd.LIBCMT ref: 00BBC489
                • Part of subcall function 00BBF36A: __getptd_noexit.LIBCMT ref: 00BBF36D
                • Part of subcall function 00BBF36A: __amsg_exit.LIBCMT ref: 00BBF37A
              • __getptd.LIBCMT ref: 00BBC497
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: __getptd$__amsg_exit__getptd_noexit
              • String ID: csm
              • API String ID: 803148776-1018135373
              APIs
              • __EH_prolog3.LIBCMT ref: 00BA8773
              • __CxxThrowException@8.LIBCMT ref: 00BA879E
                • Part of subcall function 00BBA269: RaiseException.KERNEL32(?,?,00BB81FE,?,?,?,?,?,00BB81FE,?,00BD2C30,00BD8688,?,00BA7E8E,58928532,ios_base::eofbit set), ref: 00BBA2AB
              Strings
              • invalid string position, xrefs: 00BA8778
              Memory Dump Source
              • Source File: 00000000.00000002.1718358539.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
              • Associated: 00000000.00000002.1718340043.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718385501.0000000000BCA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718403566.0000000000BD5000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1718419620.0000000000BDB000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ba0000_RemoteDelProf.jbxd
              Similarity
              • API ID: ExceptionException@8H_prolog3RaiseThrow
              • String ID: invalid string position
              • API String ID: 1961742612-1799206989