

Windows Analysis Report
1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe

Overview

General Information

Sample name: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe
Analysis ID: 1575960
MD5: 5b74ba5d3f7a0aff3dea2d3ae9bb1a59
SHA1: e872b3d30b3da56ac0cafb905087d595c129d73b
SHA256: b84745937d020b9750842b35590589aadf47153c995f266a3f44dae8b1ff51d8
Tags: base64-decoded, exe, user-abuse_ch

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
AI detected suspicious sample
Found API chain indicative of debugger detection
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Communication To Uncommon Destination Ports
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe (PID: 7396 cmdline: "C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe" MD5: 5B74BA5D3F7A0AFF3DEA2D3AE9BB1A59)
    • WMIC.exe (PID: 7644 cmdline: wmic os get Name MD5: E2DE6500DE1148C7F6027AD50AC8B891)
      • conhost.exe (PID: 7652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7756 cmdline: wmic cpu get name MD5: E2DE6500DE1148C7F6027AD50AC8B891)
      • conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7880 cmdline: wmic path win32_VideoController get name MD5: E2DE6500DE1148C7F6027AD50AC8B891)
      • conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
Sigma detected (Communication To Uncommon Destination Ports) | Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 31.13.224.69, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, Initiated: true, ProcessId: 7396, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49738
Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-16T12:24:54.644862+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 52.17.181.189 | 443 | TCP
2024-12-16T12:24:56.660990+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 34.117.59.81 | 443 | TCP
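The process tree, the Sysmon-style network event and the Suricata rows above are the fields a SOC would correlate to catch this sample on a real host. The Python below is an added example written for this page, not Joe Sandbox output and not code from the sample's authors. It replays constructed Sysmon-like events (PIDs, command lines, domains and IPs are taken from the report; the top process's parent, the event order and the two benign decoy events at the end are assumptions) through three detections that mirror the report's findings: two or more of the wmic OS/CPU/GPU name queries spawned by a parent outside the Windows directory, an initiated connection to a public address on an uncommon port, and the sequence "resolve a public-IP lookup service, then beacon". The COMMON_PORTS list is an assumption for the example, not the Sigma rule's own port list.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed Sysmon-style events replaying the report: PIDs, command lines, domains
# and IPs are the report's; the top process's parent, the event order and the two
# benign decoy events at the end are assumptions made for this example.
SAMPLE = (r"C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf"
          r"01710e07a6dadfae2b13366.dat-decoded.exe")
WMIC = r"C:\Windows\SysWOW64\wbem\WMIC.exe"


def proc(pid, image, cmdline, ppid, pimage):  # Sysmon EventID 1 (ProcessCreate)
    return {"EventID": 1, "ProcessId": pid, "Image": image, "CommandLine": cmdline,
            "ParentProcessId": ppid, "ParentImage": pimage}


def net(pid, image, dst_ip, dst_port):  # Sysmon EventID 3 (NetworkConnect)
    return {"EventID": 3, "ProcessId": pid, "Image": image, "Initiated": True,
            "Protocol": "tcp", "DestinationIp": dst_ip, "DestinationPort": dst_port}


def dns(pid, image, name):  # Sysmon EventID 22 (DnsQuery)
    return {"EventID": 22, "ProcessId": pid, "Image": image, "QueryName": name}


EVENTS = [
    proc(7396, SAMPLE, f'"{SAMPLE}"', 7300, r"C:\Windows\explorer.exe"),
    dns(7396, SAMPLE, "checkip.amazonaws.com"),
    net(7396, SAMPLE, "52.17.181.189", 443),
    dns(7396, SAMPLE, "ipinfo.io"),
    net(7396, SAMPLE, "34.117.59.81", 443),
    proc(7644, WMIC, "wmic os get Name", 7396, SAMPLE),
    proc(7756, WMIC, "wmic cpu get name", 7396, SAMPLE),
    proc(7880, WMIC, "wmic path win32_VideoController get name", 7396, SAMPLE),
    dns(7396, SAMPLE, "xscapezo.capetown"),
    net(7396, SAMPLE, "31.13.224.69", 8080),
    # Benign decoys (constructed): an admin shell running one wmic query, a service on 443.
    proc(5120, WMIC, "wmic os get name", 4120, r"C:\Windows\System32\cmd.exe"),
    net(1016, r"C:\Windows\System32\svchost.exe", "13.107.4.50", 443),
]

# OS, CPU and GPU names are the classic VM tells (inside a VM they read "VMware",
# "VirtualBox", "QEMU", ...); asking for two or more of them is the signal.
HARDWARE_QUERIES = {
    "os": re.compile(r"\bos\s+get\s+name\b", re.I),
    "cpu": re.compile(r"\bcpu\s+get\s+name\b", re.I),
    "gpu": re.compile(r"\bwin32_videocontroller\s+get\s+name\b", re.I),
}
# Ports an ordinary client is expected to use; an assumption for this example, not the
# Sigma rule's own list.
COMMON_PORTS = {20, 21, 22, 25, 53, 80, 123, 443, 587, 993, 995}
IP_LOOKUP_HOSTS = {"checkip.amazonaws.com", "ipinfo.io"}


def detect_wmic_hardware_profiling(events):
    """One finding per parent that spawns wmic.exe for two or more of the OS/CPU/GPU
    name queries and is not itself a binary under the Windows directory."""
    by_parent = defaultdict(lambda: {"classes": set(), "image": ""})
    for ev in events:
        if ev["EventID"] != 1 or not ev["Image"].lower().endswith("\\wmic.exe"):
            continue
        for cls, rx in HARDWARE_QUERIES.items():
            if rx.search(ev["CommandLine"]):
                rec = by_parent[ev["ParentProcessId"]]
                rec["classes"].add(cls)
                rec["image"] = ev["ParentImage"]
    return [{"rule": "wmic_hardware_profiling", "pid": ppid, "image": rec["image"],
             "detail": {"classes": sorted(rec["classes"])}}
            for ppid, rec in by_parent.items()
            if len(rec["classes"]) >= 2 and not rec["image"].lower().startswith("c:\\windows\\")]


def is_uncommon_outbound(ev):
    """An initiated connection to a public address on a port outside COMMON_PORTS."""
    if ev["EventID"] != 3 or not ev.get("Initiated"):
        return False
    if not ipaddress.ip_address(ev["DestinationIp"]).is_global:
        return False
    return ev["DestinationPort"] not in COMMON_PORTS


def detect_uncommon_destination_port(events):
    return [{"rule": "uncommon_destination_port", "pid": ev["ProcessId"], "image": ev["Image"],
             "detail": {"dst": f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'}}
            for ev in events if is_uncommon_outbound(ev)]


def detect_ip_lookup_then_beacon(events):
    """Correlation: a process resolves a public-IP lookup service and later opens an
    uncommon-port connection. One finding per process, on the first such connection."""
    lookups, flagged, findings = defaultdict(list), set(), []
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 22 and ev["QueryName"].lower() in IP_LOOKUP_HOSTS:
            lookups[pid].append(ev["QueryName"])
        elif pid in lookups and pid not in flagged and is_uncommon_outbound(ev):
            flagged.add(pid)
            findings.append({"rule": "ip_lookup_then_beacon", "pid": pid, "image": ev["Image"],
                             "detail": {"lookups": list(lookups[pid]),
                                        "dst": f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'}})
    return findings


def run_detections(events):
    return (detect_wmic_hardware_profiling(events)
            + detect_uncommon_destination_port(events)
            + detect_ip_lookup_then_beacon(events))


if __name__ == "__main__":
    for f in run_detections(EVENTS):
        print(f'{f["rule"]:28} pid={f["pid"]:<5} {f["detail"]}')
```

Run as-is it reports three findings, all against PID 7396, and stays quiet on the two decoys: one wmic query from cmd.exe is not profiling, and a service talking to a public host on 443 is not an uncommon port. The third rule is the one worth keeping in production, because the "check my public IP, then connect somewhere odd" sequence is rare in legitimate software and cheap to correlate on ProcessId.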



AV Detection

Source: http://xweb.ddns.net:8080 | Avira URL Cloud: Label: malware
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 90.8% probability
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Joe Sandbox ML: detected
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: unknown | HTTPS traffic detected: 52.17.181.189:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 4x nop then jmp 001515A0h | 0_2_001716A0
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 4x nop then jmp 001515A0h | 0_2_00171651
Both nop-padded jumps land on 001515A0, the function listed at the end of this report that resolves imports at run time through GetModuleHandleA, LoadLibraryA and GetProcAddress, so the inlined nops and the dynamic API resolution are one code path.
Source: global traffic | TCP traffic: 192.168.2.4:49738 -> 31.13.224.69:8080
Source: Joe Sandbox View | IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown | DNS query: name: checkip.amazonaws.com
Source: unknown | DNS query: name: ipinfo.io
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 52.17.181.189:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 34.117.59.81:443
Caveat on the JA3 hits: both alerts fire on the two TLS 1.2 connections on port 443 that coincide with the checkip.amazonaws.com and ipinfo.io lookups, and the TLS client here is the Windows WinHTTP/Schannel stack (the sample loads schannel.dll, ncryptsslp.dll and mskeyprotect.dll, see the section list below), so the fingerprint describes the OS stack rather than anything specific to this malware. Treat it as corroboration, not as a standalone indicator; the hostnames and the port 8080 beacon are the stronger pivots.
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/json
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: checkip.amazonaws.com
Source: global traffic | HTTP traffic detected:
    GET /country HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/json
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: ipinfo.io
Source: global traffic | HTTP traffic detected (five identical requests during the run):
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/json; Charset=UTF-8
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Content-Length: 452
    Host: xscapezo.capetown:8080
Note on the requests: the user agent "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" is the default sent by the WinHttp.WinHttpRequest.5.1 COM object, not a browser, and the GET requests carry a Content-Type header although they have no body. Together with the fixed 452-byte JSON POST body to port 8080 this gives a precise proxy-log hunt for this sample.
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (three times)
Source: global traffic | DNS traffic detected: DNS query: checkip.amazonaws.com
Source: global traffic | DNS traffic detected: DNS query: ipinfo.io
Source: global traffic | DNS traffic detected: DNS query: xscapezo.capetown
Source: unknown | HTTP traffic detected: POST / HTTP/1.1 to xscapezo.capetown:8080 with the same headers and Content-Length: 452 as above
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, dump 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://xscapezo.capetown:8080
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, dumps 00000000.00000002.3541594269.00000000015D7000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.3541594269.000000000165C000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.3347288009.000000000165C000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.3541594269.00000000015EE000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.3541594269.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.3347288009.000000000160C000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.3047079705.000000000160C000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2747266956.000000000160C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://xscapezo.capetown:8080/
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, dump 00000000.00000002.3541594269.00000000015D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://xscapezo.capetown:8080/)x
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, dump 00000000.00000002.3541594269.00000000015D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://xscapezo.capetown:8080/-
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, dump 00000000.00000002.3541594269.00000000015D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://xscapezo.capetown:8080/4
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, dump 00000000.00000003.3047079705.000000000160C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://xscapezo.capetown:8080/;
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, dump 00000000.00000002.3541594269.00000000015D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://xscapezo.capetown:8080/?
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, dump 00000000.00000002.3541594269.00000000015D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://xscapezo.capetown:8080/l
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, dump 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://xscapezo.capetown:80802.40
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, dump 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://xscapezo.capetown:8080on3Microsoft
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, dump 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://xweb.ddns.net:8080
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, dump 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://xweb.ddns.net:80806WinHttp.WinHttpRequest.5.16WinHttp.WinHttpRequest.5.16WinHttp.WinHttpReque
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, dump 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://xweb.ddns.net:80807http://xscapezo.capetown:8080
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, dumps 00000000.00000003.1887742930.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.3541594269.00000000015AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://checkip.amazonaws.com/
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, dump 00000000.00000003.1869312955.0000000001612000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, dump 00000000.00000003.1869312955.0000000001612000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/country
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, dump 00000000.00000003.1869312955.0000000001612000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/countryt
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, dumps 00000000.00000003.1887742930.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1887871602.0000000001611000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1869312955.0000000001612000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/countryxSd
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, dump 00000000.00000003.1887742930.00000000015F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io:443/country443/
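The carved strings above are noisy: heap strings run into their neighbours, which is why the report shows ports like 80802 and 80807 and paths like /)x or /countryxSd. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample's authors. It normalises those strings (copied from the entries above) into a deduplicated host:port list, backs a glued-on port off to its longest valid prefix and marks that result as low confidence (a heuristic of this example, not something the report states), and separates the public-IP lookup services from the C2 candidates so that only the latter end up on a blocklist.

```python
import re

# Constructed input: the URL-like strings the report lists under "String found in
# binary or memory" (copied from the entries above, junk suffixes included).
CARVED_STRINGS = [
    "http://xscapezo.capetown:8080",
    "http://xscapezo.capetown:8080/",
    "http://xscapezo.capetown:8080/)x",
    "http://xscapezo.capetown:8080/-",
    "http://xscapezo.capetown:8080/4",
    "http://xscapezo.capetown:8080/;",
    "http://xscapezo.capetown:8080/?",
    "http://xscapezo.capetown:8080/l",
    "http://xscapezo.capetown:80802.40",
    "http://xscapezo.capetown:8080on3Microsoft",
    "http://xweb.ddns.net:8080",
    "http://xweb.ddns.net:80806WinHttp.WinHttpRequest.5.16WinHttp.WinHttpRequest.5.16WinHttp.WinHttpReque",
    "http://xweb.ddns.net:80807http://xscapezo.capetown:8080",
    "https://checkip.amazonaws.com/",
    "https://ipinfo.io/",
    "https://ipinfo.io/country",
    "https://ipinfo.io/countryt",
    "https://ipinfo.io/countryxSd",
    "https://ipinfo.io:443/country443/",
]

# scheme://host[:port]; the path is deliberately not captured, because in carved
# memory the path is the part most likely to be overwritten by a neighbouring string.
URL_RE = re.compile(
    r"(?P<scheme>https?)://"
    r"(?P<host>(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})"
    r"(?::(?P<port>\d{1,5}))?",
    re.IGNORECASE,
)
DEFAULT_PORTS = {"http": 80, "https": 443}

# Legitimate services the sample queried for its public IP and country; they are
# reconnaissance, not command-and-control, and do not belong on a blocklist.
PUBLIC_IP_LOOKUP_HOSTS = {"checkip.amazonaws.com", "ipinfo.io"}


def recover_port(scheme, port_text):
    """Return (port, exact). A carved port such as '80802' is the real port with the
    first byte of the next string glued on: back off to the longest valid prefix and
    report exact=False so the consumer knows it is a heuristic (assumption of this
    example). An explicit port that cannot be repaired yields (None, False)."""
    if port_text is None:
        return DEFAULT_PORTS[scheme], True
    candidate, exact = port_text, True
    while len(candidate) > 1 and not 1 <= int(candidate) <= 65535:
        candidate, exact = candidate[:-1], False
    port = int(candidate)
    return (port, exact) if 1 <= port <= 65535 else (None, False)


def extract_network_iocs(strings):
    """Map 'host:port' -> {'scheme', 'count', 'exact_port_seen'} over all carved strings.
    One string can yield several URLs when two heap strings were glued together."""
    iocs = {}
    for s in strings:
        for m in URL_RE.finditer(s):
            scheme = m["scheme"].lower()
            port, exact = recover_port(scheme, m["port"])
            if port is None:
                continue
            key = f"{m['host'].lower()}:{port}"
            entry = iocs.setdefault(key, {"scheme": scheme, "count": 0, "exact_port_seen": False})
            entry["count"] += 1
            entry["exact_port_seen"] = entry["exact_port_seen"] or exact
    return iocs


def classify(iocs):
    """Label each host:port as a public-IP lookup service or a C2 candidate."""
    return {key: ("public_ip_lookup" if key.rsplit(":", 1)[0] in PUBLIC_IP_LOOKUP_HOSTS
                  else "c2_candidate") for key in iocs}


def c2_blocklist(iocs):
    """Hostnames worth blocking at DNS: every C2 candidate, deduplicated and sorted."""
    return sorted({key.rsplit(":", 1)[0] for key, label in classify(iocs).items()
                   if label == "c2_candidate"})


if __name__ == "__main__":
    found = extract_network_iocs(CARVED_STRINGS)
    labels = classify(found)
    for key, info in sorted(found.items()):
        print(f"{key:30} {labels[key]:17} seen={info['count']:2} exact_port={info['exact_port_seen']}")
    print("block at DNS:", c2_blocklist(found))
```

The nineteen noisy strings collapse to four authorities: xscapezo.capetown:8080 (seen 11 times, the active beacon host), xweb.ddns.net:8080 (3 times, the fallback that Avira URL Cloud already labels malware), and the two lookup services on 443. Only the first two go on the blocklist; keeping the lookup services in a separate bucket matters because blocking checkip.amazonaws.com or ipinfo.io enterprise-wide breaks legitimate software while telling you nothing new about this sample.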
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code functions: 0_2_00159029, 0_2_0016587C, 0_2_00168129, 0_2_001583A5, 0_2_00159CAD, 0_2_00164CD7, 0_2_0015AF50, 0_2_0015E078, 0_2_001660C9, 0_2_0015AA69, 0_2_001714D0, 0_2_0015ED20, 0_2_0016B610, 0_2_0016CE7D, 0_2_0015F6B7
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: String function: 00153DB2 appears 44 times
Source: classification engine | Classification label: mal64.evad.winEXE@10/0@3/3
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_0015AF50 CoInitialize, GetActiveObject, CoCreateInstance, CoGetObject, SysFreeString, VariantClear | 0_2_0015AF50
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7652:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7888:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\J1NXL04D3R_V3
The three SM0:<pid>:120:WilError_03 mutants are ordinary console-host plumbing for the conhost.exe instances; J1NXL04D3R_V3 is created by the sample itself and is the host-side indicator worth keeping.
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR (the query behind the "wmic cpu get name" child; the processor name string is a common virtual-machine tell)
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe "C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe"
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic os get Name
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic cpu get name
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Sections loaded (in order): apphelp.dll, mscoree.dll, kernel.appcore.dll, uxtheme.dll, winhttpcom.dll, winhttp.dll, ondemandconnroutehelper.dll, webio.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, sspicli.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, mlang.dll, dpapi.dll, wbemcomn.dll, amsi.dll, userenv.dll, profapi.dll, version.dll, sxs.dll, then ondemandconnroutehelper.dll five more times
Source: C:\Windows\SysWOW64\wbem\WMIC.exe (identical for each of the three instances, PIDs 7644, 7756 and 7880) | Sections loaded (in order): iphlpapi.dll, framedynos.dll, sspicli.dll, kernel.appcore.dll, wbemcomn.dll, msxml6.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, uxtheme.dll, vcruntime140.dll, amsi.dll, userenv.dll, profapi.dll, version.dll, vbscript.dll, sxs.dll
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}\InProcServer32
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_001515A0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_001515A0
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Static PE information: section name: .eh_fram
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_0016587C push esi; mov dword ptr [esp], 0017C140h | 0_2_0016573B
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_00164CD7 push edx; mov dword ptr [esp], eax | 0_2_00165486
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_00164CD7 push ecx; mov dword ptr [esp], eax | 0_2_00165493
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_00154831 push edx; mov dword ptr [esp], 0017C140h | 0_2_00154869
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_00156029 push edx; mov dword ptr [esp], edi | 0_2_0015604A
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_00156029 push edi; mov dword ptr [esp], 0017C140h | 0_2_00156078
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_001660C9 push esi; mov dword ptr [esp], 0017C140h | 0_2_0016573B
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_00156150 push eax; mov dword ptr [esp], 0017C140h | 0_2_0015617F
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_00184273 push esp; ret | 0_2_0018427A
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_0015AA69 push ecx; mov dword ptr [esp], 00000000h | 0_2_0015AC11
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_0015AA69 push eax; mov dword ptr [esp], edi | 0_2_0015AC5A
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_0018031B push D1DD3004h; retf | 0_2_00180320
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_00183B03 pushad ; ret | 0_2_00183B0A
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_001663DF push esi; mov dword ptr [esp], 0017C140h | 0_2_0016573B
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_00183CB0 push ecx; ret | 0_2_00183CDA
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_001844F1 push es; ret | 0_2_001844F4
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_001574EF push eax; mov dword ptr [esp], 0017C140h | 0_2_00157521
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_0015BD1C push ebx; mov dword ptr [esp], 0017C140h | 0_2_0015BD5A
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_0015A508 push edx; mov dword ptr [esp], 0017C140h | 0_2_0015A555
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_00183D39 push edi; ret | 0_2_00183D44
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_0018252F push edx; ret | 0_2_00182536
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_0015754B push eax; mov dword ptr [esp], 0017C140h | 0_2_00157588
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_001665BC push esi; mov dword ptr [esp], 0017C140h | 0_2_0016573B
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_0018469A push ecx; ret | 0_2_0018469B
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_0015A6B5 push eax; mov dword ptr [esp], 0017C140h | 0_2_0015A6EB
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_00156F34 push eax; mov dword ptr [esp], 0017C140h | 0_2_00156F85
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_0015BF56 push ebx; mov dword ptr [esp], 0017C140h | 0_2_0015BF84
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_00156FB3 push eax; mov dword ptr [esp], 0017C140h | 0_2_00156FF5
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: HOOKEXPLORER.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: AUTORUNSC.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OLLYDBG.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: X64DBG.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: REGMON.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: HOOKEXPLORER.EXEP
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: DUMPCAP.EXE0!I
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WINDBG.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: AUTORUNS.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: IMPORTREC.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: PETOOLS.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: PROC_ANALYZER.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SNIFF_HIT.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: FIDDLER.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSANALYZER.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: IDAQ.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: DUMPCAP.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WIRESHARK.EXE
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: FILEMON.EXE
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe TID: 7560 | Thread sleep time: -210000s >= -30000s
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe TID: 7564 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe TID: 7560 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe TID: 7400 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe TID: 8080 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Thread delayed: delay time: 30000
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1887742930.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541594269.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1887742930.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541594269.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWL
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541594269.00000000015AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW```
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Debugger detection routine: IsDebuggerPresent or CheckRemoteDebuggerPresent, DecisionNodes, ExitProcess or Sleep | graph_0-18329
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_0016587C Sleep,IsDebuggerPresent | 0_2_0016587C
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_001515A0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_001515A0
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_001728AE RemoveVectoredExceptionHandler,AddVectoredExceptionHandler,RtlAddVectoredExceptionHandler,TlsGetValue,CloseHandle,CloseHandle,TlsSetValue,CloseHandle,CloseHandle,TlsSetValue,CloseHandle | 0_2_001728AE
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_00151148 GetStartupInfoA,_amsg_exit,_initterm,SetUnhandledExceptionFilter,__p__acmdln,__initenv,exit,_cexit | 0_2_00151148
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_00151189 _amsg_exit,_initterm,SetUnhandledExceptionFilter,__p__acmdln,__initenv,exit,_cexit | 0_2_00151189
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_00151207 _initterm,_initterm,SetUnhandledExceptionFilter,__p__acmdln,__initenv,exit,_cexit | 0_2_00151207
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic os get Name
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic cpu get name
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_00164227 CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CreateFileW,GetLastError,CreateFileW,GetLastError | 0_2_00164227
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Code function: 0_2_00175168 GetSystemTimeAsFileTime | 0_2_00175168
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: procmon.exe
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: tcpview.exe
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: wireshark.exe
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: lordpe.exe
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: procexp.exe
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: autoruns.exe
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: ollydbg.exe
Source: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: regmon.exe
Source: C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : SELECT displayName FROM AntiVirusProduct
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts21
Windows Management Instrumentation
1
DLL Side-Loading
12
Process Injection
121
Virtualization/Sandbox Evasion
OS Credential Dumping1
System Time Discovery
Remote Services1
Archive Collected Data
11
Encrypted Channel
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
Native API
Boot or Logon Initialization Scripts1
DLL Side-Loading
12
Process Injection
LSASS Memory1
Query Registry
Remote Desktop ProtocolData from Removable Media1
Non-Standard Port
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Deobfuscate/Decode Files or Information
Security Account Manager241
Security Software Discovery
SMB/Windows Admin SharesData from Network Shared Drive1
Ingress Tool Transfer
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook3
Obfuscated Files or Information
NTDS1
Process Discovery
Distributed Component Object ModelInput Capture3
Non-Application Layer Protocol
Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading
LSA Secrets121
Virtualization/Sandbox Evasion
SSHKeylogging14
Application Layer Protocol
Scheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials1
System Network Configuration Discovery
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync4
System Information Discovery
Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Source | Detection | Scanner | Label | Link
1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | 11% | ReversingLabs | |
1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://xscapezo.capetown:8080/? | 0% | Avira URL Cloud | safe |
http://xweb.ddns.net:80807http://xscapezo.capetown:8080 | 0% | Avira URL Cloud | safe |
http://xscapezo.capetown:8080on3Microsoft | 0% | Avira URL Cloud | safe |
http://xscapezo.capetown:8080/4 | 0% | Avira URL Cloud | safe |
http://xscapezo.capetown:8080/; | 0% | Avira URL Cloud | safe |
http://xscapezo.capetown:8080 | 0% | Avira URL Cloud | safe |
http://xscapezo.capetown:8080/l | 0% | Avira URL Cloud | safe |
http://xscapezo.capetown:8080/)x | 0% | Avira URL Cloud | safe |
http://xscapezo.capetown:80802.40 | 0% | Avira URL Cloud | safe |
http://xscapezo.capetown:8080/- | 0% | Avira URL Cloud | safe |
http://xweb.ddns.net:80806WinHttp.WinHttpRequest.5.16WinHttp.WinHttpRequest.5.16WinHttp.WinHttpReque | 0% | Avira URL Cloud | safe |
http://xscapezo.capetown:8080/ | 0% | Avira URL Cloud | safe |
http://xweb.ddns.net:8080 | 100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
checkip.eu-west-1.prod.check-ip.aws.a2z.com | 52.17.181.189 | true | false | | high
ipinfo.io | 34.117.59.81 | true | false | | high
xscapezo.capetown | 31.13.224.69 | true | false | | high
checkip.amazonaws.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://ipinfo.io/country | false | | high
https://checkip.amazonaws.com/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://xscapezo.capetown:8080on3Microsoft | 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://xweb.ddns.net:80807http://xscapezo.capetown:8080 | 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://xscapezo.capetown:8080/? | 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541594269.00000000015D7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://xscapezo.capetown:8080/; | 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.3047079705.000000000160C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ipinfo.io/ | 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1869312955.0000000001612000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://xscapezo.capetown:8080 | 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://xscapezo.capetown:8080/4 | 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541594269.00000000015D7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ipinfo.io/countryt | 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1869312955.0000000001612000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ipinfo.io:443/country443/ | 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1887742930.00000000015F0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://xscapezo.capetown:8080/- | 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541594269.00000000015D7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://xscapezo.capetown:8080/l | 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541594269.00000000015D7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://xscapezo.capetown:80802.40 | 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ipinfo.io/countryxSd | 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1887742930.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1887871602.0000000001611000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.1869312955.0000000001612000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://xscapezo.capetown:8080/)x | 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541594269.00000000015D7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://xscapezo.capetown:8080/ | 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541594269.00000000015D7000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541594269.000000000165C000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.3347288009.000000000165C000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541594269.00000000015EE000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541594269.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.3347288009.000000000160C000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.3047079705.000000000160C000.00000004.00000020.00020000.00000000.sdmp, 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000003.2747266956.000000000160C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://xweb.ddns.net:80806WinHttp.WinHttpRequest.5.16WinHttp.WinHttpRequest.5.16WinHttp.WinHttpReque | 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://xweb.ddns.net:8080 | 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe, 00000000.00000002.3541491548.0000000001490000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
31.13.224.69 | xscapezo.capetown | Bulgaria | 48584 | SARNICA-ASBG | false
34.117.59.81 | ipinfo.io | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
52.17.181.189 | checkip.eu-west-1.prod.check-ip.aws.a2z.com | United States | 16509 | AMAZON-02US | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1575960
Start date and time: 2024-12-16 12:23:42 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 15s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe
Detection: MAL
Classification: mal64.evad.winEXE@10/0@3/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 86%
• Number of executed functions: 32
• Number of non-executed functions: 50
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe
                      No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
31.13.224.69 | Evjm8L1nEb.exe | malicious | Unknown | xscapezo.capetown:8080/
 | Evjm8L1nEb.exe | malicious | Unknown | xscapezo.capetown:8080/
34.117.59.81 | file.exe | malicious | Invicta Stealer, XWorm | ipinfo.io/json
 | Code%20Send%20meta%20Discord%20EXE.ps1 | malicious | Unknown | ipinfo.io/json
 | idl57nk7gk.exe | malicious | Neshta | ipinfo.io/json
 | idl57nk7gk.exe | malicious | Neshta | ipinfo.io/json
 | FormulariomillasbonusLATAM_GsqrekXCVBmUf.cmd | malicious | Unknown | ipinfo.io/json
 | 172.104.150.66.ps1 | malicious | Unknown | ipinfo.io/json
 | VertusinstruccionesFedEX_66521.zip | malicious | Unknown | ipinfo.io/json
 | UjbjOP.ps1 | malicious | Unknown | ipinfo.io/json
 | I9xuKI2p2B.ps1 | malicious | Unknown | ipinfo.io/json
 | licarisan_api.exe | malicious | Icarus | ipinfo.io/ip
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ipinfo.io | file.exe | malicious | Unknown | 34.117.59.81
 | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, RedLine, Stealc, Vidar | 34.117.59.81
 | file.exe | malicious | Unknown | 34.117.59.81
 | file.exe | malicious | Invicta Stealer, XWorm | 34.117.59.81
 | http://enteolcl.top/ | malicious | Unknown | 34.117.59.81
 | Product Blueprint..html | malicious | HTMLPhisher | 34.117.59.81
 | dYUteuvmHn.exe | malicious | Unknown | 34.117.59.81
 | https://drive.google.com/file/d/1yoYdaJg2olHzjqEKXjn6nnXKPPak7HoL/view?usp=sharing_eil&ts=675747b9 | malicious | Unknown | 34.117.59.81
 | zW72x5d91l.bat | malicious | Unknown | 34.117.59.81
xscapezo.capetown | Evjm8L1nEb.exe | malicious | Unknown | 31.13.224.69
 | ugisGK1R1q.exe | malicious | DarkVision Rat | 31.13.224.69
 | Evjm8L1nEb.exe | malicious | Unknown | 31.13.224.69
checkip.eu-west-1.prod.check-ip.aws.a2z.com | Evjm8L1nEb.exe | malicious | Unknown | 54.74.44.6
 | Evjm8L1nEb.exe | malicious | Unknown | 52.49.226.227
 | exe028.exe | malicious | AgentTesla | 34.247.132.162
 | exe028.exe | malicious | Unknown | 63.32.212.245
 | setup.exe | malicious | Unknown | 3.248.31.219
 | 1.cmd | malicious | Unknown | 54.77.225.185
 | 2.cmd | malicious | Unknown | 18.203.170.139
 | fL271NVAru.exe | malicious | Unknown | 34.245.248.194
 | fL271NVAru.exe | malicious | Unknown | 54.72.227.37
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02US | main_mips.elf | malicious | Mirai | 34.249.145.219
 | sh4.elf | malicious | Mirai | 13.61.153.114
 | main_arm5.elf | malicious | Mirai | 54.171.230.55
 | arm4.elf | malicious | Mirai | 52.25.126.226
 | main_sh4.elf | malicious | Mirai | 54.171.230.55
 | ppc.elf | malicious | Mirai | 54.253.166.233
 | i686.elf | malicious | Mirai | 54.119.189.16
 | la.bot.mips.elf | malicious | Mirai | 54.171.230.55
 | PAYMENT RECEIPT.html | malicious | HTMLPhisher | 13.227.8.110
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 34.117.188.166
 | P0HV8mjHS1.exe | malicious | Credential Flusher | 34.117.188.166
 | P0HV8mjHS1.exe | malicious | Credential Flusher | 34.117.188.166
 | mdPov8VTwi.exe | malicious | Credential Flusher | 34.117.188.166
 | mdPov8VTwi.exe | malicious | Credential Flusher | 34.117.188.166
 | arm6.elf | malicious | Unknown | 34.117.135.65
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 34.117.188.166
 | armv5l.elf | malicious | Unknown | 34.119.157.208
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 34.117.188.166
SARNICA-ASBG | debug.dbg.elf | malicious | Mirai, Moobot | 93.123.109.208
 | x86_64.elf | malicious | Mirai, Moobot | 93.123.109.208
 | spc.elf | malicious | Mirai, Moobot | 93.123.109.208
 | m68k.elf | malicious | Mirai, Moobot | 93.123.109.208
 | ppc.elf | malicious | Mirai, Moobot | 93.123.109.208
 | arm.elf | malicious | Mirai, Moobot | 93.123.109.208
 | x86.elf | malicious | Mirai, Moobot | 93.123.109.208
 | arm7.elf | malicious | Mirai, Moobot | 93.123.109.208
 | mpsl.elf | malicious | Mirai, Moobot | 93.123.109.208
Match | Associated Sample Name / URL | Detection | Threat Name | Context
 | a0e9f5d64349fb13191bc781f81f42e1h.html | malicious | Unknown | 34.117.59.81, 52.17.181.189
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 34.117.59.81, 52.17.181.189
 | UUH30xVTpr.exe | malicious | LummaC, Stealc | 34.117.59.81, 52.17.181.189
 | 4TPPuMwzSA.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 34.117.59.81, 52.17.181.189
 | yYJUaOwKa8.exe | malicious | LummaC | 34.117.59.81, 52.17.181.189
 | Wqd6nMOfmG.exe | malicious | LummaC, Stealc | 34.117.59.81, 52.17.181.189
 | hiip7UoiAq.exe | malicious | LummaC | 34.117.59.81, 52.17.181.189
 | AzunBFiz02.exe | malicious | LummaC | 34.117.59.81, 52.17.181.189
 | MessengerAdmin.exe | malicious | LummaC | 34.117.59.81, 52.17.181.189
                      No context
                      No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 6.2915290015918925
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe
File size: 231'936 bytes
MD5: 5b74ba5d3f7a0aff3dea2d3ae9bb1a59
SHA1: e872b3d30b3da56ac0cafb905087d595c129d73b
SHA256: b84745937d020b9750842b35590589aadf47153c995f266a3f44dae8b1ff51d8
SHA512: 1f4fb6efb04f3b4c57b92271996bd7008462660cd51ed6ee5144c2e073c3d090e11864ce0963ab996030b174400581699bc35d3566d2cd54a6e7137fa82114b5
SSDEEP: 3072:PtjlDNJxzpxhot+5XDTzcsNsEYwszSHRGhYlW5SQUxk5ja:Pp+tErcslYZYw9QkU
TLSH: EA340815E202C4B5C43356B6998ED5A7A610BF3681239D0FBECE0F58F336B01592E76B
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....>g...............$..........................@.................................W.....@... ............................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x4010ba
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x673EE9D5 [Thu Nov 21 08:05:41 2024 UTC]
TLS Callbacks: 0x41a51c, 0x41a5b3, 0x4228ae
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 12964e2649ce9036e2a1286774ae86cc
                      Instruction
                      push ebp
                      mov ebp, esp
                      sub esp, 18h
                      mov dword ptr [ebp-0Ch], 000000FFh
                      mov dword ptr [004382E0h], 00000001h
                      call 00007F82086C51B1h
                      mov dword ptr [ebp-0Ch], eax
                      mov eax, dword ptr [ebp-0Ch]
                      leave
                      ret
                      push ebp
                      mov ebp, esp
                      sub esp, 18h
                      mov dword ptr [ebp-0Ch], 000000FFh
                      mov dword ptr [004382E0h], 00000000h
                      call 00007F82086C518Dh
                      mov dword ptr [ebp-0Ch], eax
                      mov eax, dword ptr [ebp-0Ch]
                      leave
                      ret
                      lea ecx, dword ptr [esp+04h]
                      and esp, FFFFFFF0h
                      push dword ptr [ecx-04h]
                      push ebp
                      mov ebp, esp
                      push ecx
                      sub esp, 00000094h
                      mov dword ptr [ebp-0Ch], 00000000h
                      mov dword ptr [ebp-10h], 00000000h
                      mov dword ptr [esp+08h], 00000044h
                      mov dword ptr [esp+04h], 00000000h
                      lea eax, dword ptr [ebp-7Ch]
                      mov dword ptr [esp], eax
                      call 00007F82086E4976h
                      mov eax, dword ptr [004382E0h]
                      test eax, eax
                      je 00007F82086C5192h
                      lea eax, dword ptr [ebp-7Ch]
                      mov dword ptr [esp], eax
                      mov eax, dword ptr [00439278h]
                      call eax
                      sub esp, 04h
                      mov dword ptr [ebp-18h], 00000000h
                      mov dword ptr [ebp-20h], 00000018h
                      mov eax, dword ptr [ebp-20h]
                      mov eax, dword ptr fs:[eax]
                      mov dword ptr [ebp-24h], eax
                      mov eax, dword ptr [ebp-24h]
                      mov eax, dword ptr [eax+04h]
                      mov dword ptr [ebp-1Ch], eax
                      mov dword ptr [ebp-14h], 00000000h
                      jmp 00007F82086C51A4h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x39000 | 0xd2c | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3c000 | 0x224 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3d000 | 0x1974 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x306c0 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x39230 | 0x1e0 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2a684 | 0x2a800 | f192cbeafafbd036787705e45cd5893c | False | 0.43780445772058824 | data | 6.144924956418916 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x2c000 | 0x26c | 0x400 | cd4faee918b6d039163459e9ae43b365 | False | 0.2353515625 | Matlab v4 mat-file (little endian) \240\326B, numeric, rows 0, columns 0, imaginary | 1.8158646800282847 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x2d000 | 0x4d74 | 0x4e00 | 26a00dcabd068bb3c2a6c5d84f4dd568 | False | 0.4118088942307692 | data | 5.844738930570382 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.eh_fram | 0x32000 | 0x5a54 | 0x5c00 | cecdba5a38cd979b609cc7ed770370a6 | False | 0.3012058423913043 | data | 4.87734250713647 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x38000 | 0xd60 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x39000 | 0xd2c | 0xe00 | b35ff9b62b16a100bd2cc076e9eec51e | False | 0.38253348214285715 | data | 5.085846307423846 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x3a000 | 0x38 | 0x200 | be43b8407ee9c03eea15b7f75f778714 | False | 0.072265625 | data | 0.3195396310293397 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x3b000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3c000 | 0x224 | 0x400 | 607703b05b5f04b5884d9f6aa2c5cda8 | False | 0.3056640625 | data | 3.4103687270366034 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x3d000 | 0x1974 | 0x1a00 | bcf6e1b200c8178aaf8164efda0e1e90 | False | 0.8143028846153846 | data | 6.667293120350955 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x3c058 | 0x1ca | XML 1.0 document, ASCII text, with very long lines (456), with CRLF line terminators | English | United States | 0.5764192139737991
DLL | Import
KERNEL32.dll | AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateSemaphoreA, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, FreeLibrary, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetHandleInformation, GetLastError, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetProcessAffinityMask, GetStartupInfoA, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, OpenProcess, OutputDebugStringA, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, SetEvent, SetLastError, SetProcessAffinityMask, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, Sleep, SuspendThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WideCharToMultiByte
msvcrt.dll | __getmainargs, __initenv, __lconv_init, __mb_cur_max, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _beginthreadex, _cexit, _endthreadex, _errno, _fileno, _initterm, _iob, _lock, _onexit, _setjmp3, _setmode, _strdup, _ultoa, _unlock, _vsnprintf, _vsnwprintf, _wfopen, _wgetenv, abort, atoi, calloc, exit, fclose, fflush, fgetwc, fprintf, fputc, free, fwrite, getc, localeconv, longjmp, malloc, memchr, memcmp, memcpy, memmove, memset, printf, realloc, setlocale, setvbuf, signal, strchr, strerror, strlen, strncmp, vfprintf, wcslen
USER32.dll | MessageBoxA
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-16T12:24:54.644862+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 52.17.181.189 | 443 | TCP
2024-12-16T12:24:56.660990+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 34.117.59.81 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 12:24:53.226515055 CET | 49731 | 443 | 192.168.2.4 | 52.17.181.189
Dec 16, 2024 12:24:53.226577997 CET | 443 | 49731 | 52.17.181.189 | 192.168.2.4
Dec 16, 2024 12:24:53.226910114 CET | 49731 | 443 | 192.168.2.4 | 52.17.181.189
Dec 16, 2024 12:24:53.231164932 CET | 49731 | 443 | 192.168.2.4 | 52.17.181.189
Dec 16, 2024 12:24:53.231182098 CET | 443 | 49731 | 52.17.181.189 | 192.168.2.4
Dec 16, 2024 12:24:54.644562960 CET | 443 | 49731 | 52.17.181.189 | 192.168.2.4
Dec 16, 2024 12:24:54.644861937 CET | 49731 | 443 | 192.168.2.4 | 52.17.181.189
Dec 16, 2024 12:24:54.659754038 CET | 49731 | 443 | 192.168.2.4 | 52.17.181.189
Dec 16, 2024 12:24:54.659811974 CET | 443 | 49731 | 52.17.181.189 | 192.168.2.4
Dec 16, 2024 12:24:54.660238028 CET | 443 | 49731 | 52.17.181.189 | 192.168.2.4
Dec 16, 2024 12:24:54.729815006 CET | 49731 | 443 | 192.168.2.4 | 52.17.181.189
Dec 16, 2024 12:24:54.775325060 CET | 443 | 49731 | 52.17.181.189 | 192.168.2.4
Dec 16, 2024 12:24:55.142071962 CET | 443 | 49731 | 52.17.181.189 | 192.168.2.4
Dec 16, 2024 12:24:55.142142057 CET | 443 | 49731 | 52.17.181.189 | 192.168.2.4
Dec 16, 2024 12:24:55.142339945 CET | 49731 | 443 | 192.168.2.4 | 52.17.181.189
Dec 16, 2024 12:24:55.243721008 CET | 49731 | 443 | 192.168.2.4 | 52.17.181.189
Dec 16, 2024 12:24:55.243721008 CET | 49731 | 443 | 192.168.2.4 | 52.17.181.189
Dec 16, 2024 12:24:55.243791103 CET | 443 | 49731 | 52.17.181.189 | 192.168.2.4
Dec 16, 2024 12:24:55.243824959 CET | 443 | 49731 | 52.17.181.189 | 192.168.2.4
Dec 16, 2024 12:24:55.433432102 CET | 49733 | 443 | 192.168.2.4 | 34.117.59.81
Dec 16, 2024 12:24:55.433461905 CET | 443 | 49733 | 34.117.59.81 | 192.168.2.4
Dec 16, 2024 12:24:55.433983088 CET | 49733 | 443 | 192.168.2.4 | 34.117.59.81
Dec 16, 2024 12:24:55.434262991 CET | 49733 | 443 | 192.168.2.4 | 34.117.59.81
Dec 16, 2024 12:24:55.434276104 CET | 443 | 49733 | 34.117.59.81 | 192.168.2.4
Dec 16, 2024 12:24:56.660903931 CET | 443 | 49733 | 34.117.59.81 | 192.168.2.4
Dec 16, 2024 12:24:56.660990000 CET | 49733 | 443 | 192.168.2.4 | 34.117.59.81
Dec 16, 2024 12:24:56.663379908 CET | 49733 | 443 | 192.168.2.4 | 34.117.59.81
Dec 16, 2024 12:24:56.663393021 CET | 443 | 49733 | 34.117.59.81 | 192.168.2.4
Dec 16, 2024 12:24:56.663667917 CET | 443 | 49733 | 34.117.59.81 | 192.168.2.4
Dec 16, 2024 12:24:56.665359974 CET | 49733 | 443 | 192.168.2.4 | 34.117.59.81
Dec 16, 2024 12:24:56.711327076 CET | 443 | 49733 | 34.117.59.81 | 192.168.2.4
Dec 16, 2024 12:24:57.111772060 CET | 443 | 49733 | 34.117.59.81 | 192.168.2.4
Dec 16, 2024 12:24:57.111948967 CET | 443 | 49733 | 34.117.59.81 | 192.168.2.4
Dec 16, 2024 12:24:57.112046957 CET | 49733 | 443 | 192.168.2.4 | 34.117.59.81
Dec 16, 2024 12:24:57.112282038 CET | 49733 | 443 | 192.168.2.4 | 34.117.59.81
Dec 16, 2024 12:24:57.112302065 CET | 443 | 49733 | 34.117.59.81 | 192.168.2.4
Dec 16, 2024 12:24:57.112313986 CET | 49733 | 443 | 192.168.2.4 | 34.117.59.81
Dec 16, 2024 12:24:57.112322092 CET | 443 | 49733 | 34.117.59.81 | 192.168.2.4
Dec 16, 2024 12:25:31.624236107 CET | 49738 | 8080 | 192.168.2.4 | 31.13.224.69
Dec 16, 2024 12:25:31.744564056 CET | 8080 | 49738 | 31.13.224.69 | 192.168.2.4
Dec 16, 2024 12:25:31.744735003 CET | 49738 | 8080 | 192.168.2.4 | 31.13.224.69
Dec 16, 2024 12:25:31.745007038 CET | 49738 | 8080 | 192.168.2.4 | 31.13.224.69
Dec 16, 2024 12:25:31.745042086 CET | 49738 | 8080 | 192.168.2.4 | 31.13.224.69
Dec 16, 2024 12:25:31.865653992 CET | 8080 | 49738 | 31.13.224.69 | 192.168.2.4
Dec 16, 2024 12:25:31.865811110 CET | 8080 | 49738 | 31.13.224.69 | 192.168.2.4
Dec 16, 2024 12:25:33.021675110 CET | 8080 | 49738 | 31.13.224.69 | 192.168.2.4
Dec 16, 2024 12:25:33.074651957 CET | 49738 | 8080 | 192.168.2.4 | 31.13.224.69
Dec 16, 2024 12:26:03.046371937 CET | 49738 | 8080 | 192.168.2.4 | 31.13.224.69
Dec 16, 2024 12:26:03.046372890 CET | 49738 | 8080 | 192.168.2.4 | 31.13.224.69
Dec 16, 2024 12:26:03.166333914 CET | 8080 | 49738 | 31.13.224.69 | 192.168.2.4
Dec 16, 2024 12:26:03.166344881 CET | 8080 | 49738 | 31.13.224.69 | 192.168.2.4
Dec 16, 2024 12:26:03.550230026 CET | 8080 | 49738 | 31.13.224.69 | 192.168.2.4
Dec 16, 2024 12:26:03.606090069 CET | 49738 | 8080 | 192.168.2.4 | 31.13.224.69
Dec 16, 2024 12:26:33.561984062 CET | 49738 | 8080 | 192.168.2.4 | 31.13.224.69
Dec 16, 2024 12:26:33.561985016 CET | 49738 | 8080 | 192.168.2.4 | 31.13.224.69
Dec 16, 2024 12:26:33.682096958 CET | 8080 | 49738 | 31.13.224.69 | 192.168.2.4
Dec 16, 2024 12:26:33.682133913 CET | 8080 | 49738 | 31.13.224.69 | 192.168.2.4
Dec 16, 2024 12:26:33.964381933 CET | 8080 | 49738 | 31.13.224.69 | 192.168.2.4
Dec 16, 2024 12:26:34.012490034 CET | 49738 | 8080 | 192.168.2.4 | 31.13.224.69
Dec 16, 2024 12:27:03.970740080 CET | 49738 | 8080 | 192.168.2.4 | 31.13.224.69
Dec 16, 2024 12:27:03.970740080 CET | 49738 | 8080 | 192.168.2.4 | 31.13.224.69
Dec 16, 2024 12:27:04.091169119 CET | 8080 | 49738 | 31.13.224.69 | 192.168.2.4
Dec 16, 2024 12:27:04.091218948 CET | 8080 | 49738 | 31.13.224.69 | 192.168.2.4
Dec 16, 2024 12:27:04.372456074 CET | 8080 | 49738 | 31.13.224.69 | 192.168.2.4
Dec 16, 2024 12:27:04.418741941 CET | 49738 | 8080 | 192.168.2.4 | 31.13.224.69
Dec 16, 2024 12:27:34.391093016 CET | 49738 | 8080 | 192.168.2.4 | 31.13.224.69
Dec 16, 2024 12:27:34.391093016 CET | 49738 | 8080 | 192.168.2.4 | 31.13.224.69
Dec 16, 2024 12:27:34.511518002 CET | 8080 | 49738 | 31.13.224.69 | 192.168.2.4
Dec 16, 2024 12:27:34.511569023 CET | 8080 | 49738 | 31.13.224.69 | 192.168.2.4
Dec 16, 2024 12:27:34.786112070 CET | 8080 | 49738 | 31.13.224.69 | 192.168.2.4
Dec 16, 2024 12:27:34.840749979 CET | 49738 | 8080 | 192.168.2.4 | 31.13.224.69
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Dec 16, 2024 12:24:53.079062939 CET | 58527 | 53 | 192.168.2.4 | 1.1.1.1
                      Dec 16, 2024 12:24:53.218168020 CET | 53 | 58527 | 1.1.1.1 | 192.168.2.4
                      Dec 16, 2024 12:24:55.292742014 CET | 56195 | 53 | 192.168.2.4 | 1.1.1.1
                      Dec 16, 2024 12:24:55.431827068 CET | 53 | 56195 | 1.1.1.1 | 192.168.2.4
                      Dec 16, 2024 12:25:31.380153894 CET | 55002 | 53 | 192.168.2.4 | 1.1.1.1
                      Dec 16, 2024 12:25:31.623167038 CET | 53 | 55002 | 1.1.1.1 | 192.168.2.4
                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                      Dec 16, 2024 12:24:53.079062939 CET | 192.168.2.4 | 1.1.1.1 | 0x2f0c | Standard query (0) | checkip.amazonaws.com | A (IP address) | IN (0x0001) | false
                      Dec 16, 2024 12:24:55.292742014 CET | 192.168.2.4 | 1.1.1.1 | 0x546c | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
                      Dec 16, 2024 12:25:31.380153894 CET | 192.168.2.4 | 1.1.1.1 | 0x3e47 | Standard query (0) | xscapezo.capetown | A (IP address) | IN (0x0001) | false
                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                      Dec 16, 2024 12:24:53.218168020 CET | 1.1.1.1 | 192.168.2.4 | 0x2f0c | No error (0) | checkip.amazonaws.com | checkip.check-ip.aws.a2z.com | | CNAME (Canonical name) | IN (0x0001) | false
                      Dec 16, 2024 12:24:53.218168020 CET | 1.1.1.1 | 192.168.2.4 | 0x2f0c | No error (0) | checkip.check-ip.aws.a2z.com | checkip.eu-west-1.prod.check-ip.aws.a2z.com | | CNAME (Canonical name) | IN (0x0001) | false
                      Dec 16, 2024 12:24:53.218168020 CET | 1.1.1.1 | 192.168.2.4 | 0x2f0c | No error (0) | checkip.eu-west-1.prod.check-ip.aws.a2z.com | | 52.17.181.189 | A (IP address) | IN (0x0001) | false
                      Dec 16, 2024 12:24:53.218168020 CET | 1.1.1.1 | 192.168.2.4 | 0x2f0c | No error (0) | checkip.eu-west-1.prod.check-ip.aws.a2z.com | | 18.202.169.9 | A (IP address) | IN (0x0001) | false
                      Dec 16, 2024 12:24:53.218168020 CET | 1.1.1.1 | 192.168.2.4 | 0x2f0c | No error (0) | checkip.eu-west-1.prod.check-ip.aws.a2z.com | | 54.195.26.29 | A (IP address) | IN (0x0001) | false
                      Dec 16, 2024 12:24:55.431827068 CET | 1.1.1.1 | 192.168.2.4 | 0x546c | No error (0) | ipinfo.io | | 34.117.59.81 | A (IP address) | IN (0x0001) | false
                      Dec 16, 2024 12:25:31.623167038 CET | 1.1.1.1 | 192.168.2.4 | 0x3e47 | No error (0) | xscapezo.capetown | | 31.13.224.69 | A (IP address) | IN (0x0001) | false
                      • checkip.amazonaws.com
                      • ipinfo.io
                      • xscapezo.capetown:8080
                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      0 | 192.168.2.4 | 49738 | 31.13.224.69 | 8080 | 7396 | C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Dec 16, 2024 12:25:31.745007038 CET | 225 | OUT | POST / HTTP/1.1
                      Connection: Keep-Alive
                      Content-Type: application/json; Charset=UTF-8
                      Accept: */*
                      User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                      Content-Length: 452
                      Host: xscapezo.capetown:8080
                      Dec 16, 2024 12:25:33.021675110 CET | 167 | IN | HTTP/1.1 200 OK
                      Date: Mon, 16 Dec 2024 11:25:32 GMT
                      Content-Length: 50
                      Content-Type: text/plain; charset=utf-8
                      Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36
                      Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06
                      Dec 16, 2024 12:26:03.046371937 CET | 225 | OUT | POST / HTTP/1.1
                      Connection: Keep-Alive
                      Content-Type: application/json; Charset=UTF-8
                      Accept: */*
                      User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                      Content-Length: 452
                      Host: xscapezo.capetown:8080
                      Dec 16, 2024 12:26:03.550230026 CET | 167 | IN | HTTP/1.1 200 OK
                      Date: Mon, 16 Dec 2024 11:26:03 GMT
                      Content-Length: 50
                      Content-Type: text/plain; charset=utf-8
                      Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36
                      Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06
                      Dec 16, 2024 12:26:33.561984062 CET | 225 | OUT | POST / HTTP/1.1
                      Connection: Keep-Alive
                      Content-Type: application/json; Charset=UTF-8
                      Accept: */*
                      User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                      Content-Length: 452
                      Host: xscapezo.capetown:8080
                      Dec 16, 2024 12:26:33.964381933 CET | 167 | IN | HTTP/1.1 200 OK
                      Date: Mon, 16 Dec 2024 11:26:33 GMT
                      Content-Length: 50
                      Content-Type: text/plain; charset=utf-8
                      Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36
                      Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06
                      Dec 16, 2024 12:27:03.970740080 CET | 225 | OUT | POST / HTTP/1.1
                      Connection: Keep-Alive
                      Content-Type: application/json; Charset=UTF-8
                      Accept: */*
                      User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                      Content-Length: 452
                      Host: xscapezo.capetown:8080
                      Dec 16, 2024 12:27:04.372456074 CET | 167 | IN | HTTP/1.1 200 OK
                      Date: Mon, 16 Dec 2024 11:27:04 GMT
                      Content-Length: 50
                      Content-Type: text/plain; charset=utf-8
                      Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36
                      Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06
                      Dec 16, 2024 12:27:34.391093016 CET | 225 | OUT | POST / HTTP/1.1
                      Connection: Keep-Alive
                      Content-Type: application/json; Charset=UTF-8
                      Accept: */*
                      User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                      Content-Length: 452
                      Host: xscapezo.capetown:8080
                      Dec 16, 2024 12:27:34.786112070 CET | 167 | IN | HTTP/1.1 200 OK
                      Date: Mon, 16 Dec 2024 11:27:34 GMT
                      Content-Length: 50
                      Content-Type: text/plain; charset=utf-8
                      Data Raw: 36 65 39 38 61 34 63 35 34 62 62 38 63 30 31 65 38 36 37 37 63 37 39 30 34 64 38 65 39 32 62 62 32 33 61 31 64 39 65 34 63 61 65 35 66 64 34 64 30 36
                      Data Ascii: 6e98a4c54bb8c01e8677c7904d8e92bb23a1d9e4cae5fd4d06


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      0 | 192.168.2.4 | 49731 | 52.17.181.189 | 443 | 7396 | C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-12-16 11:24:54 UTC | 187 | OUT | GET / HTTP/1.1
                      Connection: Keep-Alive
                      Content-Type: application/json
                      Accept: */*
                      User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                      Host: checkip.amazonaws.com
                      2024-12-16 11:24:55 UTC | 237 | IN | HTTP/1.1 200
                      Date: Mon, 16 Dec 2024 11:24:54 GMT
                      Content-Type: text/plain;charset=UTF-8
                      Content-Length: 13
                      Connection: close
                      Server: nginx
                      Vary: Origin
                      Vary: Access-Control-Request-Method
                      Vary: Access-Control-Request-Headers
                      2024-12-16 11:24:55 UTC | 13 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 0a
                      Data Ascii: 8.46.123.189


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      1 | 192.168.2.4 | 49733 | 34.117.59.81 | 443 | 7396 | C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-12-16 11:24:56 UTC | 182 | OUT | GET /country HTTP/1.1
                      Connection: Keep-Alive
                      Content-Type: application/json
                      Accept: */*
                      User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                      Host: ipinfo.io
                      2024-12-16 11:24:57 UTC | 448 | IN | HTTP/1.1 200 OK
                      access-control-allow-origin: *
                      Content-Length: 3
                      content-type: text/html; charset=utf-8
                      date: Mon, 16 Dec 2024 11:24:56 GMT
                      referrer-policy: strict-origin-when-cross-origin
                      x-content-type-options: nosniff
                      x-frame-options: SAMEORIGIN
                      x-xss-protection: 1; mode=block
                      via: 1.1 google
                      strict-transport-security: max-age=2592000; includeSubDomains
                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                      Connection: close
                      2024-12-16 11:24:57 UTC | 3 | IN | Data Raw: 55 53 0a
                      Data Ascii: US



                      Target ID:0
                      Start time:06:24:35
                      Start date:16/12/2024
                      Path:C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe"
                      Imagebase:0x150000
                      File size:231'936 bytes
                      MD5 hash:5B74BA5D3F7A0AFF3DEA2D3AE9BB1A59
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:false

                      Target ID:2
                      Start time:06:24:55
                      Start date:16/12/2024
                      Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                      Wow64 process (32bit):true
                      Commandline:wmic os get Name
                      Imagebase:0x820000
                      File size:427'008 bytes
                      MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate
                      Has exited:true

                      Target ID:3
                      Start time:06:24:55
                      Start date:16/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:6
                      Start time:06:24:57
                      Start date:16/12/2024
                      Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                      Wow64 process (32bit):true
                      Commandline:wmic cpu get name
                      Imagebase:0x820000
                      File size:427'008 bytes
                      MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate
                      Has exited:true

                      Target ID:7
                      Start time:06:24:57
                      Start date:16/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:8
                      Start time:06:24:58
                      Start date:16/12/2024
                      Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                      Wow64 process (32bit):true
                      Commandline:wmic path win32_VideoController get name
                      Imagebase:0x980000
                      File size:427'008 bytes
                      MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate
                      Has exited:true

                      Target ID:9
                      Start time:06:24:58
                      Start date:16/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true


                        Execution Graph

                        Execution Coverage:6.7%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:43.6%
                        Total number of Nodes:2000
                        Total number of Limit Nodes:99
23058 15a508 45 API calls 23046->23058 23046->23077 23057 160683 23048->23057 23076 1527f2 29 API calls 23048->23076 23052 160aaf 23049->23052 23071 1527f2 29 API calls 23049->23071 23050 1716a0 29 API calls 23053 160b8e 23050->23053 23051->23040 23081 1527f2 29 API calls 23052->23081 23093 160a03 23052->23093 23066 160b99 23053->23066 23693 15bf56 23053->23693 23067 16107b 23054->23067 23055->23044 23063 15fc9d 23056->23063 23064 16069f 23057->23064 23087 1527f2 29 API calls 23057->23087 23065 1608a2 23058->23065 23062->23048 23086 15833a 29 API calls 23063->23086 23063->23259 23078 1606bb 23064->23078 23089 1527f2 29 API calls 23064->23089 23065->23077 23088 15379b 29 API calls 23065->23088 23155 160ba8 23066->23155 23682 15ae31 23066->23682 23073 161083 23067->23073 23084 156150 30 API calls 23067->23084 23071->23052 23082 152ffd 42 API calls 23073->23082 23073->23135 23075 160ae7 23085 160af8 23075->23085 23100 1527f2 29 API calls 23075->23100 23076->23057 23077->23031 23079 1606d7 23078->23079 23096 1527f2 29 API calls 23078->23096 23090 1606f3 23079->23090 23101 1527f2 29 API calls 23079->23101 23081->23093 23082->23135 23094 161094 23084->23094 23106 1527f2 29 API calls 23085->23106 23085->23135 23095 15fcc0 23086->23095 23087->23064 23107 1608b8 23088->23107 23089->23078 23097 16070f 23090->23097 23108 1527f2 29 API calls 23090->23108 23092 156150 30 API calls 23092->23066 23093->23075 23099 1527f2 29 API calls 23093->23099 23094->23073 23103 156150 30 API calls 23094->23103 23105 15a508 45 API calls 23095->23105 23095->23259 23096->23079 23102 16072b 23097->23102 23114 1527f2 29 API calls 23097->23114 23099->23075 23100->23085 23101->23090 23120 1527f2 29 API calls 23102->23120 23122 15ffe0 23102->23122 23110 1610a0 23103->23110 23104 160ba0 23111 1716a0 29 API calls 23104->23111 23104->23155 23112 15fcdd 23105->23112 23106->23135 23118 15ea18 85 API calls 23107->23118 23108->23097 23110->23073 23123 156150 30 API calls 23110->23123 23117 160c13 
23111->23117 23127 15833a 29 API calls 23112->23127 23112->23259 23114->23102 23115 156150 30 API calls 23121 160e78 23115->23121 23116 16076c 23124 160788 23116->23124 23139 1527f2 29 API calls 23116->23139 23125 160c2f 23117->23125 23126 160c1b CoInitialize 23117->23126 23128 1608f8 23118->23128 23120->23122 23129 160e92 23121->23129 23137 156150 30 API calls 23121->23137 23122->23116 23138 1527f2 29 API calls 23122->23138 23130 1610ac 23123->23130 23132 1607ad 23124->23132 23143 1527f2 29 API calls 23124->23143 23133 156150 30 API calls 23125->23133 23126->23125 23131 15fd00 23127->23131 23128->23077 23145 1609ae 23128->23145 23146 16090c 23128->23146 23140 160e9e 23129->23140 23141 160eab 23129->23141 23130->23073 23148 156150 30 API calls 23130->23148 23142 15a508 45 API calls 23131->23142 23131->23259 23132->23135 23153 1527f2 29 API calls 23132->23153 23134 160c36 23133->23134 23151 1536c0 29 API calls 23134->23151 23213 160d61 23134->23213 23135->23010 23135->23013 23136 15f924 23136->22975 23147 160e85 23137->23147 23138->23116 23139->23124 23149 156150 30 API calls 23140->23149 23756 162579 23141->23756 23150 15fd1d 23142->23150 23143->23132 23156 1540bc 42 API calls 23145->23156 23154 15345e 29 API calls 23146->23154 23147->23129 23163 156150 30 API calls 23147->23163 23157 1610b9 23148->23157 23149->23038 23165 15833a 29 API calls 23150->23165 23150->23259 23158 160c55 23151->23158 23153->23135 23174 160916 23154->23174 23155->23115 23162 1609b5 23156->23162 23157->23073 23164 156150 30 API calls 23157->23164 23172 160c75 SafeArrayCreate 23158->23172 23158->23213 23159 160eec 23783 15dd07 23159->23783 23160 160eca 23166 156150 30 API calls 23160->23166 23161 1580cb 30 API calls 23167 160e0e 23161->23167 23168 1544a5 29 API calls 23162->23168 23163->23129 23169 1610c6 23164->23169 23170 15fd40 23165->23170 23166->23038 23167->23155 23742 163f4c 23167->23742 23171 1609c9 23168->23171 23169->23073 23177 156150 30 API calls 23169->23177 23178 15a508 45 API 
calls 23170->23178 23170->23259 23176 1609e7 23171->23176 23185 1527f2 29 API calls 23171->23185 23179 160ca6 23172->23179 23172->23213 23174->23077 23432 15ed20 23174->23432 23176->23093 23188 1527f2 29 API calls 23176->23188 23191 1610d3 23177->23191 23182 15fd5d 23178->23182 23186 1536c0 29 API calls 23179->23186 23215 160caa 23179->23215 23189 15833a 29 API calls 23182->23189 23182->23259 23185->23176 23190 160cc0 23186->23190 23188->23093 23192 15fd80 23189->23192 23191->23073 23196 1527f2 29 API calls 23191->23196 23200 15a508 45 API calls 23192->23200 23192->23259 23195 160d75 CoInitialize 23195->23215 23196->23073 23199 156150 30 API calls 23199->23215 23203 15fd9d 23200->23203 23211 15aa69 42 API calls 23203->23211 23203->23259 23207 1536c0 29 API calls 23207->23215 23209 160d9c SafeArrayPutElement 23216 15fdb7 23211->23216 23213->23155 23213->23161 23215->23195 23215->23199 23215->23207 23215->23209 23215->23213 23222 15a508 45 API calls 23216->23222 23216->23259 23225 15fdd3 23222->23225 23230 15379b 29 API calls 23225->23230 23225->23259 23233 15fdec 23230->23233 23234 15ea18 85 API calls 23233->23234 23235 15fe42 23234->23235 23236 15fe52 23235->23236 23237 15fe7e 23235->23237 23235->23259 23239 15833a 29 API calls 23236->23239 23238 1540bc 42 API calls 23237->23238 23241 15fe85 23238->23241 23240 15fe67 23239->23240 23240->23259 23259->22995 23274 15833a 29 API calls 23273->23274 23275 15a76c 23274->23275 23276 1716a0 29 API calls 23275->23276 23277 15a77c 23276->23277 23278 161f83 42 API calls 23277->23278 23306 15a9b4 23277->23306 23279 15a7aa 23278->23279 23282 153719 29 API calls 23279->23282 23279->23306 23280 1544a5 29 API calls 23281 15aa34 23280->23281 23283 15aa47 23281->23283 23287 1527f2 29 API calls 23281->23287 23284 15a7d9 23282->23284 23285 15aa59 23283->23285 23289 1527f2 29 API calls 23283->23289 23286 15833a 29 API calls 23284->23286 23285->23136 23321 155678 GetTempPathW 23285->23321 23290 15a7f0 23286->23290 23287->23283 23288 
15a9fd 23292 1527f2 29 API calls 23288->23292 23288->23306 23289->23285 23290->23288 23291 15a8c1 23290->23291 23293 15833a 29 API calls 23290->23293 23294 15833a 29 API calls 23291->23294 23292->23306 23299 15a84c 23293->23299 23295 15a8d8 23294->23295 23296 15a9ec 23295->23296 23297 15a8e4 23295->23297 23296->23288 23300 1527f2 29 API calls 23296->23300 23298 153719 29 API calls 23297->23298 23305 15a8f3 23298->23305 23299->23291 23299->23296 23301 15a88b 23299->23301 23300->23288 23302 15833a 29 API calls 23301->23302 23304 15a8ae 23302->23304 23303 15a998 23303->23306 23310 1527f2 29 API calls 23303->23310 23307 154919 29 API calls 23304->23307 23311 15a8bc 23304->23311 23305->23303 23308 1527f2 29 API calls 23305->23308 23306->23280 23309 15a911 23307->23309 23308->23303 23312 15a922 23309->23312 23313 15a9bf 23309->23313 23310->23306 23311->23296 23314 1527f2 29 API calls 23311->23314 23315 15379b 29 API calls 23312->23315 23313->23311 23316 1527f2 29 API calls 23313->23316 23314->23296 23318 15a92d 23315->23318 23316->23311 23317 15a96b 23317->23305 23320 1527f2 29 API calls 23317->23320 23318->23317 23319 1527f2 29 API calls 23318->23319 23319->23317 23320->23305 23322 1556d1 23321->23322 23323 1556a9 23321->23323 23846 153652 23322->23846 23324 1556cd 23323->23324 23326 15414d 29 API calls 23323->23326 23327 155739 23323->23327 23850 154177 23324->23850 23326->23324 23327->23136 23337 15aa69 23327->23337 23330 1716a0 29 API calls 23331 1556f9 23330->23331 23331->23327 23332 155700 GetTempPathW 23331->23332 23333 15571c 23332->23333 23334 15573b 23332->23334 23333->23327 23335 152812 29 API calls 23333->23335 23336 1518f3 42 API calls 23334->23336 23335->23323 23336->23333 23340 15aa82 23337->23340 23339 1716a0 29 API calls 23339->23340 23340->23339 23341 15ac40 23340->23341 23345 15aafd 23340->23345 23857 15a618 23340->23857 23342 1544ed 29 API calls 23341->23342 23343 15ac58 23342->23343 23344 1544ed 29 API calls 23343->23344 23346 15ac68 23344->23346 
23347 15833a 29 API calls 23345->23347 23348 15ac25 23346->23348 23350 1527f2 29 API calls 23346->23350 23349 15ab12 23347->23349 23348->23136 23368 15a508 23348->23368 23351 15833a 29 API calls 23349->23351 23353 15ac29 23349->23353 23350->23348 23352 15ab46 23351->23352 23354 153719 29 API calls 23352->23354 23366 15abd3 23352->23366 23353->23341 23355 1527f2 29 API calls 23353->23355 23365 15ab61 23354->23365 23355->23341 23356 15abec 23357 15abfd 23356->23357 23359 1527f2 29 API calls 23356->23359 23860 1544ed 23357->23860 23359->23357 23361 1537db 42 API calls 23361->23365 23362 153684 29 API calls 23362->23365 23363 1544ed 29 API calls 23363->23348 23364 154212 29 API calls 23364->23365 23365->23361 23365->23362 23365->23364 23365->23366 23367 1527f2 29 API calls 23365->23367 23366->23353 23366->23356 23367->23365 23369 15379b 29 API calls 23368->23369 23370 15a534 23369->23370 23864 154ce0 23370->23864 23373 1716a0 29 API calls 23374 15a561 23373->23374 23375 15a57b 23374->23375 23376 154ce0 45 API calls 23374->23376 23375->22999 23375->23136 23376->23375 23967 162911 23377->23967 23380 1716a0 29 API calls 23381 15ea61 23380->23381 23433 15ed47 23432->23433 23434 153652 29 API calls 23433->23434 23435 15ed51 23434->23435 23436 1716a0 29 API calls 23435->23436 23448 15ed63 23436->23448 23437 15edc3 23438 152812 29 API calls 23437->23438 23440 15ee14 23438->23440 23439 15ed7b GetModuleFileNameW 23441 15ed9f 23439->23441 23439->23448 23444 155678 44 API calls 23440->23444 23528 15f1f5 23440->23528 23441->23437 23443 15414d 29 API calls 23441->23443 23442 15ed9d 23446 1622ac 42 API calls 23442->23446 23443->23437 23447 15ee3a 23444->23447 23445 153652 29 API calls 23445->23448 23446->23441 23452 15aa69 42 API calls 23447->23452 23447->23528 23448->23437 23448->23439 23448->23442 23448->23445 23449 15edd1 23448->23449 23453 152812 29 API calls 23449->23453 23450 1540bc 42 API calls 23451 15f4aa 23450->23451 23454 1544a5 29 API calls 23451->23454 23455 15ee60 
23452->23455 23453->23437 23456 15f4b6 23454->23456 23458 15a508 45 API calls 23455->23458 23455->23528 23457 15f4c9 23456->23457 23461 1527f2 29 API calls 23456->23461 23459 15f4e5 23457->23459 23464 1527f2 29 API calls 23457->23464 23460 15ee7d 23458->23460 23462 15f501 23459->23462 23468 1527f2 29 API calls 23459->23468 23463 15833a 29 API calls 23460->23463 23460->23528 23461->23457 23466 15f51d 23462->23466 23469 1527f2 29 API calls 23462->23469 23465 15eea0 23463->23465 23464->23459 23471 15379b 29 API calls 23465->23471 23465->23528 23467 15f539 23466->23467 23472 1527f2 29 API calls 23466->23472 23468->23462 23469->23466 23481 15eeb6 23471->23481 23472->23467 23528->23450 23531 15833a 29 API calls 23530->23531 23532 15e0a7 23531->23532 23533 1716a0 29 API calls 23532->23533 23534 15e0c1 23533->23534 23535 156d2d 48 API calls 23534->23535 23581 15e0f4 23534->23581 23536 15e0de 23535->23536 23538 15e0f9 23536->23538 23539 15e0eb 23536->23539 23537 156150 30 API calls 23545 15e966 23537->23545 23540 15833a 29 API calls 23538->23540 23541 156c0e 29 API calls 23539->23541 23549 15e10e 23540->23549 23541->23581 23542 15833a 29 API calls 23544 15e9de 23542->23544 23543 15e97c 23546 156150 30 API calls 23543->23546 23547 15e9f9 23544->23547 23550 153719 29 API calls 23544->23550 23545->23543 23548 1527f2 29 API calls 23545->23548 23651 15e7f7 23545->23651 23556 15e984 23546->23556 23547->23038 23547->23050 23548->23543 23551 15833a 29 API calls 23549->23551 23558 15e177 23549->23558 23552 15e9f2 23550->23552 23554 15e144 23551->23554 23560 152ffd 42 API calls 23552->23560 23553 15e9ae 23557 156c0e 29 API calls 23553->23557 23554->23558 23562 157341 34 API calls 23554->23562 23555 15e5d6 23559 156150 30 API calls 23555->23559 23556->23553 23561 1527f2 29 API calls 23556->23561 23556->23651 23557->23651 23558->23555 23563 1527f2 29 API calls 23558->23563 23564 15e5e1 23559->23564 23560->23547 23561->23553 23565 15e15f 23562->23565 23563->23555 23567 156150 30 API 
calls 23564->23567 23658 15e5e6 23564->23658 23568 15e190 23565->23568 23569 15e16c 23565->23569 23566 15833a 29 API calls 23570 15e5fe 23566->23570 23582 15e616 23567->23582 23572 157341 34 API calls 23568->23572 23571 156150 30 API calls 23569->23571 23574 15e609 23570->23574 23578 15a4b0 29 API calls 23570->23578 23571->23558 23573 15e1ab 23572->23573 23575 15e215 23573->23575 23576 15e1b8 23573->23576 23574->23581 23586 15833a 29 API calls 23574->23586 23580 1573eb 31 API calls 23575->23580 23579 156150 30 API calls 23576->23579 23577 15e62c 23583 156150 30 API calls 23577->23583 23584 15e740 23578->23584 23579->23558 23585 15e225 23580->23585 23581->23537 23582->23577 23587 1527f2 29 API calls 23582->23587 23582->23658 23597 15e637 23583->23597 23588 153f9a 38 API calls 23584->23588 23589 15e230 23585->23589 23590 15e283 23585->23590 23602 15e857 23586->23602 23587->23577 23591 15e755 23588->23591 23593 156150 30 API calls 23589->23593 23603 1656cb 63 API calls 23590->23603 23592 15833a 29 API calls 23591->23592 23595 15e76a 23592->23595 23593->23558 23594 15e661 23596 15e686 23594->23596 23605 1527f2 29 API calls 23594->23605 23599 15e805 23595->23599 23600 15e773 23595->23600 23601 156150 30 API calls 23596->23601 23597->23594 23598 1527f2 29 API calls 23597->23598 23597->23658 23598->23594 23607 15e81e 23599->23607 23617 1527f2 29 API calls 23599->23617 23604 153719 29 API calls 23600->23604 23606 15e691 23601->23606 23602->23581 23618 1656cb 63 API calls 23602->23618 23608 15e2be 23603->23608 23609 15e782 23604->23609 23605->23596 23616 156150 30 API calls 23606->23616 23606->23658 23607->23574 23612 15e82f 23607->23612 23619 1527f2 29 API calls 23607->23619 23610 15e312 23608->23610 23611 15e2c9 23608->23611 23615 15e795 23609->23615 23626 1527f2 29 API calls 23609->23626 23614 15833a 29 API calls 23610->23614 23613 156150 30 API calls 23611->23613 23612->23574 23625 152ffd 42 API calls 23612->23625 23613->23558 23634 15e327 23614->23634 23620 15e7a6 
23615->23620 23630 1527f2 29 API calls 23615->23630 23621 15e6a5 23616->23621 23617->23607 23622 15e8a3 23618->23622 23619->23612 23627 156150 30 API calls 23620->23627 23631 156150 30 API calls 23621->23631 23621->23658 23623 15e8b4 23622->23623 23624 15e8aa 23622->23624 24024 157da4 23623->24024 23628 156150 30 API calls 23624->23628 23625->23574 23626->23615 23632 15e7ad 23627->23632 23628->23581 23630->23620 23635 15e6b9 23631->23635 23636 156150 30 API calls 23632->23636 23632->23651 23634->23558 23638 15833a 29 API calls 23634->23638 23641 156150 30 API calls 23635->23641 23635->23658 23637 15e8c8 23639 156150 30 API calls 23637->23639 23640 15e361 23638->23640 23652 15e8d3 23639->23652 23640->23558 23643 157341 34 API calls 23640->23643 23649 15e6cd 23641->23649 23648 15e37c 23643->23648 23644 15e6fb 23644->23658 23662 1527f2 29 API calls 23644->23662 23647 15e8ed 23655 156150 30 API calls 23647->23655 23653 15e399 23648->23653 23654 15e389 23648->23654 23649->23644 23657 1527f2 29 API calls 23649->23657 23649->23658 23651->23542 23651->23547 23651->23552 23652->23647 23652->23651 23659 1527f2 29 API calls 23652->23659 23664 15e8f5 23655->23664 23657->23644 23658->23566 23658->23574 23659->23647 23662->23658 23663 15e923 23666 156c0e 29 API calls 23663->23666 23664->23651 23664->23663 23667 1527f2 29 API calls 23664->23667 23666->23651 23667->23663 23683 15ae55 23682->23683 23684 1716a0 29 API calls 23683->23684 23685 15ae61 23684->23685 23687 15ae91 23685->23687 23688 15ae85 23685->23688 23692 15ae99 23685->23692 23686 15af1c 23686->23104 23687->23686 23689 15754b 30 API calls 23687->23689 23690 1716a0 29 API calls 23688->23690 23689->23686 23690->23687 23691 1716a0 29 API calls 23691->23687 23692->23687 23692->23691 23694 153719 29 API calls 23693->23694 23695 15bf82 23694->23695 23696 1716a0 29 API calls 23695->23696 23697 15bf90 23696->23697 23698 15bf98 23697->23698 23699 15c01b CLRCreateInstance 23697->23699 23704 15c005 23697->23704 23701 15c2d5 
CLRCreateInstance 23698->23701 23711 15c2d0 23698->23711 23725 15bfd1 23698->23725 23700 1716a0 29 API calls 23699->23700 23708 15c048 23700->23708 23702 1716a0 29 API calls 23701->23702 23703 15c302 23702->23703 23707 155d36 44 API calls 23703->23707 23703->23725 23704->23698 23709 1527f2 29 API calls 23704->23709 23705 156150 30 API calls 23706 15c56e 23705->23706 23706->23711 23712 156150 30 API calls 23706->23712 23714 15c31c 23707->23714 23708->23704 23717 155c6f 29 API calls 23708->23717 23718 1527f2 29 API calls 23708->23718 23720 155c3d 29 API calls 23708->23720 23723 155c3d 29 API calls 23708->23723 23729 155b62 31 API calls 23708->23729 23732 15414d 29 API calls 23708->23732 23709->23698 23710 15c600 23710->23092 23711->23710 23713 1527f2 29 API calls 23711->23713 23712->23711 23713->23710 23715 15379b 29 API calls 23714->23715 23714->23725 23726 15c380 23714->23726 23716 15c392 23715->23716 23719 1527f2 29 API calls 23716->23719 23716->23726 23717->23708 23718->23708 23719->23726 23721 15c1a8 lstrlenW 23720->23721 23722 155c6f 29 API calls 23721->23722 23722->23708 23723->23708 23725->23705 23726->23725 24061 15a58b 23726->24061 23729->23708 23732->23708 23743 15754b 30 API calls 23742->23743 23744 163f69 23743->23744 23757 1716a0 29 API calls 23756->23757 23758 162594 23757->23758 23759 1625ac 23758->23759 23760 162599 CoInitialize 23758->23760 23761 156150 30 API calls 23759->23761 23760->23759 23762 1625b5 23761->23762 23763 1716a0 29 API calls 23762->23763 23764 1625c1 23763->23764 23765 160ec1 23764->23765 23766 1536c0 29 API calls 23764->23766 23765->23159 23765->23160 23767 1625db 23766->23767 23767->23765 23768 1625fa SafeArrayCreate 23767->23768 23768->23765 23769 162628 23768->23769 23770 1536c0 29 API calls 23769->23770 23774 16262c 23769->23774 23774->23765 23784 1716a0 29 API calls 23783->23784 23785 15dd21 23784->23785 23847 153668 23846->23847 23848 15345e 29 API calls 23847->23848 23849 153675 23848->23849 23849->23330 23851 154211 
23850->23851 23856 154183 23850->23856 23851->23327 23852 1541f0 23853 15414d 29 API calls 23852->23853 23855 154207 23853->23855 23854 1538a3 42 API calls 23854->23856 23855->23327 23856->23852 23856->23854 23858 1716a0 29 API calls 23857->23858 23859 15a664 23858->23859 23859->23340 23861 154505 23860->23861 23862 1544fa 23860->23862 23861->23363 23862->23861 23863 1527f2 29 API calls 23862->23863 23863->23861 23865 1716a0 29 API calls 23864->23865 23867 154d04 23865->23867 23866 154d17 23866->23373 23868 154212 29 API calls 23867->23868 23871 154d0b 23867->23871 23868->23871 23869 154177 42 API calls 23870 154d66 23869->23870 23870->23866 23872 153719 29 API calls 23870->23872 23871->23866 23871->23869 23873 154d93 23872->23873 23875 153719 29 API calls 23873->23875 23896 1552f1 23873->23896 23874 1553bc 23874->23866 23879 154177 42 API calls 23874->23879 23878 154df7 23875->23878 23876 1553c1 23880 15414d 29 API calls 23876->23880 23883 1553cd 23876->23883 23882 153684 29 API calls 23878->23882 23885 154e85 23878->23885 23879->23866 23880->23883 23881 155221 23881->23874 23886 15414d 29 API calls 23881->23886 23891 154e31 23882->23891 23883->23874 23884 1527f2 29 API calls 23883->23884 23884->23874 23885->23881 23888 1527f2 29 API calls 23885->23888 23887 155287 23886->23887 23890 1537db 42 API calls 23887->23890 23888->23881 23889 154212 29 API calls 23889->23891 23904 155294 23890->23904 23891->23889 23902 154e6c 23891->23902 23892 154435 29 API calls 23892->23896 23893 1538a3 42 API calls 23893->23896 23894 153877 42 API calls 23894->23896 23895 154e80 23895->23885 23903 1527f2 29 API calls 23895->23903 23896->23874 23896->23876 23896->23892 23896->23893 23896->23894 23898 1537db 42 API calls 23896->23898 23912 1527f2 29 API calls 23896->23912 23961 15194e 23896->23961 23897 1552aa 23900 1552ae 23897->23900 23905 1527f2 29 API calls 23897->23905 23898->23896 23899 154ec4 23899->23895 23907 154919 29 API calls 23899->23907 23906 1549a7 29 API calls 
23900->23906 23901 154212 29 API calls 23901->23904 23902->23895 23902->23899 23908 154919 29 API calls 23902->23908 23903->23885 23904->23897 23904->23901 23905->23900 23906->23896 23909 155178 23907->23909 23910 154ef9 23908->23910 23911 1551de 23909->23911 23913 16a3a1 29 API calls 23909->23913 23910->23899 23914 161efe 29 API calls 23910->23914 23911->23895 23916 1527f2 29 API calls 23911->23916 23912->23896 23915 15519e 23913->23915 23917 154f2b 23914->23917 23918 1551cf 23915->23918 23919 1551aa 23915->23919 23916->23895 23917->23899 23921 153684 29 API calls 23917->23921 23918->23911 23922 1527f2 29 API calls 23918->23922 23920 152d0e 29 API calls 23919->23920 23920->23895 23926 154f45 23921->23926 23922->23911 23923 154f81 23923->23899 23924 154212 29 API calls 23924->23926 23926->23923 23926->23924 23962 15196f 23961->23962 23963 1716a0 29 API calls 23962->23963 23965 1519c6 23962->23965 23964 1519bc 23963->23964 23964->23965 23966 15194e 29 API calls 23964->23966 23965->23896 23966->23965 23968 162933 23967->23968 23969 15360d strlen 23968->23969 23970 16295d 23969->23970 23971 1716a0 29 API calls 23970->23971 23972 16296f 23971->23972 23973 15360d strlen 23972->23973 23979 15ea50 23972->23979 23974 162981 23973->23974 23975 16298c _wfopen 23974->23975 23974->23979 23979->23380 24025 157db5 24024->24025 24044 157e29 24024->24044 24026 1716a0 29 API calls 24025->24026 24027 157dc3 24026->24027 24028 157e4f 24027->24028 24029 156669 45 API calls 24027->24029 24027->24044 24031 157ea3 24028->24031 24032 157e93 SafeArrayGetDim 24028->24032 24028->24044 24030 157dfe 24029->24030 24033 157e2e 24030->24033 24034 157da4 45 API calls 24030->24034 24036 157ed4 SafeArrayGetVartype 24031->24036 24031->24044 24060 157ff5 24031->24060 24032->24031 24035 156150 30 API calls 24033->24035 24037 157e13 24034->24037 24035->24028 24039 157ef1 24036->24039 24036->24060 24037->24033 24040 157e24 24037->24040 24038 1536c0 29 API calls 24041 15800e 24038->24041 24043 157f0e 
SafeArrayGetLBound 24039->24043 24039->24044 24039->24060 24042 156150 30 API calls 24040->24042 24041->24044 24045 1562db 42 API calls 24041->24045 24042->24044 24046 157f34 24043->24046 24043->24060 24044->23581 24044->23637 24046->24044 24060->24038 24060->24044 24062 1716a0 29 API calls 24061->24062 24063 15a5b0 24062->24063 24064 15a5b5 CoInitialize 24063->24064 24065 15a5c8 24063->24065 24064->24065 24066 156150 30 API calls 24065->24066 24067 15a5cf 24066->24067 24068 1716a0 29 API calls 24067->24068 18321 1665bc 18326 165747 18321->18326 18324 1527f2 29 API calls 18324->18326 18326->18324 18327 165719 Sleep 18326->18327 18329 165756 IsDebuggerPresent 18326->18329 18332 157341 34 API calls 18326->18332 18334 156150 30 API calls 18326->18334 18335 15833a 29 API calls 18326->18335 18336 1656cb 63 API calls 18326->18336 18367 153719 18326->18367 18376 156d2d 18326->18376 18404 1573eb 18326->18404 18415 156c0e 18326->18415 18419 152ffd 18326->18419 18424 1549a7 18326->18424 18337 1716a0 18327->18337 18329->18326 18332->18326 18334->18326 18335->18326 18336->18326 18338 1716f0 18337->18338 18362 1716b2 18337->18362 18432 1730f4 18338->18432 18342 1716bf 18344 1716c5 18342->18344 18345 171730 calloc 18342->18345 18346 1717d0 realloc 18344->18346 18347 1716cf 18344->18347 18349 17b655 abort 18345->18349 18350 171750 18345->18350 18346->18349 18352 1717fc memset 18346->18352 18351 1716de 18347->18351 18355 171787 malloc 18347->18355 18356 171838 malloc 18347->18356 18458 173527 18350->18458 18351->18326 18357 173527 20 API calls 18352->18357 18353 171868 18353->18326 18355->18349 18360 17179e 18355->18360 18356->18349 18363 171850 18356->18363 18361 171830 18357->18361 18359 171766 18359->18347 18359->18351 18364 1717b6 memcpy 18360->18364 18365 171880 memset 18360->18365 18361->18356 18428 1734a7 18362->18428 18363->18353 18363->18360 18366 1717c2 18364->18366 18365->18349 18365->18366 18366->18326 18368 153731 18367->18368 18369 153754 18368->18369 18370 153745 
18368->18370 18373 15373f 18368->18373 18369->18326 18370->18369 18553 1527f2 18370->18553 18371 153743 18556 1525a2 18371->18556 18373->18369 18373->18371 18375 1527f2 29 API calls 18373->18375 18375->18371 18377 1716a0 29 API calls 18376->18377 18378 156d4e 18377->18378 18379 156d66 18378->18379 18380 156d53 CoInitialize 18378->18380 18381 156c0e 29 API calls 18379->18381 18380->18379 18382 156d6d 18381->18382 18383 1716a0 29 API calls 18382->18383 18384 156d79 18383->18384 18394 156ec4 18384->18394 18559 1536c0 18384->18559 18386 156d9d 18562 156c64 18386->18562 18389 1716a0 29 API calls 18390 156de4 18389->18390 18391 156e52 CoGetClassObject 18390->18391 18395 156def 18390->18395 18391->18395 18393 156dfa 18578 156cd8 18393->18578 18394->18326 18395->18394 18574 15379b 18395->18574 18398 156ef2 18586 153db2 18398->18586 18399 156e48 18583 1540bc 18399->18583 18402 156e4d 18402->18394 18403 1527f2 29 API calls 18402->18403 18403->18394 18405 1716a0 29 API calls 18404->18405 18406 157401 18405->18406 18407 157406 CoInitialize 18406->18407 18408 157419 18406->18408 18407->18408 18824 156150 18408->18824 18411 1716a0 29 API calls 18412 15742c 18411->18412 18413 1536c0 29 API calls 18412->18413 18414 157444 18412->18414 18413->18414 18414->18326 18416 156c20 18415->18416 18417 1716a0 29 API calls 18416->18417 18418 156c32 18416->18418 18417->18418 18418->18326 18420 1716a0 29 API calls 18419->18420 18421 15300f 18420->18421 18422 152ec6 42 API calls 18421->18422 18423 153022 18422->18423 18423->18326 18425 1549b5 18424->18425 18427 1549c0 18424->18427 18426 1527f2 29 API calls 18425->18426 18425->18427 18426->18427 18427->18326 18429 1734b4 18428->18429 18466 173841 18429->18466 18431 1734bc 18431->18342 18433 173113 18432->18433 18434 171704 18432->18434 18433->18434 18435 172c3f calloc 18433->18435 18452 171b64 18434->18452 18436 17313e 18435->18436 18437 171b64 2 API calls 18436->18437 18438 17314f 18437->18438 18439 17319d 18438->18439 18440 173158 18438->18440 
                        APIs
                          • Part of subcall function 00155C7F: MultiByteToWideChar.KERNEL32 ref: 00155CD0
                          • Part of subcall function 00155C7F: MultiByteToWideChar.KERNEL32 ref: 00155D17
                        • CoInitialize.OLE32 ref: 00164FE0
                        • SysFreeString.OLEAUT32 ref: 00165050
                        • SysFreeString.OLEAUT32 ref: 0016509A
                        • VariantClear.OLEAUT32 ref: 00165364
                        • SysFreeString.OLEAUT32(00000000), ref: 0016547C
                        • SysFreeString.OLEAUT32 ref: 00165489
                        • SysFreeString.OLEAUT32 ref: 00165496
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: FreeString$ByteCharMultiWide$ClearInitializeVariant
                        • String ID: $COMError$COMException$com.nim$invoke
                        • API String ID: 3707380375-1182642905
                        • Opcode ID: d62c234410b63160738b8452864292ccc418296d098138251cf7d0e9287c6f9f
                        • Instruction ID: 5928d5e232fd961b972f291a4b78e0b1df6a9f85fd048e9f7ddbb0a364faed83
                        • Opcode Fuzzy Hash: d62c234410b63160738b8452864292ccc418296d098138251cf7d0e9287c6f9f
                        • Instruction Fuzzy Hash: 78624570904769CFDB21DF68C88479DBBF2BF59304F148599E898AB341DB709989CF82
                        Strings
                        Similarity
                        • API ID:
                        • String ID: -$JsonError$ValueError$fromHex$jsony.nim$parseHook$parseObjectInner$strutils.nim
                        • API String ID: 0-130352387
                        • Opcode ID: 4df840365af2f8b4ef330f36d3e65d55abf2bc5b335be0882651356b4928ba36
                        • Instruction ID: 0a13eb7041d68173eec9e5f9bc0841bde76e251a390627835419f38e5a2e0d27
                        • Opcode Fuzzy Hash: 4df840365af2f8b4ef330f36d3e65d55abf2bc5b335be0882651356b4928ba36
                        • Instruction Fuzzy Hash: 29D268B0A042698FDB61DF14CC90799B7B2BF55308F0480D9EA596B392CB309EC9CF59
                        APIs
                        • CoInitialize.OLE32 ref: 0015AFED
                        • GetActiveObject.OLEAUT32 ref: 0015B0EA
                        • CoCreateInstance.COMBASE ref: 0015B124
                        • CoGetObject.OLE32 ref: 0015B23E
                          • Part of subcall function 001574EF: VariantClear.OLEAUT32 ref: 0015751A
                        • SysFreeString.OLEAUT32 ref: 0015B6AE
                        • VariantClear.OLEAUT32 ref: 0015BA77
                        Strings
                        Similarity
                        • API ID: ClearObjectVariant$ActiveCreateFreeInitializeInstanceString
                        • String ID: COMError$GetAV$GetObject$com.nim
                        • API String ID: 1187925771-4142695778
                        • Opcode ID: ce7f6dca040e84e47eceba1ac363424a6f5346579b5ff5acc37d018486f11329
                        • Instruction ID: 9a2911db6073454db96562f30a5c39c7138e342a1ed10dc4bd7674d7eb7c7457
                        • Opcode Fuzzy Hash: ce7f6dca040e84e47eceba1ac363424a6f5346579b5ff5acc37d018486f11329
                        • Instruction Fuzzy Hash: 69825B74D08358CFDB219F64C49176EBBF1AF56301F148099E8A8AF356DB748989CF82

                        Control-flow Graph
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f6e96e84b44aaa24c9ac55feba659ecb40cdbead6819ee0b73a946acb7df2052
                        • Instruction ID: d4d2f4e9292f5069e69a2e76704a0cfa1abb59c3c271847fcc6413c04b9228ee
                        • Opcode Fuzzy Hash: f6e96e84b44aaa24c9ac55feba659ecb40cdbead6819ee0b73a946acb7df2052
                        • Instruction Fuzzy Hash: AC515AB1A09701EFC710EF69C48455ABBF5EF84304F56C929E99C9B205EB30E945CB82

                        Control-flow Graph
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: __p__acmdln_amsg_exit_cexit_inittermexit
                        • String ID:
                        • API String ID: 3774341475-0
                        • Opcode ID: e302f8b04be14490dde19eba1e9c80a2ef4e136bd08a5b796d0452b26f88fdf6
                        • Instruction ID: bffe5c0f724e5fa6a095c1d81f5ab828940f7cc68648c6f4ce214d071dfba9c4
                        • Opcode Fuzzy Hash: e302f8b04be14490dde19eba1e9c80a2ef4e136bd08a5b796d0452b26f88fdf6
                        • Instruction Fuzzy Hash: AF6168B4900208EFCB51EFA4D9847ADBBF0FF19315F50805AE864AB760D7749A88CF52

                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: __p__acmdln_amsg_exit_cexit_inittermexit
                        • String ID:
                        • API String ID: 3774341475-0
                        • Opcode ID: 64a7d1b8e7eafe67cf89682cf26bf4e08eb61b8fa454a5c2dd7866051ba18b7b
                        • Instruction ID: 4025f1cb8971a9b72a4a79d39c635b6b50c41a720d6c37a6c4d734b24f8a54d0
                        • Opcode Fuzzy Hash: 64a7d1b8e7eafe67cf89682cf26bf4e08eb61b8fa454a5c2dd7866051ba18b7b
                        • Instruction Fuzzy Hash: 81418874904204EFCB91EFA4D98472DBBF0BF14315F908419F8A4AB661CB748A88DF52

                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: _initterm$__p__acmdln_cexitexit
                        • String ID:
                        • API String ID: 1163873781-0
                        • Opcode ID: c6564fbdb5a6c48f9bf86465e5e0517d8acb076a7f82be10b7b5e6086303a463
                        • Instruction ID: 91b3393df87d31044bdb48cbef71032b1c79441f41af7e9c3a02c08dfe0e1f0d
                        • Opcode Fuzzy Hash: c6564fbdb5a6c48f9bf86465e5e0517d8acb076a7f82be10b7b5e6086303a463
                        • Instruction Fuzzy Hash: 85418870A04204EFCB91EFA4D98472DBBF0BF14315F908009F8A4AB661DB748A88DF52

                        APIs
                        • WaitForSingleObject.KERNEL32 ref: 00159FA1
                        • GetExitCodeProcess.KERNELBASE ref: 00159FCA
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: CodeExitObjectProcessSingleWait
                        • String ID: D
                        • API String ID: 1680577353-2746444292
                        • Opcode ID: 007aafc847d74cac402fb0e1ee7934f51bc1ade9a6b2173b8df804722e91c3cf
                        • Instruction ID: e6113205256e5169200ca4551ecc0bee2174ebc27b1be18bb1bd5baec8809fd1
                        • Opcode Fuzzy Hash: 007aafc847d74cac402fb0e1ee7934f51bc1ade9a6b2173b8df804722e91c3cf
                        • Instruction Fuzzy Hash: D53225B0E04219CFDB24DFA8C49479DBBF1BF58305F648229E864AF292D7749849CF42
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: _wgetenv
                        • String ID: @$@$kI,B
                        • API String ID: 1821490009-2128285436
                        • Opcode ID: 87ac561064cbc37473a0cbab888912b494ffe2693aa22d2fca083a08fc8b02c2
                        • Instruction ID: 4c2667c72959c77ec3c3af1ba9ede845c49af8e0e73f30df2c835fbbdaeb0bbe
                        • Opcode Fuzzy Hash: 87ac561064cbc37473a0cbab888912b494ffe2693aa22d2fca083a08fc8b02c2
                        • Instruction Fuzzy Hash: 26231C75A00228CFDB64DF28CC81B99B7B6BF99300F4581E9D819AB365DB309E85CF51

                        APIs
                          • Part of subcall function 00157341: CoInitialize.OLE32(?), ref: 00157364
                          • Part of subcall function 00157341: SysAllocString.OLEAUT32(?), ref: 001573BF
                          • Part of subcall function 00156150: VariantClear.OLEAUT32 ref: 00156178
                        • Sleep.KERNELBASE ref: 00165734
                        • IsDebuggerPresent.KERNEL32(00000000), ref: 00165756
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: AllocClearDebuggerInitializePresentSleepStringVariant
                        • String ID:
                        • API String ID: 3378142341-0
                        • Opcode ID: 5db70401f51541382e0c22c597761fff07fc3e69c0a89d2928a86d21740a73b2
                        • Instruction ID: 35ceb80404281ee570bec02f49b79aa4a22a8b4e9b0cd3b7bf60c29f9dbdfcdb
                        • Opcode Fuzzy Hash: 5db70401f51541382e0c22c597761fff07fc3e69c0a89d2928a86d21740a73b2
                        • Instruction Fuzzy Hash: 6A4249B0A05268CFEBA1DF24CC90799B7B6BF95304F0040D9D6486B292CB749EC8CF59
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: Initialize
                        • String ID: 3}>f$;eD0
                        • API String ID: 2538663250-262806450
                        • Opcode ID: 774746dd1c6269297d56edfa6b050539fcbff69c66a4701fdb77102ff4435d2d
                        • Instruction ID: db657ba05490583d9ccaa867ae1f663941d97e12ff59c6ecaa14a97c49adaba8
                        • Opcode Fuzzy Hash: 774746dd1c6269297d56edfa6b050539fcbff69c66a4701fdb77102ff4435d2d
                        • Instruction Fuzzy Hash: F16206B0E04269CFEB20DF65C89579DBBB1BF55305F50809AD868AB382DB744D88CF52
                        APIs
                        • RtlAddVectoredExceptionHandler.NTDLL ref: 00172917
                          • Part of subcall function 00171DEF: free.MSVCRT ref: 00171E32
                          • Part of subcall function 0017278D: abort.MSVCRT ref: 00172897
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: ExceptionHandlerVectoredabortfree
                        • String ID:
                        • API String ID: 3783204689-0
                        • Opcode ID: f926854633170c1097f1e56b8ff6ebdfd221058bf66fc8027e78a9d0b4179254
                        • Instruction ID: e973fe78cfdd504b57c0ceba871dd71206a6109eb6f72bc81462bea76215d72d
                        • Opcode Fuzzy Hash: f926854633170c1097f1e56b8ff6ebdfd221058bf66fc8027e78a9d0b4179254
                        • Instruction Fuzzy Hash: F991A274A04205EFCB14EFA8D985A5DBBF0FF14304F0585A9E8A89B361D774EA85CF41
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: Initialize
                        • String ID:
                        • API String ID: 2538663250-0
                        • Opcode ID: 8e5fed23386302317144bb346c7bae4e8ad5fadb73db80cce7c2ce0cfed191cf
                        • Instruction ID: 67b6e65cd570e77d6687995dddaf3edf73b87b763c036465f2f27e4431ae7d61
                        • Opcode Fuzzy Hash: 8e5fed23386302317144bb346c7bae4e8ad5fadb73db80cce7c2ce0cfed191cf
                        • Instruction Fuzzy Hash: BF62F5B0E04269CFEF24DF64C89579DBBB1BF55309F50809AD868AB282DB744D88CF51
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID:
                        • String ID: -$-$JsonError$jsony.nim$parseHook
                        • API String ID: 0-2511633537
                        • Opcode ID: 25a411ddd2958c35413fee8898acc90850721df48d6b4a493d9620bdbd9a990b
                        • Instruction ID: 5a30d6ad293b8c94384a49bedc3be1c1880acc9dfae4130c50cd7232163dc604
                        • Opcode Fuzzy Hash: 25a411ddd2958c35413fee8898acc90850721df48d6b4a493d9620bdbd9a990b
                        • Instruction Fuzzy Hash: DE3249B0A04268CFDB61DF28CC90B99B7B5BF55304F0480D9EA596B252CB749EC8CF59

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1833 1579aa-1579db call 157489 call 1716a0 1838 1579e1-1579ea 1833->1838 1839 157d98-157da1 1833->1839 1840 157a01-157a47 call 15193d 1838->1840 1841 1579ec-1579f6 call 15771d 1838->1841 1851 157a50-157a66 call 1716a0 1840->1851 1852 157a49-157a4b 1840->1852 1846 157d10-157d64 call 15193d * 2 call 164cd7 1841->1846 1847 1579fc 1841->1847 1870 157d69-157d75 1846->1870 1849 157d7e-157d8e call 156c0e 1847->1849 1860 157d95 1849->1860 1861 157d90-157d93 1849->1861 1851->1852 1864 157a68-157a6f 1851->1864 1855 157c1f-157c32 call 156fb3 1852->1855 1868 157ce2-157ce5 1855->1868 1869 157c38-157c3f 1855->1869 1860->1839 1861->1860 1867 157a72-157a7a 1864->1867 1871 157c00 1867->1871 1872 157a80-157a82 1867->1872 1875 157ce7-157cf5 call 1560ed 1868->1875 1876 157d03-157d0b call 1560ed 1868->1876 1869->1868 1873 157c45-157ca4 call 15379b call 151b43 * 2 call 1716a0 call 156cd8 1869->1873 1870->1849 1874 157d77-157d7c call 156c0e 1870->1874 1878 157c02-157c18 call 1575cb 1871->1878 1872->1871 1880 157a88-157aa7 1872->1880 1912 157ca6-157cab call 1540bc 1873->1912 1913 157cad-157cce call 153db2 1873->1913 1874->1860 1875->1839 1888 157cfb-157cfe 1875->1888 1876->1839 1878->1855 1892 157c1a-157c1d 1878->1892 1880->1871 1893 157aad-157ab4 1880->1893 1888->1839 1892->1855 1895 157ab6-157ab9 1893->1895 1896 157abb-157ac2 1893->1896 1895->1867 1898 157ac8-157af5 1896->1898 1899 157bdb-157bf1 call 1575b5 1896->1899 1898->1899 1906 157afb-157b02 1898->1906 1899->1871 1908 157bf3-157bfa 1899->1908 1906->1899 1909 157b08-157b20 call 15193d call 1561ab 1906->1909 1908->1871 1908->1895 1922 157b22-157b44 call 1575e1 1909->1922 1923 157b88-157b95 SysFreeString 1909->1923 1921 157cd1-157cd3 1912->1921 1913->1921 1921->1868 1924 157cd5-157cd9 1921->1924 1929 157b46-157b4b call 156150 1922->1929 1930 157b4d-157b6a call 156f34 1922->1930 1923->1899 1924->1868 1926 157cdb-157cdd call 1527f2 1924->1926 1926->1868 1929->1923 1930->1923 1935 157b6c-157b86 
call 15496d 1930->1935 1935->1923 1938 157b97-157bbc SysFreeString call 1575b5 1935->1938 1938->1878 1941 157bbe-157bcc call 1575cb 1938->1941 1941->1855 1944 157bce-157bd6 call 156fb3 1941->1944 1944->1868
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID:
                        • String ID: COMError$com.nim$getValue
                        • API String ID: 0-564522733
                        • Opcode ID: 8015b081e3c78bcd100491930ff5f627b1631b19dea37b8b2b64bc01045c776a
                        • Instruction ID: 17b8593a871765f5c312edf4b04abdf3ce9a6a8f78c6620c67c78c32bbfa363b
                        • Opcode Fuzzy Hash: 8015b081e3c78bcd100491930ff5f627b1631b19dea37b8b2b64bc01045c776a
                        • Instruction Fuzzy Hash: 5AD16774C08258DFDF12EFA4E4817ADBBF0AF56301F148499E8A0AF395D7749849CB92

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1947 156d2d-156d51 call 1716a0 1950 156d66-156d85 call 156c0e call 1716a0 1947->1950 1951 156d53-156d63 CoInitialize 1947->1951 1956 156f27-156f31 1950->1956 1957 156d8b-156dd2 call 1536c0 call 15193d call 156c64 1950->1957 1951->1950 1957->1956 1964 156dd8-156ded call 1716a0 1957->1964 1967 156e52-156e81 CoGetClassObject 1964->1967 1968 156def-156e42 call 15379b call 151b43 * 2 call 156cd8 1964->1968 1967->1968 1969 156e87-156e8d 1967->1969 1990 156ef2-156f13 call 153db2 1968->1990 1991 156e48-156e4d call 1540bc 1968->1991 1971 156e8f-156eb4 1969->1971 1972 156ece-156ee1 call 1560ed 1969->1972 1971->1972 1979 156eb6-156eba 1971->1979 1972->1956 1981 156ee3-156eea 1972->1981 1979->1972 1983 156ebc-156ec2 1979->1983 1981->1968 1982 156ef0 1981->1982 1982->1956 1983->1972 1985 156ec4-156ecc call 1560ed 1983->1985 1985->1956 1996 156f16-156f18 1990->1996 1991->1996 1996->1956 1997 156f1a-156f1e 1996->1997 1997->1956 1998 156f20-156f22 call 1527f2 1997->1998 1998->1956
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: ClassInitializeObject
                        • String ID: COMError$CreateObject$com.nim
                        • API String ID: 2072964892-2591894477
                        • Opcode ID: 9e0c41b3aea67a4452ed0d3306db58734fe8e24e0bc0928e1b8b695c4c7ab1be
                        • Instruction ID: b42b8a5907b1f688aeed8b9549b9d966ac6be47ce24b9f2d64516c33cca37d33
                        • Opcode Fuzzy Hash: 9e0c41b3aea67a4452ed0d3306db58734fe8e24e0bc0928e1b8b695c4c7ab1be
                        • Instruction Fuzzy Hash: 755187B4908248DFDB11EFA8D88179EBFF0EF55301F54842AE8A49F351D7749849CB82

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 2138 1647c7-1647d0 call 1580e7 2140 1647d5-1647d8 2138->2140 2141 1647f0-164814 SetHandleInformation 2140->2141 2142 1647da 2140->2142 2144 164816-16481e GetLastError 2141->2144 2145 16483a-164884 SetHandleInformation * 2 2141->2145 2143 1647a4-1647a6 2142->2143 2146 164c4f-164c72 call 152812 2143->2146 2144->2143 2147 164820-164834 call 154b85 2144->2147 2150 16476e-164920 call 155767 2145->2150 2151 16488a-1648bd GetLastError 2145->2151 2159 164cc7-164cd4 2146->2159 2160 164c74-164c91 call 152812 2146->2160 2147->2143 2147->2145 2167 164922-16492b 2150->2167 2168 164998-1649a3 2150->2168 2151->2143 2158 1648c3-1648d4 call 154b85 2151->2158 2158->2146 2160->2159 2169 164c93-164cb0 call 152812 2160->2169 2171 164931-164937 2167->2171 2168->2146 2169->2159 2175 164cb2-164cb4 2169->2175 2171->2168 2174 164939-164964 call 153877 call 155767 2171->2174 2174->2168 2184 164966-164982 call 1537db call 151b43 2174->2184 2177 164cb6-164cba 2175->2177 2178 164cc3-164cc5 2175->2178 2177->2178 2180 164cbc-164cbe call 1527f2 2177->2180 2178->2159 2180->2178 2189 164984-164987 2184->2189 2190 164989-16498d 2184->2190 2189->2171 2190->2189 2191 16498f-164996 call 1527f2 2190->2191 2191->2189
                        APIs
                          • Part of subcall function 001580E7: CreatePipe.KERNELBASE ref: 0015812B
                          • Part of subcall function 001580E7: GetLastError.KERNEL32 ref: 00158138
                        • SetHandleInformation.KERNEL32 ref: 00164809
                        • GetLastError.KERNEL32 ref: 00164816
                        • SetHandleInformation.KERNEL32 ref: 00164853
                        • SetHandleInformation.KERNEL32 ref: 00164879
                        • GetLastError.KERNEL32 ref: 001648B5
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: ErrorHandleInformationLast$CreatePipe
                        • String ID:
                        • API String ID: 3790209225-0
                        • Opcode ID: a525411b1d36930743772ecbaae0819c748d4e615eace294e71c4eb6e734149f
                        • Instruction ID: 80b6497a44662ff6f029e2bf6b923c91c0a6ea8f0d36958bc919fe7060e192f9
                        • Opcode Fuzzy Hash: a525411b1d36930743772ecbaae0819c748d4e615eace294e71c4eb6e734149f
                        • Instruction Fuzzy Hash: D241CD70908396DFEB10EF64DD84B6ABBF4AF91304F108599E88887342D7749CE8DB12

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 2926 1649fe-164a14 call 15360d 2929 164a16 2926->2929 2930 164a5a-164a70 call 15360d 2926->2930 2931 164c4f-164c72 call 152812 2929->2931 2930->2931 2936 164a76-164a90 call 15360d 2930->2936 2937 164cc7-164cd4 2931->2937 2938 164c74-164c91 call 152812 2931->2938 2936->2931 2942 164a96-164b15 CreateProcessW GetLastError 2936->2942 2938->2937 2945 164c93-164cb0 call 152812 2938->2945 2942->2931 2944 164b1b-164b22 2942->2944 2947 164b24-164b26 2944->2947 2948 164b2d-164b38 call 15828c 2944->2948 2945->2937 2955 164cb2-164cb4 2945->2955 2950 164b6a-164b74 2947->2950 2951 164b28 2947->2951 2948->2931 2963 164b3e-164b49 call 15828c 2948->2963 2953 164b76-164b7d 2950->2953 2954 164ba4-164bb2 call 1582c3 2950->2954 2956 164c33-164c4c 2951->2956 2958 164b7f-164b86 2953->2958 2959 164bb9-164c1f call 15379b call 151b43 * 3 call 154b85 2953->2959 2954->2953 2971 164bb4 2954->2971 2960 164cb6-164cba 2955->2960 2961 164cc3-164cc5 2955->2961 2956->2931 2958->2959 2964 164b88-164b9f call 154b85 2958->2964 2977 164c2e-164c31 2959->2977 2989 164c21-164c25 2959->2989 2960->2961 2965 164cbc-164cbe call 1527f2 2960->2965 2961->2937 2963->2931 2975 164b4f-164b56 2963->2975 2964->2977 2965->2961 2971->2931 2975->2947 2978 164b58-164b63 call 15828c 2975->2978 2977->2931 2977->2956 2978->2947 2985 164b65 2978->2985 2985->2931 2989->2977 2990 164c27-164c29 call 1527f2 2989->2990 2990->2977
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: CreateErrorLastProcess
                        • String ID: W
                        • API String ID: 2919029540-655174618
                        • Opcode ID: 0dfa5be7acecefd3390cbada4e2972dfc9073a58632e18e6b814606172cc1752
                        • Instruction ID: 59aa45d8a929ec8ac914c70fdc8f92b34066552c70e73353bd546a6f98e6005e
                        • Opcode Fuzzy Hash: 0dfa5be7acecefd3390cbada4e2972dfc9073a58632e18e6b814606172cc1752
                        • Instruction Fuzzy Hash: E4714670D0536ACFEB24DB64C940B99BBF1AF55300F14859AE858AB352D7709E98CF41

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 2992 151bba-151c0f call 151b7f exit VirtualAlloc 2997 151c16-151c17 2992->2997 2998 151c11 call 151bba 2992->2998 2998->2997
                        APIs
                          • Part of subcall function 00151B7F: strlen.MSVCRT ref: 00151B8E
                          • Part of subcall function 00151B7F: fwrite.MSVCRT ref: 00151BA6
                          • Part of subcall function 00151B7F: fflush.MSVCRT ref: 00151BAE
                        • exit.MSVCRT ref: 00151BDE
                        • VirtualAlloc.KERNELBASE ref: 00151C04
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: AllocVirtualexitfflushfwritestrlen
                        • String ID: out of memory
                        • API String ID: 3211969242-49810860
                        • Opcode ID: eab2cd7aaeede16c0bec7e5939e761ead15e823ff6671b70dda28770d1dab6ba
                        • Instruction ID: 18ef5a459b297d3643bc807de05b76c507419160165d1b84ac9b08e5bc99f7a7
                        • Opcode Fuzzy Hash: eab2cd7aaeede16c0bec7e5939e761ead15e823ff6671b70dda28770d1dab6ba
                        • Instruction Fuzzy Hash: 5BE0EDB0448304EBE3417FB8C90A31DBEF9AB50305F40855CE9D856292E7B894858B97

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 3000 173841-17387e call 172e02 3004 173880-173883 3000->3004 3005 173888-173897 call 172696 3000->3005 3006 1739d3-1739da 3004->3006 3009 17389f-1738a4 3005->3009 3010 173899-17389d 3005->3010 3009->3006 3010->3009 3011 1738a9-173974 call 17278d DuplicateHandle 3010->3011 3019 173976 abort 3011->3019 3020 17397b-1739c9 3011->3020 3019->3020 3023 1739d0 3020->3023 3024 1739cb abort 3020->3024 3023->3006 3024->3023
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 617ec4160cd565c82c7059d6acfe9b594cb35dcdc5ba00336d38908b91ce5735
                        • Instruction ID: 2944c8a591b2de68d607c69cdcce9919cd2ce3238472d8d8e257f2605e3d1bbc
                        • Opcode Fuzzy Hash: 617ec4160cd565c82c7059d6acfe9b594cb35dcdc5ba00336d38908b91ce5735
                        • Instruction Fuzzy Hash: D441C774904219DFDB40EFA9D984B9EBBF0FF88314F008559E458AB361D3749A85CF92

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 3025 171729-17174a calloc 3027 17b655-17b65e abort 3025->3027 3028 171750-17176c call 173527 3025->3028 3031 171772-171781 3028->3031 3032 1716de-1716e7 3028->3032 3034 171787-171798 malloc 3031->3034 3035 171838-17184a malloc 3031->3035 3034->3027 3036 17179e-1717a4 3034->3036 3035->3027 3037 171850-17185f 3035->3037 3038 1717a7-1717b0 3036->3038 3037->3038 3039 171868-171879 3037->3039 3040 1717b6-1717bd memcpy 3038->3040 3041 171880-171890 memset 3038->3041 3042 1717c2-1717cf 3040->3042 3041->3027 3041->3042
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: malloc$abortcallocmemcpyrealloc
                        • String ID:
                        • API String ID: 3078593747-0
                        • Opcode ID: 983174bff2dcccec45114810964da740e5fac3e46421e27ccf1bfa1edbdb0588
                        • Instruction ID: 6b380783ba2db8356398aa7cca464bf98d491571c5b7f94d3b2e570ee0fc2845
                        • Opcode Fuzzy Hash: 983174bff2dcccec45114810964da740e5fac3e46421e27ccf1bfa1edbdb0588
                        • Instruction Fuzzy Hash: AA11F3B56047029FDB10DF28C58425ABBF5FF88314F46C929E99C9B301EB30E946CB82

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 3043 1730f4-173107 3044 173113-173117 3043->3044 3045 173109-17310e 3043->3045 3047 173123-173127 3044->3047 3048 173119-17311e 3044->3048 3046 1731f3-1731f7 3045->3046 3049 173133-173156 call 172c3f call 171b64 3047->3049 3050 173129-17312e 3047->3050 3048->3046 3055 17319d-1731a5 3049->3055 3056 173158-173165 call 173a4d 3049->3056 3050->3046 3058 1731a7-1731d0 fprintf 3055->3058 3059 1731d5-1731ee call 171c0d call 172d01 3055->3059 3061 17316a-17319b call 173a4d * 2 3056->3061 3058->3059 3059->3046 3061->3059
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID:
                        • String ID: once %p is %d
                        • API String ID: 0-95064319
                        • Opcode ID: 3de6bdd520b894e3d5bbe9128292631a889757e0fb5f186673ed8c02e5899837
                        • Instruction ID: 11fe0c49c9232be525e234d63ed95ba2b76e60649b9d2438c2f7ea493687c6c6
                        • Opcode Fuzzy Hash: 3de6bdd520b894e3d5bbe9128292631a889757e0fb5f186673ed8c02e5899837
                        • Instruction Fuzzy Hash: C531B3B0A04209DFDB00EFA8C88569DBBF0BF15354F408818E8A99B311D775DA809F91

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 3284 1665bc-1665bf 3285 1667c4-1667d2 3284->3285 3286 166622-166652 call 156150 3284->3286 3288 1667d4-1667d8 3285->3288 3289 1667e1-1667f3 call 1549a7 3285->3289 3298 166654-166666 3286->3298 3299 166673-166695 call 156c0e 3286->3299 3288->3289 3292 1667da-1667dc call 1527f2 3288->3292 3296 166814-166828 call 156150 3289->3296 3297 1667f5-166807 3289->3297 3292->3289 3296->3286 3309 16682e-166835 3296->3309 3297->3296 3302 166809-16680f call 1527f2 3297->3302 3298->3299 3300 166668-16666e call 1527f2 3298->3300 3310 166697-16669b 3299->3310 3311 1666a2-1666a7 Sleep call 1716a0 IsDebuggerPresent call 152ffd 3299->3311 3300->3299 3302->3296 3312 166856-16685d 3309->3312 3313 166837-166849 3309->3313 3310->3311 3314 16669d call 1527f2 3310->3314 3331 165787-165791 3311->3331 3332 16579f-165899 call 153719 call 15833a call 156d2d call 15833a call 15193d call 15833a call 157341 3311->3332 3317 16687e-16688c 3312->3317 3318 16685f-166871 3312->3318 3313->3312 3316 16684b-166851 call 1527f2 3313->3316 3314->3311 3316->3312 3317->3286 3318->3317 3319 166873-166879 call 1527f2 3318->3319 3319->3317 3331->3332 3351 1658c3-1658f8 call 157341 3332->3351 3352 16589b-165d69 call 156150 3332->3352 3358 165960-165982 call 1573eb 3351->3358 3359 1658fa-16595b call 156150 3351->3359 3361 165dd5 3352->3361 3366 165984-1659db call 156150 3358->3366 3367 1659e0-165a1b call 15193d call 1656cb 3358->3367 3359->3361 3365 165ddf-165e06 call 156150 3361->3365 3365->3286 3374 165e0c-165e0e 3365->3374 3366->3361 3380 165a20-165a2f 3367->3380 3376 165e10-165e14 3374->3376 3377 165e1d-165e31 call 156150 3374->3377 3376->3377 3378 165e16-165e18 call 1527f2 3376->3378 3377->3286 3386 165e37-165e4b call 156150 3377->3386 3378->3377 3383 165a83-165aaf call 15833a 3380->3383 3384 165a31-165a7e call 156150 3380->3384 3391 165ab5-165ae9 call 15193d call 15833a 3383->3391 3392 165d6b-165d83 3383->3392 3384->3361 3386->3286 3396 165e51-165e53 3386->3396 3406 
165d85-165d91 3391->3406 3407 165aef-165b0c call 157341 3391->3407 3395 165d93-165db3 3392->3395 3395->3361 3398 165e55-165e59 3396->3398 3399 165e62-165e76 call 156150 3396->3399 3398->3399 3401 165e5b-165e5d call 1527f2 3398->3401 3399->3286 3408 165e7c-165e83 3399->3408 3401->3399 3406->3395 3419 165b22-165b4e call 15833a 3407->3419 3420 165b0e-165b1d call 156150 3407->3420 3409 165ea4-165eab 3408->3409 3410 165e85-165e97 3408->3410 3413 165ecc-165ee0 call 156150 3409->3413 3414 165ead-165ebf 3409->3414 3410->3409 3412 165e99-165e9f call 1527f2 3410->3412 3412->3409 3413->3286 3426 165ee6-165efa call 156150 3413->3426 3414->3413 3417 165ec1-165ec7 call 1527f2 3414->3417 3417->3413 3428 165b54-165b71 call 157341 3419->3428 3429 165db5-165db7 3419->3429 3420->3395 3426->3286 3435 165f00-165f14 call 156150 3426->3435 3436 165b85-165bda call 15193d call 1656cb 3428->3436 3437 165b73-165b80 call 156150 3428->3437 3432 165db9-165dcf 3429->3432 3432->3361 3435->3286 3442 165f1a-165f2e call 156150 3435->3442 3450 165bdc-165bf5 call 156150 3436->3450 3451 165bfa-165c20 call 15833a 3436->3451 3437->3432 3442->3286 3449 165f34-165f3b 3442->3449 3453 165f5c-165f63 3449->3453 3454 165f3d-165f4f 3449->3454 3450->3361 3461 165c26-165c5a call 15193d call 157341 3451->3461 3462 165dd1 3451->3462 3458 165f84-165f94 3453->3458 3459 165f65-165f77 3453->3459 3454->3453 3457 165f51-165f57 call 1527f2 3454->3457 3457->3453 3458->3286 3465 165f9a-1667a4 call 15193d call 15833a call 15193d * 2 call 1656cb call 156150 3458->3465 3459->3458 3464 165f79-165f7f call 1527f2 3459->3464 3477 165c5c-165c63 call 156150 3461->3477 3478 165c68-165cbb call 15193d call 1656cb 3461->3478 3467 165dd3 3462->3467 3464->3458 3465->3285 3467->3361 3477->3467 3478->3365 3490 165cc1-165ccc call 156150 3478->3490 3490->3361
                        APIs
                        • Sleep.KERNELBASE ref: 00165734
                        • IsDebuggerPresent.KERNEL32(00000000), ref: 00165756
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: DebuggerPresentSleep
                        • String ID:
                        • API String ID: 598088951-0
                        • Opcode ID: 4a3afd0311ae8835a158449fbf7c5d48833c99f7e013b1a048cc1aa0611f75d1
                        • Instruction ID: 12fbe3d159125b9edb5fc98f34c8075e074b217708afd98567fef928d010889a
                        • Opcode Fuzzy Hash: 4a3afd0311ae8835a158449fbf7c5d48833c99f7e013b1a048cc1aa0611f75d1
                        • Instruction Fuzzy Hash: A9F14BB0A05268CFEBA1DB28CC90B98B7B5BF55305F4440D9E6586B352CB349EC8CF19
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: AllocInitializeString
                        • String ID:
                        • API String ID: 3145325428-0
                        • Opcode ID: 5af0a885fd61005f8bb9b084a1d5aaebdbaa7eb95380b7403a59ed495182a8e4
                        • Instruction ID: 494a16c26eebc2a0ad3b437135814063eda84b3961174a297da6d375517cb275
                        • Opcode Fuzzy Hash: 5af0a885fd61005f8bb9b084a1d5aaebdbaa7eb95380b7403a59ed495182a8e4
                        • Instruction Fuzzy Hash: 1711C6B1908245DBDB507FB4D88171D7BA4BF21391F544068FDB44F382D7B54D4897A2
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: ErrorFileLastRead
                        • String ID:
                        • API String ID: 1948546556-0
                        • Opcode ID: f715a94f3a1c750a9e5e19449c05eb9235e606bf51a12a03fe491b130c7254ab
                        • Instruction ID: 4cf0281b3414a59d393f2214417757da82a4b00954894ab9f220ea60ba08acec
                        • Opcode Fuzzy Hash: f715a94f3a1c750a9e5e19449c05eb9235e606bf51a12a03fe491b130c7254ab
                        • Instruction Fuzzy Hash: BF118C71D093049FDB10DFB9D48475ABBF4AB88319F00882AE8A48B241D774A888CB91
                        APIs
                        • CLSIDFromString.COMBASE ref: 00156CB4
                        • CLSIDFromProgID.COMBASE(?,?), ref: 00156CC6
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: From$ProgString
                        • String ID:
                        • API String ID: 2510552579-0
                        • Opcode ID: e15e2ad0b5dc267b51362fd49c082a4acff0bf55296ad20c0b3373815966ec39
                        • Instruction ID: 15db817c2023b3399772780ebdb66db2de2291a495a98b61852cec7fd6e3622a
                        • Opcode Fuzzy Hash: e15e2ad0b5dc267b51362fd49c082a4acff0bf55296ad20c0b3373815966ec39
                        • Instruction Fuzzy Hash: E40184B1804744FFD720AF64C844A5ABFF8EF95351F45881DF8944B301D771A858C7A2
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: CreateErrorLastPipe
                        • String ID:
                        • API String ID: 269057482-0
                        • Opcode ID: 9330de8e2b846887a3992daff884a6215b8643ef1b56cbbcf765f1bb1fbac4eb
                        • Instruction ID: cecfa3c4a14c52068b249c18b78a5bd0036667724c924606b5aaf0fe65d75f63
                        • Opcode Fuzzy Hash: 9330de8e2b846887a3992daff884a6215b8643ef1b56cbbcf765f1bb1fbac4eb
                        • Instruction Fuzzy Hash: EA01D671E04304DFD700AF6AD88438EFBF4EF88314F408459E854AB302D7B599888F91
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: CloseErrorHandleLast
                        • String ID:
                        • API String ID: 918212764-0
                        • Opcode ID: 9e418a85e0e719f66c9aa517e24a25044b90a3f0203b7ab0941955c734b27697
                        • Instruction ID: 994bf8d9c23ec06a0edac0d76e11ad702b552d104fd3445d50d0675a797606bb
                        • Opcode Fuzzy Hash: 9e418a85e0e719f66c9aa517e24a25044b90a3f0203b7ab0941955c734b27697
                        • Instruction Fuzzy Hash: A6E09B70608649DBCF00EF75D88561A77F46B48348F404058D8455B202DB70D9C48B61
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: _wgetenv
                        • String ID:
                        • API String ID: 1821490009-0
                        • Opcode ID: 10f5f79c769c43d1a6328bad8ab96c5b7237010c2e33ca638343735c6c19623d
                        • Instruction ID: e4cf143bb918f33d3ec69c2730d99907c819d73e08af6e28c12f364f4ed919e2
                        • Opcode Fuzzy Hash: 10f5f79c769c43d1a6328bad8ab96c5b7237010c2e33ca638343735c6c19623d
                        • Instruction Fuzzy Hash: 342124B4E0020ADFCB04EFA4C591BAEBBF1BF94301F508429E865AB341D7749A45CFA1
                        APIs
                        • VirtualAlloc.KERNEL32 ref: 001520C6
                          • Part of subcall function 00151BE3: VirtualAlloc.KERNELBASE ref: 00151C04
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: a1debc5bdb5a22884c2d08395a9dcd9b9b38954aeb957144d0a05cfdf16dc168
                        • Instruction ID: 7c34bd72258a8fc7e96f94cc05a38e7b290b89000549bc2020a8806ae5a18e94
                        • Opcode Fuzzy Hash: a1debc5bdb5a22884c2d08395a9dcd9b9b38954aeb957144d0a05cfdf16dc168
                        • Instruction Fuzzy Hash: 13413AB2A05202CFC714CF28C884BEABBE5AF95305F588179DC68DF356DB759849CB90
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: Initialize
                        • String ID:
                        • API String ID: 2538663250-0
                        • Opcode ID: feddffb8f2bb3540cca1ad7974d790edade8d5ad41ecb65db5b20c5a1ab65247
                        • Instruction ID: ec11d92023f69a76a310fe83a1856eb1f40eca6477e27841143b39a2107dc980
                        • Opcode Fuzzy Hash: feddffb8f2bb3540cca1ad7974d790edade8d5ad41ecb65db5b20c5a1ab65247
                        • Instruction Fuzzy Hash: ADF028729041489BDF00BFB4D80079E7BE5EF95311F404428E6846F241DBB55A8887E2
                        APIs
                        • VirtualAlloc.KERNELBASE ref: 00151C04
                          • Part of subcall function 00151BBA: exit.MSVCRT ref: 00151BDE
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: AllocVirtualexit
                        • String ID:
                        • API String ID: 1690354023-0
                        • Opcode ID: f997f2ff591878f99aa9f700178ad8ee143a5654876b1ca73cb544650f4672c6
                        • Instruction ID: ea543b7832d98f5f1774d6be6a155d833efab27ff56a4e0950d921ad4480c2ad
                        • Opcode Fuzzy Hash: f997f2ff591878f99aa9f700178ad8ee143a5654876b1ca73cb544650f4672c6
                        • Instruction Fuzzy Hash: 3AD09EB0448301ABE711BF79C50931ABEE4AB40349F40855CD99596151E7B584488B97
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID:
                        • String ID: @$VariantConversionError$com.nim$toVariant$<V
                        • API String ID: 0-1035723416
                        • Opcode ID: ea23410680e4d590aa3fb43b2a97fef77a0549082c8a544815c7c31238eae761
                        • Instruction ID: 1e8858741dd2b47c93efd4b100d7cf4b1b4050f1c234e3ab3d2bdf1eea4ea05c
                        • Opcode Fuzzy Hash: ea23410680e4d590aa3fb43b2a97fef77a0549082c8a544815c7c31238eae761
                        • Instruction Fuzzy Hash: 6CF217B0E04259CFEB24DFA9C89479EBBF1BF58304F148129E854AB351DBB59889CF41
                        APIs
                        • CreateNamedPipeW.KERNEL32 ref: 00164464
                        • GetLastError.KERNEL32 ref: 00164486
                        • CreateNamedPipeW.KERNEL32 ref: 001644E9
                        • GetLastError.KERNEL32 ref: 001644FB
                        • CreateFileW.KERNEL32 ref: 0016455B
                        • GetLastError.KERNEL32 ref: 00164581
                        • CreateFileW.KERNEL32 ref: 001645DF
                        • GetLastError.KERNEL32 ref: 00164605
                          • Part of subcall function 0015816B: GetCurrentProcess.KERNEL32 ref: 0015817E
                          • Part of subcall function 0015816B: DuplicateHandle.KERNEL32 ref: 001581AA
                          • Part of subcall function 0015816B: GetLastError.KERNEL32 ref: 001581B7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: ErrorLast$Create$FileNamedPipe$CurrentDuplicateHandleProcess
                        • String ID:
                        • API String ID: 2980152811-3916222277
                        • Opcode ID: 504970cf1b1a5b0a322d65fc85cc0b04cadd550b3763390e367563219959cf50
                        • Instruction ID: 5970a4dbc6369c1535e522f27ad0dd4bdc6c24ce649e572ccca81771de8e6203
                        • Opcode Fuzzy Hash: 504970cf1b1a5b0a322d65fc85cc0b04cadd550b3763390e367563219959cf50
                        • Instruction Fuzzy Hash: D5127CB4904259CFEB20DF24C980B9EBBF0BF55304F1085A9E899AB242D7709E98CF51
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: FileModuleNameexit
                        • String ID: @$CF3$IOError$syncio.nim$writeFile${3V2
                        • API String ID: 3381550187-2796672887
                        • Opcode ID: 9a84ab811026c86ee172193738d1c5793c898df9a9c42674628fe871861d06a0
                        • Instruction ID: 4cadf1435b8e81e868f4152d68d8108e75b14ee446577998c40419bcd5e440ed
                        • Opcode Fuzzy Hash: 9a84ab811026c86ee172193738d1c5793c898df9a9c42674628fe871861d06a0
                        • Instruction Fuzzy Hash: CC520FB0D04258CBEB24DFA9C49479EBBF1BF54305F14812DE864AF295DBB4984ACF41
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: AddressProc$HandleLibraryLoadModule
                        • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
                        • API String ID: 384173800-1835852900
                        • Opcode ID: 493474f1e34161e3cb643055ddce8ad849a54af046437465214e910ea94a4995
                        • Instruction ID: 8181ebb62d6b5516a80085dbce31905f800ab53ca26f98fda5e924442d15f12a
                        • Opcode Fuzzy Hash: 493474f1e34161e3cb643055ddce8ad849a54af046437465214e910ea94a4995
                        • Instruction Fuzzy Hash: 6F0121B1819204EBC7117F78AA4931EBFF4AF41351F45452DE9896B200E7B1944CCB93
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: abort
                        • String ID:
                        • API String ID: 4206212132-0
                        • Opcode ID: fff57b192b85e3bb2b336fcff331ea1afb50365680350acea0ec76e416cc36e6
                        • Instruction ID: 0727ee3e9d209a018a7350701f12a2e339ef1f65918a251ae93994dbc13e2f21
                        • Opcode Fuzzy Hash: fff57b192b85e3bb2b336fcff331ea1afb50365680350acea0ec76e416cc36e6
                        • Instruction Fuzzy Hash: 9BE08C71809302EED7107F64860636AB7F0AFA6349F81AC4CE9AC37102E7B495095B96
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID:
                        • String ID: gfff
                        • API String ID: 0-1553575800
                        • Opcode ID: 0073a8cf0da60cb04c71dd4f934285ee406274152f31b0e2a9521934299919e5
                        • Instruction ID: d05d3f025d3d231fdd5f60aa165223dc518120e76749fd179958febb2c7b45ca
                        • Opcode Fuzzy Hash: 0073a8cf0da60cb04c71dd4f934285ee406274152f31b0e2a9521934299919e5
                        • Instruction Fuzzy Hash: B512B1B5E0030A8FDB04CFA9C985A9EBBF1AF58350F158169E848DB351E734ED91CB90
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: Initialize
                        • String ID:
                        • API String ID: 2538663250-0
                        • Opcode ID: f74e8335a84f846b557511a2837eca6c20babf6b8a198838de46c1face49d30e
                        • Instruction ID: 916e22746aefe886d7a10eb02a026ae1fab57f1d3e536e0cac12b5a34b33e5a0
                        • Opcode Fuzzy Hash: f74e8335a84f846b557511a2837eca6c20babf6b8a198838de46c1face49d30e
                        • Instruction Fuzzy Hash: B7422974D04264CBEF25DF64C89176DBBF1BB55305F048099E8A8AF382DB744A89CF92
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 76e5ca33f3c26341ff3e22965885f9e00869a1c127b81eff92c9a67ff44488ca
                        • Instruction ID: 40d6d7f5da375a9c4ab4ea1fa3278598b48ec4d6d5ed049f0312958918bd4fb7
                        • Opcode Fuzzy Hash: 76e5ca33f3c26341ff3e22965885f9e00869a1c127b81eff92c9a67ff44488ca
                        • Instruction Fuzzy Hash: F36181B5E04218DFCB159FA8D880B9EFBF1BF58311F558629EC64AB341C7349849CB92
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f34ab0970795ce4c984d1a3aec6b80fbb63f1c6f645651df4128e3d80a54c061
                        • Instruction ID: 6f1e34e175b3f071b37b52e33d14bc389e7fe86064f14d1d8bc0af7bb1c934c9
                        • Opcode Fuzzy Hash: f34ab0970795ce4c984d1a3aec6b80fbb63f1c6f645651df4128e3d80a54c061
                        • Instruction Fuzzy Hash: 1C5108757083558FC714CE69D4D461AF7E2ABD8710F11892DE998C7340EBB1D869CB82
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 095c74716efd8bddd4451833ac99d74df168eb62f009fcb5752a56a238bec1d2
                        • Instruction ID: d03adf1e6235fb576eaecadc5c59ae2c9ca5ecda2a361dbc9a249284bfef390f
                        • Opcode Fuzzy Hash: 095c74716efd8bddd4451833ac99d74df168eb62f009fcb5752a56a238bec1d2
                        • Instruction Fuzzy Hash: F031C3317083196BC718ADADD4C062AF6E39BD9760F55C63DE94EC3380EB719C458781
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 61299e4c75c17738104e74f697f77f070edde94ecc06bd8dfeef939e78a551dd
                        • Instruction ID: 0f06a7b43a7dcf9b71d1553580373452cd29fabad1e8621d3544b3bf4058f6e6
                        • Opcode Fuzzy Hash: 61299e4c75c17738104e74f697f77f070edde94ecc06bd8dfeef939e78a551dd
                        • Instruction Fuzzy Hash: E9F01CB4A08209ABDB00EF78D8C175FB7F5EB88344F108438D858D7345D738E9448B52
                        APIs
                        • LoadLibraryA.KERNEL32 ref: 001549E6
                          • Part of subcall function 001530B2: GetLastError.KERNEL32 ref: 00153108
                          • Part of subcall function 001530B2: MessageBoxA.USER32 ref: 001531BA
                          • Part of subcall function 001530B2: exit.MSVCRT ref: 001531E1
                          • Part of subcall function 001530B2: GetProcAddress.KERNEL32 ref: 00153205
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: AddressErrorLastLibraryLoadMessageProcexit
                        • String ID: CloseHandle$CreateFileW$CreateNamedPipeW$CreatePipe$CreateProcessW$DuplicateHandle$FormatMessageW$GetCurrentProcess$GetExitCodeProcess$GetLastError$GetModuleFileNameW$GetStdHandle$LocalFree$ReadFile$SetHandleInformation$Sleep$WaitForSingleObject$WriteFile
                        • API String ID: 2087689892-1854796719
                        • Opcode ID: befdb44a30ff2a5b53ebae33f462b458d83fa81ae88ceb70c35c65702df019ae
                        • Instruction ID: 8e800d46f0ce13274190fa29ad2e7d28bb393437d1c4d297965e5559ed6f382b
                        • Opcode Fuzzy Hash: befdb44a30ff2a5b53ebae33f462b458d83fa81ae88ceb70c35c65702df019ae
                        • Instruction Fuzzy Hash: 28411D74648A05CF8748EFB0BE854153BB2AB94341390C429AD256FB95FF329B8EDB14
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: exit$AddressProc$ErrorLastMessage
                        • String ID: (bad format; library may be wrong architecture)$@$SIGABRT: Abnormal termination.$SIGFPE: Arithmetic error.$SIGILL: Illegal operation.$SIGINT: Interrupted by Ctrl-C.$SIGSEGV: Illegal storage access. (Attempt to read from nil?)$could not import: $could not load: $unknown signal
                        • API String ID: 24751467-3370411279
                        • Opcode ID: d8793402c0623a5d2a2b6d1986af706bdd5e43573006fe949b4fe6e4e5b3ca49
                        • Instruction ID: 12106423dddaed43c4a4ae921b44e9ab0c69016f509abd70d5faa5ec383c9a25
                        • Opcode Fuzzy Hash: d8793402c0623a5d2a2b6d1986af706bdd5e43573006fe949b4fe6e4e5b3ca49
                        • Instruction Fuzzy Hash: 6761E770904218DBDB10AF64D8853ADBBF6EF54341F44847DEDACAB342D7788E898B91
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: abort
                        • String ID: Erro$ad $eani$eys $for $in_k$ng u$p sp$r cl$thre
                        • API String ID: 4206212132-3726152543
                        • Opcode ID: 4fb041ffc129f2bd8360cae0eb144a8438e12de5e45c6e79d0163cca69e3278f
                        • Instruction ID: e2254e235b57a0cfc01948e54c827834f3ce61417433e33a09f75b1f66961d6f
                        • Opcode Fuzzy Hash: 4fb041ffc129f2bd8360cae0eb144a8438e12de5e45c6e79d0163cca69e3278f
                        • Instruction Fuzzy Hash: B9314570A00248DFDB10CFA9D981B9CBBF1FF85310F148269E8589B366D7759A45CF42
                        APIs
                          • Part of subcall function 00151B7F: strlen.MSVCRT ref: 00151B8E
                          • Part of subcall function 00151B7F: fwrite.MSVCRT ref: 00151BA6
                          • Part of subcall function 00151B7F: fflush.MSVCRT ref: 00151BAE
                        • GetLastError.KERNEL32 ref: 00153108
                        • MessageBoxA.USER32 ref: 001531BA
                        • exit.MSVCRT ref: 001531E1
                        • GetProcAddress.KERNEL32 ref: 00153205
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: AddressErrorLastMessageProcexitfflushfwritestrlen
                        • String ID: (bad format; library may be wrong architecture)$@$could not import: $could not load:
                        • API String ID: 2650761064-3540049366
                        • Opcode ID: 412e50522e59433a8f58c00127ee9dd2051affdb795b2512d43e3e509a3c6eb6
                        • Instruction ID: e7ee6d74cd0ecc1f77285188c7c44671093ceea39535fad615f75a648d309f59
                        • Opcode Fuzzy Hash: 412e50522e59433a8f58c00127ee9dd2051affdb795b2512d43e3e509a3c6eb6
                        • Instruction Fuzzy Hash: CB51A4B0904218DBDB10AF64D88579DBBF6EF54341F0440BDDDAC9B342D7788E898B91
                        APIs
                        • SafeArrayGetDim.OLEAUT32 ref: 00157E99
                        • SafeArrayGetVartype.OLEAUT32 ref: 00157EE1
                        • SafeArrayGetLBound.OLEAUT32 ref: 00157F23
                        • SafeArrayGetUBound.OLEAUT32 ref: 00157F55
                        • SafeArrayAccessData.OLEAUT32 ref: 00157F83
                        • SafeArrayUnaccessData.OLEAUT32 ref: 00157FDE
                          • Part of subcall function 00156669: CoInitialize.OLE32 ref: 00156699
                          • Part of subcall function 00156669: VariantCopy.OLEAUT32 ref: 001566E7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: ArraySafe$BoundData$AccessCopyInitializeUnaccessVariantVartype
                        • String ID: VariantConversionError$com.nim$fromVariant
                        • API String ID: 2568714141-2391934419
                        • Opcode ID: 95fb5b1c0c23cbb0e40c8eb316b3b6703fbe3e0cf7b5a58e28ae2fe0354d9eec
                        • Instruction ID: f275b11523315678f4cd2dca9e92d6e995dc50a44b5d56fe6f784ed946efa177
                        • Opcode Fuzzy Hash: 95fb5b1c0c23cbb0e40c8eb316b3b6703fbe3e0cf7b5a58e28ae2fe0354d9eec
                        • Instruction Fuzzy Hash: 38A123B4D04248DFDB14DFA8D4847ADBBF1AF45301F148059ECA4AB392DB799C8ACB91
                        APIs
                        • SafeArrayGetDim.OLEAUT32 ref: 0015710F
                        • SysAllocString.OLEAUT32 ref: 001571B0
                          • Part of subcall function 00156669: CoInitialize.OLE32 ref: 00156699
                          • Part of subcall function 00156669: VariantCopy.OLEAUT32 ref: 001566E7
                          • Part of subcall function 001561AB: SysStringLen.OLEAUT32 ref: 001561C8
                        • VariantClear.OLEAUT32 ref: 00157297
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: StringVariant$AllocArrayClearCopyInitializeSafe
                        • String ID: VariantConversionError$com.nim$fromVariant
                        • API String ID: 3897195957-2391934419
                        • Opcode ID: 9a3623ff36ca5defc05330a09d459794d966520bfc5b84e99f8e6b6a36e2c1fb
                        • Instruction ID: 07838d64a80e781b53f38221082d983e3094b06714ccecb31d4220d03b5fb0e1
                        • Opcode Fuzzy Hash: 9a3623ff36ca5defc05330a09d459794d966520bfc5b84e99f8e6b6a36e2c1fb
                        • Instruction Fuzzy Hash: 67716BB0C08658DFDF11AFA4E5857ADBBF0AF5A311F148459ECA46F381D7744888CBA2
                        APIs
                        • SafeArrayGetDim.OLEAUT32 ref: 001577F4
                        • VariantClear.OLEAUT32 ref: 0015798C
                          • Part of subcall function 00156669: CoInitialize.OLE32 ref: 00156699
                          • Part of subcall function 00156669: VariantCopy.OLEAUT32 ref: 001566E7
                        • VariantChangeType.OLEAUT32 ref: 0015784E
                        • CoInitialize.OLE32 ref: 00157942
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: Variant$Initialize$ArrayChangeClearCopySafeType
                        • String ID: VariantConversionError$com.nim$fromVariant
                        • API String ID: 2375843262-2391934419
                        • Opcode ID: 08551fea83b532d02f4141aad6b875acbbbfec28c0b04907ef6a4026a32a7f23
                        • Instruction ID: 1b3fc76f3daba9d087abfc8a33b45aa342c4b36360d6bc53b6c308a842b976fa
                        • Opcode Fuzzy Hash: 08551fea83b532d02f4141aad6b875acbbbfec28c0b04907ef6a4026a32a7f23
                        • Instruction Fuzzy Hash: E771BFB0D08254DFEF22AFA4E4453ADBBF1AF56315F048459ECA46F382D7744848CBA2
                        APIs
                        Strings
                        • Mingw-w64 runtime failure:, xrefs: 0016A6E5
                        • VirtualQuery failed for %d bytes at address %p, xrefs: 0016A876
                        • VirtualProtect failed with code 0x%x, xrefs: 0016A94C
                        • Address %p has no image-section, xrefs: 0016A7AD
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: abortfwritevfprintf
                        • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
                        • API String ID: 3176311984-1534286854
                        • Opcode ID: fde8bc24eef7b2dec88ed9803e5631bb899217d3bfc4da68efe2c0680ccb684e
                        • Instruction ID: 44bc242133c85fb7afa1b86e9f057a0aa644aa9c4f88a29c9fff40c0200636ef
                        • Opcode Fuzzy Hash: fde8bc24eef7b2dec88ed9803e5631bb899217d3bfc4da68efe2c0680ccb684e
                        • Instruction Fuzzy Hash: 3B6146B4A046069FC704DF58C88165EB7F2FB98340F95C529E998E7391D334EA91CF82
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: ArraySafe$CreateElementInitialize
                        • String ID: VariantConversionError$com.nim$toVariant
                        • API String ID: 2234878901-3035603046
                        • Opcode ID: 419aa073161d33c57daae02b1ca02485dbe131983840a8b8512af3b1d7294bff
                        • Instruction ID: 2e4849ea629e9e164e371f01ab859e1817a67a9025fe15996a22eecec880c397
                        • Opcode Fuzzy Hash: 419aa073161d33c57daae02b1ca02485dbe131983840a8b8512af3b1d7294bff
                        • Instruction Fuzzy Hash: 8E518AB09047149FDB21AF78C88476EBBF0BFA5300F54C46DE8989B352D7758895CB92
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: ArraySafe$CreateElementInitialize
                        • String ID: VariantConversionError$com.nim$toVariant
                        • API String ID: 2234878901-3035603046
                        • Opcode ID: 10ee95c116314c043b13a426d8b58d2904a18bf513769760ff0e2b3ebbd0c165
                        • Instruction ID: f7388451eb6fbb4cf8d1730b03f6003db94246c6000f7590caffb9a256d9ab41
                        • Opcode Fuzzy Hash: 10ee95c116314c043b13a426d8b58d2904a18bf513769760ff0e2b3ebbd0c165
                        • Instruction Fuzzy Hash: D4418DB0D047189FEB21AF78C84475EBBF0BF99304F11846DE8989B341D7798845CB92
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: AddressProc$exit
                        • String ID: (bad format; library may be wrong architecture)$@$could not import:
                        • API String ID: 3486290055-3121247141
                        • Opcode ID: ba10b8dc9c0093941cc00118961ece025193be3385e92c53c79ede6d6a61ba63
                        • Instruction ID: 4ad5b0e24fbe77298219326fb12b8fc6ce5db572a05edd6792f6ea1ede05e96d
                        • Opcode Fuzzy Hash: ba10b8dc9c0093941cc00118961ece025193be3385e92c53c79ede6d6a61ba63
                        • Instruction Fuzzy Hash: A931D370904618DADB14AB69D8827EEF7F6AB55341F0440BDDDAC87242D3398E498BA1
                        APIs
                        Strings
                        • Assertion failed: (%s), file %s, line %d, xrefs: 00175556
                        • (((rwlock_t *)*rwl)->valid == LIFE_RWLOCK) && (((rwlock_t *)*rwl)->busy > 0), xrefs: 0017554E
                        • (, xrefs: 0017553E
                        • src/rwlock.c, xrefs: 00175546
                        Memory Dump Source
                        • Source File: 00000000.00000002.3541190615.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                        • Associated: 00000000.00000002.3541141015.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541240299.000000000017C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541261107.000000000017D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541282605.0000000000188000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541302716.000000000018C000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3541322571.000000000018D000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_150000_1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae.jbxd
                        Similarity
                        • API ID: exitfprintf
                        • String ID: ($(((rwlock_t *)*rwl)->valid == LIFE_RWLOCK) && (((rwlock_t *)*rwl)->busy > 0)$Assertion failed: (%s), file %s, line %d$src/rwlock.c
                        Similarity
                        • API ID: signal
                        • String ID:
                        Similarity
                        • API ID: CopyInitializeVariant
                        • String ID: VariantConversionError$com.nim$toVariant
                        Similarity
                        • API ID: CopyInitializeVariant
                        • String ID: VariantConversionError$com.nim$newVariant
                        Similarity
                        • API ID: calloc
                        • String ID:
                        APIs
                        • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000001,00000000,?,?,0016A22B), ref: 00153FAE
                        • fputc.MSVCRT ref: 0015403A
                        • fwrite.MSVCRT ref: 0015408D
                        • fflush.MSVCRT ref: 001540A1
                        • LeaveCriticalSection.KERNEL32 ref: 001540AD
                        Similarity
                        • API ID: CriticalSection$EnterLeavefflushfputcfwrite
                        • String ID:
                        Similarity
                        • API ID: memset
                        • String ID: z
                        Similarity
                        • API ID: memset
                        • String ID: &
                        Similarity
                        • API ID: memset
                        • String ID: &
                        Similarity
                        • API ID: fprintf
                        • String ID: C%p %d %s$C%p %d V=%0X w=%ld %s
                        Strings
                        • RWL%p %d %s, xrefs: 0017581B
                        • RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s, xrefs: 00175875
                        Similarity
                        • API ID: printf
                        • String ID: RWL%p %d %s$RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s
                        Similarity
                        • API ID: printf
                        • String ID: T%p %d %s$T%p %d V=%0X H=%p %s
                        Similarity
                        • API ID: atoisetlocalestrchr
                        • String ID: .
                        Similarity
                        • API ID: memset
                        • String ID: z
                        Similarity
                        • API ID: realloc
                        • String ID:
                        Similarity
                        • API ID: __set_app_type$__p__commode__p__fmode
                        • String ID:
                        Similarity
                        • API ID: FormatFreeLocalMessage
                        • String ID: OSError
                        Similarity
                        • API ID: fprintffree
                        • String ID: %p not found?!?!
                        • API String ID: 92069018-11085004
                        • Opcode ID: bdb494002378bf90f6d9f9516df6bb8b9f55899f1a6e424f5406bd03e741c821
                        • Instruction ID: f4230e614f766e0b2d86e0aa856f00e19a02610d3a3d36f4894dc42f182a8e93
                        • Opcode Fuzzy Hash: bdb494002378bf90f6d9f9516df6bb8b9f55899f1a6e424f5406bd03e741c821
                        • Instruction Fuzzy Hash: 5721B374904609DFCB10EF99C488A9DBBF0AF58354F01C85AE8999B361D774EA81CF81
                        APIs
                        Strings
                        Similarity
                        • API ID: FreeVirtualexit
                        • String ID: virtualFree failing!
                        • API String ID: 1212090140-3108117800
                        • Opcode ID: d8ca97fc4d1d0d12d8ac46440a1bac20f6e3f3cc91d5ce2e1620fb740602ece6
                        • Instruction ID: 52dddcc781906f6420d15f8b7d796e4ea0a1769439645f014c682aeaa7caa159
                        • Opcode Fuzzy Hash: d8ca97fc4d1d0d12d8ac46440a1bac20f6e3f3cc91d5ce2e1620fb740602ece6
                        • Instruction Fuzzy Hash: 0001B176A04200DFDB00AF6DD9843E9BBF4FF84315F18817AEC488B256D7714449CBA2
                        APIs
                        Strings
                        • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 0016A695
                        • Unknown error, xrefs: 0016A640
                        Similarity
                        • API ID: fprintf
                        • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                        • API String ID: 383729395-3474627141
                        • Opcode ID: cf736b279868d1555feadf2da46ddab734d23a7c4d21adc693688e8dd4001856
                        • Instruction ID: dd82589db29b64da1f9f36071f8d2aed6b46f55eea3873b794f3de08630026ca
                        • Opcode Fuzzy Hash: cf736b279868d1555feadf2da46ddab734d23a7c4d21adc693688e8dd4001856
                        • Instruction Fuzzy Hash: D211B374504608EBDB00EF55E48899DBFF0FF8C340F528488E8C8A7255C735E9A4CB56
                        APIs
                        Strings
                        • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 0016A695
                        • Argument singularity (SIGN), xrefs: 0016A613
                        Similarity
                        • API ID: fprintf
                        • String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                        • API String ID: 383729395-2468659920
                        • Opcode ID: 1016ac08033ce5f6b26118086dc80efd188b7b24b7522144bd3d1dd458f0321f
                        • Instruction ID: 01a99eb37486af2e8111d206e0c2888fa80e55cabb56bdfb2e5218c1bab44a1a
                        • Opcode Fuzzy Hash: 1016ac08033ce5f6b26118086dc80efd188b7b24b7522144bd3d1dd458f0321f
                        • Instruction Fuzzy Hash: 11017E74904A08DBDB00EF45E08899DBFB0FF88344F928488E8C866255CB3599B4CB52
                        APIs
                        Strings
                        • Overflow range error (OVERFLOW), xrefs: 0016A61C
                        • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 0016A695
                        Similarity
                        • API ID: fprintf
                        • String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                        • API String ID: 383729395-4064033741
                        • Opcode ID: 9a1aa47a611df712420709d29b28ccb918504b3a22833ec4da6de919726b613f
                        • Instruction ID: bc3e41e4e3483eefa5e828f128d8c47473fcf1faff0796f491e10f67b20cee81
                        • Opcode Fuzzy Hash: 9a1aa47a611df712420709d29b28ccb918504b3a22833ec4da6de919726b613f
                        • Instruction Fuzzy Hash: 59017E74904A08DBDB40EF45E08899DBFF0FF88344F928488E4C866255CB3599A4CB52
                        APIs
                        Strings
                        • Argument domain error (DOMAIN), xrefs: 0016A60A
                        • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 0016A695
                        Similarity
                        • API ID: fprintf
                        • String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                        • API String ID: 383729395-2713391170
                        • Opcode ID: 031e1b9a5ff37e5a72789adf4e3bd7aa0230cc5c5612615ad1179f432558dac0
                        • Instruction ID: 05c94dd1cadf6cbb1e2e1b714825cf266d8e0685fd75ea901a5416ad8d504ea4
                        • Opcode Fuzzy Hash: 031e1b9a5ff37e5a72789adf4e3bd7aa0230cc5c5612615ad1179f432558dac0
                        • Instruction Fuzzy Hash: 7A017E74904A09DBDB00EF45E08899DBFB0FF88344F928488E8C866255CB3599B4CB52
                        APIs
                        Strings
                        • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 0016A695
                        • The result is too small to be represented (UNDERFLOW), xrefs: 0016A637
                        Similarity
                        • API ID: fprintf
                        • String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                        • API String ID: 383729395-2187435201
                        • Opcode ID: d7e22ff8f4beb3957ff70404f0efbb95984030cf7fcf282ddabb5220d9022fba
                        • Instruction ID: 1e3bbaa8d4613d06cb9fe2225bdb7ccb07cca3baef0c4dd5a0e2f7306660305d
                        • Opcode Fuzzy Hash: d7e22ff8f4beb3957ff70404f0efbb95984030cf7fcf282ddabb5220d9022fba
                        • Instruction Fuzzy Hash: D0017E74904A08DBDB00EF45E08899DBFB0FF88344F928488E4C866255CB3599A4CB56
                        APIs
                        Strings
                        • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 0016A695
                        • Partial loss of significance (PLOSS), xrefs: 0016A625
                        Similarity
                        • API ID: fprintf
                        • String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                        • API String ID: 383729395-4283191376
                        • Opcode ID: a22a26f69835961887243bc2d493e31148c01a641a010a62e8a42ea70b645ea0
                        • Instruction ID: 6f33d8ea0e753724e94728db8dbac206e1380f44cb3b50a152e18b11c2d28252
                        • Opcode Fuzzy Hash: a22a26f69835961887243bc2d493e31148c01a641a010a62e8a42ea70b645ea0
                        • Instruction Fuzzy Hash: 4B017E74904A08DBDB40EF45E08899DBFF0FF88344F928488E4C866255CB3599A4CB52
                        APIs
                        Strings
                        • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 0016A695
                        • Total loss of significance (TLOSS), xrefs: 0016A62E
                        Similarity
                        • API ID: fprintf
                        • String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                        • API String ID: 383729395-4273532761
                        • Opcode ID: 7e8e3086a3ba8e999b7c744ee3db7b83418bb67d6312aff60c34af3295bb10da
                        • Instruction ID: f29bcd4842c3f78341a88f72f94c4c3b61080e599e96d5d6de5e1de3246fd3d9
                        • Opcode Fuzzy Hash: 7e8e3086a3ba8e999b7c744ee3db7b83418bb67d6312aff60c34af3295bb10da
                        • Instruction Fuzzy Hash: A5017E74904A08DBDB00EF45E48899DBFB0FF88344F928488E4D866255CB3599A4CB52
                        APIs
                        Similarity
                        • API ID: free$memset
                        • String ID:
                        • API String ID: 2717317152-0
                        • Opcode ID: 35233fbc04faa67bab41ae61c1baf2535e6e3ea8bb32b4c16d9a3d76500372ff
                        • Instruction ID: fed4d395ab90a2711f778233283c5491aa9184d7f852991cc664f7ce346b3bb4
                        • Opcode Fuzzy Hash: 35233fbc04faa67bab41ae61c1baf2535e6e3ea8bb32b4c16d9a3d76500372ff
                        • Instruction Fuzzy Hash: AD319B746043099FDB50EF69C584AA97BF4BB18394F528569FC8CCB752DB30EA81CB81
                        APIs
                        Similarity
                        • API ID: malloc$memcpystrlen
                        • String ID:
                        • API String ID: 3553820921-0
                        • Opcode ID: 0df883d8f804be8603d09f79e5027836c1e691306ccb3d88e202735976b77b69
                        • Instruction ID: 6ab39dca939fb4d051960e9a5551aac10d93c2ce0525e6e44a461e3dbc22f1bd
                        • Opcode Fuzzy Hash: 0df883d8f804be8603d09f79e5027836c1e691306ccb3d88e202735976b77b69
                        • Instruction Fuzzy Hash: 49216AB4A0460ADFDB04DF98D881A9EB7F0FF49308F148458E559EB311E334AA44CB91