Windows Analysis Report
SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe

Overview

General Information

Sample name:SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe
Analysis ID:1521704
MD5:8eb4565c6c7096c17ac94718b2a3724b
SHA1:1bcec351f712f041e4b23545e9a14c421effcfd3
SHA256:c700dc3bb675fb60dd69d26ed9628616c97b64af7faaeff92f6c65e7f4f2b8fe
Tags:exe
Infos:

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
One or more processes crash
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe | ReversingLabs: Detection: 28%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.9% probability
Source: SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe | Code function: 0_2_00007FF76D5790E0 FindFirstFileExW
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe | Code function: 0_2_00007FF76D571290
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe | Code function: 0_2_00007FF76D57F688
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe | Code function: 0_2_00007FF76D572130
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe | Code function: 0_2_00007FF76D577894
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe | Code function: 0_2_00007FF76D5790E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe | Code function: 0_2_00007FF76D581010
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 816 -s 344
Source: SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe, 00000000.00000000.1256164830.00007FF76D594000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAnyDeskCrashHandler.exe0 vs SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe
Source: SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe, 00000000.00000002.1415625778.00007FF76D594000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAnyDeskCrashHandler.exe0 vs SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe
Source: SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe | Binary or memory string: OriginalFilenameAnyDeskCrashHandler.exe0 vs SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe
Source: classification engine | Classification label: mal52.winEXE@2/5@0/0
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess816
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\409e9443-5c1f-4b57-91a9-95832f5ff294
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe | Section loaded: apphelp.dll
Source: SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe | Code function: 0_2_00007FF76D57CD54 pushfq ; retf 0000h | 0_2_00007FF76D57CD55
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe | Code function: 0_2_00007FF76D58784D push rcx; retf 003Fh | 0_2_00007FF76D58784E
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe | API coverage: 2.5 %
Source: Amcache.hve.4.dr | Binary or memory string: VMware
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr | Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.4.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe | Code function: 0_2_00007FF76D576964 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe | Code function: 0_2_00007FF76D57B9E0 GetProcessHeap
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe | Code function: 0_2_00007FF76D573194 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe | Code function: 0_2_00007FF76D572FB4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe | Code function: 0_2_00007FF76D57F4D0 cpuid
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe | Code function: 0_2_00007FF76D572E74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: 1 Virtualization/Sandbox Evasion; 1 Software Packing; 1 Process Injection; 1 DLL Side-Loading; 11 Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 1 System Time Discovery; 41 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 1 File and Directory Discovery; 12 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Source | Detection | Scanner | Label | Link
SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe | 29% | ReversingLabs | Win64.Trojan.Generic
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://upx.sf.net | 0% | URL Reputation | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.4.dr | false | URL Reputation: safe | unknown
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1521704
Start date and time:2024-09-29 02:25:07 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 9s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:17
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe
Detection:MAL
Classification:mal52.winEXE@2/5@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 20.42.73.29
  • Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes where analyzed, report is missing behavior information
  • VT rate limit hit for: SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe
Time | Type | Description
20:26:20 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
No context
Process:C:\Windows\System32\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.766624178255191
Encrypted:false
SSDEEP:192:SxwkdiALKz01YIScejPUzuiFxZ24lO8N:3pALKg1YIMj8zuiFxY4lO8N
MD5:EB260304C408225848BEB3A9C32B3C00
SHA1:90B962F73580CDB877D5CF5B930A69A55ED7A239
SHA-256:179EF10ABA7055AF8C8125D91EB8B1F1328ABEFCDD802616632A1E3373C2EE93
SHA-512:F03A281A7A35DF16973419EF08EC0EFE9D69309F956CE69DB62B1274C088D74FF18C07779D587B443AF5C2BFD694EFBD1443DF2CF6BEC01DDD85502D43F7384E
Malicious:false
Reputation:low
Preview:Version=1 EventType=APPCRASH EventTime=133720431646644597 ReportType=2 Consent=1 UploadTime=133720431650082064 ReportStatus=524384 ReportIdentifier=dca1e886-1d26-4919-a40e-4d7a4551cc84 IntegratorReportIdentifier=71730817-d91e-475d-afdf-c38b3afc766e Wow64Host=34404 NsAppName=SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe OriginalFilename=AnyDeskCrashHandler.exe AppSessionGuid=00000330-0001-0014-4a56-3e2b0612db01 TargetAppId=W:00068ab3115b443040b0207fce8b397c48c600000904!00001bce
Process:C:\Windows\System32\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Sun Sep 29 00:26:04 2024, 0x1205a4 type
Category:dropped
Size (bytes):53892
Entropy (8bit):1.653057773878504
Encrypted:false
SSDEEP:192:iauQZMOWIu8Pf4KaBaZaxuJu/ujqrTsXPIZ7olvD:WKDE8Pf4BskU8WCTkPI1o
MD5:1862A05967E9B4B06749BFB2FFB64F96
SHA1:02A035FFDFDDF178F622DF3920EF30B7222A7A19
SHA-256:A00F31DBC073ABB0962F9E8BE857236DE33A6392F9B2CC604F517F111DB6FCE8
SHA-512:4254686594718057BEFE563E1FE255D40762E65F5F9DA2458699C0D3256D4831091395267948F70D10CE0A2448369564348E1216D0A1DC09C83772BE501511BB
Malicious:false
Reputation:low
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8728
Entropy (8bit):3.699516184613014
Encrypted:false
SSDEEP:192:R6l7wVeJT0eUqcv/6YNZPgmfklcAprj89b81ofQ70m:R6lXJgeUp6YTPgmfkQ8Kf4
MD5:F919EA89E221A3054331DE6F4B8B274F
SHA1:5AC14F09F4408A1A0F8E288C255A4DAF11C202F1
SHA-256:C7ADF12225051C22416D74E7D4320657F35225D6D040494BBE860F3AED59BCE7
SHA-512:905D40DABEDF2E44C26A543992A1A8C644F90FB892D0ED5F4AC62768339EF05EF50E69C13E54842B4AA96A6615D7962E82E04A95D3FE37D5C8B73CD7ADF98190
Malicious:false
Reputation:low
Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>816</Pid
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4967
Entropy (8bit):4.572518360756344
Encrypted:false
SSDEEP:48:cvIwWl8zsuJg771I9TQWpW8VYsYm8M4JH07aZFcyq85rUwo/nKgS5SHd:uIjfkI7Yp7VAJH0GAoUl/KgS5SHd
MD5:02D97637A84D426AF07B3705BB0E560D
SHA1:10818A1EAE73B9B3C1CED90B2D988C575BDFC3E2
SHA-256:3066A7A00D3AC982EA7CAD40D586093BCC3C275AA1DF6BDB3DAB523D8A920A8A
SHA-512:61EB28BC28F3DA691E50558B01EE781211491DCC83A98032D702FD7829EFB971F7BD568823F445945F42C4F3F3EB3FE7BC6459739810C23C6B388AD9855FB8B9
Malicious:false
Reputation:low
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="520768" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\System32\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.417072376499763
Encrypted:false
SSDEEP:6144:Kcifpi6ceLPL9skLmb0mISWSPtaJG8nAgex285i2MMhA20X4WABlGuNC5+:ni58ISWIZBk2MM6AFB8o
MD5:B5F05DB2574BB9EE775B516C4431B7AE
SHA1:DFC466CFA7B00954E7672B552A5DBBE50321E989
SHA-256:D67A04BFA81F7D394389AB935451549F767910BDDD0C6675D0B005923C234BA8
SHA-512:D1AA723A6A260241776642D79E442567E2E627A897F39BEAF0E0450720E6F3C3580134C69D54CDD736ECDEFC8B39A783543A66990D2E44A5E755D685E6111257
Malicious:false
Reputation:low
File type:PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):7.756024662478089
TrID:
  • Win64 Executable GUI (202006/5) 81.26%
  • UPX compressed Win32 Executable (30571/9) 12.30%
  • Win64 Executable (generic) (12005/4) 4.83%
  • Generic Win/DOS Executable (2004/3) 0.81%
  • DOS Executable Generic (2002/1) 0.81%
File name:SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe
File size:60'416 bytes
MD5:8eb4565c6c7096c17ac94718b2a3724b
SHA1:1bcec351f712f041e4b23545e9a14c421effcfd3
SHA256:c700dc3bb675fb60dd69d26ed9628616c97b64af7faaeff92f6c65e7f4f2b8fe
SHA512:5ba97ce8b19efa125efb40aae9b1e1c9fb6a7e45b9261bd8327988c8c5474a5e27aace3e0ca77a0767740caeb7bf2060490dc77deba7eee474f6f3a998b1f0a6
SSDEEP:1536:td3pwkJ+vSKrCdQN8ZAO/IYeBcWCgTumOC9N9b:TpwkAEQN8ZAOAYs2gTumOCJ
TLSH:EA43015D1AECCC38DCEE4D38B7945F6F33A520243E5F72B8E68D9B296E638418845790
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................................?............g.......g.......g.......................f.......f........F......f......Rich...........
Icon Hash:00928e8e8686b000
Entrypoint:0x140023aa0
Entrypoint Section:UPX1
Digitally signed:false
Imagebase:0x140000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x66E2C679 [Thu Sep 12 10:46:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:d090fd5cd28b959e47496dea062def88
Instruction
push ebx
push esi
push edi
push ebp
dec eax
lea esi, dword ptr [FFFF2555h]
dec eax
lea edi, dword ptr [esi-00015000h]
push edi
xor ebx, ebx
xor ecx, ecx
dec eax
or ebp, FFFFFFFFh
call 00007EFE24F39B85h
add ebx, ebx
je 00007EFE24F39B34h
rep ret
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
rep ret
dec eax
lea eax, dword ptr [edi+ebp]
cmp ecx, 05h
mov dl, byte ptr [eax]
jbe 00007EFE24F39B53h
dec eax
cmp ebp, FFFFFFFCh
jnbe 00007EFE24F39B4Dh
sub ecx, 04h
mov edx, dword ptr [eax]
dec eax
add eax, 04h
sub ecx, 04h
mov dword ptr [edi], edx
dec eax
lea edi, dword ptr [edi+04h]
jnc 00007EFE24F39B21h
add ecx, 04h
mov dl, byte ptr [eax]
je 00007EFE24F39B42h
dec eax
inc eax
mov byte ptr [edi], dl
sub ecx, 01h
mov dl, byte ptr [eax]
dec eax
lea edi, dword ptr [edi+01h]
jne 00007EFE24F39B22h
rep ret
cld
inc ecx
pop ebx
jmp 00007EFE24F39B3Ah
dec eax
inc esi
mov byte ptr [edi], dl
dec eax
inc edi
mov dl, byte ptr [esi]
add ebx, ebx
jne 00007EFE24F39B3Ch
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
jc 00007EFE24F39B18h
lea eax, dword ptr [ecx+01h]
inc ecx
call ebx
adc eax, eax
add ebx, ebx
jne 00007EFE24F39B3Ch
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
jnc 00007EFE24F39B1Dh
sub eax, 03h
jc 00007EFE24F39B45h
shl eax, 08h
movzx edx, dl
or eax, edx
dec eax
inc esi
xor eax, FFFFFFFFh
je 00007EFE24F39B6Ch
dec eax
arpl ax, bp
lea eax, dword ptr [ecx+01h]
inc ecx
call ebx
adc ecx, ecx
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24540 | 0xe0 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24000 | 0x540 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1e000 | 0x105c | UPX1
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24620 | 0x1c | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x23ce8 | 0x140 | UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x15000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0x16000 | 0xe000 | 0xe000 | 971217b39ca6b5ad20cf0699790781a7 | False | 0.9666224888392857 | data | 7.853520580690587 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x24000 | 0x1000 | 0x800 | 0654d0427235b75a25140946cb4c5f4f | False | 0.37646484375 | data | 3.56953370154622 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x240a4 | 0x318 | data | English | United States | 0.4393939393939394
RT_MANIFEST | 0x243c0 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727

DLL | Import
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
SHELL32.dll | CommandLineToArgvW

Language of compilation system | Country where language is spoken | Map
English | United States |

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 29, 2024 02:26:24.440877914 CEST | 53 | 59860 | 1.1.1.1 | 192.168.2.7

Target ID:0
Start time:20:26:04
Start date:28/09/2024
Path:C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.13484.6474.exe"
Imagebase:0x7ff76d570000
File size:60'416 bytes
MD5 hash:8EB4565C6C7096C17AC94718B2A3724B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:4
Start time:20:26:04
Start date:28/09/2024
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -u -p 816 -s 344
Imagebase:0x7ff6d4c40000
File size:570'736 bytes
MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

    Execution Graph

    Execution Coverage:1.3%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:4.3%
    Total number of Nodes:1684
    Total number of Limit Nodes:2
6410->6409 6412 7ff76d57a0f7 6410->6412 6414 7ff76d57a126 GetCPInfo 6412->6414 6412->6416 6413 7ff76d579e39 6413->6089 6413->6091 6414->6409 6414->6416 6460 7ff76d579ae4 6416->6460 6418 7ff76d579818 6417->6418 6419 7ff76d578284 _set_fmode 9 API calls 6418->6419 6422 7ff76d579845 6418->6422 6420 7ff76d5798b4 6419->6420 6421 7ff76d576c30 _invalid_parameter_noinfo 39 API calls 6420->6421 6421->6422 6423 7ff76d578284 _set_fmode 9 API calls 6422->6423 6426 7ff76d5798f7 6422->6426 6424 7ff76d579955 6423->6424 6425 7ff76d576c30 _invalid_parameter_noinfo 39 API calls 6424->6425 6425->6426 6427 7ff76d579991 6426->6427 6428 7ff76d578b3c __free_lconv_num 9 API calls 6426->6428 6427->6095 6428->6427 6430 7ff76d578138 6429->6430 6436 7ff76d578133 6429->6436 6431 7ff76d578700 __CxxCallCatchBlock 39 API calls 6430->6431 6430->6436 6432 7ff76d578153 6431->6432 6437 7ff76d5782a4 6432->6437 6436->6396 6436->6397 6438 7ff76d5782b9 6437->6438 6440 7ff76d578176 6437->6440 6438->6440 6445 7ff76d57b3b8 6438->6445 6441 7ff76d578310 6440->6441 6442 7ff76d578338 6441->6442 6443 7ff76d578325 6441->6443 6442->6436 6443->6442 6457 7ff76d57a060 6443->6457 6446 7ff76d578700 __CxxCallCatchBlock 39 API calls 6445->6446 6448 7ff76d57b3c7 6446->6448 6447 7ff76d57b412 6447->6440 6448->6447 6453 7ff76d57b428 6448->6453 6450 7ff76d57b400 6450->6447 6451 7ff76d577df4 __CxxCallCatchBlock 39 API calls 6450->6451 6452 7ff76d57b425 6451->6452 6454 7ff76d57b43a Concurrency::details::SchedulerProxy::DeleteThis 6453->6454 6456 7ff76d57b447 6453->6456 6455 7ff76d57b110 Concurrency::details::SchedulerProxy::DeleteThis 9 API calls 6454->6455 6454->6456 6455->6456 6456->6450 6458 7ff76d578700 __CxxCallCatchBlock 39 API calls 6457->6458 6459 7ff76d57a069 6458->6459 6461 7ff76d579b21 GetCPInfo 6460->6461 6462 7ff76d579c17 6460->6462 6461->6462 6464 7ff76d579b34 6461->6464 6463 7ff76d572650 _invalid_parameter_noinfo_noreturn 4 API calls 6462->6463 6465 7ff76d579cb6 6463->6465 6478 7ff76d57aef4 6464->6478 6465->6409 
6470 7ff76d57d1c8 46 API calls 6470->6462 6472 7ff76d572659 6471->6472 6473 7ff76d572664 6472->6473 6474 7ff76d5729a0 IsProcessorFeaturePresent 6472->6474 6473->6413 6475 7ff76d5729b8 6474->6475 6534 7ff76d572b98 RtlCaptureContext 6475->6534 6477 7ff76d5729cb 6477->6413 6479 7ff76d578114 39 API calls 6478->6479 6480 7ff76d57af36 6479->6480 6481 7ff76d57af73 6480->6481 6483 7ff76d578a64 10 API calls 6480->6483 6485 7ff76d57b030 6480->6485 6487 7ff76d57af9c 6480->6487 6482 7ff76d572650 _invalid_parameter_noinfo_noreturn 4 API calls 6481->6482 6484 7ff76d579bab 6482->6484 6483->6487 6489 7ff76d57d1c8 6484->6489 6485->6481 6486 7ff76d578b3c __free_lconv_num 9 API calls 6485->6486 6486->6481 6487->6485 6488 7ff76d57b016 GetStringTypeW 6487->6488 6488->6485 6490 7ff76d578114 39 API calls 6489->6490 6491 7ff76d57d1ed 6490->6491 6494 7ff76d57ce94 6491->6494 6495 7ff76d57ced5 6494->6495 6498 7ff76d57d19d 6495->6498 6499 7ff76d57d055 6495->6499 6500 7ff76d578a64 10 API calls 6495->6500 6502 7ff76d57cf57 6495->6502 6496 7ff76d572650 _invalid_parameter_noinfo_noreturn 4 API calls 6497 7ff76d579bde 6496->6497 6497->6470 6498->6496 6499->6498 6501 7ff76d578b3c __free_lconv_num 9 API calls 6499->6501 6500->6502 6501->6498 6502->6499 6516 7ff76d57b778 6502->6516 6504 7ff76d57cffd 6504->6499 6505 7ff76d57d066 6504->6505 6506 7ff76d57d015 6504->6506 6507 7ff76d578a64 10 API calls 6505->6507 6509 7ff76d57d138 6505->6509 6510 7ff76d57d084 6505->6510 6506->6499 6508 7ff76d57b778 6 API calls 6506->6508 6507->6510 6508->6499 6509->6499 6511 7ff76d578b3c __free_lconv_num 9 API calls 6509->6511 6510->6499 6512 7ff76d57b778 6 API calls 6510->6512 6511->6499 6513 7ff76d57d104 6512->6513 6513->6509 6514 7ff76d57d152 6513->6514 6514->6499 6515 7ff76d578b3c __free_lconv_num 9 API calls 6514->6515 6515->6499 6522 7ff76d57b490 6516->6522 6519 7ff76d57b7be 6519->6504 6521 7ff76d57b827 LCMapStringW 6521->6519 6523 7ff76d57b4ed 6522->6523 6529 7ff76d57b4e8 __vcrt_InitializeCriticalSectionEx 
6522->6529 6523->6519 6531 7ff76d57b864 6523->6531 6524 7ff76d57b51d LoadLibraryExW 6526 7ff76d57b5f2 6524->6526 6527 7ff76d57b542 GetLastError 6524->6527 6525 7ff76d57b612 GetProcAddress 6525->6523 6526->6525 6528 7ff76d57b609 FreeLibrary 6526->6528 6527->6529 6528->6525 6529->6523 6529->6524 6529->6525 6530 7ff76d57b57c LoadLibraryExW 6529->6530 6530->6526 6530->6529 6532 7ff76d57b490 5 API calls 6531->6532 6533 7ff76d57b892 6532->6533 6533->6521 6535 7ff76d572bb2 RtlLookupFunctionEntry 6534->6535 6536 7ff76d572bc8 RtlVirtualUnwind 6535->6536 6537 7ff76d572c01 6535->6537 6536->6535 6536->6537 6537->6477 6541 7ff76d572420 6538->6541 6539 7ff76d572528 6583 7ff76d5711a0 6539->6583 6541->6539 6543 7ff76d572522 6541->6543 6544 7ff76d57248c 6541->6544 6545 7ff76d5724e0 6541->6545 6549 7ff76d572448 6541->6549 6577 7ff76d571100 6543->6577 6544->6543 6570 7ff76d572670 6544->6570 6547 7ff76d572670 41 API calls 6545->6547 6547->6549 6549->5989 6551 7ff76d576c50 _invalid_parameter_noinfo_noreturn 39 API calls 6551->6543 6553 7ff76d576828 6552->6553 6616 7ff76d575f74 6553->6616 6556 7ff76d57687d 6558 7ff76d5714ed 6556->6558 6559 7ff76d576710 _invalid_parameter_noinfo_noreturn 39 API calls 6556->6559 6557 7ff76d576710 _invalid_parameter_noinfo_noreturn 39 API calls 6557->6556 6558->6003 6559->6558 6561 7ff76d576ac8 _invalid_parameter_noinfo_noreturn 39 API calls 6560->6561 6562 7ff76d576c69 6561->6562 6563 7ff76d576c80 _invalid_parameter_noinfo_noreturn 11 API calls 6562->6563 6564 7ff76d576c7e 6563->6564 6566 7ff76d571278 6565->6566 6567 7ff76d571252 WaitForSingleObject CloseHandle CloseHandle 6565->6567 6568 7ff76d572650 _invalid_parameter_noinfo_noreturn 4 API calls 6566->6568 6567->6566 6569 7ff76d571288 6568->6569 6569->6011 6573 7ff76d57267b _set_fmode 6570->6573 6571 7ff76d5724a1 6571->6549 6571->6551 6572 7ff76d5726a5 6575 7ff76d571100 Concurrency::cancel_current_task 41 API calls 6572->6575 6573->6571 6573->6572 6586 7ff76d572c0c 6573->6586 6576 7ff76d5726ab 
6575->6576 6578 7ff76d57110e Concurrency::cancel_current_task 6577->6578 6579 7ff76d573d54 Concurrency::cancel_current_task 2 API calls 6578->6579 6580 7ff76d57111f 6579->6580 6595 7ff76d573b30 6580->6595 6582 7ff76d571149 6582->6539 6608 7ff76d572610 6583->6608 6587 7ff76d572c1a std::bad_alloc::bad_alloc 6586->6587 6590 7ff76d573d54 6587->6590 6589 7ff76d572c2b 6591 7ff76d573d73 6590->6591 6592 7ff76d573dbe RaiseException 6591->6592 6593 7ff76d573d9c RtlPcToFileHeader 6591->6593 6592->6589 6594 7ff76d573db4 6593->6594 6594->6592 6596 7ff76d573b51 6595->6596 6597 7ff76d573b86 __std_exception_destroy 6595->6597 6596->6597 6599 7ff76d577e4c 6596->6599 6597->6582 6600 7ff76d577e59 6599->6600 6601 7ff76d577e63 6599->6601 6600->6601 6603 7ff76d577e7e 6600->6603 6602 7ff76d578284 _set_fmode 9 API calls 6601->6602 6607 7ff76d577e6a 6602->6607 6605 7ff76d577e76 6603->6605 6606 7ff76d578284 _set_fmode 9 API calls 6603->6606 6604 7ff76d576c30 _invalid_parameter_noinfo 39 API calls 6604->6605 6605->6597 6606->6607 6607->6604 6613 7ff76d57258c 6608->6613 6611 7ff76d573d54 Concurrency::cancel_current_task 2 API calls 6612 7ff76d572632 6611->6612 6614 7ff76d573b30 __std_exception_copy 39 API calls 6613->6614 6615 7ff76d5725c0 6614->6615 6615->6611 6617 7ff76d575fbe 6616->6617 6618 7ff76d575fac 6616->6618 6620 7ff76d576008 6617->6620 6622 7ff76d575fcc 6617->6622 6619 7ff76d578284 _set_fmode 9 API calls 6618->6619 6621 7ff76d575fb1 6619->6621 6626 7ff76d576023 6620->6626 6635 7ff76d576780 6620->6635 6624 7ff76d576c30 _invalid_parameter_noinfo 39 API calls 6621->6624 6625 7ff76d576b64 _invalid_parameter_noinfo_noreturn 39 API calls 6622->6625 6633 7ff76d575fbc 6624->6633 6625->6633 6627 7ff76d5763a9 6626->6627 6628 7ff76d578284 _set_fmode 9 API calls 6626->6628 6629 7ff76d578284 _set_fmode 9 API calls 6627->6629 6627->6633 6630 7ff76d57639e 6628->6630 6631 7ff76d57663a 6629->6631 6632 7ff76d576c30 _invalid_parameter_noinfo 39 API calls 6630->6632 6634 7ff76d576c30 
_invalid_parameter_noinfo 39 API calls 6631->6634 6632->6627 6633->6556 6633->6557 6634->6633 6636 7ff76d576710 _invalid_parameter_noinfo_noreturn 39 API calls 6635->6636 6637 7ff76d576797 6636->6637 6642 7ff76d5782d8 6637->6642 6643 7ff76d5782f1 6642->6643 6645 7ff76d5767bf 6642->6645 6644 7ff76d57b3b8 39 API calls 6643->6644 6643->6645 6644->6645 6646 7ff76d578344 6645->6646 6647 7ff76d57835d 6646->6647 6648 7ff76d5767cf 6646->6648 6647->6648 6649 7ff76d57a060 39 API calls 6647->6649 6648->6626 6649->6648 6651 7ff76d578700 __CxxCallCatchBlock 39 API calls 6650->6651 6652 7ff76d577dd1 6651->6652 6653 7ff76d577df4 __CxxCallCatchBlock 39 API calls 6652->6653 6654 7ff76d577df1 6653->6654 7630 7ff76d580959 7631 7ff76d5739fc __CxxCallCatchBlock 47 API calls 7630->7631 7634 7ff76d58096c 7631->7634 7632 7ff76d5740a0 _CreateFrameInfo 47 API calls 7633 7ff76d5809bf 7632->7633 7635 7ff76d5740a0 _CreateFrameInfo 47 API calls 7633->7635 7636 7ff76d573c64 __CxxCallCatchBlock 47 API calls 7634->7636 7638 7ff76d5809ab __CxxCallCatchBlock 7634->7638 7637 7ff76d5809cf 7635->7637 7636->7638 7638->7632 6687 7ff76d57d260 6688 7ff76d57a000 57 API calls 6687->6688 6689 7ff76d57d269 6688->6689 7803 7ff76d57b9e0 GetProcessHeap 6690 7ff76d57a85f 6691 7ff76d57a8f6 6690->6691 6692 7ff76d57a884 6690->6692 6693 7ff76d578284 _set_fmode 9 API calls 6691->6693 6692->6691 6698 7ff76d57a8b7 6692->6698 6694 7ff76d57a8fb 6693->6694 6699 7ff76d578264 6694->6699 6696 7ff76d57a8e8 6697 7ff76d57a8e0 SetStdHandle 6697->6696 6698->6696 6698->6697 6700 7ff76d578878 _set_fmode 9 API calls 6699->6700 6701 7ff76d57826d 6700->6701 6701->6696 7178 7ff76d577ce0 7179 7ff76d577d11 7178->7179 7180 7ff76d577cf9 7178->7180 7180->7179 7181 7ff76d578b3c __free_lconv_num 9 API calls 7180->7181 7181->7179 7804 7ff76d5809df 7807 7ff76d573cb8 7804->7807 7808 7ff76d573ce2 7807->7808 7809 7ff76d573cd0 7807->7809 7811 7ff76d5740a0 _CreateFrameInfo 47 API calls 7808->7811 7809->7808 7810 7ff76d573cd8 7809->7810 7812 
7ff76d5740a0 _CreateFrameInfo 47 API calls 7810->7812 7813 7ff76d573ce0 7810->7813 7814 7ff76d573ce7 7811->7814 7816 7ff76d573d07 7812->7816 7814->7813 7815 7ff76d5740a0 _CreateFrameInfo 47 API calls 7814->7815 7815->7813 7817 7ff76d5740a0 _CreateFrameInfo 47 API calls 7816->7817 7818 7ff76d573d14 7817->7818 7819 7ff76d577dc8 39 API calls 7818->7819 7820 7ff76d573d1d 7819->7820 7821 7ff76d5807f6 7822 7ff76d5740a0 _CreateFrameInfo 47 API calls 7821->7822 7823 7ff76d58080e 7822->7823 7824 7ff76d5740a0 _CreateFrameInfo 47 API calls 7823->7824 7825 7ff76d580829 7824->7825 7826 7ff76d5740a0 _CreateFrameInfo 47 API calls 7825->7826 7827 7ff76d58083d 7826->7827 7828 7ff76d5740a0 _CreateFrameInfo 47 API calls 7827->7828 7829 7ff76d58087f 7828->7829 7830 7ff76d5809f5 7831 7ff76d5740a0 _CreateFrameInfo 47 API calls 7830->7831 7832 7ff76d580a03 7831->7832 7833 7ff76d580a0e 7832->7833 7834 7ff76d5740a0 _CreateFrameInfo 47 API calls 7832->7834 7834->7833 7642 7ff76d57d371 7643 7ff76d578284 _set_fmode 9 API calls 7642->7643 7644 7ff76d57d376 7643->7644 7645 7ff76d576c30 _invalid_parameter_noinfo 39 API calls 7644->7645 7646 7ff76d57d381 7645->7646 6702 7ff76d57c270 6703 7ff76d57c27b 6702->6703 6711 7ff76d57e170 6703->6711 6705 7ff76d57c280 6717 7ff76d57e224 6705->6717 6708 7ff76d57c2b1 6709 7ff76d578b3c __free_lconv_num 9 API calls 6708->6709 6710 7ff76d57c2bd 6709->6710 6716 7ff76d57e189 6711->6716 6712 7ff76d57e209 6712->6705 6713 7ff76d57e1d4 RtlDeleteCriticalSection 6715 7ff76d578b3c __free_lconv_num 9 API calls 6713->6715 6715->6716 6716->6712 6716->6713 6721 7ff76d57e6dc 6716->6721 6718 7ff76d57e238 6717->6718 6720 7ff76d57c292 RtlDeleteCriticalSection 6717->6720 6719 7ff76d578b3c __free_lconv_num 9 API calls 6718->6719 6718->6720 6719->6720 6720->6705 6720->6708 6722 7ff76d57e70c 6721->6722 6729 7ff76d57e5b8 6722->6729 6724 7ff76d57e725 6725 7ff76d57e74a 6724->6725 6726 7ff76d576710 _invalid_parameter_noinfo_noreturn 39 API calls 6724->6726 6727 7ff76d57e75f 6725->6727 
6728 7ff76d576710 _invalid_parameter_noinfo_noreturn 39 API calls 6725->6728 6726->6725 6727->6716 6728->6727 6730 7ff76d57e5d3 6729->6730 6732 7ff76d57e601 6729->6732 6731 7ff76d576b64 _invalid_parameter_noinfo_noreturn 39 API calls 6730->6731 6734 7ff76d57e5f3 6731->6734 6732->6734 6735 7ff76d57e634 6732->6735 6734->6724 6736 7ff76d57e674 6735->6736 6737 7ff76d57e64f 6735->6737 6740 7ff76d57e66f 6736->6740 6749 7ff76d57bfdc 6736->6749 6738 7ff76d576b64 _invalid_parameter_noinfo_noreturn 39 API calls 6737->6738 6738->6740 6740->6734 6742 7ff76d57e224 9 API calls 6743 7ff76d57e691 6742->6743 6755 7ff76d57c45c 6743->6755 6748 7ff76d578b3c __free_lconv_num 9 API calls 6748->6740 6750 7ff76d57c002 6749->6750 6751 7ff76d57c033 6749->6751 6750->6751 6752 7ff76d57c45c 39 API calls 6750->6752 6751->6742 6753 7ff76d57c023 6752->6753 6768 7ff76d57dd48 6753->6768 6756 7ff76d57c465 6755->6756 6758 7ff76d57c475 6755->6758 6757 7ff76d578284 _set_fmode 9 API calls 6756->6757 6759 7ff76d57c46a 6757->6759 6761 7ff76d57f0d4 6758->6761 6760 7ff76d576c30 _invalid_parameter_noinfo 39 API calls 6759->6760 6760->6758 6762 7ff76d57e6a3 6761->6762 6764 7ff76d57f100 6761->6764 6762->6740 6762->6748 6763 7ff76d57f164 6765 7ff76d576b64 _invalid_parameter_noinfo_noreturn 39 API calls 6763->6765 6764->6763 6766 7ff76d57f130 6764->6766 6765->6762 6865 7ff76d57f05c 6766->6865 6769 7ff76d57dd9e 6768->6769 6773 7ff76d57dd71 6768->6773 6770 7ff76d57ddb7 6769->6770 6772 7ff76d57de0e 6769->6772 6771 7ff76d576b64 _invalid_parameter_noinfo_noreturn 39 API calls 6770->6771 6771->6773 6772->6773 6775 7ff76d57de68 6772->6775 6773->6751 6776 7ff76d57de93 6775->6776 6780 7ff76d57dec7 6775->6780 6777 7ff76d57de98 6776->6777 6779 7ff76d57df06 6776->6779 6778 7ff76d576b64 _invalid_parameter_noinfo_noreturn 39 API calls 6777->6778 6778->6780 6781 7ff76d57df1c 6779->6781 6805 7ff76d57e574 6779->6805 6780->6773 6812 7ff76d57e268 6781->6812 6784 7ff76d57e044 6785 7ff76d57e0a8 WriteFile 6784->6785 6786 7ff76d57e056 
6784->6786 6785->6780 6789 7ff76d57e0cf GetLastError 6785->6789 6790 7ff76d57e05e 6786->6790 6791 7ff76d57e094 6786->6791 6788 7ff76d57df54 6788->6784 6793 7ff76d57df77 GetConsoleMode 6788->6793 6789->6780 6795 7ff76d57e063 6790->6795 6796 7ff76d57e080 6790->6796 6846 7ff76d57d9b8 6791->6846 6792 7ff76d576780 39 API calls 6792->6788 6793->6784 6798 7ff76d57df92 6793->6798 6795->6780 6832 7ff76d57dabc 6795->6832 6839 7ff76d57dbd8 6796->6839 6800 7ff76d57e021 6798->6800 6804 7ff76d57df9e 6798->6804 6820 7ff76d57d540 GetConsoleOutputCP 6800->6820 6802 7ff76d57e00f GetLastError 6802->6780 6803 7ff76d57e57c 6 API calls 6803->6804 6804->6780 6804->6802 6804->6803 6806 7ff76d57e4c8 6805->6806 6853 7ff76d57a924 6806->6853 6809 7ff76d57e506 SetFilePointerEx 6810 7ff76d57e51e GetLastError 6809->6810 6811 7ff76d57e4f5 6809->6811 6810->6811 6811->6781 6813 7ff76d57e27e 6812->6813 6814 7ff76d57e271 6812->6814 6816 7ff76d578284 _set_fmode 9 API calls 6813->6816 6817 7ff76d57df28 6813->6817 6815 7ff76d578284 _set_fmode 9 API calls 6814->6815 6815->6817 6818 7ff76d57e2b5 6816->6818 6817->6784 6817->6788 6817->6792 6819 7ff76d576c30 _invalid_parameter_noinfo 39 API calls 6818->6819 6819->6817 6821 7ff76d57d5d4 6820->6821 6830 7ff76d57d5dc 6820->6830 6822 7ff76d576780 39 API calls 6821->6822 6822->6830 6823 7ff76d572650 _invalid_parameter_noinfo_noreturn 4 API calls 6824 7ff76d57d99a 6823->6824 6824->6780 6825 7ff76d57c2e4 39 API calls 6825->6830 6826 7ff76d57d908 6826->6823 6827 7ff76d57e30c IsProcessorFeaturePresent RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 6827->6830 6828 7ff76d57d870 WriteFile 6829 7ff76d57d983 GetLastError 6828->6829 6828->6830 6829->6826 6830->6825 6830->6826 6830->6827 6830->6828 6831 7ff76d57d8b0 WriteFile 6830->6831 6831->6829 6831->6830 6834 7ff76d57dad4 6832->6834 6833 7ff76d57dba0 6835 7ff76d572650 _invalid_parameter_noinfo_noreturn 4 API calls 6833->6835 6834->6833 6836 7ff76d57db63 WriteFile 6834->6836 6837 7ff76d57dbbd 6835->6837 
6836->6834 6838 7ff76d57dba2 GetLastError 6836->6838 6837->6780 6838->6833 6843 7ff76d57dbf4 6839->6843 6840 7ff76d57dd19 6841 7ff76d572650 _invalid_parameter_noinfo_noreturn 4 API calls 6840->6841 6842 7ff76d57dd2c 6841->6842 6842->6780 6843->6840 6844 7ff76d57dd11 GetLastError 6843->6844 6845 7ff76d57dcce WriteFile 6843->6845 6844->6840 6845->6843 6845->6844 6847 7ff76d57d9d0 6846->6847 6850 7ff76d57da4e WriteFile 6847->6850 6852 7ff76d57da85 6847->6852 6848 7ff76d572650 _invalid_parameter_noinfo_noreturn 4 API calls 6849 7ff76d57daa2 6848->6849 6849->6780 6850->6847 6851 7ff76d57da87 GetLastError 6850->6851 6851->6852 6852->6848 6854 7ff76d57a92d 6853->6854 6855 7ff76d57a942 6853->6855 6856 7ff76d578264 9 API calls 6854->6856 6858 7ff76d578264 9 API calls 6855->6858 6861 7ff76d57a93a 6855->6861 6857 7ff76d57a932 6856->6857 6859 7ff76d578284 _set_fmode 9 API calls 6857->6859 6860 7ff76d57a97d 6858->6860 6859->6861 6862 7ff76d578284 _set_fmode 9 API calls 6860->6862 6861->6809 6861->6811 6863 7ff76d57a985 6862->6863 6864 7ff76d576c30 _invalid_parameter_noinfo 39 API calls 6863->6864 6864->6861 6866 7ff76d57f078 6865->6866 6868 7ff76d57f0ad 6866->6868 6869 7ff76d57f198 6866->6869 6868->6762 6870 7ff76d57a924 39 API calls 6869->6870 6873 7ff76d57f1b4 6870->6873 6871 7ff76d57f1ba 6882 7ff76d57a868 6871->6882 6873->6871 6874 7ff76d57f1f7 6873->6874 6876 7ff76d57a924 39 API calls 6873->6876 6874->6871 6875 7ff76d57a924 39 API calls 6874->6875 6877 7ff76d57f203 CloseHandle 6875->6877 6878 7ff76d57f1ea 6876->6878 6877->6871 6879 7ff76d57f210 GetLastError 6877->6879 6880 7ff76d57a924 39 API calls 6878->6880 6879->6871 6880->6874 6881 7ff76d57f21f 6881->6868 6883 7ff76d57a8f6 6882->6883 6884 7ff76d57a884 6882->6884 6885 7ff76d578284 _set_fmode 9 API calls 6883->6885 6884->6883 6889 7ff76d57a8b7 6884->6889 6886 7ff76d57a8fb 6885->6886 6887 7ff76d578264 9 API calls 6886->6887 6888 7ff76d57a8e8 6887->6888 6888->6881 6889->6888 6890 7ff76d57a8e0 SetStdHandle 6889->6890 
6890->6888 7182 7ff76d5726f0 7183 7ff76d572700 7182->7183 7197 7ff76d577668 7183->7197 7185 7ff76d57270c 7203 7ff76d572cac 7185->7203 7187 7ff76d572fb4 6 API calls 7189 7ff76d5727a5 7187->7189 7188 7ff76d572724 _RTC_Initialize 7195 7ff76d572779 7188->7195 7208 7ff76d572e5c 7188->7208 7191 7ff76d572739 7211 7ff76d577198 7191->7211 7193 7ff76d572745 7193->7195 7242 7ff76d577760 7193->7242 7195->7187 7196 7ff76d572795 7195->7196 7198 7ff76d577679 7197->7198 7199 7ff76d578284 _set_fmode 9 API calls 7198->7199 7200 7ff76d577681 7198->7200 7201 7ff76d577690 7199->7201 7200->7185 7202 7ff76d576c30 _invalid_parameter_noinfo 39 API calls 7201->7202 7202->7200 7204 7ff76d572cbd 7203->7204 7207 7ff76d572cc2 __scrt_release_startup_lock 7203->7207 7205 7ff76d572fb4 6 API calls 7204->7205 7204->7207 7206 7ff76d572d36 7205->7206 7207->7188 7249 7ff76d572e20 7208->7249 7210 7ff76d572e65 7210->7191 7212 7ff76d5771b8 7211->7212 7233 7ff76d5771cf 7211->7233 7213 7ff76d5771d6 7212->7213 7214 7ff76d5771c0 7212->7214 7216 7ff76d57a000 57 API calls 7213->7216 7215 7ff76d578284 _set_fmode 9 API calls 7214->7215 7217 7ff76d5771c5 7215->7217 7218 7ff76d5771db 7216->7218 7219 7ff76d576c30 _invalid_parameter_noinfo 39 API calls 7217->7219 7288 7ff76d5796d8 GetModuleFileNameW 7218->7288 7219->7233 7226 7ff76d57724d 7228 7ff76d578284 _set_fmode 9 API calls 7226->7228 7227 7ff76d577265 7229 7ff76d576f70 39 API calls 7227->7229 7230 7ff76d577252 7228->7230 7231 7ff76d577281 7229->7231 7232 7ff76d578b3c __free_lconv_num 9 API calls 7230->7232 7235 7ff76d5772cc 7231->7235 7236 7ff76d5772b3 7231->7236 7240 7ff76d577287 7231->7240 7232->7233 7233->7193 7234 7ff76d578b3c __free_lconv_num 9 API calls 7234->7233 7238 7ff76d578b3c __free_lconv_num 9 API calls 7235->7238 7237 7ff76d578b3c __free_lconv_num 9 API calls 7236->7237 7239 7ff76d5772bc 7237->7239 7238->7240 7241 7ff76d578b3c __free_lconv_num 9 API calls 7239->7241 7240->7234 7241->7233 7243 7ff76d578700 __CxxCallCatchBlock 39 API calls 
7242->7243 7244 7ff76d57776d 7243->7244 7245 7ff76d5777a1 7244->7245 7246 7ff76d578284 _set_fmode 9 API calls 7244->7246 7245->7195 7247 7ff76d577796 7246->7247 7248 7ff76d576c30 _invalid_parameter_noinfo 39 API calls 7247->7248 7248->7245 7250 7ff76d572e3a 7249->7250 7252 7ff76d572e33 7249->7252 7253 7ff76d577be0 7250->7253 7252->7210 7256 7ff76d57781c 7253->7256 7255 7ff76d577c22 7255->7252 7257 7ff76d577838 7256->7257 7260 7ff76d577894 7257->7260 7259 7ff76d577841 7259->7255 7261 7ff76d5778c0 7260->7261 7269 7ff76d577955 7260->7269 7262 7ff76d577931 7261->7262 7261->7269 7270 7ff76d57b944 7261->7270 7264 7ff76d57b944 11 API calls 7262->7264 7262->7269 7266 7ff76d57794b 7264->7266 7265 7ff76d577927 7267 7ff76d578b3c __free_lconv_num 9 API calls 7265->7267 7268 7ff76d578b3c __free_lconv_num 9 API calls 7266->7268 7267->7262 7268->7269 7269->7259 7271 7ff76d57b966 7270->7271 7274 7ff76d57b983 7270->7274 7272 7ff76d57b974 7271->7272 7271->7274 7273 7ff76d578284 _set_fmode 9 API calls 7272->7273 7276 7ff76d57b979 7273->7276 7277 7ff76d57d3a4 7274->7277 7276->7265 7278 7ff76d57d3b9 7277->7278 7279 7ff76d57d3c3 7277->7279 7280 7ff76d578a64 10 API calls 7278->7280 7281 7ff76d57d3c8 7279->7281 7282 7ff76d57d3cf _set_fmode 7279->7282 7286 7ff76d57d3c1 7280->7286 7283 7ff76d578b3c __free_lconv_num 9 API calls 7281->7283 7284 7ff76d57d3d5 7282->7284 7285 7ff76d57d402 RtlReAllocateHeap 7282->7285 7283->7286 7287 7ff76d578284 _set_fmode 9 API calls 7284->7287 7285->7282 7285->7286 7286->7276 7287->7286 7289 7ff76d57971d GetLastError 7288->7289 7290 7ff76d579731 7288->7290 7310 7ff76d5781f8 7289->7310 7292 7ff76d578114 39 API calls 7290->7292 7297 7ff76d57975f 7292->7297 7293 7ff76d572650 _invalid_parameter_noinfo_noreturn 4 API calls 7294 7ff76d5771f2 7293->7294 7298 7ff76d576f70 7294->7298 7296 7ff76d57972a 7296->7293 7315 7ff76d5795bc 7297->7315 7300 7ff76d576fae 7298->7300 7299 7ff76d57a3b0 39 API calls 7299->7300 7300->7299 7302 7ff76d57701a 7300->7302 7301 7ff76d57710b 
7304 7ff76d577138 7301->7304 7302->7301 7303 7ff76d57a3b0 39 API calls 7302->7303 7303->7302 7305 7ff76d577188 7304->7305 7306 7ff76d577150 7304->7306 7305->7226 7305->7227 7306->7305 7307 7ff76d578ac4 _set_fmode 9 API calls 7306->7307 7308 7ff76d57717e 7307->7308 7309 7ff76d578b3c __free_lconv_num 9 API calls 7308->7309 7309->7305 7311 7ff76d578878 _set_fmode 9 API calls 7310->7311 7312 7ff76d578205 __free_lconv_num 7311->7312 7313 7ff76d578878 _set_fmode 9 API calls 7312->7313 7314 7ff76d578227 7313->7314 7314->7296 7317 7ff76d5795e0 7315->7317 7318 7ff76d5795fb 7315->7318 7316 7ff76d579600 7316->7317 7319 7ff76d578284 _set_fmode 9 API calls 7316->7319 7317->7296 7318->7316 7320 7ff76d57965e GetLastError 7318->7320 7322 7ff76d579689 7318->7322 7319->7317 7321 7ff76d5781f8 9 API calls 7320->7321 7323 7ff76d57966b 7321->7323 7322->7317 7322->7320 7324 7ff76d578284 _set_fmode 9 API calls 7323->7324 7324->7317 7647 7ff76d57553c 7659 7ff76d57546f __CxxCallCatchBlock __FrameHandler3::GetHandlerSearchState 7647->7659 7648 7ff76d575563 7649 7ff76d5740a0 _CreateFrameInfo 47 API calls 7648->7649 7651 7ff76d575568 7649->7651 7650 7ff76d57559e 7652 7ff76d577df4 __CxxCallCatchBlock 39 API calls 7650->7652 7653 7ff76d575573 7651->7653 7654 7ff76d5740a0 _CreateFrameInfo 47 API calls 7651->7654 7652->7653 7655 7ff76d575580 __FrameHandler3::GetHandlerSearchState 7653->7655 7656 7ff76d577df4 __CxxCallCatchBlock 39 API calls 7653->7656 7654->7653 7657 7ff76d5755a9 7656->7657 7658 7ff76d573a50 47 API calls Is_bad_exception_allowed 7658->7659 7659->7648 7659->7650 7659->7658 7660 7ff76d573a78 __FrameHandler3::FrameUnwindToEmptyState 47 API calls 7659->7660 7660->7659 7325 7ff76d57fcc0 7335 7ff76d573dfc 7325->7335 7327 7ff76d57fce8 7329 7ff76d5740a0 _CreateFrameInfo 47 API calls 7330 7ff76d57fcf8 7329->7330 7331 7ff76d5740a0 _CreateFrameInfo 47 API calls 7330->7331 7332 7ff76d57fd01 7331->7332 7333 7ff76d577dc8 39 API calls 7332->7333 7334 7ff76d57fd0a 7333->7334 7338 7ff76d573e2c 
__CxxCallCatchBlock _IsNonwritableInCurrentImage __except_validate_context_record 7335->7338 7336 7ff76d573f2d 7336->7327 7336->7329 7337 7ff76d573ef0 RtlUnwindEx 7337->7338 7338->7336 7338->7337 6891 7ff76d57fc40 6892 7ff76d57fc78 __GSHandlerCheckCommon 6891->6892 6893 7ff76d57fca4 6892->6893 6895 7ff76d573aa8 6892->6895 6902 7ff76d5740a0 6895->6902 6898 7ff76d5740a0 _CreateFrameInfo 47 API calls 6899 7ff76d573adf 6898->6899 6900 7ff76d5740a0 _CreateFrameInfo 47 API calls 6899->6900 6901 7ff76d573ae8 6900->6901 6901->6893 6908 7ff76d5740bc 6902->6908 6905 7ff76d573ad2 6905->6898 6906 7ff76d577df4 __CxxCallCatchBlock 39 API calls 6907 7ff76d5740b8 6906->6907 6909 7ff76d5740db GetLastError 6908->6909 6910 7ff76d5740a9 6908->6910 6912 7ff76d5740ee 6909->6912 6910->6905 6910->6906 6911 7ff76d574160 SetLastError 6911->6910 6912->6911 6918 7ff76d5740fe __std_exception_destroy 6912->6918 6919 7ff76d575b24 6912->6919 6914 7ff76d57410e 6914->6911 6915 7ff76d574135 6914->6915 6916 7ff76d575b24 _CreateFrameInfo 6 API calls 6914->6916 6917 7ff76d575b24 _CreateFrameInfo 6 API calls 6915->6917 6915->6918 6916->6915 6917->6918 6918->6911 6924 7ff76d5758fc 6919->6924 6922 7ff76d575b64 TlsSetValue 6923 7ff76d575b5c 6922->6923 6923->6914 6925 7ff76d5759e6 6924->6925 6930 7ff76d575940 __vcrt_InitializeCriticalSectionEx 6924->6930 6925->6922 6925->6923 6926 7ff76d57596e LoadLibraryExW 6927 7ff76d575a0d 6926->6927 6928 7ff76d57598f GetLastError 6926->6928 6929 7ff76d575a2d GetProcAddress 6927->6929 6931 7ff76d575a24 FreeLibrary 6927->6931 6928->6930 6929->6925 6930->6925 6930->6926 6930->6929 6932 7ff76d5759b1 LoadLibraryExW 6930->6932 6931->6929 6932->6927 6932->6930 7835 7ff76d57abc0 7836 7ff76d57abd0 7835->7836 7843 7ff76d57a770 7836->7843 7838 7ff76d57abd9 7841 7ff76d57abe7 7838->7841 7851 7ff76d57a9bc GetStartupInfoW 7838->7851 7844 7ff76d57a78f 7843->7844 7848 7ff76d57a7b8 7843->7848 7845 7ff76d578284 _set_fmode 9 API calls 7844->7845 7846 7ff76d57a794 7845->7846 7847 

    Memory Dump Source
    • Source File: 00000000.00000002.1415567108.00007FF76D571000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF76D570000, based on PE: true
    • Associated: 00000000.00000002.1415551620.00007FF76D570000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1415567108.00007FF76D58C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1415567108.00007FF76D592000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1415612652.00007FF76D593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1415625778.00007FF76D594000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff76d570000_SecuriteInfo.jbxd
    Similarity
    • API ID: CloseHandle$Process$CommandLine_invalid_parameter_noinfo_noreturn$ArgvCodeConcurrency::cancel_current_taskCreateExitObjectOpenSingleSleepWait
    • String ID: "$1$4$E$O$^$^$c$e$e$e$f$f$g$g$k$o$q$q$u$v$v$y${
    • API String ID: 2156799773-2036417650

    Similarity
    • API ID: __scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
    • String ID:
    • API String ID: 3070443116-0

    Similarity
    • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
    • String ID:
    • API String ID: 3140674995-0

    Similarity
    • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
    • String ID:
    • API String ID: 1239891234-0
    Similarity
    • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
    • String ID:
    • API String ID: 2933794660-0
    Similarity
    • API ID: ExceptionRaise_clrfp
    • String ID:
    • API String ID: 15204871-0
    Similarity
    • API ID: HeapProcess
    • String ID:
    • API String ID: 54951025-0
    Similarity
    • API ID: ErrorFreeHeapLast
    • String ID:
    • API String ID: 485612231-0

    Similarity
    • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
    • String ID: csm$csm$csm
    • API String ID: 849930591-393685449

    Similarity
    • API ID: AddressFreeLibraryProc
    • String ID: api-ms-$ext-ms-
    • API String ID: 3013587201-537541572
    • Opcode ID: b30e28bd0cd48f27bf1a31ff5ea156d3804f5e8b499c2477a6b867bb355f5e73
    • Instruction ID: c0276e05441292d6caf8cd060f86dadaff26a8366d6d298d6d72569c46d4d37b
    • Opcode Fuzzy Hash: b30e28bd0cd48f27bf1a31ff5ea156d3804f5e8b499c2477a6b867bb355f5e73
    • Instruction Fuzzy Hash: C841F521B3DA22C1EB15FB16A8105B5A392BF49BE0FA94135DD1E47B86FF3CE5058320
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID: f$p$p
    • API String ID: 3215553584-1995029353
    • Opcode ID: 2db86bdd0b4c4cd621bef344b6d918bb67484dc4c7676120007631029398bba2
    • Instruction ID: 064b804ccec52d54cb1aed2e124d264b2430122b082088152355b984d4055144
    • Opcode Fuzzy Hash: 2db86bdd0b4c4cd621bef344b6d918bb67484dc4c7676120007631029398bba2
    • Instruction Fuzzy Hash: AC12A262A2C343C6FBA07A159154279F6A1FB40750FE44035EE9947EC6EF3CE6809BA1

    Similarity
    • API ID: Library$Load$AddressErrorFreeLastProc
    • String ID: api-ms-
    • API String ID: 2559590344-2084034818
    • Opcode ID: ed90df822e7d59495b79f906fc16800e7d9b52045c0eb292820e9cf29d7ca3ef
    • Instruction ID: 46fc08221f089ef10053d41c98e976c32a2249c5d7e861ab27be38a39c20235a
    • Opcode Fuzzy Hash: ed90df822e7d59495b79f906fc16800e7d9b52045c0eb292820e9cf29d7ca3ef
    • Instruction Fuzzy Hash: 6931C222A2E752C1EE61AB12E8005B5A3A4BF44BB0FE90135DD2D47B96FE3CE540C320

    Similarity
    • API ID: Value$ErrorLast
    • String ID:
    • API String ID: 2506987500-0
    • Opcode ID: 8b63ef19f9df0f4c288cac1842f9729c2262ba617c372d28031ee4c08f10457d
    • Instruction ID: f7d8210d2421447c121825562899cd3b552e2971dcf75c10c09a5cc52f342a51
    • Opcode Fuzzy Hash: 8b63ef19f9df0f4c288cac1842f9729c2262ba617c372d28031ee4c08f10457d
    • Instruction Fuzzy Hash: 57215724B2D286C2FA587321695513DE6525F447F0FF44735DD3E06EC7FE2CA6009222

    Similarity
    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
    • String ID: CONOUT$
    • API String ID: 3230265001-3130406586
    • Opcode ID: da70c63ec7be9f21d8993bfcef2884285bdc39009cb66d938cb2b7c8fc8294fa
    • Instruction ID: e48846db547d4c3f7905b22c37d31c0063170021c8f56719ceb7579f82af375e
    • Opcode Fuzzy Hash: da70c63ec7be9f21d8993bfcef2884285bdc39009cb66d938cb2b7c8fc8294fa
    • Instruction Fuzzy Hash: 12118431B2CA91C6E3509B42E844725A2A0FB48BE5F544234ED6E87F95EF3CD5448754

    Similarity
    • API ID: Value$ErrorLast
    • String ID:
    • API String ID: 2506987500-0
    • Opcode ID: afbb12fcad02bafca9b27522c9550e3d77d0b2974f4a39fa0265fdc4056edb3d
    • Instruction ID: 1ce1d61e975ede22c2965390da2fe640dd3faece4bb9cdd3569afd9075e33747
    • Opcode Fuzzy Hash: afbb12fcad02bafca9b27522c9550e3d77d0b2974f4a39fa0265fdc4056edb3d
    • Instruction Fuzzy Hash: A3114920B2D696C2FA54B721A55517DEA525F847F0FE44B35DC2E06FC7FE2CA6018222

    Similarity
    • API ID: CloseHandle$CreateObjectProcessSingleWait
    • String ID: h
    • API String ID: 2059082233-2439710439
    • Opcode ID: 5b8cf0092febe8dd4bed2618a947a67060a1088977b281d69a45aa787853e3eb
    • Instruction ID: aadec912eac7ab7023574f34934a414049bea161759314c0fcbc9df953a8e0b8
    • Opcode Fuzzy Hash: 5b8cf0092febe8dd4bed2618a947a67060a1088977b281d69a45aa787853e3eb
    • Instruction Fuzzy Hash: 4B110722E2CBC1C2E7509B24E85436EB3A0F7D9784F516339EA9D46A25EF78D1958B00

    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    • Opcode ID: 601fe3a390ecbed2954148d0ced979f55aad1695c3df72d69a231db1b69d0d0c
    • Instruction ID: 3ef7e9954dd6b61905be4649cc223bc5ca44854b5e1d2e83277d1cca350ceaad
    • Opcode Fuzzy Hash: 601fe3a390ecbed2954148d0ced979f55aad1695c3df72d69a231db1b69d0d0c
    • Instruction Fuzzy Hash: 59F0AF61A2C616C1EB10AB24E454779A320AF487A1F940235CD6E45AE5EF2CD5848320

    Similarity
    • API ID: _set_statfp
    • String ID:
    • API String ID: 1156100317-0
    • Opcode ID: 42c32d3acaf94be8bf6c9fa5576b7a947ae4a2e90c63d94789f449aabdcb8345
    • Instruction ID: 48bd21dddc09fb5631e6fd05c09dacf77ab774549c897852845cbf1eabc25916
    • Opcode Fuzzy Hash: 42c32d3acaf94be8bf6c9fa5576b7a947ae4a2e90c63d94789f449aabdcb8345
    • Instruction Fuzzy Hash: 6B118222E3CA03D5F7A8B139E44137990416F993E0FA80675ED6E47ADBAE2CAA414130

    APIs
    • FlsGetValue.KERNEL32(?,?,?,00007FF76D5768F3,?,?,00000000,00007FF76D576B8E,?,?,?,?,?,00007FF76D576B1A), ref: 00007FF76D57895F
    • FlsSetValue.KERNEL32(?,?,?,00007FF76D5768F3,?,?,00000000,00007FF76D576B8E,?,?,?,?,?,00007FF76D576B1A), ref: 00007FF76D57897E
    • FlsSetValue.KERNEL32(?,?,?,00007FF76D5768F3,?,?,00000000,00007FF76D576B8E,?,?,?,?,?,00007FF76D576B1A), ref: 00007FF76D5789A6
    • FlsSetValue.KERNEL32(?,?,?,00007FF76D5768F3,?,?,00000000,00007FF76D576B8E,?,?,?,?,?,00007FF76D576B1A), ref: 00007FF76D5789B7
    • FlsSetValue.KERNEL32(?,?,?,00007FF76D5768F3,?,?,00000000,00007FF76D576B8E,?,?,?,?,?,00007FF76D576B1A), ref: 00007FF76D5789C8
    Similarity
    • API ID: Value
    • String ID:
    • API String ID: 3702945584-0
    • Opcode ID: 0f9621ba38eac4d4c9221c1909a7449da67151443a31084acbc08cdd0f3ab668
    • Instruction ID: 2dab1938f130165ec83f6a0d8fec5cb52455972bef505755ffeaacf4300eafbd
    • Opcode Fuzzy Hash: 0f9621ba38eac4d4c9221c1909a7449da67151443a31084acbc08cdd0f3ab668
    • Instruction Fuzzy Hash: 57116D20B2D64AC5FA58B326A55117DE9525F843F0FE84335EC7E06FC7FE2CA6018222

    Similarity
    • API ID: Value
    • String ID:
    • API String ID: 3702945584-0
    • Opcode ID: 894ac61070d366438315e3218e1dfb48ca6c91d06236f37a1e460a36819cefe7
    • Instruction ID: f0fa371b038395e801e7ec72c54db17731c19dfad30042b0fe04dd054b2767bd
    • Opcode Fuzzy Hash: 894ac61070d366438315e3218e1dfb48ca6c91d06236f37a1e460a36819cefe7
    • Instruction Fuzzy Hash: 88111810E2D24BC5FA58726258111BDA5515F443B4EF80B35DD3E0AED3FE2CB6018232
    Similarity
    • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
    • String ID: csm
    • API String ID: 2395640692-1018135373
    • Opcode ID: 9ec0b71a165466a9c67599c9ab78e621c696c82d4bac01c73983b7531b60d568
    • Instruction ID: ab043edafbc18c1ce605ea42bf2f526a6571e17620cd8f869903ce75adf28b97
    • Opcode Fuzzy Hash: 9ec0b71a165466a9c67599c9ab78e621c696c82d4bac01c73983b7531b60d568
    • Instruction Fuzzy Hash: 9A51B421B2D542CAEB14EF15D444A78B3A1EB44BA4FA04135EE6E43B86FF3DE941C710
    Similarity
    • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
    • String ID: csm$csm
    • API String ID: 3896166516-3733052814
    • Opcode ID: 78f3bdf085cd92ad20dc991ed7b11ee6dea2a72f9a24a56b215421e1564ee266
    • Instruction ID: 9a1c1d1acc55ef3a0bbeece8b6250cba09c5028d13e0f48326e975a2f54f0778
    • Opcode Fuzzy Hash: 78f3bdf085cd92ad20dc991ed7b11ee6dea2a72f9a24a56b215421e1564ee266
    • Instruction Fuzzy Hash: 6F51AF3292C242CAEB64AF119054378B794FB54B95FA84135DE9C47F86EF3CE651C710
    Similarity
    • API ID: CallEncodePointerTranslator
    • String ID: MOC$RCC
    • API String ID: 3544855599-2084237596
    • Opcode ID: 582590e0508bbd1300525430ea8ab693eb7a7b7207769477c28eb59a10e6996e
    • Instruction ID: f0ee57938e4c92dcb0680d35550b6930cae7fad79134844dcc95b343891b8a0c
    • Opcode Fuzzy Hash: 582590e0508bbd1300525430ea8ab693eb7a7b7207769477c28eb59a10e6996e
    • Instruction Fuzzy Hash: 39617E3291CB85C6E760AB15E4407AAB7A4FB88794F544235EF9C07B56EF7CD290CB10
    Similarity
    • API ID: FileWrite$ConsoleErrorLastOutput
    • String ID:
    • API String ID: 2718003287-0
    • Opcode ID: d3fb5c5a4305f20a5b910567b94ca3d6b86f08d4eb07c482a73a96056ee82046
    • Instruction ID: bedf0fc5214b52f3127d968bd5c0a93ac3400c7181e3fd861bef6e07f8e746f2
    • Opcode Fuzzy Hash: d3fb5c5a4305f20a5b910567b94ca3d6b86f08d4eb07c482a73a96056ee82046
    • Instruction Fuzzy Hash: 6FD1D132B2CA41C9E711DF65D4402ECB7B1FB85B98BA44236CE5D97B9AEE38D506C310
    Similarity
    • API ID: ConsoleErrorLastMode
    • String ID:
    • API String ID: 953036326-0
    • Opcode ID: 197305ce307c94d7c752f16767a557a4ae6d33c22abbc4c6e91266b11f46d5a1
    • Instruction ID: 333686606c2addd5ad867be2b9808fd5372e0977c0fa75e1a4b1fb3d6ca8e7f3
    • Opcode Fuzzy Hash: 197305ce307c94d7c752f16767a557a4ae6d33c22abbc4c6e91266b11f46d5a1
    • Instruction Fuzzy Hash: EC91C972F2C752C5F750AF6584806BDABA0BB45788FA44139DE0E97E86EE3CD542C720
    Similarity
    • API ID: ErrorFileLastWrite
    • String ID: U
    • API String ID: 442123175-4171548499
    • Opcode ID: 6d23fd177495eb1cf3c6af8b1d658aefedd24363c73960ae3563ba64990bfd83
    • Instruction ID: 5d82cea5d21a87a370727eba4493578b0f1b78dfb12c6aa6c5f7b93067612b97
    • Opcode Fuzzy Hash: 6d23fd177495eb1cf3c6af8b1d658aefedd24363c73960ae3563ba64990bfd83
    • Instruction Fuzzy Hash: DD41C522B2CA81C1DB20EF25E4447A9A7A5FB88784FA14032EE4D87B59FF7CD501C760
    Similarity
    • API ID: ExceptionFileHeaderRaise
    • String ID: csm
    • API String ID: 2573137834-1018135373
    • Opcode ID: 4316c429adb968347ab1774c5765e22e2dafea5f83a08b0f330515f8cecce910
    • Instruction ID: 65a27bc0eca43366682c45391795a412058c1a312d50facb50c4dd56bffb57de
    • Opcode Fuzzy Hash: 4316c429adb968347ab1774c5765e22e2dafea5f83a08b0f330515f8cecce910
    • Instruction Fuzzy Hash: EA115B3662CB81C2EB609F15F400269B7E0FB88B94FA84230DE9D07B59EF3DC5558B00