
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1522707
MD5: dcb556280972bcbd51ba0fa8ee7b6a46
SHA1: 152c09b925cb120c0fd646e0a3cbf2120c8e7ce6
SHA256: 2e96b64287a0b741837c9f8179e8e1596d0f854d66108b38e4b84cc71c02e6c3
Tags: exe, user-jstrosch

Detection

Malware families: Gandcrab, ReflectiveLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Gandcrab
Yara detected ReflectiveLoader
AI detected suspicious sample
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
One or more processes crash
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 6884 cmdline: "C:\Users\user\Desktop\file.exe" MD5: DCB556280972BCBD51BA0FA8EE7B6A46)
    • WerFault.exe (PID: 6436 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 280 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Gandcrab | GandCrab was a Ransomware-as-a-Service (RaaS) that emerged on January 28, 2018, managed by a criminal organization known to be confident and vocal, while running a rapidly evolving ransomware campaign. Through their aggressive, albeit unusual, marketing strategies and constant recruitment of affiliates, they were able to globally distribute a high volume of their malware. In a surprising announcement on May 31, 2019, GandCrab's operators posted on a dark web forum, announcing the end of a little more than a year of ransomware operations and citing staggering profit figures. However, if there's one thing that sets these threat actors apart from other groups, it is that they are unpredictable; so there is always the possibility that they might re-surface in one form or another. | Pinchy Spider | | https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab
No configs have been found
Yara matches on the sample:
Source | Rule | Description | Author | Strings
file.exe | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security |
file.exe | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security |
file.exe | Gandcrab | Gandcrab Payload | kevoreilly | 0x1f2e8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
file.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen | 0x1fda1:$s1: _ReflectiveLoader@; 0x1fda2:$s2: ReflectiveLoader@

Yara matches in process memory dumps:
Source | Rule | Description | Author | Strings
00000001.00000002.2310972685.0000000000352000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security |
00000001.00000000.2280026514.0000000000351000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security |
Process Memory Space: file.exe PID: 6884 | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security |
Process Memory Space: file.exe PID: 6884 | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security |

Yara matches in unpacked PE files:
Source | Rule | Description | Author | Strings
1.2.file.exe.3520c0.1.raw.unpack | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security |
1.2.file.exe.3520c0.1.raw.unpack | Gandcrab | Gandcrab Payload | kevoreilly | 0xee28:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
1.2.file.exe.3520c0.1.raw.unpack | INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen | 0xf8e1:$s1: _ReflectiveLoader@; 0xf8e2:$s2: ReflectiveLoader@
1.2.file.exe.3520c0.1.unpack | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security |
1.2.file.exe.3520c0.1.unpack | Gandcrab | Gandcrab Payload | kevoreilly | 0xe028:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
(13 further unpacked-PE entries are collapsed in the original report)
                  No Sigma rule has matched
                  No Suricata rule has matched


                  AV Detection

Source: file.exe | Avira: detected
Source: file.exe | ReversingLabs: Detection: 92%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net

                  Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: file.exe, type: SAMPLE
Source: Yara match | File source: Process Memory Space: file.exe PID: 6884, type: MEMORYSTR

                  System Summary

Source: file.exe, type: SAMPLE | Matched rule: Gandcrab Payload | Author: kevoreilly
Source: file.exe, type: SAMPLE | Matched rule: detects Reflective DLL injection artifacts | Author: ditekSHen
Source: 1.2.file.exe.3520c0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload | Author: kevoreilly
Source: 1.2.file.exe.3520c0.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts | Author: ditekSHen
Source: 1.2.file.exe.3520c0.1.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload | Author: kevoreilly
Source: 1.2.file.exe.3520c0.1.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts | Author: ditekSHen
Source: 1.0.file.exe.3520c0.1.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload | Author: kevoreilly
Source: 1.0.file.exe.3520c0.1.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts | Author: ditekSHen
Source: 1.0.file.exe.3520c0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload | Author: kevoreilly
Source: 1.0.file.exe.3520c0.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts | Author: ditekSHen
Source: 1.2.file.exe.340000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload | Author: kevoreilly
Source: 1.2.file.exe.340000.0.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts | Author: ditekSHen
Source: 1.0.file.exe.340000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload | Author: kevoreilly
Source: 1.0.file.exe.340000.0.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts | Author: ditekSHen
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00349831
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00348052
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00347AE0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0034693C
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0034A79D
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00341D9B
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003485C4
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 280
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe, type: SAMPLE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: file.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.2.file.exe.3520c0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 1.2.file.exe.3520c0.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.2.file.exe.3520c0.1.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 1.2.file.exe.3520c0.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.0.file.exe.3520c0.1.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 1.0.file.exe.3520c0.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.0.file.exe.3520c0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 1.0.file.exe.3520c0.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.2.file.exe.340000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 1.2.file.exe.340000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.0.file.exe.340000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 1.0.file.exe.340000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: classification engine | Classification label: mal88.rans.evad.winEXE@2/5@0/0
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6884
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\ec361043-d9a8-4f3e-b23d-ce934839d82b
Source: C:\Users\user\Desktop\file.exe | Command line argument: >C4 (function 1_2_00344290)
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 92%
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 280
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

                  Data Obfuscation

Source: Yara match | File source: file.exe, type: SAMPLE
Source: Yara match | File source: 1.2.file.exe.3520c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.file.exe.3520c0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.file.exe.3520c0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.file.exe.3520c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.file.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.file.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2310972685.0000000000352000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.2280026514.0000000000351000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6884, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00342975 push ecx; ret 1_2_00342988
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00341D9B EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00341D9B
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical entries in the report)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (50 identical entries in the report)
Source: C:\Users\user\Desktop\file.exe | API coverage: 1.2 %
Source: Amcache.hve.4.dr | Binary or memory string: VMware
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_1-5271)
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0034330E __mtinitlocknum,LdrInitializeThunk,1_2_0034330E
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00344070 _memset,IsDebuggerPresent,1_2_00344070
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00344D5A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,1_2_00344D5A
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00341F80 GetProcessHeap,1_2_00341F80
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003432F8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_003432F8
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003432C7 SetUnhandledExceptionFilter,1_2_003432C7
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00342C5C cpuid 1_2_00342C5C
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003427C0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,1_2_003427C0
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe
MITRE ATT&CK Matrix (rendered as a graphic in the original report; the flattened cell text is not reliably reconstructable)
Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
Techniques marked for this sample (as far as recoverable from the flattened text): Command and Scripting Interpreter, DLL Side-Loading, Process Injection, Virtualization/Sandbox Evasion, System Time Discovery, Archive Collected Data, Encrypted Channel, Security Software Discovery, Obfuscated Files or Information, System Information Discovery
Antivirus detection for the sample:
Source | Detection | Scanner | Label | Link
file.exe | 92% | ReversingLabs | Win32.Ransomware.GandCrab |
file.exe | 100% | Avira | HEUR/AGEN.1317528 |
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches (dropped files, unpacked PE files, domains)

Antivirus detection for URLs:
Source | Detection | Scanner | Label | Link
http://upx.sf.net | 0% | URL Reputation | safe |
No contacted domains info

URLs found in memory or files:
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.4.dr | false | URL Reputation: safe | unknown
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1522707
Start date and time: 2024-09-30 15:47:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 21s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal88.rans.evad.winEXE@2/5@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 1
• Number of non-executed functions: 11
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.89.179.12
• Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, g.bing.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
• VT rate limit hit for: file.exe
                  Time | Type | Description
                  09:48:20 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                  No context
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):65536
                  Entropy (8bit):0.6761429324392154
                  Encrypted:false
                  SSDEEP:192:+/RbXvYPA0BU/b03juqzuiFYZ24IO8ThB:aYTBU/wj7zuiFYY4IO8L
                  MD5:692FBCA37E235E884BD5E16108FB14F1
                  SHA1:9EF40A67701C76616F07542E338100FA76476C4D
                  SHA-256:5E6BCB2374BCD2E1A197ABE4DE213B14A85B7406D6392DC2411E0B60595BB133
                  SHA-512:9537547AE1DF45FA8F40EE63D4ACD76D7E5224AC9218126A21F644577A40E1119370DB42E7D0751AB09EC0BCB8E78B49C2271ACAF2B4BCDEC72D8B6172360EF4
                  Malicious:true
                  Reputation:low
                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.1.7.7.6.9.8.1.7.1.8.1.6.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.1.7.7.6.9.8.5.9.3.6.9.5.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.9.b.2.6.6.9.5.-.c.d.8.5.-.4.a.b.3.-.9.0.b.a.-.f.1.6.1.5.2.b.8.8.4.0.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.c.2.2.9.4.b.e.-.2.1.d.8.-.4.d.f.d.-.8.d.b.c.-.1.5.f.9.d.9.6.b.5.b.2.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.e.4.-.0.0.0.1.-.0.0.1.5.-.9.1.0.7.-.7.7.6.7.3.f.1.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.1.5.2.c.0.9.b.9.2.5.c.b.1.2.0.c.0.f.d.6.4.6.e.0.a.3.c.b.f.2.1.2.0.c.8.e.7.c.e.6.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.8././.0.4.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Mini DuMP crash report, 14 streams, Mon Sep 30 13:48:18 2024, 0x1205a4 type
                  Category:dropped
                  Size (bytes):41372
                  Entropy (8bit):1.6426375316816377
                  Encrypted:false
                  SSDEEP:192:EKLA8JYp8HtOaBpz6aRngrW6qQsgDcFcJ:88A5mng3Rcm
                  MD5:34ED12D8DE0669085A52353CE080B0D4
                  SHA1:D055A0C9CE4666BD16A343FFA601EFF47A60797B
                  SHA-256:196EE366812E1F383BBDC89F5B9B179D76B26CE9A7D50BB705A48E02805B48B5
                  SHA-512:943C8D9D883177FAA9B971E1622F81FC4A3A1E344322A6885429B2BBF07E5618BE1F5CEAF2CFEB1BEC8FA58E90415C4CC724F820F63C1F553DC4CC88B4235BE0
                  Malicious:false
                  Reputation:low
                  Preview:MDMP..a..... ......."..f........................................<...........T.......8...........T...........................L...........8...............................................................................eJ..............GenuineIntel............T...........!..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):8270
                  Entropy (8bit):3.689866710440127
                  Encrypted:false
                  SSDEEP:192:R6l7wVeJ+Cd6U6Y2DLSUOGLgmfBUJjnprP89bDusfuBm:R6lXJX6U6YGSUOGLgmf+JjKDtfp
                  MD5:72DC839581A05E1072EFBB63B593EDA7
                  SHA1:A0F351943DAACE9596F6B1C0021BF2CF331D696D
                  SHA-256:45841A9024376839E3FA52ADE054C7A70DCBD25A966FC6C8C1ABC60B4BA5E89C
                  SHA-512:40466BE9651BD6B1509A3DBF08CFE0FFB2A5B2E1FC0FA078A51CD11AA24084708450FCD6F4EBD0F8F472850E5162B1AB179EF1B277554FD97FCB6579E48114AB
                  Malicious:false
                  Reputation:low
                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.8.4.<./.P.i.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4555
                  Entropy (8bit):4.428483558745421
                  Encrypted:false
                  SSDEEP:48:cvIwWl8zsPJg77aI9n8WpW8VYRYm8M4Jz8Fco+q83fR8uPXWd:uIjfxI7B17VBJ7oq7PXWd
                  MD5:FC71BB530CA7A92D8D52B2142F24FA2A
                  SHA1:D79F4C36BEA1298A48BAFABFFB49413DE0218E2F
                  SHA-256:CBAD787DB221A55D0FF14C9C5410868BFCAB73B3570AFD5BDF85275F99525CCB
                  SHA-512:CE730F0A54F3B54400F24B17BCB2897431423E6452989B179C2D9E7EF0BE67EF990CD9BEB48C6D2FD399446DC41B17B4AF059045F0DEBF6CBC76CE906A06C931
                  Malicious:false
                  Reputation:low
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="523010" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):1835008
                  Entropy (8bit):4.468411858057873
                  Encrypted:false
                  SSDEEP:6144:szZfpi6ceLPx9skLmb0fuZWSP3aJG8nAgeiJRMMhA2zX4WABluuNbjDH5S:SZHtuZWOKnMM6bFp9j4
                  MD5:2021284BD4C262F8503FA1583E39D7AB
                  SHA1:F7D3BE50344BB31E6B6C4C8F751559113A57F1F8
                  SHA-256:5193B641540181732EC19797A547FEF74E172C33B74A8C8AEB7F6024EFED0CB4
                  SHA-512:7ABE6AC5579A8F8D512E229CD237E60673F07567FB1B3C43100204F7DBEC21049CFF4A90696411C387859AC7D31027FEC8EB195E0298D19CDC7207761F23F32C
                  Malicious:false
                  Reputation:low
                  Preview:regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.g.g?...............................................................................................................................................................................................................................................................................................................................................S..S........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):6.446354373550859
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:file.exe
                  File size:146'432 bytes
                  MD5:dcb556280972bcbd51ba0fa8ee7b6a46
                  SHA1:152c09b925cb120c0fd646e0a3cbf2120c8e7ce6
                  SHA256:2e96b64287a0b741837c9f8179e8e1596d0f854d66108b38e4b84cc71c02e6c3
                  SHA512:026024db8d9068c405b673aa185a9a891eed834ca17dc0e890600fe20e046b6b1b76d193b60487a4d785b19bff4741d63f3d480803a92859e09e58be9be2bb3e
                  SSDEEP:3072:o+HcL2ICfNTntqSQRruiMZMqqDL2/Awvdr7Vjp9:h1DtORruiMyqqDL6tvdRp9
                  TLSH:5DE37B1B72D190B2F0F30675E9B4AD21092F3D202F949EEB26E655ED1D210F1AD3AB53
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~...............ND......Nz......NE......g6..............MA......M{.....Rich............PE..L...^..Z...........................
                  Icon Hash:00928e8e8686b000
                  Entrypoint:0x401548
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Time Stamp:0x5ACFC45E [Thu Apr 12 20:41:02 2018 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:5
                  OS Version Minor:1
                  File Version Major:5
                  File Version Minor:1
                  Subsystem Version Major:5
                  Subsystem Version Minor:1
                  Import Hash:4b0a5cb1aa0992ea9901768198fd3e7e
                  Instruction
                  call 00007F4BBC8137F8h
                  jmp 00007F4BBC812400h
                  cmp ecx, dword ptr [00411050h]
                  jne 00007F4BBC812584h
                  rep ret
                  jmp 00007F4BBC813B85h
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  mov ecx, dword ptr [esp+08h]
                  mov eax, dword ptr [esp+04h]
                  push edi
                  push ebx
                  push esi
                  cmp dword ptr [00425460h], 01h
                  jc 00007F4BBC812754h
                  ja 00007F4BBC812683h
                  movzx edx, byte ptr [ecx]
                  mov ebx, edx
                  shl edx, 08h
                  or edx, ebx
                  je 00007F4BBC81266Fh
                  movd xmm3, edx
                  pshuflw xmm3, xmm3, 00h
                  movlhps xmm3, xmm3
                  pxor xmm0, xmm0
                  mov esi, ecx
                  or edi, FFFFFFFFh
                  movzx ebx, byte ptr [ecx]
                  add ecx, 01h
                  test ebx, ebx
                  je 00007F4BBC81259Fh
                  test ecx, 0000000Fh
                  jne 00007F4BBC812570h
                  movdqa xmm2, dqword ptr [ecx]
                  pcmpeqb xmm2, xmm0
                  pmovmskb ebx, xmm2
                  test ebx, ebx
                  jne 00007F4BBC812587h
                  mov edi, 0000000Fh
                  movd edx, xmm3
                  mov ebx, 00000FFFh
                  and ebx, eax
                  cmp ebx, 00000FF0h
                  jnbe 00007F4BBC8125A9h
                  movdqu xmm1, dqword ptr [eax]
                  pxor xmm2, xmm2
                  pcmpeqb xmm2, xmm1
                  pcmpeqb xmm1, xmm3
                  por xmm1, xmm2
                  pmovmskb ebx, xmm1
                  add eax, 10h
                  test ebx, ebx
                  je 00007F4BBC812554h
                  bsf ebx, ebx
                  Programming Language:
                  • [IMP] VS2008 SP1 build 30729
                  • [LNK] VS2013 build 21005
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10044 | 0x50 | .rdata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x27000 | 0xcc4 | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xfce8 | 0x40 | .rdata
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_IAT | 0xc000 | 0x114 | .rdata
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x1000 | 0xa636 | 0xa800 | 5c29e900a781b9d86e5b9ec3fd48a242 | False | 0.5902390252976191 | data | 6.684915855353336 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .rdata | 0xc000 | 0x467e | 0x4800 | 902455cb5d03cf09ed5a649ca52d5a34 | False | 0.3879665798611111 | data | 4.5720862205325465 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .data | 0x11000 | 0x15724 | 0x13a00 | 74bd8911a6d9febcbe78ce92c1ea0bbf | False | 0.46954617834394907 | data | 6.401183667445254 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .reloc | 0x27000 | 0xcc4 | 0xe00 | 941233e7b15967ef37c2fc67184d8917 | False | 0.7600446428571429 | data | 6.265825312774808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                  DLL | Import
                  KERNEL32.dll | VirtualProtect, ExitProcess, OpenProcess, Sleep, GetFileAttributesW, GetModuleFileNameW, CreateFileW, ExitThread, lstrlenW, GetLastError, GetProcAddress, CloseHandle, SetFilePointerEx, SetStdHandle, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetCommandLineA, SetLastError, GetCurrentThreadId, EncodePointer, DecodePointer, GetModuleHandleExW, MultiByteToWideChar, WideCharToMultiByte, GetProcessHeap, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, GetModuleFileNameA, WriteFile, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, IsDebuggerPresent, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, EnterCriticalSection, LeaveCriticalSection, HeapFree, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, LoadLibraryExW, OutputDebugStringW, HeapAlloc, HeapReAlloc, GetStringTypeW, HeapSize, LCMapStringW, WriteConsoleW
                  USER32.dll | MessageBoxW
                  ntdll.dll | RtlUnwind
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Sep 30, 2024 15:48:37.790086985 CEST | 53 | 59313 | 1.1.1.1 | 192.168.2.6


                  Target ID:1
                  Start time:09:48:17
                  Start date:30/09/2024
                  Path:C:\Users\user\Desktop\file.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\file.exe"
                  Imagebase:0x340000
                  File size:146'432 bytes
                  MD5 hash:DCB556280972BCBD51BA0FA8EE7B6A46
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000001.00000002.2310972685.0000000000352000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000001.00000000.2280026514.0000000000351000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:true

                  Target ID:4
                  Start time:09:48:18
                  Start date:30/09/2024
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 280
                  Imagebase:0x8d0000
                  File size:483'680 bytes
                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true


                    Execution Graph

                    Execution Coverage:0.6%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:8.9%
                    Total number of Nodes:1491
                    Total number of Limit Nodes:1
                    execution_graph 6109 344830 6110 344842 6109->6110 6112 344850 @_EH4_CallFilterFunc@8 6109->6112 6111 341552 __cftoe2_l 6 API calls 6110->6111 6111->6112 6193 3448f2 6194 3448ff 6193->6194 6195 3434c5 __calloc_crt 58 API calls 6194->6195 6196 344919 6195->6196 6197 344932 6196->6197 6198 3434c5 __calloc_crt 58 API calls 6196->6198 6198->6197 6199 34197d 6201 341989 __fcloseall 6199->6201 6200 3419a2 6204 3419b1 6200->6204 6205 34348d _free 58 API calls 6200->6205 6201->6200 6202 341a91 __fcloseall 6201->6202 6203 34348d _free 58 API calls 6201->6203 6203->6200 6206 3419c0 6204->6206 6208 34348d _free 58 API calls 6204->6208 6205->6204 6207 3419cf 6206->6207 6209 34348d _free 58 API calls 6206->6209 6210 34348d _free 58 API calls 6207->6210 6211 3419de 6207->6211 6208->6206 6209->6207 6210->6211 6212 3419ed 6211->6212 6213 34348d _free 58 API calls 6211->6213 6214 3419fc 6212->6214 6216 34348d _free 58 API calls 6212->6216 6213->6212 6215 341a0e 6214->6215 6217 34348d _free 58 API calls 6214->6217 6218 34330e __lock 58 API calls 6215->6218 6216->6214 6217->6215 6221 341a16 6218->6221 6219 341a39 6231 341a9d 6219->6231 6221->6219 6223 34348d _free 58 API calls 6221->6223 6223->6219 6224 34330e __lock 58 API calls 6229 341a4d ___removelocaleref 6224->6229 6225 341a7e 6234 341aa9 6225->6234 6228 34348d _free 58 API calls 6228->6202 6229->6225 6230 343633 ___freetlocinfo 58 API calls 6229->6230 6230->6225 6237 343478 LeaveCriticalSection 6231->6237 6233 341a46 6233->6224 6238 343478 LeaveCriticalSection 6234->6238 6236 341a8b 6236->6228 6237->6233 6238->6236 6239 3414f8 6240 341507 6239->6240 6241 34150d 6239->6241 6242 341d87 _raise 58 API calls 6240->6242 6245 341ce5 6241->6245 6242->6241 6244 341512 __fcloseall 6246 341e3d _doexit 58 API calls 6245->6246 6247 341cf0 6246->6247 6247->6244 6248 347a64 6249 347a6c __cfltcvt_init 6248->6249 6250 347a77 6249->6250 6252 34980a 6249->6252 6258 34a68f 6252->6258 6254 34981d 6255 349824 6254->6255 6256 
3441dd __invoke_watson 8 API calls 6254->6256 6255->6250 6257 349830 6256->6257 6259 34a6ab __control87 6258->6259 6263 34a6cb __control87 6258->6263 6260 34423c __cftoe2_l 58 API calls 6259->6260 6261 34a6c1 6260->6261 6262 3441cd __cftoe2_l 9 API calls 6261->6262 6262->6263 6263->6254 6264 3414e4 6267 341822 6264->6267 6268 341aca __getptd_noexit 58 API calls 6267->6268 6269 3414f5 6268->6269 6270 344965 6277 346346 6270->6277 6273 344978 6275 34348d _free 58 API calls 6273->6275 6276 344983 6275->6276 6290 34634f 6277->6290 6279 34496a 6279->6273 6280 346577 6279->6280 6281 346583 __fcloseall 6280->6281 6282 34330e __lock 58 API calls 6281->6282 6283 34658f 6282->6283 6284 3465f4 6283->6284 6288 3465c8 DeleteCriticalSection 6283->6288 6318 34720d 6283->6318 6331 34660b 6284->6331 6286 346600 __fcloseall 6286->6273 6289 34348d _free 58 API calls 6288->6289 6289->6283 6291 34635b __fcloseall 6290->6291 6292 34330e __lock 58 API calls 6291->6292 6298 34636a 6292->6298 6293 346408 6308 34642a 6293->6308 6296 346414 __fcloseall 6296->6279 6298->6293 6299 34629c 82 API calls __fflush_nolock 6298->6299 6300 3449cb 6298->6300 6305 3463f7 6298->6305 6299->6298 6301 3449d6 6300->6301 6302 3449ec EnterCriticalSection 6300->6302 6303 34330e __lock 58 API calls 6301->6303 6302->6298 6304 3449df 6303->6304 6304->6298 6311 344a35 6305->6311 6307 346405 6307->6298 6317 343478 LeaveCriticalSection 6308->6317 6310 346431 6310->6296 6312 344a56 LeaveCriticalSection 6311->6312 6313 344a43 6311->6313 6312->6307 6316 343478 LeaveCriticalSection 6313->6316 6315 344a53 6315->6307 6316->6315 6317->6310 6319 347219 __fcloseall 6318->6319 6320 347245 6319->6320 6321 34722d 6319->6321 6328 34723d __fcloseall 6320->6328 6334 34498c 6320->6334 6322 34423c __cftoe2_l 58 API calls 6321->6322 6324 347232 6322->6324 6326 3441cd __cftoe2_l 9 API calls 6324->6326 6326->6328 6328->6283 6586 343478 LeaveCriticalSection 6331->6586 6333 346612 6333->6286 6335 34499c 6334->6335 6336 3449be 
EnterCriticalSection 6334->6336 6335->6336 6338 3449a4 6335->6338 6337 3449b4 6336->6337 6340 3471a1 6337->6340 6339 34330e __lock 58 API calls 6338->6339 6339->6337 6341 3471c4 6340->6341 6342 3471b0 6340->6342 6348 3471c0 6341->6348 6359 3462e2 6341->6359 6343 34423c __cftoe2_l 58 API calls 6342->6343 6345 3471b5 6343->6345 6347 3441cd __cftoe2_l 9 API calls 6345->6347 6347->6348 6356 34727c 6348->6356 6352 3471de 6376 34766a 6352->6376 6354 3471e4 6354->6348 6355 34348d _free 58 API calls 6354->6355 6355->6348 6579 3449fb 6356->6579 6358 347282 6358->6328 6360 3462f5 6359->6360 6361 346319 6359->6361 6360->6361 6362 346224 __fclose_nolock 58 API calls 6360->6362 6365 3477df 6361->6365 6363 346312 6362->6363 6402 34684d 6363->6402 6366 3471d8 6365->6366 6367 3477ec 6365->6367 6369 346224 6366->6369 6367->6366 6368 34348d _free 58 API calls 6367->6368 6368->6366 6370 346243 6369->6370 6371 34622e 6369->6371 6370->6352 6372 34423c __cftoe2_l 58 API calls 6371->6372 6373 346233 6372->6373 6374 3441cd __cftoe2_l 9 API calls 6373->6374 6375 34623e 6374->6375 6375->6352 6377 347676 __fcloseall 6376->6377 6378 347683 6377->6378 6379 34769a 6377->6379 6381 344208 __commit 58 API calls 6378->6381 6380 347725 6379->6380 6383 3476aa 6379->6383 6384 344208 __commit 58 API calls 6380->6384 6382 347688 6381->6382 6385 34423c __cftoe2_l 58 API calls 6382->6385 6386 3476d2 6383->6386 6387 3476c8 6383->6387 6388 3476cd 6384->6388 6399 34768f __fcloseall 6385->6399 6390 3472bb ___lock_fhandle 59 API calls 6386->6390 6389 344208 __commit 58 API calls 6387->6389 6391 34423c __cftoe2_l 58 API calls 6388->6391 6389->6388 6392 3476d8 6390->6392 6393 347731 6391->6393 6394 3476f6 6392->6394 6395 3476eb 6392->6395 6397 3441cd __cftoe2_l 9 API calls 6393->6397 6396 34423c __cftoe2_l 58 API calls 6394->6396 6551 347745 6395->6551 6400 3476f1 6396->6400 6397->6399 6399->6354 6566 34771d 6400->6566 6403 346859 __fcloseall 6402->6403 6404 346866 6403->6404 6405 34687d 6403->6405 6430 344208 
6404->6430 6407 34691c 6405->6407 6409 346891 6405->6409 6410 344208 __commit 58 API calls 6407->6410 6413 3468af 6409->6413 6414 3468b9 6409->6414 6411 3468b4 6410->6411 6417 34423c __cftoe2_l 58 API calls 6411->6417 6412 34423c __cftoe2_l 58 API calls 6425 346872 __fcloseall 6412->6425 6416 344208 __commit 58 API calls 6413->6416 6433 3472bb 6414->6433 6416->6411 6419 346928 6417->6419 6418 3468bf 6420 3468e5 6418->6420 6421 3468d2 6418->6421 6422 3441cd __cftoe2_l 9 API calls 6419->6422 6424 34423c __cftoe2_l 58 API calls 6420->6424 6442 34693c 6421->6442 6422->6425 6427 3468ea 6424->6427 6425->6361 6426 3468de 6501 346914 6426->6501 6428 344208 __commit 58 API calls 6427->6428 6428->6426 6431 341aca __getptd_noexit 58 API calls 6430->6431 6432 34420d 6431->6432 6432->6412 6434 3472c7 __fcloseall 6433->6434 6435 347316 EnterCriticalSection 6434->6435 6437 34330e __lock 58 API calls 6434->6437 6436 34733c __fcloseall 6435->6436 6436->6418 6438 3472ec 6437->6438 6439 342fce __mtinitlocks InitializeCriticalSectionAndSpinCount 6438->6439 6441 347304 6438->6441 6439->6441 6504 347340 6441->6504 6443 346949 __write_nolock 6442->6443 6444 3469a7 6443->6444 6445 346988 6443->6445 6473 34697d 6443->6473 6449 3469ff 6444->6449 6450 3469e3 6444->6450 6446 344208 __commit 58 API calls 6445->6446 6448 34698d 6446->6448 6447 341552 __cftoe2_l 6 API calls 6451 34719d 6447->6451 6452 34423c __cftoe2_l 58 API calls 6448->6452 6453 346a18 6449->6453 6508 3474a7 6449->6508 6454 344208 __commit 58 API calls 6450->6454 6451->6426 6455 346994 6452->6455 6517 346248 6453->6517 6458 3469e8 6454->6458 6459 3441cd __cftoe2_l 9 API calls 6455->6459 6461 34423c __cftoe2_l 58 API calls 6458->6461 6459->6473 6460 346a26 6462 346d7f 6460->6462 6467 341ab2 __setmbcp 58 API calls 6460->6467 6463 3469ef 6461->6463 6464 347112 WriteFile 6462->6464 6465 346d9d 6462->6465 6466 3441cd __cftoe2_l 9 API calls 6463->6466 6468 346d72 GetLastError 6464->6468 6475 346d3f 6464->6475 6469 346ec1 6465->6469 
6478 346db3 6465->6478 6466->6473 6470 346a52 GetConsoleMode 6467->6470 6468->6475 6479 346ecc 6469->6479 6493 346fb6 6469->6493 6470->6462 6472 346a91 6470->6472 6471 34714b 6471->6473 6474 34423c __cftoe2_l 58 API calls 6471->6474 6472->6462 6476 346aa1 GetConsoleCP 6472->6476 6473->6447 6480 347179 6474->6480 6475->6471 6475->6473 6481 346e9f 6475->6481 6476->6471 6497 346ad0 6476->6497 6477 346e22 WriteFile 6477->6468 6477->6478 6478->6471 6478->6475 6478->6477 6479->6471 6479->6475 6482 346f31 WriteFile 6479->6482 6483 344208 __commit 58 API calls 6480->6483 6484 347142 6481->6484 6485 346eaa 6481->6485 6482->6468 6482->6479 6483->6473 6529 34421b 6484->6529 6487 34423c __cftoe2_l 58 API calls 6485->6487 6486 34702b WideCharToMultiByte 6486->6468 6486->6493 6490 346eaf 6487->6490 6489 34707a WriteFile 6492 3470cd GetLastError 6489->6492 6489->6493 6494 344208 __commit 58 API calls 6490->6494 6492->6493 6493->6471 6493->6475 6493->6486 6493->6489 6494->6473 6495 34760f 60 API calls __write_nolock 6495->6497 6496 347627 WriteConsoleW CreateFileW __putwch_nolock 6496->6497 6497->6468 6497->6475 6497->6495 6497->6496 6498 346bb9 WideCharToMultiByte 6497->6498 6500 346c4e WriteFile 6497->6500 6526 347496 6497->6526 6498->6475 6499 346bf4 WriteFile 6498->6499 6499->6468 6499->6497 6500->6468 6500->6497 6550 347436 LeaveCriticalSection 6501->6550 6503 34691a 6503->6425 6507 343478 LeaveCriticalSection 6504->6507 6506 347347 6506->6435 6507->6506 6534 3473cf 6508->6534 6510 3474b7 6511 3474d0 SetFilePointerEx 6510->6511 6512 3474bf 6510->6512 6514 3474e8 GetLastError 6511->6514 6516 3474c4 6511->6516 6513 34423c __cftoe2_l 58 API calls 6512->6513 6513->6516 6515 34421b __dosmaperr 58 API calls 6514->6515 6515->6516 6516->6453 6518 346253 6517->6518 6520 346260 6517->6520 6519 34423c __cftoe2_l 58 API calls 6518->6519 6521 346258 6519->6521 6522 34626c 6520->6522 6523 34423c __cftoe2_l 58 API calls 6520->6523 6521->6460 6522->6460 6524 34628d 6523->6524 6525 3441cd 
[Execution graph residue: the report's call-graph figure for file.exe spilled into the text as node ids, image addresses (0x341xxx to 0x34bxxx) and edges written as "a->b". Only the node labels are recoverable. Most nodes are Microsoft CRT startup and runtime helpers (__cftoe2_l, __commit, __dosmaperr, __lock, _free, __calloc_crt, __malloc_crt, __realloc_crt, __setmbcp, _doexit, __except_handler4, __invoke_watson, __call_reportfault, __NMSG_WRITE, __FF_MSGBANNER, _parse_cmdline, __initterm_e, __fltout2, __fptostr, ___crtLCMapStringA, ___crtGetStringTypeA and similar). Windows API calls referenced from those nodes: GetProcessHeap, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleExW, GetStartupInfoW, GetStdHandle, SetStdHandle, GetFileType, WriteFile, CloseHandle, GetLastError, SetLastError, EncodePointer, DecodePointer, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, HeapAlloc, HeapReAlloc, HeapFree, HeapSize, Sleep, LdrInitializeThunk, RtlUnwind, IsProcessorFeaturePresent, IsDebuggerPresent, OutputDebugStringW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, LoadLibraryExW, GetProcAddress, GetOEMCP, GetACP, IsValidCodePage, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetStringTypeW, LCMapStringW. The non-CRT path starting at 0x341220 (reached from the CRT entry at 0x3413cd) goes through 0x3412c2 to lstrlenW and MessageBoxW, OpenProcess and GetLastError, then into 0x341130 with two VirtualProtect call sites (0x34118b, 0x3411ab), ending in ExitProcess (0x34134b) or ExitThread (0x3413c6); a separate node 0x34780f calls CloseHandle. The graph edges themselves carry no further information and are omitted here.]
QueryPerformanceCounter 6886->6887 6888 3427e3 6886->6888 6889 3427e7 6887->6889 6888->6887 6888->6889 6889->6885

                    Control-flow Graph

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.2310919959.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                    • Associated: 00000001.00000002.2310905336.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310937303.000000000034C000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310957115.0000000000351000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310972685.0000000000352000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310993708.0000000000364000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2311010690.0000000000367000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_340000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _fast_error_exit$CommandEnvironmentInitializeLineStrings___crt__cinit__ioinit__setargv__setenvp
                    • String ID: .$
                    • API String ID: 3919536372-2223841709
                    • Opcode ID: ea5ee0f50b77f23cbe7c5a7265dedd557f3c0ff846e2624e76e82db4c8c4e736
                    • Instruction ID: ac0812978959ab0e09315f75788122f777e0ebf34f352dbfc7711cc534b70a6f
                    • Opcode Fuzzy Hash: ea5ee0f50b77f23cbe7c5a7265dedd557f3c0ff846e2624e76e82db4c8c4e736
                    • Instruction Fuzzy Hash: 0A21F730A40B009EDB137BF1AD8276D32E8AF01344F118429F5049F2D3EBB5B9C08B55
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,0034416E,?,?,?,00000000), ref: 003432FD
                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 00343306
                    Memory Dump Source
                    • Source File: 00000001.00000002.2310919959.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                    • Associated: 00000001.00000002.2310905336.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310937303.000000000034C000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310957115.0000000000351000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310972685.0000000000352000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310993708.0000000000364000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2311010690.0000000000367000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_340000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: bee3bffc2677855d0a1e9b11e8fa69ecc55e4a97ed40d0e517d80af54d3f46d9
                    • Instruction ID: 0f44e0a0d6790cea6b35e77288a9e190426cc281f2d87554c0da7060731a311d
                    • Opcode Fuzzy Hash: bee3bffc2677855d0a1e9b11e8fa69ecc55e4a97ed40d0e517d80af54d3f46d9
                    • Instruction Fuzzy Hash: 61B0923506520CEBCB822BA1EC09B58BF2CEB06756F405010F60E480618F72A4108AA1
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(?,?,0034181E,003417D3), ref: 003432CD
                    Memory Dump Source
                    • Source File: 00000001.00000002.2310919959.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                    • Associated: 00000001.00000002.2310905336.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310937303.000000000034C000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310957115.0000000000351000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310972685.0000000000352000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310993708.0000000000364000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2311010690.0000000000367000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_340000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: 29bb4036d9b6f1ab41e81f8ddf84ef98399f0a8d2c0c56620ccf1e1817b684be
                    • Instruction ID: a16bb69f4bbf264b837a1770c3fbb71b2373116d37cc4d8f534ee738327db76d
                    • Opcode Fuzzy Hash: 29bb4036d9b6f1ab41e81f8ddf84ef98399f0a8d2c0c56620ccf1e1817b684be
                    • Instruction Fuzzy Hash: 3AA0113000020CEB8F022B82EC088883F2CEA022A8B800020F80E080208B23A8208A80
                    APIs
                    • GetProcessHeap.KERNEL32(0034142E,0034FD70,00000014), ref: 00341F80
                    Memory Dump Source
                    • Source File: 00000001.00000002.2310919959.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                    • Associated: 00000001.00000002.2310905336.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310937303.000000000034C000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310957115.0000000000351000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310972685.0000000000352000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310993708.0000000000364000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2311010690.0000000000367000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_340000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: HeapProcess
                    • String ID:
                    • API String ID: 54951025-0
                    • Opcode ID: 2506b704b4c81faf452e7e268c6953db6d1c90930d1276bff2b8d91aec17e6bb
                    • Instruction ID: 569beeb139baba7ce6e511a17ccfd7bba2427f9a94ea5feab8868da6b413943a
                    • Opcode Fuzzy Hash: 2506b704b4c81faf452e7e268c6953db6d1c90930d1276bff2b8d91aec17e6bb
                    • Instruction Fuzzy Hash: 88B012B070230387474A4F797C1410935DC6708301700807DB003C6170DF20C4109F00

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 137 341220-3412c5 139 3412e5-341347 OpenProcess GetLastError 137->139 140 3412c7-3412df lstrlenW MessageBoxW 137->140 141 341351-341355 139->141 142 341349 139->142 140->139 144 341360-3413b9 141->144 143 34134b ExitProcess 142->143 144->144 145 3413bb-3413c4 call 341130 144->145 145->143 148 3413c6 ExitThread 145->148
                    APIs
                    • GetFileAttributesW.KERNEL32(?), ref: 003412BC
                    • lstrlenW.KERNEL32(003A0043,0034FCE0,00000040), ref: 003412D2
                    • MessageBoxW.USER32(00000000,?), ref: 003412DF
                    • OpenProcess.KERNEL32(00000000,00000000,00000000), ref: 00341338
                    • GetLastError.KERNEL32 ref: 0034133E
                    • ExitProcess.KERNEL32(00000000), ref: 0034134B
                    • ExitThread.KERNEL32 ref: 003413C6
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.2310919959.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                    • Associated: 00000001.00000002.2310905336.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310937303.000000000034C000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310957115.0000000000351000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310972685.0000000000352000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310993708.0000000000364000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2311010690.0000000000367000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_340000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExitProcess$AttributesErrorFileLastMessageOpenThreadlstrlen
                    • String ID: $ $"$)$@3#v$A$C$H$\$a$a$b$c$l$l$o$r$s$s$t$w
                    • API String ID: 3477480091-3518619610
                    • Opcode ID: ef9708b68583c2915b20da6bf324e731a323ac851983d13dacd1ea136b199f92
                    • Instruction ID: 73f771af0f34e29403567a3953f74d2164555da63bf3c7e54fd84750c59f68ea
                    • Opcode Fuzzy Hash: ef9708b68583c2915b20da6bf324e731a323ac851983d13dacd1ea136b199f92
                    • Instruction Fuzzy Hash: DE419AB0900208DBEB16CFE5D89879EBFB5FB05708F20451CE411AF192C7B99989CF94

                    Control-flow Graph

                    APIs
                    • __init_pointers.LIBCMT ref: 00341BEC
                      • Part of subcall function 00341D9B: EncodePointer.KERNEL32(00000000,?,00341BF1,0034143F,0034FD70,00000014), ref: 00341D9E
                      • Part of subcall function 00341D9B: __initp_misc_winsig.LIBCMT ref: 00341DB9
                      • Part of subcall function 00341D9B: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00343043
                      • Part of subcall function 00341D9B: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00343057
                      • Part of subcall function 00341D9B: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0034306A
                      • Part of subcall function 00341D9B: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0034307D
                      • Part of subcall function 00341D9B: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00343090
                      • Part of subcall function 00341D9B: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 003430A3
                      • Part of subcall function 00341D9B: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 003430B6
                      • Part of subcall function 00341D9B: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 003430C9
                      • Part of subcall function 00341D9B: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 003430DC
                      • Part of subcall function 00341D9B: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 003430EF
                      • Part of subcall function 00341D9B: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00343102
                      • Part of subcall function 00341D9B: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00343115
                      • Part of subcall function 00341D9B: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00343128
                      • Part of subcall function 00341D9B: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0034313B
                      • Part of subcall function 00341D9B: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0034314E
                      • Part of subcall function 00341D9B: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00343161
                    • __mtinitlocks.LIBCMT ref: 00341BF1
                    • __mtterm.LIBCMT ref: 00341BFA
                      • Part of subcall function 00341C62: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00341BFF,0034143F,0034FD70,00000014), ref: 00343359
                      • Part of subcall function 00341C62: _free.LIBCMT ref: 00343360
                      • Part of subcall function 00341C62: DeleteCriticalSection.KERNEL32(pT6,?,?,00341BFF,0034143F,0034FD70,00000014), ref: 00343382
                    • __calloc_crt.LIBCMT ref: 00341C1F
                    • __initptd.LIBCMT ref: 00341C41
                    • GetCurrentThreadId.KERNEL32 ref: 00341C48
                    Memory Dump Source
                    • Source File: 00000001.00000002.2310919959.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                    • Associated: 00000001.00000002.2310905336.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310937303.000000000034C000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310957115.0000000000351000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310972685.0000000000352000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310993708.0000000000364000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2311010690.0000000000367000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_340000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                    • String ID:
                    • API String ID: 3567560977-0
                    • Opcode ID: 7f855602a166841801a6aa255ca58540f2d7ac4ff3ba61dff6acb762d6ffb62e
                    • Instruction ID: 748a54f69ee54590d59f84d30e39c2a30ed2184f801ce103698afd5396bb1f0c
                    • Opcode Fuzzy Hash: 7f855602a166841801a6aa255ca58540f2d7ac4ff3ba61dff6acb762d6ffb62e
                    • Instruction Fuzzy Hash: 1CF0F032168B2199E227BB747C43B8B27C8CF01771F220619F064DE0E5FF10B8C04190

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 172 341c7f-341c96 GetModuleHandleExW 173 341caf-341cb2 172->173 174 341c98-341ca8 GetProcAddress 172->174 174->173 175 341caa 174->175 175->173
                    APIs
                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,00341CBE,00000000,?,00344FB8,000000FF,0000001E,00000000,00000000,00000000,?,00343523), ref: 00341C8E
                    • GetProcAddress.KERNEL32(?,CorExitProcess), ref: 00341CA0
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.2310919959.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                    • Associated: 00000001.00000002.2310905336.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310937303.000000000034C000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310957115.0000000000351000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310972685.0000000000352000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310993708.0000000000364000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2311010690.0000000000367000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_340000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressHandleModuleProc
                    • String ID: CorExitProcess$mscoree.dll
                    • API String ID: 1646373207-1276376045
                    • Opcode ID: 23cc7e8d0a4dbae24f1783cf6151cc38acec7dc04c63db320fdce8bd3bab3cfc
                    • Instruction ID: ebff6fa58461cc5d70a25481b0c81ecd64b912cc67b092c9f113ff8eddde9ed7
                    • Opcode Fuzzy Hash: 23cc7e8d0a4dbae24f1783cf6151cc38acec7dc04c63db320fdce8bd3bab3cfc
                    • Instruction Fuzzy Hash: FED01235691208BBDB939B91DD45F9D77ADDB01781F041154F808E8051DE71FE549650

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 176 34751a-347527 177 347541 176->177 178 347529-34752e 176->178 180 347543-347548 177->180 178->177 179 347530-347533 178->179 181 347535-34753a 179->181 182 347549-34755f call 343916 179->182 181->177 183 34753c-34753e 181->183 186 347576-347587 call 34745c 182->186 187 347561-347566 182->187 183->177 195 3475c9-3475ea MultiByteToWideChar 186->195 196 347589-347590 186->196 188 34756e-347571 187->188 189 347568-34756b 187->189 191 3475fa-3475fe 188->191 189->188 193 347607-34760a 191->193 194 347600-347603 191->194 193->180 194->193 195->191 199 3475ec-3475f4 call 34423c 195->199 197 347592-347595 196->197 198 3475b9 196->198 200 347597-3475b7 MultiByteToWideChar 197->200 201 3475bc 197->201 198->201 199->191 200->198 203 3475c4-3475c7 200->203 201->199 204 3475be-3475c2 201->204 203->191 204->199 204->203
                    APIs
                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00347550
                    • __isleadbyte_l.LIBCMT ref: 0034757E
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 003475AC
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 003475E2
                    Memory Dump Source
                    • Source File: 00000001.00000002.2310919959.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                    • Associated: 00000001.00000002.2310905336.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310937303.000000000034C000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310957115.0000000000351000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310972685.0000000000352000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310993708.0000000000364000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2311010690.0000000000367000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_340000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                    • String ID:
                    • API String ID: 3058430110-0
                    • Opcode ID: 6bccfea978309457a230727f7f4b1a237a311272952979d237a119f7ef739d18
                    • Instruction ID: 403ba7373f3a37599cee59831cd589a6cd90b4d5261499605a4bb46229f8a22a
                    • Opcode Fuzzy Hash: 6bccfea978309457a230727f7f4b1a237a311272952979d237a119f7ef739d18
                    • Instruction Fuzzy Hash: 9B31AC31608256AFDB229F66CC44BAA7BE9BF42310F1644A9E8158F1A0E730F850DB90

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 206 34501d-345024 207 345026 206->207 208 345031-345037 206->208 209 345029 call 344f8b 207->209 210 345046-345047 208->210 211 345039-345044 call 34348d 208->211 212 34502e-345030 209->212 214 345079-34507c 210->214 219 345093-345095 211->219 215 34507e-34508a call 344530 call 34423c 214->215 216 345049-34504b 214->216 234 345090 215->234 220 34504d 216->220 221 34504e-345064 HeapReAlloc 216->221 220->221 223 3450c4-3450c6 221->223 224 345066-34506c 221->224 226 345092 223->226 227 3450ae-3450c2 call 34423c GetLastError call 34424f 224->227 228 34506e-345077 call 344530 224->228 226->219 227->223 228->214 235 345096-3450ac call 34423c GetLastError call 34424f 228->235 234->226 235->234
                    APIs
                    • _free.LIBCMT ref: 0034503C
                      • Part of subcall function 00344F8B: __FF_MSGBANNER.LIBCMT ref: 00344FA2
                      • Part of subcall function 00344F8B: __NMSG_WRITE.LIBCMT ref: 00344FA9
                      • Part of subcall function 00344F8B: HeapAlloc.KERNEL32(009C0000,00000000,00000001,00000000,00000000,00000000,?,00343523,00000000,00000000,00000000,00000000,?,003433D8,00000018,0034FE40), ref: 00344FCE
                    Memory Dump Source
                    • Source File: 00000001.00000002.2310919959.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                    • Associated: 00000001.00000002.2310905336.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310937303.000000000034C000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310957115.0000000000351000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310972685.0000000000352000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310993708.0000000000364000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2311010690.0000000000367000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_340000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocHeap_free
                    • String ID:
                    • API String ID: 1080816511-0
                    • Opcode ID: cefd973072523b50968d3a0e4c67dd8ccec8e7ca926fdefc19cf1b3ed4d8873f
                    • Instruction ID: 05e44f402a38b6fa28d17020e599da0fb51e38a03470d3160ef269a63d93156d
                    • Opcode Fuzzy Hash: cefd973072523b50968d3a0e4c67dd8ccec8e7ca926fdefc19cf1b3ed4d8873f
                    • Instruction Fuzzy Hash: 7011A03AD05A11ABCB332FB4BC0475936DCAF15361F214935F9049E192EB74F8408AD4

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 242 348d8d-348d96 243 348df7-348e09 call 3492de 242->243 244 348d98-348d9b 242->244 247 348e0e-348e12 243->247 244->243 246 348d9d-348da0 244->246 248 348da2-348dba call 349498 246->248 249 348dbb-348dbe 246->249 251 348dc0-348dc3 249->251 252 348dde-348df5 call 348e13 249->252 251->252 255 348dc5-348ddc call 349559 251->255 252->247 255->247
                    APIs
                    Memory Dump Source
                    • Source File: 00000001.00000002.2310919959.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                    • Associated: 00000001.00000002.2310905336.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310937303.000000000034C000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310957115.0000000000351000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310972685.0000000000352000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310993708.0000000000364000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2311010690.0000000000367000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_340000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                    • String ID:
                    • API String ID: 3016257755-0
                    • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                    • Instruction ID: 2cb3898d52a2afa3b80efc2dabade83c3dd21bdc7efb1f811b0d780245f9d57c
                    • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                    • Instruction Fuzzy Hash: D9014B3280014EBBCF135F88CC118EE3FA6BB19354B598815FA185C171D736EAB1AB81

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 259 341552-341558 260 34155c-342b73 IsProcessorFeaturePresent 259->260 261 34155a 259->261 263 342b75-342b78 260->263 264 342b7a-342c5b call 342b24 260->264 263->264
                    APIs
                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00342B6C
                    • ___raise_securityfailure.LIBCMT ref: 00342C53
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.2310919959.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                    • Associated: 00000001.00000002.2310905336.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310937303.000000000034C000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310957115.0000000000351000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310972685.0000000000352000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310993708.0000000000364000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2311010690.0000000000367000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_340000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: FeaturePresentProcessor___raise_securityfailure
                    • String ID: @Q6
                    • API String ID: 3761405300-3821120862
                    • Opcode ID: c8ca9d6a9dbb769425ce814054293e62864144dee0497e74a178c537812df8e3
                    • Instruction ID: d43d50502b326b83065e573f08b49a0d9c81a1bf641ccf340dbdd23f6baf85fb
                    • Opcode Fuzzy Hash: c8ca9d6a9dbb769425ce814054293e62864144dee0497e74a178c537812df8e3
                    • Instruction Fuzzy Hash: 642104B8511B049ADB22CF14F9A67447BECFB58311F50993AE9089B3B0E3F05884CF59

                    Control-flow Graph

                    • Basic blocks: 267 (3448f2-3448fd), 268 (344906-344908), 269 (3448ff-344904), 270 (34490c), 271 (344911-344922, call 3434c5), 272 (34490a), 275 (344924-34493b, call 3434c5), 276 (344942-344944), 278 (344949-344958), 280 (344961-344964), 281 (34495a-34495f), 282 (34493d-344941)
                    • Edges: 267->268, 267->269, 268->271, 268->272, 269->270, 270->271, 271->275, 271->276, 272->270, 275->276, 275->282, 276->278, 278->280, 278->281, 281->278
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.2310919959.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                    • Associated: 00000001.00000002.2310905336.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310937303.000000000034C000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310957115.0000000000351000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310972685.0000000000352000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2310993708.0000000000364000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000001.00000002.2311010690.0000000000367000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_340000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: __calloc_crt
                    • String ID: `V6
                    • API String ID: 3494438863-2496494969
                    • Opcode ID: e9e47454973560999052c1681ea4dc70042edee9fb995108e17ea2f336acbd73
                    • Instruction ID: 863484485e286614db2e6692937a92460e846b84866c23a312e698b59f2b5f66
                    • Opcode Fuzzy Hash: e9e47454973560999052c1681ea4dc70042edee9fb995108e17ea2f336acbd73
                    • Instruction Fuzzy Hash: EBF0627120D3119AF71BCF69FD12FA667D8E7147B0F11803AE604CF6A0E7B0AC519681