Windows Analysis Report
ZJGkxGuyIT.dll

Overview

General Information

Sample name: ZJGkxGuyIT.dll
(renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name: 2ebf32f4a6b63b8dad4dac4bddf1cbee.exe
Analysis ID: 1542665
MD5: 2ebf32f4a6b63b8dad4dac4bddf1cbee
SHA1: 8b9f7739a9a64168b50d3bde17c8e8ee1127671c
SHA256: fde4f048bb013ec3caabbe5862dcb8df0f701659bc9ac04e5bb1c5a3eee58b61
Tags: 64exe

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Hijacks the control flow in another process
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Conhost Spawned By Uncommon Parent Process

Classification

  • System is w10x64
  • loaddll64.exe (PID: 6556 cmdline: loaddll64.exe "C:\Users\user\Desktop\ZJGkxGuyIT.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 6576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6696 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ZJGkxGuyIT.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 6772 cmdline: rundll32.exe "C:\Users\user\Desktop\ZJGkxGuyIT.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
        • WerFault.exe (PID: 3004 cmdline: C:\Windows\system32\WerFault.exe -u -p 6772 -s 400 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • regsvr32.exe (PID: 6720 cmdline: regsvr32.exe /i /s C:\Users\user\Desktop\ZJGkxGuyIT.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
      • WerFault.exe (PID: 8 cmdline: C:\Windows\system32\WerFault.exe -u -p 6720 -s 452 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 6796 cmdline: rundll32.exe C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllInstall MD5: EF3179D498793BF4234F708D3BE28633)
      • rundll32.exe (PID: 6976 cmdline: C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllInstall 2580 MD5: EF3179D498793BF4234F708D3BE28633)
      • conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 3912 cmdline: rundll32.exe C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllRegisterServer MD5: EF3179D498793BF4234F708D3BE28633)
      • rundll32.exe (PID: 6220 cmdline: C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllRegisterServer 6976 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 4412 cmdline: rundll32.exe C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllUnregisterServer MD5: EF3179D498793BF4234F708D3BE28633)
      • rundll32.exe (PID: 6296 cmdline: C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllUnregisterServer 6220 MD5: EF3179D498793BF4234F708D3BE28633)
    • loaddll64.exe (PID: 5804 cmdline: C:\Windows\system32\loaddll64.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll 6296 MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
  • cleanup
No configs have been found
No yara matches
Source: Process started | Author: Tim Rauch | Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllInstall, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 6796, ParentProcessName: rundll32.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 5804, ProcessName: conhost.exe
No Suricata rule has matched

AV Detection

Source: ZJGkxGuyIT.dll | Virustotal: Detection: 10%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: ZJGkxGuyIT.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ntdll.pdb source: loaddll64.exe, 00000000.00000002.1792371427.000001FFB8B09000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1793567365.000001FFB930D000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1792792121.000001FFB8F05000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1793330361.000001FFB910A000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1793771115.000001FFB9502000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1792577894.000001FFB8D06000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911803970.00000000036CA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911968562.00000000038CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911605994.00000000034C6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911359478.00000000032C9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1910092977.0000000002EC2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1910526205.00000000030CC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895201861.00000196F17B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895523151.00000196F1BB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895033928.00000196F15B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895364557.00000196F19BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1894645590.00000196F11B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1894832789.00000196F13BE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1786543077.00000234B9309000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000005.00000002.1787336671.00000234B9D06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1786878245.00000234B970F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1787187145.00000234B9B0B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1787018729.00000234B990F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1786732122.00000234B9508000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1843129716.000002542840F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1842592948.0000025428008000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1842829424.000002542820D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1841796861.0000025427A07000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1842228317.0000025427E0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000
Source: Binary string: ntdll.pdbUGP source: loaddll64.exe, 00000000.00000002.1792371427.000001FFB8B09000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1793567365.000001FFB930D000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1792792121.000001FFB8F05000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1793330361.000001FFB910A000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1793771115.000001FFB9502000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1792577894.000001FFB8D06000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911803970.00000000036CA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911968562.00000000038CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911605994.00000000034C6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911359478.00000000032C9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1910092977.0000000002EC2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1910526205.00000000030CC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895201861.00000196F17B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895523151.00000196F1BB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895033928.00000196F15B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895364557.00000196F19BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1894645590.00000196F11B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1894832789.00000196F13BE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1786543077.00000234B9309000.00000004.00000020.00020000.00000000.sdmp, 
rundll32.exe, 00000005.00000002.1787336671.00000234B9D06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1786878245.00000234B970F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1787187145.00000234B9B0B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1787018729.00000234B990F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1786732122.00000234B9508000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1843129716.000002542840F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1842592948.0000025428008000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1842829424.000002542820D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1841796861.0000025427A07000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1842228317.0000025427E0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0
Source: Amcache.hve.10.dr | String found in binary or memory: http://upx.sf.net
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE0E14D520 HeapCreate,VirtualProtect,LoadLibraryA,GetProcAddress,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,ResumeThread,exit,Sleep,memcpy,CoInitialize,SafeArrayCreate,SafeArrayPutElement
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE0E146D40 memcpy,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,fwrite,fflush
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000027B70B51B10 NtProtectVirtualMemory,NtCreateSection
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000027B70B51BA8 NtCreateSection
Source: C:\Windows\System32\rundll32.exe | Code function: 13_2_000001E0BE701B10 NtProtectVirtualMemory,NtCreateSection
Source: C:\Windows\System32\rundll32.exe | Code function: 13_2_000001E0BE701BA8 NtCreateSection
Source: C:\Windows\System32\rundll32.exe | Code function: 15_2_00000224A1FE1B10 NtProtectVirtualMemory,NtCreateSection
Source: C:\Windows\System32\rundll32.exe | Code function: 15_2_00000224A1FE1BA8 NtCreateSection
Source: C:\Windows\System32\loaddll64.exe | Code function: 17_2_0000026F88A31B10 NtProtectVirtualMemory,NtCreateSection
Source: C:\Windows\System32\loaddll64.exe | Code function: 17_2_0000026F88A31BA8 NtCreateSection
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE0E14C870
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE0E14F0D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE0E146D40
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE0E135E40
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE0E14B640
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE0E13D310
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE0E13D760
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE0E135770
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE0E140B70
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE0E14A350
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE0E1347A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE0E14FFC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE0E13FC60
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE0E137870
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE0E15505A
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE0E137CE0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE0E13D970
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE0E13DD80
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE0E13BD80
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00007FFE0E14C870
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00007FFE0E14F0D0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00007FFE0E135E40
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00007FFE0E14B640
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00007FFE0E13D310
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00007FFE0E13D760
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00007FFE0E135770
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00007FFE0E140B70
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00007FFE0E14A350
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00007FFE0E1347A0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00007FFE0E14FFC0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00007FFE0E13FC60
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00007FFE0E137870
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00007FFE0E15505A
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00007FFE0E137CE0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00007FFE0E13D970
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00007FFE0E146D40
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00007FFE0E13DD80
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00007FFE0E13BD80
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFE0E14C870
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFE0E14F0D0
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFE0E135E40
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFE0E14B640
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFE0E13D310
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFE0E13D760
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFE0E135770
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFE0E140B70
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFE0E14A350
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFE0E1347A0
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFE0E14FFC0
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFE0E13FC60
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFE0E137870
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFE0E15505A
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFE0E137CE0
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFE0E13D970
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFE0E146D40
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFE0E13DD80
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00007FFE0E13BD80
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000027B70B50730
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000027B70B50BAD
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000027B70B50AB3
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000027B70B50B36
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000027B70B50999
Source: C:\Windows\System32\rundll32.exe | Code function: 13_2_000001E0BE700730
Source: C:\Windows\System32\rundll32.exe | Code function: 13_2_000001E0BE700AB3
Source: C:\Windows\System32\rundll32.exe | Code function: 13_2_000001E0BE700B36
Source: C:\Windows\System32\rundll32.exe | Code function: 13_2_000001E0BE700BAD
Source: C:\Windows\System32\rundll32.exe | Code function: 13_2_000001E0BE700999
Source: C:\Windows\System32\rundll32.exe | Code function: 15_2_00000224A1FE0999
Source: C:\Windows\System32\rundll32.exe | Code function: 15_2_00000224A1FE0B36
Source: C:\Windows\System32\rundll32.exe | Code function: 15_2_00000224A1FE0AB3
Source: C:\Windows\System32\rundll32.exe | Code function: 15_2_00000224A1FE0730
Source: C:\Windows\System32\rundll32.exe | Code function: 15_2_00000224A1FE0BAD
Source: C:\Windows\System32\loaddll64.exe | Code function: 17_2_0000026F88A30730
Source: C:\Windows\System32\loaddll64.exe | Code function: 17_2_0000026F88A30B36
Source: C:\Windows\System32\loaddll64.exe | Code function: 17_2_0000026F88A30AB3
Source: C:\Windows\System32\loaddll64.exe | Code function: 17_2_0000026F88A30999
Source: C:\Windows\System32\loaddll64.exe | Code function: 17_2_0000026F88A30BAD
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6720 -s 452
Source: ZJGkxGuyIT.dll | Static PE information: Number of sections : 12 > 10
Source: classification engine | Classification label: mal60.evad.winDLL@25/9@0/0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE0E14D040 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,SetThreadContext,CloseHandle,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6772
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6576:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5804:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6720
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d0677b87-b77c-4db0-83a1-98f8c6085e6c
Source: ZJGkxGuyIT.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ZJGkxGuyIT.dll",#1
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\ZJGkxGuyIT.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ZJGkxGuyIT.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\ZJGkxGuyIT.dll
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllInstall
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllInstall 2580
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6772 -s 400
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllRegisterServer 6976
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllUnregisterServer
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllUnregisterServer 6220
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\loaddll64.exe C:\Windows\system32\loaddll64.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll 6296
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\rundll32.exe | Automated click: OK (listed 5 times)
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: ZJGkxGuyIT.dll | Static PE information: Image base 0x357620000 > 0x60000000
Source: ZJGkxGuyIT.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ntdll.pdb source: loaddll64.exe, 00000000.00000002.1792371427.000001FFB8B09000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1793567365.000001FFB930D000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1792792121.000001FFB8F05000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1793330361.000001FFB910A000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1793771115.000001FFB9502000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1792577894.000001FFB8D06000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911803970.00000000036CA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911968562.00000000038CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911605994.00000000034C6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911359478.00000000032C9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1910092977.0000000002EC2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1910526205.00000000030CC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895201861.00000196F17B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895523151.00000196F1BB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895033928.00000196F15B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895364557.00000196F19BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1894645590.00000196F11B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1894832789.00000196F13BE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1786543077.00000234B9309000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000005.00000002.1787336671.00000234B9D06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1786878245.00000234B970F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1787187145.00000234B9B0B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1787018729.00000234B990F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1786732122.00000234B9508000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1843129716.000002542840F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1842592948.0000025428008000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1842829424.000002542820D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1841796861.0000025427A07000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1842228317.0000025427E0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000
Source: Binary string: ntdll.pdbUGP source: loaddll64.exe, 00000000.00000002.1792371427.000001FFB8B09000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1793567365.000001FFB930D000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1792792121.000001FFB8F05000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1793330361.000001FFB910A000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1793771115.000001FFB9502000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1792577894.000001FFB8D06000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911803970.00000000036CA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911968562.00000000038CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911605994.00000000034C6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911359478.00000000032C9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1910092977.0000000002EC2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1910526205.00000000030CC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895201861.00000196F17B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895523151.00000196F1BB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895033928.00000196F15B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895364557.00000196F19BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1894645590.00000196F11B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1894832789.00000196F13BE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1786543077.00000234B9309000.00000004.00000020.00020000.00000000.sdmp, 
rundll32.exe, 00000005.00000002.1787336671.00000234B9D06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1786878245.00000234B970F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1787187145.00000234B9B0B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1787018729.00000234B990F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1786732122.00000234B9508000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1843129716.000002542840F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1842592948.0000025428008000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1842829424.000002542820D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1841796861.0000025427A07000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1842228317.0000025427E0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0
Source: C:\Windows\System32\loaddll64.exe - Code function: 0_2_00007FFE0E14D520 HeapCreate,VirtualProtect,LoadLibraryA,GetProcAddress,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,ResumeThread,exit,Sleep,memcpy,CoInitialize,SafeArrayCreate,SafeArrayPutElement,0_2_00007FFE0E14D520
Source: ZJGkxGuyIT.dll - Static PE information: section name: .eh_fram
Source: ZJGkxGuyIT.dll - Static PE information: section name: .xdata
Source: C:\Windows\System32\loaddll64.exe - Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\ZJGkxGuyIT.dll
Source: C:\Windows\System32\loaddll64.exe - Code function: 0_2_00007FFE0E13C670 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00007FFE0E13C670
Source: C:\Windows\System32\rundll32.exe - Process information set: NOOPENFILEERRORBOX (7 occurrences)
Source: C:\Windows\System32\WerFault.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (10 occurrences)
Source: C:\Windows\System32\WerFault.exe - Process information set: NOOPENFILEERRORBOX (102 occurrences)
(These are SetErrorMode flags. The WerFault.exe entries come from the Windows error-reporting host that handled the crashed regsvr32.exe and rundll32.exe processes, not from code in the sample.)
Source: C:\Windows\System32\loaddll64.exe - Code function: 0_2_00007FFE0E14D040 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,SetThreadContext,CloseHandle,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll,0_2_00007FFE0E14D040
Source: C:\Windows\System32\regsvr32.exe - API coverage: 9.1 %
Source: C:\Windows\System32\rundll32.exe - API coverage: 9.0 %
Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
(The strings below come from Amcache.hve.10.dr, a copy of the analysis VM's Amcache hive among the dropped files. They describe the sandbox's own VMware virtual hardware inventory, not virtual-machine detection performed by the sample.)
Source: Amcache.hve.10.dr - Binary or memory string: VMware
Source: Amcache.hve.10.dr - Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr - Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr - Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr - Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr - Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr - Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr - Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr - Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr - Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr - Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr - Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr - Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr - Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.10.dr - Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr - Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr - Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr - Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr - Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr - Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr - Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr - Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr - Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr - Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr - Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr - Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr - Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr - Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.10.dr - Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\loaddll64.exe - Code function: 0_2_00007FFE0E14D040 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,SetThreadContext,CloseHandle,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll,0_2_00007FFE0E14D040
Source: C:\Windows\System32\loaddll64.exe - Code function: 0_2_00007FFE0E14D520 HeapCreate,VirtualProtect,LoadLibraryA,GetProcAddress,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,ResumeThread,exit,Sleep,memcpy,CoInitialize,SafeArrayCreate,SafeArrayPutElement,0_2_00007FFE0E14D520
Source: C:\Windows\System32\loaddll64.exe - Code function: 0_2_00007FFE0E14C870 CreateFileA,GetFileSize,ReadFile,strcmp,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,0_2_00007FFE0E14C870
Source: C:\Windows\System32\regsvr32.exe - Code function: 3_2_00007FFE0E14D040 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,SetThreadContext,CloseHandle,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll,3_2_00007FFE0E14D040
Source: C:\Windows\System32\rundll32.exe - Code function: 4_2_00007FFE0E14D040 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,SetThreadContext,CloseHandle,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll,4_2_00007FFE0E14D040

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\loaddll64.exe - NtAllocateVirtualMemory: Indirect: 0x7FFE0E14D9BE
Source: C:\Windows\System32\loaddll64.exe - NtProtectVirtualMemory: Indirect: 0x7FFE0E146E1A
Source: C:\Windows\System32\loaddll64.exe - NtProtectVirtualMemory: Indirect: 0x7FFE0E14DB26
Source: C:\Windows\System32\loaddll64.exe - NtWriteVirtualMemory: Indirect: 0x7FFE0E146E3E
Source: C:\Windows\System32\loaddll64.exe - NtWriteVirtualMemory: Indirect: 0x7FFE0E14DAF1
Source: C:\Windows\System32\loaddll64.exe - NtProtectVirtualMemory: Indirect: 0x7FFE0E146E90
Source: C:\Windows\System32\loaddll64.exe - Memory written: PID: 5804 base: 26F88A30000 value: E9
Source: C:\Windows\System32\rundll32.exe - Memory written: PID: 6976 base: 27B70B50000 value: E9
Source: C:\Windows\System32\rundll32.exe - Memory written: PID: 6220 base: 1E0BE700000 value: E9
Source: C:\Windows\System32\rundll32.exe - Memory written: PID: 6296 base: 224A1FE0000 value: E9
Source: C:\Windows\System32\loaddll64.exe - Process created: C:\Windows\System32\loaddll64.exe C:\Windows\system32\loaddll64.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll 6296
Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ZJGkxGuyIT.dll",#1
Source: C:\Windows\System32\rundll32.exe - Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllInstall 2580
Source: C:\Windows\System32\rundll32.exe - Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllRegisterServer 6976
Source: C:\Windows\System32\rundll32.exe - Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllUnregisterServer 6220
Source: C:\Windows\System32\loaddll64.exe - Code function: 0_2_00007FFE0E14F0D0 RtlGetVersion,GetTickCount,memcpy,exit,exit,0_2_00007FFE0E14F0D0
Source: Amcache.hve.10.dr - Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr - Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr - Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr - Binary or memory string: MsMpEng.exe
(The MsMpEng.exe paths above are Windows Defender inventory entries in the analysis VM's Amcache hive, not strings from the sample, so the "AV process strings found" signature is weak evidence here. The SecurityCenter2 queries below, by contrast, are issued by the sample's code running inside rundll32.exe and are its actual antivirus check.)
Source: C:\Windows\System32\rundll32.exe - WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\rundll32.exe - WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
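The evidence above describes the injection path concretely: one function in the sample's image (0_2_00007FFE0E14D520) allocates, writes and reprotects memory and then resumes a thread; a second (0_2_00007FFE0E14D040) snapshots the thread list, opens a thread and rewrites its context; the first byte written into each child (PIDs 6976, 6220 and 6296 are the rundll32.exe children created on the following lines) is E9, the opcode of the 5-byte x86-64 JMP rel32 used for inline hooks; and the three Nt* calls are reported as indirect syscalls whose call-site addresses fall inside the address span of the sample's own functions rather than in ntdll. The Python script below is an added example for this page, not part of the Joe Sandbox report: it parses the report's evidence lines (copied verbatim into EVIDENCE) and flags exactly these patterns. The 5-byte patch passed to jmp_rel32_target in the test is constructed, because the report shows only the first byte of each write.

```python
"""Triage of Joe Sandbox behaviour evidence for injection and syscall evasion.

Added example for this report page; not Joe Sandbox code.  EVIDENCE holds
lines copied verbatim from the report (with the "Jump to behavior" link
text removed), so the script runs offline against the page's own data.
"""
import re
from typing import Dict, List, Tuple

EVIDENCE = r"""
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFE0E14D520 HeapCreate,VirtualProtect,LoadLibraryA,GetProcAddress,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,ResumeThread,exit,Sleep,memcpy,CoInitialize,SafeArrayCreate,SafeArrayPutElement,0_2_00007FFE0E14D520
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFE0E14D040 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,SetThreadContext,CloseHandle,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll,0_2_00007FFE0E14D040
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFE0E13C670 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00007FFE0E13C670
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFE0E14C870 CreateFileA,GetFileSize,ReadFile,strcmp,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,0_2_00007FFE0E14C870
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFE0E14F0D0 RtlGetVersion,GetTickCount,memcpy,exit,exit,0_2_00007FFE0E14F0D0
Source: C:\Windows\System32\loaddll64.exeNtAllocateVirtualMemory: Indirect: 0x7FFE0E14D9BE
Source: C:\Windows\System32\loaddll64.exeNtProtectVirtualMemory: Indirect: 0x7FFE0E146E1A
Source: C:\Windows\System32\loaddll64.exeNtProtectVirtualMemory: Indirect: 0x7FFE0E14DB26
Source: C:\Windows\System32\loaddll64.exeNtWriteVirtualMemory: Indirect: 0x7FFE0E146E3E
Source: C:\Windows\System32\loaddll64.exeNtWriteVirtualMemory: Indirect: 0x7FFE0E14DAF1
Source: C:\Windows\System32\loaddll64.exeNtProtectVirtualMemory: Indirect: 0x7FFE0E146E90
Source: C:\Windows\System32\loaddll64.exeMemory written: PID: 5804 base: 26F88A30000 value: E9
Source: C:\Windows\System32\rundll32.exeMemory written: PID: 6976 base: 27B70B50000 value: E9
Source: C:\Windows\System32\rundll32.exeMemory written: PID: 6220 base: 1E0BE700000 value: E9
Source: C:\Windows\System32\rundll32.exeMemory written: PID: 6296 base: 224A1FE0000 value: E9
"""

# "Code function: <id> <api,api,...>,<id>": the function id brackets the API list.
CODE_FN = re.compile(r"Code function: (\S+) (\S+),\1\s*$")
# "<NtApi>: Indirect: 0x<addr>": the call-site address the sandbox reports for the syscall.
SYSCALL = re.compile(r"(Nt\w+): Indirect: 0x([0-9A-Fa-f]+)")
# "Memory written: PID: <pid> base: <addr> value: <first byte>" into another process.
MEMWRITE = re.compile(r"Memory written: PID: (\d+) base: ([0-9A-Fa-f]+) value: ([0-9A-Fa-f]{2})")

# Classic remote code execution chain: allocate, write, make executable, run.
INJECT_CHAIN = ("NtAllocateVirtualMemory", "NtWriteVirtualMemory",
                "NtProtectVirtualMemory", "ResumeThread")
# Thread-context hijack: enumerate threads, open one, rewrite its registers.
HIJACK_CHAIN = ("CreateToolhelp32Snapshot", "Thread32First", "OpenThread",
                "GetThreadContext", "SetThreadContext")
JMP_REL32 = 0xE9   # x86/x64 opcode of the 5-byte relative jump used for inline hooks


def in_order(apis: List[str], chain: Tuple[str, ...]) -> bool:
    """True if every API in `chain` occurs in `apis` in that order (gaps allowed)."""
    it = iter(apis)
    return all(any(a == want for a in it) for want in chain)


def jmp_rel32_target(patch_addr: int, patch: bytes) -> int:
    """Destination of a JMP rel32 written at `patch_addr` (the E9 byte seen above)."""
    if len(patch) < 5 or patch[0] != JMP_REL32:
        raise ValueError("not a 5-byte JMP rel32")
    rel = int.from_bytes(patch[1:5], "little", signed=True)
    # rel32 is relative to the instruction following the 5-byte jump.
    return (patch_addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF


def triage(report_text: str) -> Dict[str, object]:
    """Extract the evidence lines and flag the injection/evasion patterns."""
    functions: Dict[str, List[str]] = {}
    syscalls: List[Tuple[str, int]] = []
    writes: List[Tuple[int, int, int]] = []
    for line in report_text.splitlines():
        if m := CODE_FN.search(line):
            functions[m.group(1)] = m.group(2).split(",")
        elif m := SYSCALL.search(line):
            syscalls.append((m.group(1), int(m.group(2), 16)))
        elif m := MEMWRITE.search(line):
            writes.append((int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)))
    # Address span of the sample's own functions, widened to page bounds.  A syscall
    # issued from inside this span instead of from ntdll's stub is how direct/indirect
    # syscalls avoid the user-mode hooks EDRs place on the ntdll exports.
    addrs = [int(fid.rsplit("_", 1)[1], 16) for fid in functions]
    lo, hi = (min(addrs) & ~0xFFF, max(addrs) | 0xFFF) if addrs else (0, -1)
    return {
        "inject_chain": [f for f, apis in functions.items() if in_order(apis, INJECT_CHAIN)],
        "hijack_chain": [f for f, apis in functions.items() if in_order(apis, HIJACK_CHAIN)],
        "indirect_syscalls": syscalls,
        "syscalls_from_sample_image": bool(syscalls) and all(lo <= a <= hi for _, a in syscalls),
        "jmp_hooks": [(pid, base) for pid, base, b0 in writes if b0 == JMP_REL32],
    }


if __name__ == "__main__":
    for key, value in triage(EVIDENCE).items():
        print(f"{key}: {value}")
```

The ordered-subsequence match is deliberately loose (calls such as GetProcAddress between the chain members are ignored) so that it also catches variants that resolve each Nt* stub lazily; if that produces noise on your own reports, add a maximum-gap limit to in_order.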
MITRE ATT&CK matrix (a count in brackets marks a technique observed in this analysis; the remaining entries are the matrix's unobserved placeholder cells)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation [1]; Native API [1]; At; Cron; Launchd
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection [111]; Abuse Elevation Control Mechanism [1]; DLL Side-Loading [1]; Login Hook; Network Logon Script
Defense Evasion: Regsvr32 [1]; Rundll32 [1]; Process Injection [111]; Abuse Elevation Control Mechanism [1]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery [41]; Process Discovery [1]; System Information Discovery [2]; System Network Configuration Discovery; Internet Connection Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel [1]; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Behavior Graph ID: 1542665 | Sample: ZJGkxGuyIT.exe | Start date: 26/10/2024 | Architecture: WINDOWS | Score: 60
Signatures on the start node: Multi AV Scanner detection for submitted file; AI detected suspicious sample
Process tree recovered from the behavior graph (the graphic itself is not reproduced):
  loaddll64.exe  [Hijacks the control flow in another process; Found direct / indirect Syscall (likely to bypass EDR)]
    rundll32.exe  [Hijacks the control flow in another process]
      conhost.exe
      rundll32.exe
    rundll32.exe
      rundll32.exe
    rundll32.exe
      rundll32.exe
    4 other processes
      rundll32.exe
        WerFault.exe
      WerFault.exe

Source | Detection | Scanner | Label
ZJGkxGuyIT.dll | 8% | ReversingLabs |
ZJGkxGuyIT.dll | 11% | Virustotal |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://upx.sf.net | 0% | URL Reputation | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.10.dr | false | URL Reputation: safe | unknown
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1542665
Start date and time:2024-10-26 05:35:07 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 50s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:22
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:ZJGkxGuyIT.dll
(renamed file extension from exe to dll, renamed because original name is a hash value)
Original Sample Name:2ebf32f4a6b63b8dad4dac4bddf1cbee.exe
Detection:MAL
Classification:mal60.evad.winDLL@25/9@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 50
  • Number of non-executed functions: 138
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 13.89.179.12
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
Time | Type | Description
23:36:20 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
No context
Process:C:\Windows\System32\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.8234442945424231
Encrypted:false
SSDEEP:96:2pFXMvEAh+6J+AECyyssm+9sn2Gj5MSRQXIDcQec6OcE2cw3Tdadz+nbHg/BwAS5:OszcAESslc0QKs7eTPzuiFNZ24lO8w
MD5:F9CB05D2F7397B75FE99BF8FE29C6645
SHA1:CDCE580C475EA130AC702A585215A623A70150F2
SHA-256:F67B75AB5F82CA836E2A6846C13AC33489C940AFC4F61EB41BF3C934E378F890
SHA-512:153D12AC07C2CDC933EAA74B2A4F06870E117B8BAD183494091F47624386FDEDDB51BB0896051589B3561FCF2715D3D492C290B7D326D56D6717A7F6A82A77DB
Malicious:false
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.3.8.7.3.6.1.7.6.7.6.2.9.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.3.8.7.3.6.2.4.0.8.2.6.0.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.0.8.9.2.6.e.4.-.7.6.4.6.-.4.6.9.8.-.b.0.5.e.-.0.4.c.4.7.8.f.b.9.3.a.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.2.1.1.5.4.d.e.-.0.c.4.6.-.4.1.e.d.-.8.1.8.0.-.d.c.8.1.0.6.3.b.f.8.8.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.e.g.s.v.r.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.E.G.S.V.R.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.4.0.-.0.0.0.1.-.0.0.1.4.-.3.3.5.d.-.3.3.2.c.5.8.2.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.d.7.c.2.f.d.3.5.4.3.6.3.d.a.e.e.6.3.e.8.f.5.9.1.e.c.5.2.f.a.5.d.0.e.2.3.f.6.f.!.r.e.g.s.v.r.3.2...e.x.e.....T.
Process:C:\Windows\System32\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.8005334179435284
Encrypted:false
SSDEEP:96:3LFwULi7yKy0sjS4Rv2Gj5MSRQXIDcQUc6kAmGcEUFcw3UyXaXz+nbHgSQgJj1h9:7ti7y0R0qNmGSFY8VszuiFNZ24lO8iL
MD5:5C1A635F4A6783791C156E7F1D35D1EE
SHA1:401B9F6D01EC6797CA01E77654498247AD3853C9
SHA-256:2772A3B7AE658DBEAD4678FC83323F74F666B9FDF6D9448DBC7372BA03DF8825
SHA-512:DBAA27F3EA25EC672EFF12935FEBD3F28082102B5AAB743BC0F9A873EA51A7DCAB77D4F5AA2A66415E80EB630BE930E853FE9C7CD37CBC1AC792F2CE39B342A0
Malicious:false
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.3.8.7.3.6.1.8.4.1.7.3.4.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.3.8.7.3.6.2.5.1.3.5.8.8.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.a.9.1.4.6.1.3.-.e.c.d.c.-.4.7.7.0.-.9.3.1.2.-.b.b.7.1.d.7.b.1.9.4.3.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.5.2.d.2.8.8.c.-.c.2.9.0.-.4.a.2.a.-.b.d.e.c.-.0.5.0.4.1.0.1.9.3.e.0.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.Z.J.G.k.x.G.u.y.I.T...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.7.4.-.0.0.0.1.-.0.0.1.4.-.2.b.4.7.-.3.5.2.c.5.8.2.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.
Process:C:\Windows\System32\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Sat Oct 26 03:36:01 2024, 0x1205a4 type
Category:dropped
Size (bytes):57422
Entropy (8bit):1.6444097497596473
Encrypted:false
SSDEEP:96:5W86W+cZCMtuYkrvVmgQz+RT7y2ePXloi75BL63u/WU9MS4VS+v2rXqdFa+wA+Yt:TTTIIUGJSO50+/T9kV/v2U7qla
MD5:CF9474486094D1E929A3F00647BEE87A
SHA1:36560A7AB6DB785FCFDEF5AC31A0A1E5E7D21D8A
SHA-256:42015496F47B62FD26C6A4EDC813C79454C85548326D76465EE7A7AF0B8C84BC
SHA-512:0B5D3C8104E92DE8CBB1652B0DC9E376069D0A873AC54419472B55236C2A4F70DFE8685B95912AB5CA3FE87A971EAD391F7463E5BC4908073B28A74100585B0F
Malicious:false
Preview:MDMP..a..... ........c.g....................................$...x-..........T.......8...........T...............F...........H...........4...............................................................................eJ..............Lw......................T.......@....c.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Sat Oct 26 03:36:01 2024, 0x1205a4 type
Category:dropped
Size (bytes):52566
Entropy (8bit):1.520529918881532
Encrypted:false
SSDEEP:96:5W8njjIYqDqxUowLlaBTpZxH+AOIOgLoi7Mc+6e+JSRC6jryEWnpWIFTIBbjqYH0:TnjcNyVHlOgcOMG0DGE5qY0xxu2
MD5:BF7131ABF4BE27F8331FE1899BAF5AD2
SHA1:D7907056B9DB8BC12A09913CAFF55CD7E1FB208D
SHA-256:0CC734C49F1651556EF2FD84A2E5E5DBB506A13DDFEA0E8013259622AB9DDE0F
SHA-512:F5D14D2DC4D19E752E81EA9BA91133B6AF2ED58E5BC8BFED9F24C7B2943AD216F6B7A28EBB68EAF1BF18068EA5F47C41B5EEDE66A030082890E0BCF85AEAC7A9
Malicious:false
Preview:MDMP..a..... ........c.g........................................X+..........T.......8...........T...............V.......................................................................................................eJ..............Lw......................T.......t....c.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8590
Entropy (8bit):3.6896074328161466
Encrypted:false
SSDEEP:192:R6l7wVeJEfiqP6YJC/Bgmf8BnyRcpDy89bnF0fANm:R6lXJ0X6Yspgmf8BnyR6nWfH
MD5:16BEA2AC469AEFC294FD77B0B022D4E6
SHA1:214F85866CEF923D457C70AD9A9DA0B9E26C4FDC
SHA-256:4F2401A085B183EAF83A21C9FC30C94425FFCBD852F88301910D99702F5C7B6D
SHA-512:1E8B9A8082C03FF99D226DAEFD6EB5AB95A0601936FB3D51C2CF8FFB3D864AA676DBE4A0D29CCC41A410D88C59D62538C620E011225CE949FC65D526617CE72F
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.2.0.<./.P.i.
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4826
Entropy (8bit):4.4415034413212355
Encrypted:false
SSDEEP:48:cvIwWl8zsiJg771I9RizWpW8VY8Ym8M4JPNoF8fcyq8vkN4tEfsigd:uIjfwI7TC7VAJPvkWkqKfsigd
MD5:AAF11E71B65BAA05FE3E2A289815BF83
SHA1:88700177344100128B06B25B304F6B6E304D7CAC
SHA-256:90B6932843A952CFECC4D9F95D9E63B5DA2F7DD7649CEF7D0A3EE7755988C062
SHA-512:EB38F2F1A8E7E2F4A1706756783840B57AC0CB37527E235AF3073881F6795C5094A37FBAB07AAB27558DB11062662F3EE4919C9E8F83E23F75EA9B3871C7C5FC
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="559838" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8884
Entropy (8bit):3.6988325818191132
Encrypted:false
SSDEEP:192:R6l7wVeJB05TqYe6YsEt5gmfz7ncm2a9RcpDG89bn96f2Nm:R6lXJC5TU6Ynzgmfz7nz2a9R+nwfd
MD5:CEE42678D958FA5414E376BD5E8A5EC9
SHA1:AC85C7F9A06B6801BA3D39C21106CAC2F2EEFC4B
SHA-256:100454CB621EDCB78D30237DBD60F9230DD2233C8C1A9815A88AAC560CA24863
SHA-512:9C6998BA194388673926044DB2088E71A74D9C5CC8165E133A262E36C772E354C9047BB19AFE631C6734126D524CCA4C28B9C83CE6526A2F0155115AD404FB7C
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.7.2.<./.P.i.
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4877
Entropy (8bit):4.487115316534731
Encrypted:false
SSDEEP:48:cvIwWl8zsiJg771I9RizWpW8VYrw0Ym8M4JCbCjoFXyq8vhj8ptSTStd:uIjfwI7TC7VSwBJ0WypoOtd
MD5:55C497F7868EA21C51543348FE110320
SHA1:2E8CBF663AD2E8F0E188CF866F232AC0639F29BE
SHA-256:FF7799C4583EDC2BD9F8586A212442A6D4341490DA8ECE62B34F016B0F2953D7
SHA-512:BA195B1E8DD0C696B8B4C0D9A3FB839DB1F2AE8E0AEB502C5B6F08AF048697A5DF6458136B10899C726C9E00117C33F8052209717F214AE7381EDED18946C11A
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="559838" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\System32\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.469866079576607
Encrypted:false
SSDEEP:6144:mIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNfdwBCswSbNX:LXD94+WlLZMM6YFHx+N
MD5:59146C3ADFBEB5A73FA6CFC649106D1F
SHA1:A52F9E1459DABE0E5FE9A99314371256DD4F5175
SHA-256:EC86EB274C41BD6B09C9CCFA860DDA5217A081E52DCED6501C75CF38DBA13775
SHA-512:C8EB5B63FAB832CB1528D428132F896C66EFB2DF1746EF637152A6DDE9D50173EEDE28568154CFEE731B669988753996EDF4FB530C18916DAF20187204179702
Malicious:false
Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...-X'...............................................................................................................................................................................................................................................................................................................................................[..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):6.663904734307042
TrID:
  • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
  • Win64 Executable (generic) (12005/4) 10.17%
  • Generic Win/DOS Executable (2004/3) 1.70%
  • DOS Executable Generic (2002/1) 1.70%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:ZJGkxGuyIT.dll
File size:249'344 bytes
MD5:2ebf32f4a6b63b8dad4dac4bddf1cbee
SHA1:8b9f7739a9a64168b50d3bde17c8e8ee1127671c
SHA256:fde4f048bb013ec3caabbe5862dcb8df0f701659bc9ac04e5bb1c5a3eee58b61
SHA512:a52273a23daaec0ea1b07c97e850809ea23a09f75907a0d3573faa5aef9dd1f91936b4926b17d8434fed06756905074c35e9e2d9f5b8fb76f19e2f6fdde47539
SSDEEP:6144:ycPbDxd4SjM1N2GZpnqQs8vlOIUtUCHBYcHvG23JJJ655ZZo:hFjEASqN8vQIGCcH
TLSH:BA346B3BE36358BCC86BC2745A9B99B27571FC540270A82B06949B303F1BC605B7EF59
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...,..g..........."...$.x.......`............bW..........................................`... ............................
Icon Hash:7ae282899bbab082
Entrypoint:0x357621290
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x357620000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED, DLL
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x670F7F2C [Wed Oct 16 08:54:04 2024 UTC]
TLS Callbacks:0x57641210, 0x3, 0x576412cf, 0x3
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:9dee5c6e2779603605dedf99c35cff63
Instruction
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 20h
dec eax
mov dword ptr [ebp+10h], ecx
mov dword ptr [ebp+18h], edx
dec esp
mov dword ptr [ebp+20h], eax
dec eax
mov eax, dword ptr [00038D96h]
mov dword ptr [eax], 00000000h
dec eax
mov edx, dword ptr [ebp+20h]
mov eax, dword ptr [ebp+18h]
dec ecx
mov eax, edx
mov edx, eax
dec eax
mov ecx, dword ptr [ebp+10h]
call 00007FA31547CE3Bh
dec eax
add esp, 20h
pop ebp
ret
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 30h
dec eax
mov dword ptr [ebp+10h], ecx
mov dword ptr [ebp+18h], edx
dec esp
mov dword ptr [ebp+20h], eax
mov dword ptr [ebp-04h], 00000001h
dec eax
mov eax, dword ptr [00038BD4h]
mov edx, dword ptr [ebp+18h]
mov dword ptr [eax], edx
cmp dword ptr [ebp+18h], 00000000h
jne 00007FA31547CE48h
mov eax, dword ptr [0003ED03h]
test eax, eax
jne 00007FA31547CE3Eh
mov dword ptr [ebp-04h], 00000000h
jmp 00007FA31547CF65h
call 00007FA31549D5A0h
cmp dword ptr [ebp+18h], 01h
je 00007FA31547CE38h
cmp dword ptr [ebp+18h], 02h
jne 00007FA31547CE96h
dec eax
mov edx, dword ptr [ebp+20h]
mov eax, dword ptr [ebp+18h]
dec ecx
mov eax, edx
mov edx, eax
dec eax
mov ecx, dword ptr [ebp+10h]
call 00007FA31547CB1Fh
mov dword ptr [ebp-04h], eax
cmp dword ptr [ebp-04h], 00000000h
je 00007FA31547CF2Ch
dec eax
mov edx, dword ptr [ebp+20h]
mov eax, dword ptr [ebp+18h]
dec ecx
mov eax, edx
mov edx, eax
dec eax
mov ecx, dword ptr [ebp+10h]
call 00007FA31549DE10h
mov dword ptr [ebp-04h], eax
Data directories (Name | Virtual Address | Virtual Size | Is in Section):
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x56000 | 0xb4 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x57000 | 0x730 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x3c000 | 0x1824 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5a000 | 0x1e0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x39040 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x571e4 | 0x1a8 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics):
.text | 0x1000 | 0x27698 | 0x27800 | b83dfeff50b262410611caa9fac8bcf6 | False | 0.499443730221519 | data | 6.325811919972983 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x29000 | 0x150 | 0x200 | 50870ec7f383fcc2e8b6eeb64e3f814f | False | 0.24609375 | data | 1.9503265794495694 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x2a000 | 0x10c00 | 0x10c00 | 31ad200d256fac9c7ff0039eeb5d36ac | False | 0.7173361707089553 | data | 7.2062052344397065 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.eh_fram | 0x3b000 | 0x4 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x3c000 | 0x1824 | 0x1a00 | f7ec1b89acfcae13c1867c658aef9224 | False | 0.455078125 | data | 5.0663982156105885 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata | 0x3e000 | 0x1634 | 0x1800 | 5999f7e98daf8952ea12949c796e07c6 | False | 0.22998046875 | , SYS \003\001P | 4.237229923920545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x40000 | 0x15fa0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x56000 | 0xb4 | 0x200 | 6682e61b2c562c12d63076a4958b3874 | False | 0.283203125 | data | 2.181347600828191 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata | 0x57000 | 0x730 | 0x800 | c7295d857041e582edf3b60ba0dac05b | False | 0.32958984375 | data | 3.8466687637486072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x58000 | 0x58 | 0x200 | de4da1b0adc00fecedc43206b7235f08 | False | 0.0546875 | data | 0.25470559145657956 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x59000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x5a000 | 0x1e0 | 0x200 | 719b62a08a0d64bf647b428942335524 | False | 0.697265625 | data | 4.767069455457626 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Imports (DLL | Import):
KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetLastError, GetModuleHandleA, GetProcAddress, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, Sleep, TlsGetValue, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WideCharToMultiByte
msvcrt.dll | ___lc_codepage_func, ___mb_cur_max_func, __iob_func, _amsg_exit, _errno, _fileno, _initterm, _lock, _setjmp, _setmode, _unlock, abort, calloc, exit, fflush, fputc, free, fwrite, localeconv, longjmp, malloc, memchr, memcpy, memset, realloc, signal, strcmp, strerror, strlen, strncmp, strstr, vfprintf, wcslen
Exports (Name | Ordinal | Address):
DllInstall | 1 | 0x35763ebd0
DllRegisterServer | 2 | 0x35763eb70
DllUnregisterServer | 3 | 0x35763eba0
NimMain | 4 | 0x35763eb40
main | 5 | 0x357648640
Network (Timestamp | Source Port | Dest Port | Source IP | Dest IP):
Oct 26, 2024 05:36:20.414817095 CEST | 53 | 56811 | 1.1.1.1 | 192.168.2.4
Target ID:0
Start time:23:35:58
Start date:25/10/2024
Path:C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):false
Commandline:loaddll64.exe "C:\Users\user\Desktop\ZJGkxGuyIT.dll"
Imagebase:0x7ff64d9b0000
File size:165'888 bytes
MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:1
Start time:23:35:58
Start date:25/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:2
Start time:23:35:58
Start date:25/10/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ZJGkxGuyIT.dll",#1
Imagebase:0x7ff658d00000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:23:35:58
Start date:25/10/2024
Path:C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):false
Commandline:regsvr32.exe /i /s C:\Users\user\Desktop\ZJGkxGuyIT.dll
Imagebase:0x7ff78ec50000
File size:25'088 bytes
MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:23:35:58
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\ZJGkxGuyIT.dll",#1
Imagebase:0x7ff780440000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:5
Start time:23:35:58
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllInstall
Imagebase:0x7ff780440000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:6
Start time:23:36:01
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllInstall 2580
Imagebase:0x7ff780440000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:23:36:01
Start date:25/10/2024
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -u -p 6720 -s 452
Imagebase:0x7ff651ef0000
File size:570'736 bytes
MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:23:36:01
Start date:25/10/2024
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -u -p 6772 -s 400
Imagebase:0x7ff651ef0000
File size:570'736 bytes
MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:23:36:02
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllRegisterServer
Imagebase:0x7ff780440000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:13
Start time:23:36:03
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllRegisterServer 6976
Imagebase:0x7ff780440000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:14
Start time:23:36:05
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllUnregisterServer
Imagebase:0x7ff780440000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:15
Start time:23:36:06
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllUnregisterServer 6220
Imagebase:0x7ff780440000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:23:36:09
Start date:25/10/2024
Path:C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\loaddll64.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll 6296
Imagebase:0x7ff64d9b0000
File size:165'888 bytes
MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:23:36:20
Start date:25/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true


    Execution Graph

    Execution Coverage:4.8%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:29.5%
    Total number of Nodes:1803
    Total number of Limit Nodes:15
11081 7ffe0e144e70 38 API calls 11080->11081 11082 7ffe0e14c901 CreateFileA GetFileSize 11081->11082 11084 7ffe0e14c96e ReadFile 11082->11084 11085 7ffe0e14cdb6 GetProcessHeap RtlAllocateHeap 11082->11085 11094 7ffe0e14c9df 11084->11094 11095 7ffe0e14ca9d 11084->11095 11085->11095 11087 7ffe0e14cbfd 11087->10824 11088 7ffe0e136b50 33 API calls 11088->11094 11089 7ffe0e144e70 38 API calls 11089->11094 11090 7ffe0e14cb93 GetModuleHandleA GetProcAddress 11092 7ffe0e14cb84 11090->11092 11091 7ffe0e14cb22 strcmp 11091->11095 11092->11090 11092->11095 11094->11088 11094->11089 11094->11095 11485 7ffe0e13b590 11094->11485 11095->11087 11095->11090 11095->11091 11095->11092 11097 7ffe0e146005 GetCommandLineW 11096->11097 11103 7ffe0e146055 11096->11103 11492 7ffe0e137270 11097->11492 11102 7ffe0e14f010 18 API calls 11102->11103 11103->10866 11104 7ffe0e1464c0 11103->11104 11105 7ffe0e1464e2 GetCommandLineW 11104->11105 11109 7ffe0e146503 11104->11109 11106 7ffe0e137270 34 API calls 11105->11106 11108 7ffe0e1464fb 11106->11108 11107 7ffe0e146580 11110 7ffe0e150d30 32 API calls 11107->11110 11111 7ffe0e1449a0 40 API calls 11108->11111 11109->11107 11116 7ffe0e14f010 18 API calls 11109->11116 11112 7ffe0e146593 11110->11112 11111->11109 11113 7ffe0e1465b7 11112->11113 11114 7ffe0e146630 11112->11114 11115 7ffe0e136f90 33 API calls 11113->11115 11508 7ffe0e137ce0 11114->11508 11118 7ffe0e1465c7 11115->11118 11116->11109 11122 7ffe0e14f010 18 API calls 11118->11122 11139 7ffe0e1465eb 11118->11139 11119 7ffe0e14fd80 18 API calls 11123 7ffe0e1465f4 11119->11123 11120 7ffe0e146649 11121 7ffe0e137ce0 35 API calls 11120->11121 11124 7ffe0e146679 11121->11124 11122->11139 11125 7ffe0e138e60 37 API calls 11123->11125 11126 7ffe0e146760 11124->11126 11127 7ffe0e146687 11124->11127 11128 7ffe0e146616 11125->11128 11129 7ffe0e146765 11126->11129 11130 7ffe0e1467cb 11126->11130 11132 7ffe0e136b50 33 API calls 11127->11132 11140 7ffe0e14d400 _setjmp 11128->11140 11133 7ffe0e136b50 33 API 
calls 11129->11133 11131 7ffe0e136b50 33 API calls 11130->11131 11134 7ffe0e14674a 11131->11134 11135 7ffe0e1466b2 memcpy 11132->11135 11136 7ffe0e146792 11133->11136 11518 7ffe0e131680 11134->11518 11135->11134 11137 7ffe0e14672e memcpy 11135->11137 11136->11137 11137->11134 11139->11119 11141 7ffe0e14d444 11140->11141 11142 7ffe0e14d478 11140->11142 11143 7ffe0e13b7f0 38 API calls 11141->11143 11145 7ffe0e14d4d1 11142->11145 11146 7ffe0e14f010 18 API calls 11142->11146 11144 7ffe0e14d451 11143->11144 11144->10873 11145->10873 11146->11145 11148 7ffe0e139150 37 API calls 11147->11148 11149 7ffe0e146d6d 11148->11149 11150 7ffe0e146dcc 11149->11150 11151 7ffe0e146de0 memcpy 11149->11151 11154 7ffe0e146dec 11149->11154 11150->10920 11151->11154 11152 7ffe0e1472b6 11153 7ffe0e144e70 38 API calls 11152->11153 11155 7ffe0e1472d5 11153->11155 11154->11152 11156 7ffe0e147010 11154->11156 11159 7ffe0e144e70 38 API calls 11154->11159 11157 7ffe0e136b50 33 API calls 11155->11157 11158 7ffe0e144e70 38 API calls 11156->11158 11164 7ffe0e147046 11157->11164 11160 7ffe0e147024 11158->11160 11161 7ffe0e146e64 11159->11161 11162 7ffe0e136b50 33 API calls 11160->11162 11163 7ffe0e14ef30 6 API calls 11161->11163 11162->11164 11166 7ffe0e146e71 11163->11166 11546 7ffe0e14ef90 11164->11546 11165 7ffe0e14728e 11168 7ffe0e144e70 38 API calls 11165->11168 11166->11165 11167 7ffe0e144e70 38 API calls 11166->11167 11169 7ffe0e146ea9 11167->11169 11170 7ffe0e1472a9 11168->11170 11172 7ffe0e14ef30 6 API calls 11169->11172 11173 7ffe0e14ef30 6 API calls 11170->11173 11175 7ffe0e146eb6 11172->11175 11173->11152 11176 7ffe0e147270 11175->11176 11177 7ffe0e146edd 11175->11177 11179 7ffe0e144e70 38 API calls 11176->11179 11178 7ffe0e144e70 38 API calls 11177->11178 11181 7ffe0e146ef3 11178->11181 11180 7ffe0e147281 11179->11180 11182 7ffe0e14ef30 6 API calls 11180->11182 11183 7ffe0e136b50 33 API calls 11181->11183 11182->11165 11185 7ffe0e146f0d 11183->11185 11184 7ffe0e1471ed 11184->10920 
11185->11184 11186 7ffe0e146fa7 11185->11186 11534 7ffe0e14ee30 11186->11534 11189 7ffe0e14ee30 5 API calls 11190 7ffe0e146fdb fwrite 11189->11190 11192 7ffe0e147003 fflush 11190->11192 11192->11156 11557 7ffe0e136cd0 11193->11557 11195 7ffe0e14c2d4 GetModuleFileNameW 11196 7ffe0e14c2e8 11195->11196 11198 7ffe0e14c2b1 11195->11198 11199 7ffe0e13fc60 33 API calls 11196->11199 11197 7ffe0e14c330 11200 7ffe0e137270 34 API calls 11197->11200 11198->11195 11198->11197 11201 7ffe0e136cd0 33 API calls 11198->11201 11202 7ffe0e14c2fc 11199->11202 11203 7ffe0e14c33e 11200->11203 11201->11198 11565 7ffe0e146bb0 11202->11565 11205 7ffe0e13fc60 33 API calls 11203->11205 11207 7ffe0e14c352 11205->11207 11210 7ffe0e146bb0 44 API calls 11207->11210 11212 7ffe0e14c35a 11210->11212 11213 7ffe0e13fc60 33 API calls 11212->11213 11214 7ffe0e14c36e 11213->11214 11215 7ffe0e1464c0 45 API calls 11214->11215 11216 7ffe0e14c325 11215->11216 11217 7ffe0e136b50 33 API calls 11216->11217 11218 7ffe0e14c3c9 11217->11218 11219 7ffe0e14c3e5 memcpy 11218->11219 11220 7ffe0e14c860 11218->11220 11221 7ffe0e14c42b 11219->11221 11222 7ffe0e14c40b memcpy 11219->11222 11223 7ffe0e14c450 11221->11223 11224 7ffe0e14c430 memcpy 11221->11224 11222->11221 11225 7ffe0e14c475 11223->11225 11226 7ffe0e14c455 memcpy 11223->11226 11224->11223 11227 7ffe0e14c47a memcpy 11225->11227 11228 7ffe0e14c496 11225->11228 11226->11225 11227->11228 11229 7ffe0e13fc60 33 API calls 11228->11229 11240 7ffe0e14c4a7 11229->11240 11230 7ffe0e145ff0 41 API calls 11230->11240 11231 7ffe0e14c599 11232 7ffe0e13fc60 33 API calls 11231->11232 11234 7ffe0e14c5af 11232->11234 11233 7ffe0e13fc60 33 API calls 11233->11240 11236 7ffe0e137ce0 35 API calls 11234->11236 11235 7ffe0e1464c0 45 API calls 11235->11240 11237 7ffe0e14c5e8 11236->11237 11239 7ffe0e13fc60 33 API calls 11237->11239 11238 7ffe0e136b50 33 API calls 11238->11240 11244 7ffe0e14c5fe 11239->11244 11240->11230 11240->11231 11240->11233 11240->11235 11240->11238 11241 
7ffe0e14c523 memcpy 11240->11241 11242 7ffe0e14c543 memcpy 11240->11242 11243 7ffe0e14c56b memcpy 11240->11243 11241->11240 11242->11240 11243->11240 11245 7ffe0e136b50 33 API calls 11244->11245 11246 7ffe0e14c646 memcpy 11245->11246 11247 7ffe0e14c67e memcpy 11246->11247 11248 7ffe0e14c69c 11246->11248 11247->11248 11249 7ffe0e14c6bf 11248->11249 11250 7ffe0e14c6a1 memcpy 11248->11250 11251 7ffe0e14c6e4 11249->11251 11252 7ffe0e14c6c4 memcpy 11249->11252 11250->11249 11253 7ffe0e14c707 11251->11253 11254 7ffe0e14c6e9 memcpy 11251->11254 11252->11251 11255 7ffe0e136cd0 33 API calls 11253->11255 11254->11253 11256 7ffe0e14c722 11255->11256 11560 7ffe0e13c390 11256->11560 11258 7ffe0e14c7ca CreateProcessW 11258->10871 11260 7ffe0e14ef48 11259->11260 11261 7ffe0e14ee30 5 API calls 11260->11261 11262 7ffe0e14ef53 fwrite 11261->11262 11264 7ffe0e14ef7b 11262->11264 11266 7ffe0e14d052 11265->11266 11267 7ffe0e14d070 RtlAddVectoredExceptionHandler memset 11266->11267 11268 7ffe0e14d276 11266->11268 11270 7ffe0e14d0b0 CreateToolhelp32Snapshot 11267->11270 11269 7ffe0e13fc60 33 API calls 11268->11269 11271 7ffe0e14d287 11269->11271 11276 7ffe0e14d114 Thread32First 11270->11276 11277 7ffe0e14d104 11270->11277 11272 7ffe0e144e70 38 API calls 11271->11272 11273 7ffe0e14d294 GetModuleHandleA 11272->11273 11296 7ffe0e14d2bc 11273->11296 11278 7ffe0e14d3d0 11276->11278 11279 7ffe0e14d161 11276->11279 11277->10928 11280 7ffe0e13fc60 33 API calls 11278->11280 11283 7ffe0e14d16f GetCurrentProcessId 11279->11283 11284 7ffe0e14d197 CloseHandle 11279->11284 11281 7ffe0e14d3e1 11280->11281 11282 7ffe0e144e70 38 API calls 11281->11282 11287 7ffe0e14d3ee 11282->11287 11283->11279 11285 7ffe0e14d26c 11284->11285 11286 7ffe0e14d1a8 11284->11286 11626 7ffe0e14ce10 11285->11626 11289 7ffe0e14d1be OpenThread 11286->11289 11287->10928 11288 7ffe0e144e70 38 API calls 11288->11296 11289->11277 11291 7ffe0e14d1da GetThreadContext 11289->11291 11291->11277 11295 7ffe0e14d1ee 11291->11295 11292 
7ffe0e14d2ff GetProcAddress 11292->11296 11294 7ffe0e13fc60 33 API calls 11294->11296 11297 7ffe0e14d24f CloseHandle 11295->11297 11298 7ffe0e144e70 38 API calls 11295->11298 11296->11288 11296->11292 11296->11294 11299 7ffe0e13c390 35 API calls 11296->11299 11297->11285 11297->11289 11300 7ffe0e14d20c SetThreadContext 11298->11300 11301 7ffe0e14d39d RtlInitUnicodeString LdrLoadDll 11299->11301 11300->11277 11302 7ffe0e14d242 11300->11302 11301->11296 11303 7ffe0e144e70 38 API calls 11302->11303 11303->11297 11305 7ffe0e1478f0 11304->11305 11306 7ffe0e147392 11304->11306 11307 7ffe0e136b50 33 API calls 11305->11307 11308 7ffe0e136b50 33 API calls 11306->11308 11309 7ffe0e147901 11307->11309 11310 7ffe0e1473c3 11308->11310 11311 7ffe0e139150 37 API calls 11309->11311 11312 7ffe0e139150 37 API calls 11310->11312 11315 7ffe0e14741f 11311->11315 11312->11315 11313 7ffe0e139150 37 API calls 11314 7ffe0e14755f 11313->11314 11316 7ffe0e14756e 11314->11316 11317 7ffe0e1479d8 11314->11317 11315->11313 11321 7ffe0e147579 11315->11321 11322 7ffe0e147720 11315->11322 11319 7ffe0e139150 37 API calls 11316->11319 11318 7ffe0e139150 37 API calls 11317->11318 11318->11321 11319->11321 11320 7ffe0e139150 37 API calls 11320->11321 11321->11320 11321->11322 11322->10938 11324 7ffe0e14c040 11323->11324 11328 7ffe0e14bf24 11323->11328 11704 7ffe0e14a350 11324->11704 11326 7ffe0e14c047 11332 7ffe0e150d30 32 API calls 11326->11332 11327 7ffe0e14bf3e 11330 7ffe0e14bf5f 11327->11330 11331 7ffe0e14bf50 CoInitialize 11327->11331 11328->11327 11652 7ffe0e149920 11328->11652 11333 7ffe0e1507e0 32 API calls 11330->11333 11331->11330 11334 7ffe0e14c06b 11332->11334 11335 7ffe0e14bf6b 11333->11335 11336 7ffe0e146830 39 API calls 11334->11336 11339 7ffe0e147e60 37 API calls 11335->11339 11343 7ffe0e14c09c 11335->11343 11337 7ffe0e14c08d 11336->11337 11340 7ffe0e144cb0 36 API calls 11337->11340 11338 7ffe0e14fc90 37 API calls 11338->11343 11341 7ffe0e14bf9d SafeArrayCreate 11339->11341 11340->11343 
11341->11326 11344 7ffe0e14bfd3 11341->11344 11342 7ffe0e14c008 11694 7ffe0e14a190 11342->11694 11343->11338 11346 7ffe0e14fd80 18 API calls 11343->11346 11347 7ffe0e14f010 18 API calls 11343->11347 11351 7ffe0e138e60 37 API calls 11343->11351 11344->11342 11679 7ffe0e148890 11344->11679 11346->11343 11347->11343 11351->11343 11353 7ffe0e150ef0 11352->11353 11354 7ffe0e1507e0 32 API calls 11353->11354 11355 7ffe0e150f0a 11354->11355 11356 7ffe0e150f1e 11355->11356 11357 7ffe0e14fc90 37 API calls 11355->11357 11358 7ffe0e14fc90 37 API calls 11356->11358 11370 7ffe0e150f31 11356->11370 11359 7ffe0e150fd5 11357->11359 11358->11370 11359->11356 11361 7ffe0e14f010 18 API calls 11359->11361 11360 7ffe0e147e60 37 API calls 11360->11370 11361->11356 11362 7ffe0e14de4b 11372 7ffe0e14b1e0 11362->11372 11363 7ffe0e150d30 32 API calls 11363->11370 11364 7ffe0e14f010 18 API calls 11364->11370 11366 7ffe0e146830 39 API calls 11366->11370 11367 7ffe0e150f7e 11367->11362 12023 7ffe0e149470 11367->12023 11368 7ffe0e144cb0 36 API calls 11368->11370 11369 7ffe0e14fd80 18 API calls 11369->11370 11370->11360 11370->11363 11370->11364 11370->11366 11370->11367 11370->11368 11370->11369 11371 7ffe0e138e60 37 API calls 11370->11371 11371->11370 11373 7ffe0e14b45d 11372->11373 11374 7ffe0e14b219 _setjmp 11372->11374 11376 7ffe0e149920 54 API calls 11373->11376 11375 7ffe0e14b28a 11374->11375 11379 7ffe0e14b2e0 11374->11379 11378 7ffe0e14b2d3 11375->11378 11381 7ffe0e139650 59 API calls 11375->11381 11377 7ffe0e14b471 11376->11377 11377->10971 11378->10971 11384 7ffe0e14b36d 11379->11384 12046 7ffe0e14b110 11379->12046 11381->11373 11383 7ffe0e14b476 11386 7ffe0e14b110 109 API calls 11383->11386 11387 7ffe0e14b3ce 11384->11387 11388 7ffe0e149920 54 API calls 11384->11388 11385 7ffe0e14b110 109 API calls 11390 7ffe0e14b337 11385->11390 11391 7ffe0e14b483 11386->11391 11389 7ffe0e149da0 91 API calls 11387->11389 11388->11387 11389->11375 11390->11383 11392 7ffe0e14b34a 11390->11392 
11392->11384 11393 7ffe0e149920 54 API calls 11392->11393 11393->11384 11395 7ffe0e1507ff 11394->11395 11396 7ffe0e15080c 11395->11396 11397 7ffe0e14ffc0 31 API calls 11395->11397 11398 7ffe0e1327d0 12 API calls 11396->11398 11397->11396 11399 7ffe0e15081a 11398->11399 11400 7ffe0e133730 18 API calls 11399->11400 11401 7ffe0e14debe 11399->11401 11400->11401 11401->10911 11403 7ffe0e147e79 11402->11403 11404 7ffe0e147ea3 11403->11404 11405 7ffe0e139150 37 API calls 11403->11405 11407 7ffe0e139150 37 API calls 11404->11407 11411 7ffe0e147eef 11404->11411 11406 7ffe0e147e98 11405->11406 11408 7ffe0e1374c0 18 API calls 11406->11408 11409 7ffe0e147f77 11407->11409 11408->11404 11410 7ffe0e1374c0 18 API calls 11409->11410 11410->11411 11413 7ffe0e147f3a SafeArrayCreate 11411->11413 12200 7ffe0e147cf0 11411->12200 11413->10911 11413->10912 11415 7ffe0e139150 37 API calls 11414->11415 11417 7ffe0e139df8 11415->11417 11416 7ffe0e139e06 11416->10954 11417->11416 11418 7ffe0e136f20 32 API calls 11417->11418 11419 7ffe0e14f010 18 API calls 11417->11419 11420 7ffe0e139e7c memcpy 11418->11420 11419->11417 11420->11417 11422 7ffe0e14684a 11421->11422 11431 7ffe0e14688c 11421->11431 11423 7ffe0e146856 11422->11423 11425 7ffe0e150560 32 API calls 11422->11425 11424 7ffe0e14685f 11423->11424 11426 7ffe0e137040 33 API calls 11423->11426 11427 7ffe0e14693e 11424->11427 11428 7ffe0e146868 11424->11428 11425->11423 11426->11424 11430 7ffe0e137040 33 API calls 11427->11430 11428->11431 11432 7ffe0e1469a7 11428->11432 11433 7ffe0e146875 11428->11433 11429 7ffe0e136b50 33 API calls 11429->11431 11430->11432 11431->11429 11434 7ffe0e137040 33 API calls 11431->11434 11438 7ffe0e1468c1 11431->11438 11436 7ffe0e137ce0 35 API calls 11432->11436 11435 7ffe0e137040 33 API calls 11433->11435 11437 7ffe0e146a7f memcpy 11434->11437 11435->11431 11439 7ffe0e1469e6 11436->11439 11437->11431 11440 7ffe0e137040 33 API calls 11438->11440 11439->11431 11442 7ffe0e136b50 33 API calls 11439->11442 11441 
7ffe0e1468cc memcpy 11440->11441 11441->10911 11443 7ffe0e146a18 memcpy 11442->11443 11443->11431 11445 7ffe0e144cc1 11444->11445 11446 7ffe0e144ccb 11444->11446 11445->11446 11447 7ffe0e144e10 11445->11447 11448 7ffe0e1395b0 33 API calls 11446->11448 11449 7ffe0e1395b0 33 API calls 11447->11449 11450 7ffe0e144cd3 11448->11450 11449->11450 11451 7ffe0e144cdf 11450->11451 11452 7ffe0e144da8 11450->11452 11455 7ffe0e136b50 33 API calls 11451->11455 11453 7ffe0e144e20 11452->11453 11454 7ffe0e144dad 11452->11454 11457 7ffe0e136b50 33 API calls 11453->11457 11456 7ffe0e136b50 33 API calls 11454->11456 11458 7ffe0e144d0a memcpy 11455->11458 11459 7ffe0e144dd0 11456->11459 11460 7ffe0e144d95 11457->11460 11458->11460 11461 7ffe0e144d79 memcpy 11458->11461 11459->11461 11460->10911 11461->11460 11463 7ffe0e14fd90 11462->11463 11464 7ffe0e14fda6 11462->11464 11463->11464 11465 7ffe0e14f010 18 API calls 11463->11465 11464->10911 11465->11464 12206 7ffe0e13adb0 11466->12206 11468 7ffe0e13b816 11469 7ffe0e150d30 32 API calls 11468->11469 11470 7ffe0e13b837 11468->11470 11471 7ffe0e136b50 33 API calls 11468->11471 11472 7ffe0e136b50 33 API calls 11468->11472 11474 7ffe0e14fd80 18 API calls 11468->11474 11475 7ffe0e14f010 18 API calls 11468->11475 11476 7ffe0e138e60 37 API calls 11468->11476 11469->11468 11470->10966 11471->11468 11473 7ffe0e13b899 memcpy 11472->11473 11473->11468 11474->11468 11475->11468 11476->11468 11478 7ffe0e15057e 11477->11478 11479 7ffe0e15058b 11478->11479 11480 7ffe0e14ffc0 31 API calls 11478->11480 11481 7ffe0e1327d0 12 API calls 11479->11481 11480->11479 11483 7ffe0e150598 11481->11483 11482 7ffe0e13fcdd memcpy 11482->11058 11483->11482 11484 7ffe0e133730 18 API calls 11483->11484 11484->11482 11486 7ffe0e13b5ac 11485->11486 11487 7ffe0e13b738 11486->11487 11488 7ffe0e13b5d4 11486->11488 11491 7ffe0e13b60f 11486->11491 11489 7ffe0e13b74d memchr 11487->11489 11487->11491 11490 7ffe0e13b5f6 strstr 11488->11490 11488->11491 11489->11491 11490->11491 
11491->11094 11493 7ffe0e136b50 33 API calls 11492->11493 11494 7ffe0e1372a9 11493->11494 11495 7ffe0e1373f9 11494->11495 11496 7ffe0e137140 33 API calls 11494->11496 11497 7ffe0e1449a0 11495->11497 11496->11494 11500 7ffe0e1449d0 11497->11500 11498 7ffe0e136b50 33 API calls 11498->11500 11499 7ffe0e1391b0 37 API calls 11499->11500 11500->11498 11500->11499 11501 7ffe0e144b21 11500->11501 11502 7ffe0e144c58 11500->11502 11503 7ffe0e1506b0 33 API calls 11500->11503 11504 7ffe0e137140 33 API calls 11500->11504 11507 7ffe0e14f010 18 API calls 11500->11507 11501->11102 11501->11103 11505 7ffe0e136f20 32 API calls 11502->11505 11503->11500 11504->11500 11506 7ffe0e144c7d memcpy 11505->11506 11506->11501 11507->11500 11509 7ffe0e1380a0 11508->11509 11510 7ffe0e137cf9 11508->11510 11511 7ffe0e137740 35 API calls 11509->11511 11516 7ffe0e137fc9 11510->11516 11522 7ffe0e137740 11510->11522 11512 7ffe0e1380cb 11511->11512 11529 7ffe0e1374c0 11512->11529 11515 7ffe0e14f010 18 API calls 11517 7ffe0e138007 11515->11517 11516->11515 11516->11517 11517->11120 11517->11517 11520 7ffe0e131691 11518->11520 11519 7ffe0e1316b4 11519->11139 11520->11519 11521 7ffe0e14f010 18 API calls 11520->11521 11521->11519 11523 7ffe0e137830 11522->11523 11524 7ffe0e137769 11522->11524 11525 7ffe0e136b50 33 API calls 11523->11525 11526 7ffe0e137810 11524->11526 11527 7ffe0e150560 32 API calls 11524->11527 11525->11526 11526->11516 11528 7ffe0e1377cf memcpy memset 11527->11528 11528->11526 11531 7ffe0e1374d1 11529->11531 11530 7ffe0e137500 11530->11516 11531->11530 11532 7ffe0e14f010 18 API calls 11531->11532 11533 7ffe0e137515 11532->11533 11533->11516 11535 7ffe0e14ee43 11534->11535 11536 7ffe0e14eec0 11534->11536 11554 7ffe0e14e100 11535->11554 11537 7ffe0e14e100 3 API calls 11536->11537 11545 7ffe0e14eed6 11537->11545 11539 7ffe0e146fc9 11539->11189 11540 7ffe0e14eeed fputc 11540->11539 11540->11545 11541 7ffe0e14ee65 11541->11539 11542 7ffe0e14ee76 fputc 11541->11542 11544 7ffe0e14e100 3 API 
calls 11541->11544 11542->11539 11542->11541 11543 7ffe0e14e100 3 API calls 11543->11545 11544->11541 11545->11539 11545->11540 11545->11543 11547 7ffe0e14efac 11546->11547 11548 7ffe0e14ee30 5 API calls 11547->11548 11549 7ffe0e14efb7 11548->11549 11550 7ffe0e14ee30 5 API calls 11549->11550 11551 7ffe0e14efcd fwrite 11550->11551 11553 7ffe0e14eff5 11551->11553 11555 7ffe0e152370 3 API calls 11554->11555 11556 7ffe0e14e124 11555->11556 11556->11541 11558 7ffe0e136b50 33 API calls 11557->11558 11559 7ffe0e136cf5 11558->11559 11559->11198 11561 7ffe0e13c3aa MultiByteToWideChar 11560->11561 11563 7ffe0e136b50 33 API calls 11561->11563 11564 7ffe0e13c420 MultiByteToWideChar 11563->11564 11564->11258 11566 7ffe0e136cd0 33 API calls 11565->11566 11572 7ffe0e146bd2 11566->11572 11567 7ffe0e146bd8 GetCurrentDirectoryW 11568 7ffe0e146c00 GetLastError 11567->11568 11567->11572 11573 7ffe0e146480 11568->11573 11570 7ffe0e146c18 11571 7ffe0e136cd0 33 API calls 11571->11572 11572->11567 11572->11570 11572->11571 11578 7ffe0e146140 11573->11578 11575 7ffe0e146489 11576 7ffe0e138e60 37 API calls 11575->11576 11577 7ffe0e1464af 11576->11577 11577->11572 11579 7ffe0e136b50 33 API calls 11578->11579 11580 7ffe0e146160 11579->11580 11581 7ffe0e146184 FormatMessageW 11580->11581 11587 7ffe0e1461c3 11580->11587 11582 7ffe0e1463b0 11581->11582 11581->11587 11583 7ffe0e137270 34 API calls 11582->11583 11585 7ffe0e1463c5 11583->11585 11584 7ffe0e14633a 11589 7ffe0e146430 11584->11589 11590 7ffe0e146343 11584->11590 11586 7ffe0e1463d2 LocalFree 11585->11586 11585->11587 11586->11587 11588 7ffe0e14f010 18 API calls 11587->11588 11597 7ffe0e1461ea 11587->11597 11588->11597 11592 7ffe0e136f20 32 API calls 11589->11592 11591 7ffe0e1463a1 11590->11591 11595 7ffe0e136f20 32 API calls 11590->11595 11591->11575 11596 7ffe0e146441 11592->11596 11593 7ffe0e146256 11618 7ffe0e137040 11593->11618 11598 7ffe0e14635b 11595->11598 11596->11575 11597->11584 11597->11593 11611 7ffe0e137140 11597->11611 
11598->11591 11600 7ffe0e14f010 18 API calls 11598->11600 11602 7ffe0e146405 11600->11602 11601 7ffe0e14629a 11604 7ffe0e137040 33 API calls 11601->11604 11602->11575 11603 7ffe0e146268 11603->11601 11605 7ffe0e14f010 18 API calls 11603->11605 11609 7ffe0e1462de 11604->11609 11605->11601 11607 7ffe0e146310 memcpy 11607->11584 11608 7ffe0e14f010 18 API calls 11608->11593 11609->11607 11610 7ffe0e14f010 18 API calls 11609->11610 11610->11607 11612 7ffe0e137238 11611->11612 11615 7ffe0e13715a 11611->11615 11613 7ffe0e150560 32 API calls 11612->11613 11614 7ffe0e1371df 11613->11614 11614->11593 11614->11608 11615->11614 11616 7ffe0e150560 32 API calls 11615->11616 11617 7ffe0e1371b2 memcpy 11616->11617 11617->11614 11619 7ffe0e1370f8 11618->11619 11622 7ffe0e137055 11618->11622 11620 7ffe0e150560 32 API calls 11619->11620 11623 7ffe0e137117 11620->11623 11621 7ffe0e1370e6 11621->11603 11622->11621 11624 7ffe0e150560 32 API calls 11622->11624 11623->11603 11625 7ffe0e1370ba memcpy 11624->11625 11625->11621 11627 7ffe0e13fc60 33 API calls 11626->11627 11628 7ffe0e14ce36 11627->11628 11629 7ffe0e144e70 38 API calls 11628->11629 11630 7ffe0e14ce43 GetModuleHandleA 11629->11630 11632 7ffe0e13fc60 33 API calls 11630->11632 11633 7ffe0e14ce7f 11632->11633 11634 7ffe0e144e70 38 API calls 11633->11634 11642 7ffe0e14ce90 11634->11642 11635 7ffe0e14cff1 11636 7ffe0e13fc60 33 API calls 11635->11636 11638 7ffe0e14d002 11636->11638 11637 7ffe0e136b50 33 API calls 11637->11642 11639 7ffe0e144e70 38 API calls 11638->11639 11651 7ffe0e14cfe8 11639->11651 11640 7ffe0e13fc60 33 API calls 11640->11642 11641 7ffe0e144e70 38 API calls 11641->11642 11642->11635 11642->11637 11642->11640 11642->11641 11643 7ffe0e13b590 2 API calls 11642->11643 11644 7ffe0e14cf5e 11642->11644 11643->11642 11645 7ffe0e13fc60 33 API calls 11644->11645 11646 7ffe0e14cf83 11645->11646 11647 7ffe0e144e70 38 API calls 11646->11647 11650 7ffe0e14cf96 11647->11650 11648 7ffe0e13fc60 33 API calls 11648->11650 11649 
7ffe0e144e70 38 API calls 11649->11650 11650->11648 11650->11649 11650->11651 11651->10928 11653 7ffe0e149c70 11652->11653 11654 7ffe0e14993d 11652->11654 11654->11653 11655 7ffe0e136b50 33 API calls 11654->11655 11656 7ffe0e149993 11655->11656 11657 7ffe0e136b50 33 API calls 11656->11657 11658 7ffe0e1499ba 11657->11658 11778 7ffe0e13d310 11658->11778 11660 7ffe0e1499dd 11661 7ffe0e137040 33 API calls 11660->11661 11662 7ffe0e1499ec 11661->11662 11663 7ffe0e136b50 33 API calls 11662->11663 11664 7ffe0e149a14 11663->11664 11665 7ffe0e13d310 53 API calls 11664->11665 11666 7ffe0e149b10 11665->11666 11667 7ffe0e137040 33 API calls 11666->11667 11668 7ffe0e149b1f 11667->11668 11669 7ffe0e149b4e 11668->11669 11670 7ffe0e149c28 11668->11670 11671 7ffe0e149b77 11669->11671 11676 7ffe0e14f010 18 API calls 11669->11676 11672 7ffe0e136f20 32 API calls 11670->11672 11674 7ffe0e14fd80 18 API calls 11671->11674 11673 7ffe0e149c43 memcpy 11672->11673 11673->11653 11675 7ffe0e149b81 11674->11675 11677 7ffe0e138e60 37 API calls 11675->11677 11676->11671 11678 7ffe0e149ba8 11677->11678 11678->11327 11680 7ffe0e1488b3 11679->11680 11681 7ffe0e1488a4 CoInitialize 11679->11681 11682 7ffe0e1507e0 32 API calls 11680->11682 11681->11680 11683 7ffe0e1488bf 11682->11683 11689 7ffe0e1488cc 11683->11689 11872 7ffe0e14fc90 11683->11872 11684 7ffe0e1488d8 11687 7ffe0e147e60 37 API calls 11684->11687 11686 7ffe0e14fc90 37 API calls 11691 7ffe0e148954 11686->11691 11688 7ffe0e1488e9 SafeArrayPutElement 11687->11688 11688->11342 11688->11344 11689->11684 11689->11686 11690 7ffe0e14890d 11690->11689 11692 7ffe0e14f010 18 API calls 11690->11692 11691->11684 11693 7ffe0e14f010 18 API calls 11691->11693 11692->11689 11693->11684 11695 7ffe0e14a1c4 _setjmp 11694->11695 11696 7ffe0e14a338 11694->11696 11700 7ffe0e14a21a 11695->11700 11697 7ffe0e149920 54 API calls 11696->11697 11698 7ffe0e14a349 11697->11698 11698->11698 11701 7ffe0e149920 54 API calls 11700->11701 11703 7ffe0e14a322 11700->11703 11882 
7ffe0e139650 11700->11882 11908 7ffe0e149da0 11700->11908 11701->11700 11703->10941 11705 7ffe0e1395b0 33 API calls 11704->11705 11706 7ffe0e14a375 11705->11706 11707 7ffe0e14a389 _setjmp 11706->11707 11708 7ffe0e14a462 _setjmp 11706->11708 11709 7ffe0e14a580 CLRCreateInstance 11707->11709 11716 7ffe0e14a3f8 11707->11716 11712 7ffe0e14a900 CLRCreateInstance 11708->11712 11720 7ffe0e14a4f7 11708->11720 11710 7ffe0e14a700 11709->11710 11711 7ffe0e14a5aa 11709->11711 11715 7ffe0e149920 54 API calls 11710->11715 11722 7ffe0e149920 54 API calls 11711->11722 11734 7ffe0e14a5ce 11711->11734 11713 7ffe0e14a934 11712->11713 11714 7ffe0e14a926 11712->11714 11718 7ffe0e13c390 35 API calls 11713->11718 11717 7ffe0e149920 54 API calls 11714->11717 11719 7ffe0e14a70e 11715->11719 11716->11708 11716->11720 11723 7ffe0e149920 54 API calls 11716->11723 11717->11713 11726 7ffe0e14a93e 11718->11726 11719->11326 11721 7ffe0e139650 59 API calls 11720->11721 11724 7ffe0e14a563 11720->11724 11721->11710 11722->11734 11723->11708 11724->11326 11725 7ffe0e14a5fe _setjmp 11725->11734 11727 7ffe0e136ee0 33 API calls 11726->11727 11732 7ffe0e14a9b9 11726->11732 11728 7ffe0e14a988 11727->11728 12021 7ffe0e138760 memcpy 11728->12021 11730 7ffe0e14a661 _setjmp 11730->11734 11731 7ffe0e149920 54 API calls 11735 7ffe0e14ac46 11731->11735 11740 7ffe0e149920 54 API calls 11732->11740 11741 7ffe0e14aa1f 11732->11741 11777 7ffe0e14ac20 11732->11777 11733 7ffe0e14a99a 11736 7ffe0e14a9af 11733->11736 12022 7ffe0e138760 memcpy 11733->12022 11734->11720 11734->11725 11734->11730 11734->11735 11737 7ffe0e136b50 33 API calls 11734->11737 11756 7ffe0e14acc6 11734->11756 11758 7ffe0e1395b0 33 API calls 11734->11758 12016 7ffe0e13c170 11734->12016 11735->11326 11739 7ffe0e149920 54 API calls 11736->11739 11737->11734 11739->11732 11740->11741 11742 7ffe0e14aaed 11741->11742 11743 7ffe0e14aa84 11741->11743 11744 7ffe0e14ac70 11741->11744 11745 7ffe0e14ab33 11742->11745 11746 7ffe0e14ab24 CoInitialize 

    Control-flow Graph: function at 7ffe0e14f0d0 (basic blocks marked Executed / Not Executed; API calls on its paths: RtlGetVersion, memcpy, exit)
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: memcpy$ByteCharMultiWideexit$Version
    • String ID: CloseHandle$CreateFileA$GetComputerNameExA$GetCurrentProcessId$GetCurrentThreadId$GetDiskFreeSpaceExA$GetFileSize$GetModuleHandleA$GetProcAddress$GetProcessHeap$GetThreadContext$GetTickCount$GlobalMemoryStatusEx$LdrLoadDll$MultiByteToWideChar$OpenProcess$OpenThread$ReadFile$RtlAddVectoredExceptionHandler$RtlAllocateHeap$RtlInitUnicodeString$SetThreadContext$Sleep$VirtualProtect$WaitForSingleObject$T]
    • API String ID: 206777904-685478019
    • Opcode ID: 38e647b285acce572d2b06f85b1db45c1e6d2934eba878912ed0140cac11a025
    • Instruction ID: 6c2b76d9e2dcf6567f574f206e0d4934e61591816cbdcff9d8d3bd1f98a7c4b3
    • Opcode Fuzzy Hash: 38e647b285acce572d2b06f85b1db45c1e6d2934eba878912ed0140cac11a025
    • Instruction Fuzzy Hash: 726208B5F19B0781FA14ABA9E455AB923A1FF89B80F845437D98D1B7B6DE3CE011C340

    Control-flow Graph: function at 7ffe0e14d520 (basic blocks marked Executed / Not Executed; API calls on its paths: HeapCreate, VirtualProtect, LoadLibraryA, GetProcAddress, ResumeThread, Sleep, SafeArrayCreate, SafeArrayPutElement, CoInitialize, memcpy, exit)
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: memcpy$AddressCreateHeapLibraryLoadProcProtectResumeThreadVirtualexitfwritememset
    • String ID: Jo .$VariantConversionError$com.nim$toVariant
    • API String ID: 2577474293-479195221
    • Opcode ID: e79772847887c0e1f1e5046551ef7054be59b8ca2f684dc9a77833c47d3171bc
    • Instruction ID: b180b70066d2219dc2e5d860d64a013653b37e144978ef48df02bc3f3d9c8809
    • Opcode Fuzzy Hash: e79772847887c0e1f1e5046551ef7054be59b8ca2f684dc9a77833c47d3171bc
    • Instruction Fuzzy Hash: 066246A2B09B4691EB10DB60E8543BA23A1FF85B94F804137DA9E477B6DF3CE545C380

    Control-flow Graph: function at 7ffe0e14c870 (basic blocks marked Executed / Not Executed; API calls on its paths: CreateFileA, GetFileSize, ReadFile, GetProcessHeap, RtlAllocateHeap, GetModuleHandleA, GetProcAddress, strcmp)
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: memcpy$File$CreateReadSize
    • String ID:
    • API String ID: 3349561689-0
    • Opcode ID: a8202178b302e06c8707e63b6a2b76a7fa594dfccb05227361a63074442d66f1
    • Instruction ID: 9ea9f028ffebf61283f37a72def0b60319a3bec4377fd314401ede3a39822efd
    • Opcode Fuzzy Hash: a8202178b302e06c8707e63b6a2b76a7fa594dfccb05227361a63074442d66f1
    • Instruction Fuzzy Hash: 67F112A2A0E7C182EB20CB65E45477ABFA1FB85B80F098136DADE477A5DE3CD145C350

    Control-flow Graph: function at 7ffe0e146d40 (basic blocks marked Executed / Not Executed; API calls on its paths: memcpy, fwrite, fflush)
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: memcpy$fflushfwritememset
    • String ID:
    • API String ID: 361287032-0
    • Opcode ID: 06349382353ebc58b7a2661a41be20b74beb036f04aed4321b20beb69a80aee4
    • Instruction ID: e62a824232e9978068669e32ac81b505a21c45f5bba700f78786666fe0c17046
    • Opcode Fuzzy Hash: 06349382353ebc58b7a2661a41be20b74beb036f04aed4321b20beb69a80aee4
    • Instruction Fuzzy Hash: 07F1C2A2A1878282EA15CB12A9502793B61FF91BA4F090637DEED0B7F6DF3CD504D350

    Control-flow Graph: function at 7ffe0e14c1d0 (basic blocks marked Executed / Not Executed; API calls on its paths: GetModuleFileNameW, memcpy, CreateProcessW)
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: memcpy$FileModuleName
    • String ID: *7;u$p
    • API String ID: 1955653913-3490293476
    • Opcode ID: 645625445c2e909ecbe63e0be60bb5919e0017e978dff1b72ba1033b1c89a85e
    • Instruction ID: 347d2f54ae6f7b132ff34f6c40c5f5ae0114f50581e7bbe922afd297b2952dac
    • Opcode Fuzzy Hash: 645625445c2e909ecbe63e0be60bb5919e0017e978dff1b72ba1033b1c89a85e
    • Instruction Fuzzy Hash: 89022AB2B09B8692EB54DF15E4543AAB7A1FB84B84F458037DA9C0B7A9EF3CD505C340

    Control-flow Graph: function at 7ffe0e150950 (basic blocks marked Executed / Not Executed; API calls on its paths: _fileno, _setmode, LoadLibraryA, GetProcAddress, CoInitializeEx)
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: _fileno_setmode$AddressInitializeLibraryLoadProc
    • String ID: inet_ntop
    • API String ID: 2337794837-448242623
    • Opcode ID: 63bcff974b24ba70f64acc777d788e640980a957896653db4294a53ead9a9139
    • Instruction ID: 3d0441a3fd2b9ae56ad53d10fe99b28e43d44d038bf4b2224a30da2c72688827
    • Opcode Fuzzy Hash: 63bcff974b24ba70f64acc777d788e640980a957896653db4294a53ead9a9139
    • Instruction Fuzzy Hash: 81A14172A09B4A81EB119F99E8143A873A0FB89B80F948537DADC233A5DF3DE455C740

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: LibraryLoad$AddressProc
    • String ID: MultiByteToWideChar$SysStringLen$WideCharToMultiByte$kernel32$lstrlenW$oleaut32
    • API String ID: 1469910268-1955535950

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: Sleepmemcpy$CountTickexit
    • String ID:
    • API String ID: 3478675858-0

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: IsEqualGUID$ole32
    • API String ID: 2574300362-2239048069

    Control-flow Graph

    APIs
    • exit.MSVCRT(?,?,?,?,00007FFE0E1318E5,?,?,?,?,00007FFE0E17E968,?,3F000000,000001FFB6F2C260,00007FFE0E13244D,0000040F), ref: 00007FFE0E131821
    • memset.MSVCRT ref: 00007FFE0E131871
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: exitmemset
    • String ID: out of memory
    • API String ID: 2099101326-49810860

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: memcpy
    • String ID:
    • API String ID: 3510742995-0

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: memcpy$AttributesFile
    • String ID:
    • API String ID: 3559115319-0

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: AllocVirtualmemset
    • String ID:
    • API String ID: 921305906-0

    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0

    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: memset
    • String ID:
    • API String ID: 2221118986-0

    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: CreateProcessW$GetCurrentProcess$GetCurrentThread$GetProcAddress$GetProcessHeap$GetThreadContext$HeapAlloc$HeapCreate$InitializeProcThreadAttributeList$LoadLibraryA$ResumeThread$UpdateProcThreadAttribute$WaitForSingleObject$kernel32
    • API String ID: 2238633743-547029440

    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: HandleThread$CloseContext$AddressCreateCurrentExceptionFirstHandlerInitLoadModuleOpenProcProcessSnapshotStringThread32Toolhelp32UnicodeVectoredmemset
    • String ID: J*!=$jt+9
    • API String ID: 3419048117-242937532

    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: memcpy
    • String ID: , expect$ValueError$but got $ed 's', $format s$formatValue$invalid $r string$strformat.nim$tring fo$type in
    • API String ID: 3510742995-1773161451

    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: memcpy
    • String ID:
    • API String ID: 3510742995-0
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: _setjmp$CreateInstancememcpy
    • String ID:
    • API String ID: 1399768382-0
    Strings
    Similarity
    • API ID:
    • String ID: Infinity$NaN
    • API String ID: 0-4285296124
    Strings
    Similarity
    • API ID:
    • String ID: """"""""$DDDDDDDD
    • API String ID: 0-1621327129
    Strings
    • 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00007FFE0E137D1C, 00007FFE0E137F86
    • c, xrefs: 00007FFE0E137CFE
    Similarity
    • API ID:
    • String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$c
    • API String ID: 0-131350621
    Strings
    Similarity
    • API ID:
    • String ID: 33333333$UUUUUUUU
    • API String ID: 0-3483174168
    Strings
    Similarity
    • API ID:
    • String ID: @
    • API String ID: 0-2766056989
    APIs
    Similarity
    • API ID: memcpy
    • String ID:
    • API String ID: 3510742995-0
    Strings
    Similarity
    • API ID:
    • String ID: @
    • API String ID: 0-2766056989
    Strings
    • 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00007FFE0E1378A4, 00007FFE0E137AF6
    Similarity
    • API ID:
    • String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
    • API String ID: 0-2272463933
    Similarity
    • API ID: Initialize$ArraySafe_setjmp$AllocCreateElementStringmemset
    • String ID:
    • API String ID: 3120011687-0
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Similarity
    • API ID: memset
    • String ID:
    • API String ID: 2221118986-0
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    APIs
    Strings
    Similarity
    • API ID: signal$exitstrlen
    • String ID: 5$ReraiseDefect$SIGABRT: Abnormal termination.$SIGFPE: Arithmetic error.$SIGILL: Illegal operation.$SIGINT: Interrupted by Ctrl-C.$SIGSEGV: Illegal storage access. (Attempt to read from nil?)$fatal.nim$sysFatal$unknown signal
    • API String ID: 1414789275-2829261224
    APIs
    Strings
    Similarity
    • API ID: memcpy$LibraryLoad$AddressProc
    • String ID: :state$GetFileAttributesW$NtFlushInstructionCache4$OpenProcess$RtlGetVersion$cipher$dctx6$kernel32.dll$key5$remoteProcID2$tProcess1$treadHandle3
    • API String ID: 3980900384-2224378161
    APIs
    Strings
    Similarity
    • API ID: CommandLine
    • String ID: not in $ not in $ not in $0 ..$0 ..$IndexDefect$inde$os.nim$paramStr
    • API String ID: 3253501508-369068400
    • Opcode ID: 176fa0095b720560e638bb860fa3f59553cefa47951e64ab9f53068569c9af63
    • Instruction ID: c75b100ea3c77a68e98ffa9a6a52b1f7038a7919dc14654df91ce1f41104dd78
    • Opcode Fuzzy Hash: 176fa0095b720560e638bb860fa3f59553cefa47951e64ab9f53068569c9af63
    • Instruction Fuzzy Hash: 719167B2A09B4281EB11DF15E9483A97BA4FF85B94F458037DA9D0B3A5EF3CE505C380
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: FormatFreeLocalMessagememcpymemset
    • String ID: Addition$OS error$OS error$OSError$al info:$unknown $unknown
    • API String ID: 4084645559-3457963805
    • Opcode ID: e43746b6d3e31976e80ed3e78efbe06e3184e3a06d24456f847f49f2a0480dcd
    • Instruction ID: 1cccb3bbc91015aeeee5e269373db9da998e94715edf409a3f9cc118bffac880
    • Opcode Fuzzy Hash: e43746b6d3e31976e80ed3e78efbe06e3184e3a06d24456f847f49f2a0480dcd
    • Instruction Fuzzy Hash: C38189B6B09B5681EE519B19E45877E37A8FF85B88F14843BDA8C073A5EF38D544C380
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: ByteCharMultiStringWide$AllocFreeInitialize_setjmpmemcpymemset
    • String ID: specifi$ed membe$o invoke$r: $unable t
    • API String ID: 909372610-4084315218
    • Opcode ID: e426f8c4deaaf8e3db560116b79f21edf749721eaba173ae76d85139aeb9888e
    • Instruction ID: 3608184739cf9a4ce5186de14096b6b2228846c6f17fbbf68c7013223949e7e0
    • Opcode Fuzzy Hash: e426f8c4deaaf8e3db560116b79f21edf749721eaba173ae76d85139aeb9888e
    • Instruction Fuzzy Hash: E0A1B376609F8681EB60CF15E8943AAB7A4FB88B80F448136DACD47B69DF7CD454CB40
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: FormatMessageW$GetCommandLineW$GetCurrentDirectoryW$GetLastError$GetModuleFileNameW$LocalFree$kernel32
    • API String ID: 2238633743-3391179580
    • Opcode ID: 1287cbde34c9a01a5778edf70d3b897d3a7a108950112f86db042cfb1d222104
    • Instruction ID: 1a3c7d1cdd112e4c16a35ba3fc7ffd52b4cc74f30727a0f6db4887a477b311ce
    • Opcode Fuzzy Hash: 1287cbde34c9a01a5778edf70d3b897d3a7a108950112f86db042cfb1d222104
    • Instruction Fuzzy Hash: 9E312FA5B0AA0390EE45D71279544B663A1BF49BC8B84047BDCCD4B3B5EE3CA449E394
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: ArraySafe$CreateElementInitialize
    • String ID: VariantConversionError$com.nim$toVariant
    • API String ID: 2234878901-3035603046
    • Opcode ID: c08b0d58058a0f32ae0a1837bf93386a5446338a07ec94b11b969de91180961c
    • Instruction ID: 77c4aba7d489da3a5bcb68e766c46eb7d55baee26957496e03fcf80fb2983331
    • Opcode Fuzzy Hash: c08b0d58058a0f32ae0a1837bf93386a5446338a07ec94b11b969de91180961c
    • Instruction Fuzzy Hash: 1B81ADA2B0AB4295EA54AB15E8587BE67A1FF40B80F944437EACD073B1DF7CE446C340
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: ArraySafe$CreateElementInitialize
    • String ID: VariantConversionError$com.nim$toVariant
    • API String ID: 2234878901-3035603046
    • Opcode ID: 77a330c70f31aafe8eac7d8a143992661a41d3b79795a8f6de167adef57fb92c
    • Instruction ID: cf9360ad58d506b4d4411ee2f788713b9d940a7b0920e67bde18c9f8771412e8
    • Opcode Fuzzy Hash: 77a330c70f31aafe8eac7d8a143992661a41d3b79795a8f6de167adef57fb92c
    • Instruction Fuzzy Hash: 128157A2B0AB4791EB109B15E9586BE63A1FF84B84F844537DA9D073B5DF3CE845C380
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: ArraySafe$CreateElementInitialize
    • String ID: VariantConversionError$com.nim$toVariant
    • API String ID: 2234878901-3035603046
    • Opcode ID: 697b9fa782d9ff8b20fb0e63cbcfd5e65f50ec7fbf6534a61681d9b41f57343c
    • Instruction ID: 3b37c313002a21b2ad2d699b6e3e66c0c83775dd160362aac333aefe52bf781d
    • Opcode Fuzzy Hash: 697b9fa782d9ff8b20fb0e63cbcfd5e65f50ec7fbf6534a61681d9b41f57343c
    • Instruction Fuzzy Hash: 75718CA2B0AB0695EA55AB05E9587BE63A1FF44B84F844537EACD073B0DF3CE441C380
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: memcpy
    • String ID: .$ValueError$annot pa$format s$invalid $parseStandardFormatSpecifier$rse:$strformat.nim$tring, c
    • API String ID: 3510742995-876510697
    • Opcode ID: 06778b7551d1d1e2799e8a2043c97a13a64522767c93a9a919c662244adb7339
    • Instruction ID: 7776b066975a9f385217b065751afe5a250ae8ace22864d0174df733bc84a7c0
    • Opcode Fuzzy Hash: 06778b7551d1d1e2799e8a2043c97a13a64522767c93a9a919c662244adb7339
    • Instruction Fuzzy Hash: 50E1D2A2A0879596EB148B3495003E9BBA1FB157D4F488633DAAC277E9DB3CE145C390
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: strlen$memcpy
    • String ID: excepti$Error: u$nhandled$on:
    • API String ID: 3396830738-1220997370
    • Opcode ID: 620df2181a99c2d9f432fa450793f222c34056ad9a437eb17abca127aa62c4ed
    • Instruction ID: 0860cd6b5c6136fceca5f0858951ba55b5e27d08b3b4de618a5f36831518e937
    • Opcode Fuzzy Hash: 620df2181a99c2d9f432fa450793f222c34056ad9a437eb17abca127aa62c4ed
    • Instruction Fuzzy Hash: 0981C162B19A8686FB299B25D4113BA7361FF44B84F888537EB8D177E5EF2CE505C300
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: memcpy
    • String ID: VED|$VT_ARRAY$VT_ARRAY$VT_ARRAY$VT_BYREF$VT_RESER$VT_VECTO
    • API String ID: 3510742995-291823325
    • Opcode ID: aec648f9a95a20fb432d11329cea1dfd7ef1e45c34c68d363635f803f7b74143
    • Instruction ID: aee1af98b61cc4981106b5ef7f74e08e1f7bbb9a1864352cea63abcd810622de
    • Opcode Fuzzy Hash: aec648f9a95a20fb432d11329cea1dfd7ef1e45c34c68d363635f803f7b74143
    • Instruction Fuzzy Hash: 4E7158B2708B4A85EB119F15E8443AA77A4FB95B88F598037DF8D0B3A1EE7CD544C300
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: CreateToolhelp32Snapshot$Thread32First$Thread32Next$kernel32
    • API String ID: 2238633743-3935561650
    • Opcode ID: 6c442825502bc7901ecd661716a16d1c8b49b900e669c40a7a4c98e00781447f
    • Instruction ID: e2279771b7ff47ad42abcbd4b35610a98292c3fefe455890bd81f046e47ab824
    • Opcode Fuzzy Hash: 6c442825502bc7901ecd661716a16d1c8b49b900e669c40a7a4c98e00781447f
    • Instruction Fuzzy Hash: B0113DA5B0EA0390FE159722BD1457A63A1BF49B84F980877CCED473B0EE7CA046D350
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: 4b359fa39a413980578f20d51ef9706400725c07471b7bbc5a8fdffd70197d7b
    • Instruction ID: d19d629a3b53e0613472d1ea1b25a2e68c325c9ec19438d3f450bfa31d0aa70a
    • Opcode Fuzzy Hash: 4b359fa39a413980578f20d51ef9706400725c07471b7bbc5a8fdffd70197d7b
    • Instruction Fuzzy Hash: EF01C561A5AA07E0EA169B15BC505B933A5BF49788F840533DCDD43270EF3CE149D340
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: memcpy
    • String ID: ValueError$integer:$integer:$invalid $invalid $parseInt$strutils.nim
    • API String ID: 3510742995-2575869123
    • Opcode ID: 15bf003bdc77111694311591c6e8ce157c1d6e781086ecfc85e6e3deb4704f3f
    • Instruction ID: 5a9a41dc9289ddd13fb2f5b9cfcd51a7063a2017a68e2d04a786aa847ba646f9
    • Opcode Fuzzy Hash: 15bf003bdc77111694311591c6e8ce157c1d6e781086ecfc85e6e3deb4704f3f
    • Instruction Fuzzy Hash: A9413672A09B0AD1EA209F25E8547AA73A4FF48B84F848437DACD477A5EF7CE545C340
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: memcpy$memset
    • String ID:
    • API String ID: 438689982-0
    • Opcode ID: 9a95c766a421aee8bda3d61193bee614ed9ff932fcd03d974b4030aef223b19b
    • Instruction ID: 41aeaf78b52ac6210492a8ff25d33e0c52ba71c80a6da48fe58a854cd26ec7ec
    • Opcode Fuzzy Hash: 9a95c766a421aee8bda3d61193bee614ed9ff932fcd03d974b4030aef223b19b
    • Instruction Fuzzy Hash: D381C062B09A5681EE05EB25E8052BE77A1BF84F84F468533EE5D173A6EF3CE545C300
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: ArraySafe$CreateElementInitialize
    • String ID: VariantConversionError$com.nim$toVariant
    • API String ID: 2234878901-3035603046
    • Opcode ID: 9eae0cf97d50d8a67c4e201ceeba8e2c2a17758a0522804396163c04e92e8b07
    • Instruction ID: 94c0ce4550d521aa69181214f9235ea93ed49713d9e6e50d5c96af1dc0b70f1f
    • Opcode Fuzzy Hash: 9eae0cf97d50d8a67c4e201ceeba8e2c2a17758a0522804396163c04e92e8b07
    • Instruction Fuzzy Hash: 876136A2B0AB0291FA159B15A8187BE63A1FF85B84F544537DADD073B1EF3DE445C380
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: memcpy
    • String ID: to $convert $convert $convert $from
    • API String ID: 3510742995-220309676
    • Opcode ID: dc9e2aa1a007e4dd8d834762d87609655c69aa9ff4af3a690f529dd9e52cdbfa
    • Instruction ID: 46eab1de0f5cbbf42e484e6d0fad7764f6ac1a23ede92afb688f0b11b2e74fd2
    • Opcode Fuzzy Hash: dc9e2aa1a007e4dd8d834762d87609655c69aa9ff4af3a690f529dd9e52cdbfa
    • Instruction Fuzzy Hash: 9E4159B2A09B4681EB05DF15D5483987BA1FB94B80F4A8037DB9C5B3A5EFB8D510C780
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: GetForegroundWindow$GetWindowThreadProcessId$user32
    • API String ID: 2238633743-4060728576
    • Opcode ID: 099e45388bdc18e5a7f021420b8990e432f484574424dfb494841c910785b762
    • Instruction ID: 630a981e584bdba30fab39d1ae15849b5d385d5a2824ec11c675f526db689beb
    • Opcode Fuzzy Hash: 099e45388bdc18e5a7f021420b8990e432f484574424dfb494841c910785b762
    • Instruction Fuzzy Hash: 97011A65A5AB03D0EE459B22BC5457AB3A2BF49B84F88457BDCCD873B0EE3CA044C355
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: CopyFreeStringVariant_setjmpmemcpystrlen
    • String ID:
    • API String ID: 649350220-0
    • Opcode ID: 1c8747582f73588acd678ea3ed29cea2ab5c6abdbe1ab605578c608991d5d4c0
    • Instruction ID: 83f494b72e32496d6c2e9bf6150034332e80dd3b47d8dc8f56378582060d80d6
    • Opcode Fuzzy Hash: 1c8747582f73588acd678ea3ed29cea2ab5c6abdbe1ab605578c608991d5d4c0
    • Instruction Fuzzy Hash: 73D138B6A19B8681EA55CB16E4403AE73A1FBC8B94F448133EE9D077A9DF3CE441C340
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: _amsg_exit_initterm
    • String ID: 0
    • API String ID: 194249164-4108050209
    • Opcode ID: efee7c7564053665e09315d1a3c1bf29b97e43912d1bab046c58282f71b617ec
    • Instruction ID: cf483ee752bba1ee092aa0b48df9fb5434bd270b85cf89d27e2af28b6a70408b
    • Opcode Fuzzy Hash: efee7c7564053665e09315d1a3c1bf29b97e43912d1bab046c58282f71b617ec
    • Instruction Fuzzy Hash: 3D719236B09B068AEB508B65E8903AC37B1BB49B88F504436DE8D977A9CF7DE540C740
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: CopyInitializeVariant
    • String ID: VariantConversionError$com.nim$toVariant
    • API String ID: 633353902-3035603046
    • Opcode ID: d53b74f056ed678ce3979812d694a4fd568094c6bbedb9c3d2a401089230e449
    • Instruction ID: 461681aa21f6c7ccf9b375c3dad53e9ae85f69ce65ac773a99064d7fd5f7dd60
    • Opcode Fuzzy Hash: d53b74f056ed678ce3979812d694a4fd568094c6bbedb9c3d2a401089230e449
    • Instruction Fuzzy Hash: F24169A2B0A70790EA55AB19A91877E6394FF44B84F844937D9DC073B1DF3CE1468390
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: CopyInitializeVariant
    • String ID: VariantConversionError$com.nim$newVariant
    • API String ID: 633353902-805458017
    • Opcode ID: 37dc1bba5de7eb6d8a84ede9a51d855650d8d586e6755152db3d4b614f213599
    • Instruction ID: ecc9d3259361cb518f91bb8b3c38e6b09ea3a35ff29167eee4a4fd90462cc2d7
    • Opcode Fuzzy Hash: 37dc1bba5de7eb6d8a84ede9a51d855650d8d586e6755152db3d4b614f213599
    • Instruction Fuzzy Hash: 0D414EA2B0AB4794EA55AB19A91877E6394FF44B84F844537D9DC073B1DF3CE046C390
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: .~&$T]$T]
    • API String ID: 0-361263744
    • Opcode ID: 1c310ccbf74c847df73c694cb3f318e6f7db29470bae7075e5a2e3ab811cc63c
    • Instruction ID: 737f3dd802abeea36cf84ed44e215d04f3f96e6f9b70bfb8c9c50e33c4859dab
    • Opcode Fuzzy Hash: 1c310ccbf74c847df73c694cb3f318e6f7db29470bae7075e5a2e3ab811cc63c
    • Instruction Fuzzy Hash: C8C1A0A2E1874292EA50DF54E8412BA7762FF80754F944433EA8E5B7B6EF3CE905C700
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: _lock_unlock
    • String ID:
    • API String ID: 2848772494-0
    • Opcode ID: 839b6c95f21c298f95560e90b5800166fcecef062897bb39a6bf96ebd563a10a
    • Instruction ID: a91daa40c4a94aa909ffea281c5bd156041a777517c0243bf2c3d72c1b0da163
    • Opcode Fuzzy Hash: 839b6c95f21c298f95560e90b5800166fcecef062897bb39a6bf96ebd563a10a
    • Instruction Fuzzy Hash: F54198A7704B49C9EB048F6AD8813AC73A1F748BD8F448936EE6C477A8DF38D5508350
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: signal
    • String ID:
    • API String ID: 1946981877-0
    • Opcode ID: bf485fdfbc23fad22185c773462e25f357ff4534891f566f7045c9d656fb77c6
    • Instruction ID: 92b1b0121fdf782b0c5b44786352a90867d866971b827b6c1e96419257b0d640
    • Opcode Fuzzy Hash: bf485fdfbc23fad22185c773462e25f357ff4534891f566f7045c9d656fb77c6
    • Instruction Fuzzy Hash: FA112865A08A0294FA106B65E8027BA7365FF45B90FC45837E9DD173F6DF2CA262C304
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: _fileno$_setmode
    • String ID:
    • API String ID: 2194614063-0
    • Opcode ID: b8499c141844f940aab8dce16dfdacb536d3285c549e13282d0a74ac03962638
    • Instruction ID: ef0d0c46a369d3c3b4741644165682ea344c24e22cd3aecf5669e34ba1b111e4
    • Opcode Fuzzy Hash: b8499c141844f940aab8dce16dfdacb536d3285c549e13282d0a74ac03962638
    • Instruction Fuzzy Hash: FAF01C11B1455542EF08A7B2BA6437E5A96AFD9BD0F18807B8D4E473D4ED3CD8424340
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: ErrorLastexitfwritestrlen
    • String ID: (bad format; library may be wrong architecture)$could not load:
    • API String ID: 671075621-2754783905
    • Opcode ID: 117fd5a3a2a7ce401932fb2f3a82b0c514b2f1c3ea1c25d69b640083474da6a8
    • Instruction ID: 912da432add6e74778a2bdec200ba20ded235543e9cefd23af3096e229ffcebb
    • Opcode Fuzzy Hash: 117fd5a3a2a7ce401932fb2f3a82b0c514b2f1c3ea1c25d69b640083474da6a8
    • Instruction Fuzzy Hash: FD016252B1965791FE04B771E8553B86265AF85780F44413BDE8E473F6EE6CE400C301
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: AttachConsole$kernel32
    • API String ID: 2574300362-374305082
    • Opcode ID: 960aa4397a13f9497081fe059081674e85d4f086b5cc47264218468e45188bc1
    • Instruction ID: 665f73e8cd5fb583f99a231c4d618fb360f3bc216d38f9cdee39dd6ab87e9412
    • Opcode Fuzzy Hash: 960aa4397a13f9497081fe059081674e85d4f086b5cc47264218468e45188bc1
    • Instruction Fuzzy Hash: B9F09A61A4AA02C0E949DB22BC4407672E6BF88B94F84057BCCCD463B0EF3CA185C340
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: Ws2_32.dll$inet_ntop
    • API String ID: 2574300362-2739477577
    • Opcode ID: 5960f70dcc3cb8590bd01532b6b5409507b56dd736a63677e676c6170141e528
    • Instruction ID: 2770fbf9e73e83282f27653529ab8f7d835d26911a596c3faf8ff1d072e33a94
    • Opcode Fuzzy Hash: 5960f70dcc3cb8590bd01532b6b5409507b56dd736a63677e676c6170141e528
    • Instruction Fuzzy Hash: 08E04224A5AA53C1EA5A9B15AD500A463E1BF59700F90407BC88D423B0EF7CA559C750
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: memcpymemset
    • String ID: [[rerais$]]$ed from:
    • API String ID: 1297977491-96586220
    • Opcode ID: 90a0d65fc59c30596d76e004c169f122685fd9251a9e3b138b75c5044e9bbe11
    • Instruction ID: f7c80199c0b70cb48b408c1629cdcee2bae7ae9cbfd1150b626d2d80fd41c999
    • Opcode Fuzzy Hash: 90a0d65fc59c30596d76e004c169f122685fd9251a9e3b138b75c5044e9bbe11
    • Instruction Fuzzy Hash: 27E18776A09B8681EA648F25E4003AE77A8FB49B98F544637EEAD077E0DF3DD545C300
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: memcpymemset
    • String ID: CLRError$clr.nim$clrError
    • API String ID: 1297977491-2830349459
    • Opcode ID: 10f23ab442f7161de1a4e5cab30c6324a6b80ed03321f59bc245b0addc95e8d4
    • Instruction ID: 8a7f37976afbcc7d8265fd4e740e01cbcc64f7f71c5c44684600640f3594a22a
    • Opcode Fuzzy Hash: 10f23ab442f7161de1a4e5cab30c6324a6b80ed03321f59bc245b0addc95e8d4
    • Instruction Fuzzy Hash: 3D91D6A2A0CB8685E7118B15D8006BE3BA0FB557A4F554272DFEC0B7E2DE3CE550C350
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: virtualFree failing!
    • API String ID: 0-3108117800
    • Opcode ID: 0147eb758d93df5900c16ac84850479e79e40d14cf0588b13aa4d51046a2b85b
    • Instruction ID: a6150c2ef07ea4b7b117c1b4b172c77d97d92af8be1a8ce848d3802047161daa
    • Opcode Fuzzy Hash: 0147eb758d93df5900c16ac84850479e79e40d14cf0588b13aa4d51046a2b85b
    • Instruction Fuzzy Hash: CB81AEB2A05B4680EB18CB25E9457B933A2FF54B94F518236DEAD073A4EF7DE185C340
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID: virtualFree failing!
    • API String ID: 0-3108117800
    • Opcode ID: 39050be00d2c71d6c1b79541cb4b9b738faebff94102a6b652ad7961b740deac
    • Instruction ID: c20db5cccaff5d85b454a73eb6533fbe1eb464e1ca1d6cb2a88ac849398377a4
    • Opcode Fuzzy Hash: 39050be00d2c71d6c1b79541cb4b9b738faebff94102a6b652ad7961b740deac
    • Instruction Fuzzy Hash: 5961CEB2A05B4680FA28CB25E8457B973A2FF54B94F558236DE9D033A4EF7DE185C340
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000000.00000002.1793972669.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794096360.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794182859.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794270427.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794320655.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794435960.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794491096.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794516403.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1794542521.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: FreeVirtualexit
    • String ID: virtualFree failing!
    • API String ID: 1212090140-3108117800
    • Opcode ID: e24e67ac07752086788b380265c5cd36709ef847bbd2efcd059adf36909927b0
    • Instruction ID: 3f980147961cdb566abdf14ee684a89b7d0b399b74ba98bcae9804b30cfabae2
    • Opcode Fuzzy Hash: e24e67ac07752086788b380265c5cd36709ef847bbd2efcd059adf36909927b0
    • Instruction Fuzzy Hash: 6351A0B2B15B4584EE19CB25C458BA833A6FB44790F62C23ADABD473A4EF79D5848340
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1794036043.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe0e130000_loaddll64.jbxd
    Similarity
    • API ID: FreeVirtualexit
    • String ID: virtualFree failing!
    • API String ID: 1212090140-3108117800

    Execution Graph

    Execution Coverage: 2.4%
    Dynamic/Decrypted Code Coverage: 0%
    Signature Coverage: 0%
    Total number of Nodes: 1814
    Total number of Limit Nodes: 12
11732 7ffe0e14f010 18 API calls 11730->11732 11731->11723 11732->11729 11734 7ffe0e14a1c4 _setjmp 11733->11734 11735 7ffe0e14a338 11733->11735 11740 7ffe0e14a21a 11734->11740 11736 7ffe0e149920 54 API calls 11735->11736 11737 7ffe0e14a349 11736->11737 11737->11737 11739 7ffe0e149920 54 API calls 11739->11740 11740->11739 11742 7ffe0e14a322 11740->11742 11921 7ffe0e139650 11740->11921 11947 7ffe0e149da0 11740->11947 11742->10979 11744 7ffe0e1395b0 33 API calls 11743->11744 11745 7ffe0e14a375 11744->11745 11746 7ffe0e14a389 _setjmp 11745->11746 11747 7ffe0e14a462 _setjmp 11745->11747 11748 7ffe0e14a580 CLRCreateInstance 11746->11748 11749 7ffe0e14a3f8 11746->11749 11751 7ffe0e14a900 CLRCreateInstance 11747->11751 11752 7ffe0e14a4f7 11747->11752 11750 7ffe0e14a700 11748->11750 11759 7ffe0e14a5aa 11748->11759 11749->11747 11749->11752 11761 7ffe0e149920 54 API calls 11749->11761 11753 7ffe0e149920 54 API calls 11750->11753 11754 7ffe0e14a934 11751->11754 11755 7ffe0e14a926 11751->11755 11760 7ffe0e139650 59 API calls 11752->11760 11763 7ffe0e14a563 11752->11763 11757 7ffe0e14a70e 11753->11757 11756 7ffe0e13c390 35 API calls 11754->11756 11758 7ffe0e149920 54 API calls 11755->11758 11765 7ffe0e14a93e 11756->11765 11757->11365 11758->11754 11762 7ffe0e149920 54 API calls 11759->11762 11802 7ffe0e14a5ce 11759->11802 11760->11750 11761->11747 11762->11802 11763->11365 11764 7ffe0e14a5fe _setjmp 11764->11802 11766 7ffe0e136ee0 33 API calls 11765->11766 11769 7ffe0e14a9b9 11765->11769 11768 7ffe0e14a988 11766->11768 11767 7ffe0e14ac20 11772 7ffe0e149920 54 API calls 11767->11772 12060 7ffe0e138760 memcpy 11768->12060 11769->11767 11777 7ffe0e149920 54 API calls 11769->11777 11778 7ffe0e14aa1f 11769->11778 11771 7ffe0e14a661 _setjmp 11771->11802 11788 7ffe0e14ac46 11772->11788 11773 7ffe0e14a99a 11774 7ffe0e14a9af 11773->11774 12061 7ffe0e138760 memcpy 11773->12061 11776 7ffe0e149920 54 API calls 11774->11776 11776->11769 11777->11778 11779 7ffe0e14aa84 11778->11779 11780 
7ffe0e14ac70 11778->11780 11782 7ffe0e14aaed 11778->11782 11786 7ffe0e14ac7e 11779->11786 11805 7ffe0e14aab3 11779->11805 11783 7ffe0e149920 54 API calls 11780->11783 11781 7ffe0e136b50 33 API calls 11781->11802 11784 7ffe0e14ab33 11782->11784 11785 7ffe0e14ab24 CoInitialize 11782->11785 11783->11786 11787 7ffe0e1507e0 32 API calls 11784->11787 11785->11784 11790 7ffe0e149920 54 API calls 11786->11790 11789 7ffe0e14ab3f 11787->11789 11788->11365 11792 7ffe0e14ad31 11789->11792 11793 7ffe0e14ab60 11789->11793 11794 7ffe0e14acc6 11789->11794 11796 7ffe0e14ac96 11790->11796 11795 7ffe0e14fc90 37 API calls 11792->11795 11797 7ffe0e147e60 37 API calls 11793->11797 11798 7ffe0e14fc90 37 API calls 11794->11798 11808 7ffe0e14ad45 11795->11808 11806 7ffe0e149920 54 API calls 11796->11806 11801 7ffe0e14ab71 11797->11801 11811 7ffe0e14acfd 11798->11811 11799 7ffe0e14acae 11803 7ffe0e149920 54 API calls 11799->11803 11800 7ffe0e1395b0 33 API calls 11800->11802 11804 7ffe0e14b1e0 103 API calls 11801->11804 11802->11752 11802->11764 11802->11771 11802->11781 11802->11788 11802->11794 11802->11800 11802->11802 12055 7ffe0e13c170 11802->12055 11803->11794 11807 7ffe0e14abbd 11804->11807 11805->11782 11805->11796 11805->11799 11806->11799 11809 7ffe0e14b1e0 103 API calls 11807->11809 11808->11788 11810 7ffe0e14f010 18 API calls 11808->11810 11812 7ffe0e14abe9 11809->11812 11810->11788 11811->11792 11813 7ffe0e14f010 18 API calls 11811->11813 11814 7ffe0e14b1e0 103 API calls 11812->11814 11813->11792 11815 7ffe0e14ac11 11814->11815 11816 7ffe0e131680 18 API calls 11815->11816 11816->11767 11844 7ffe0e13ca70 11817->11844 11819 7ffe0e13d362 11858 7ffe0e1395b0 11819->11858 11822 7ffe0e150d30 32 API calls 11824 7ffe0e13d57b 11822->11824 11829 7ffe0e136b50 33 API calls 11824->11829 11825 7ffe0e13d4eb 11826 7ffe0e13d690 11825->11826 11827 7ffe0e13d4f7 11825->11827 11831 7ffe0e137040 33 API calls 11826->11831 11830 7ffe0e137040 33 API calls 11827->11830 11828 7ffe0e13d37e 11832 
7ffe0e14f010 18 API calls 11828->11832 11838 7ffe0e14fd80 18 API calls 11828->11838 11839 7ffe0e13d396 11828->11839 11842 7ffe0e13d4cf 11828->11842 11843 7ffe0e138e60 37 API calls 11828->11843 11829->11828 11833 7ffe0e13d503 11830->11833 11834 7ffe0e13d69b 11831->11834 11832->11828 11835 7ffe0e1374c0 18 API calls 11833->11835 11836 7ffe0e1374c0 18 API calls 11834->11836 11840 7ffe0e13d50e memcpy 11835->11840 11841 7ffe0e13d6a6 11836->11841 11837 7ffe0e137740 35 API calls 11837->11842 11838->11828 11839->11837 11839->11842 11840->11699 11841->11699 11863 7ffe0e13cfc0 11842->11863 11843->11828 11856 7ffe0e13cacc 11844->11856 11845 7ffe0e136b50 33 API calls 11847 7ffe0e13cd9a memcpy 11845->11847 11846 7ffe0e13ce65 11846->11819 11848 7ffe0e13ce36 11847->11848 11849 7ffe0e13ce1b 11847->11849 11850 7ffe0e14fd80 18 API calls 11848->11850 11849->11848 11853 7ffe0e14f010 18 API calls 11849->11853 11852 7ffe0e13ce43 11850->11852 11851 7ffe0e150d30 32 API calls 11851->11856 11854 7ffe0e138e60 37 API calls 11852->11854 11853->11848 11854->11846 11855 7ffe0e136b50 33 API calls 11855->11856 11856->11846 11856->11851 11856->11855 11857 7ffe0e13cc8f 11856->11857 11857->11845 11859 7ffe0e139610 11858->11859 11860 7ffe0e1395c0 11858->11860 11859->11822 11859->11828 11860->11859 11861 7ffe0e150560 32 API calls 11860->11861 11862 7ffe0e1395e6 memcpy 11861->11862 11862->11859 11864 7ffe0e13d0f8 11863->11864 11865 7ffe0e13cfea 11863->11865 11867 7ffe0e136b50 33 API calls 11864->11867 11865->11864 11866 7ffe0e13d1f5 11865->11866 11870 7ffe0e13d027 11865->11870 11868 7ffe0e136b50 33 API calls 11866->11868 11869 7ffe0e13d15b 11867->11869 11871 7ffe0e13d22a memset 11868->11871 11872 7ffe0e13d176 11869->11872 11873 7ffe0e13d166 memset 11869->11873 11874 7ffe0e136b50 33 API calls 11870->11874 11875 7ffe0e13d24f 11871->11875 11881 7ffe0e13d2a0 11871->11881 11877 7ffe0e136b50 33 API calls 11872->11877 11873->11872 11878 7ffe0e13d057 memset 11874->11878 11879 7ffe0e136ee0 33 API calls 
11875->11879 11876 7ffe0e136ee0 33 API calls 11876->11881 11880 7ffe0e13d19f 11877->11880 11878->11881 11882 7ffe0e13d079 11878->11882 11883 7ffe0e13d257 memcpy 11879->11883 11885 7ffe0e13d1ba 11880->11885 11886 7ffe0e13d1aa memset 11880->11886 11881->11876 11884 7ffe0e13d27d memcpy 11881->11884 11888 7ffe0e136b50 33 API calls 11881->11888 11887 7ffe0e136b50 33 API calls 11882->11887 11883->11884 11884->11881 11890 7ffe0e13d2f0 11885->11890 11891 7ffe0e13d1c6 11885->11891 11886->11885 11892 7ffe0e13d095 memcpy memcpy 11887->11892 11889 7ffe0e13d2ab memcpy 11888->11889 11889->11881 11893 7ffe0e136ee0 33 API calls 11890->11893 11904 7ffe0e136ee0 11891->11904 11892->11825 11895 7ffe0e13d2f8 11893->11895 11910 7ffe0e138760 memcpy 11895->11910 11899 7ffe0e13d1df 11908 7ffe0e138760 memcpy 11899->11908 11900 7ffe0e13d306 11900->11900 11902 7ffe0e13d1ea 11909 7ffe0e138760 memcpy 11902->11909 11905 7ffe0e136b50 33 API calls 11904->11905 11906 7ffe0e136f04 11905->11906 11907 7ffe0e138760 memcpy 11906->11907 11907->11899 11908->11902 11909->11866 11910->11900 11912 7ffe0e136b50 33 API calls 11911->11912 11913 7ffe0e14fca8 11912->11913 11914 7ffe0e14fcdd 11913->11914 11916 7ffe0e14f010 18 API calls 11913->11916 11915 7ffe0e139150 37 API calls 11914->11915 11918 7ffe0e14fd02 11915->11918 11916->11914 11917 7ffe0e14fd3d 11917->11728 11918->11917 11919 7ffe0e14f010 18 API calls 11918->11919 11920 7ffe0e14fd55 11919->11920 11920->11728 11922 7ffe0e139671 11921->11922 11923 7ffe0e139662 longjmp 11921->11923 11978 7ffe0e1389d0 11922->11978 11923->11922 11925 7ffe0e139691 exit 11926 7ffe0e1396d0 11925->11926 11927 7ffe0e139843 11926->11927 11928 7ffe0e1396f5 11926->11928 11929 7ffe0e1390c0 37 API calls 11927->11929 11930 7ffe0e136b50 33 API calls 11928->11930 11931 7ffe0e139848 11929->11931 11937 7ffe0e139701 11930->11937 11932 7ffe0e1398a5 11931->11932 11933 7ffe0e13988c 11931->11933 11934 7ffe0e1390c0 37 API calls 11932->11934 11935 7ffe0e136b50 33 API calls 11933->11935 11936 
7ffe0e1398aa 11934->11936 11938 7ffe0e139898 11935->11938 11939 7ffe0e139a60 11936->11939 11940 7ffe0e1398c5 11936->11940 11937->11740 11938->11740 11944 7ffe0e139150 37 API calls 11939->11944 11946 7ffe0e1398e0 11939->11946 11941 7ffe0e1398d1 11940->11941 11942 7ffe0e139a40 11940->11942 11945 7ffe0e139150 37 API calls 11941->11945 11943 7ffe0e139150 37 API calls 11942->11943 11943->11946 11944->11946 11945->11946 11946->11740 11948 7ffe0e13c390 35 API calls 11947->11948 11949 7ffe0e149ddb SysAllocString _setjmp 11948->11949 11958 7ffe0e149e4c 11949->11958 11975 7ffe0e14a038 SysFreeString 11949->11975 11950 7ffe0e14a0b5 12027 7ffe0e148270 11950->12027 11953 7ffe0e14a082 11953->11740 11954 7ffe0e14a0b0 11956 7ffe0e139650 59 API calls 11954->11956 11955 7ffe0e14a0d3 11962 7ffe0e14fc90 37 API calls 11955->11962 11956->11950 11957 7ffe0e149fc4 11959 7ffe0e149fee CoInitialize 11957->11959 11960 7ffe0e149ffd 11957->11960 11958->11950 11958->11957 11963 7ffe0e136b50 33 API calls 11958->11963 11977 7ffe0e14a174 11958->11977 11959->11960 11961 7ffe0e1507e0 32 API calls 11960->11961 11964 7ffe0e14a009 11961->11964 11965 7ffe0e14a13d 11962->11965 11966 7ffe0e149f2b 11963->11966 11964->11955 11967 7ffe0e14a14c 11964->11967 11973 7ffe0e147e60 37 API calls 11964->11973 11968 7ffe0e131680 18 API calls 11965->11968 11969 7ffe0e149f83 memcpy 11966->11969 11970 7ffe0e149fba 11966->11970 11971 7ffe0e14fc90 37 API calls 11967->11971 11968->11967 11969->11970 11972 7ffe0e149920 54 API calls 11970->11972 11974 7ffe0e14a165 11971->11974 11972->11957 11973->11975 11976 7ffe0e131680 18 API calls 11974->11976 11975->11953 11975->11954 11976->11977 11979 7ffe0e138a12 11978->11979 11980 7ffe0e138a08 11978->11980 11984 7ffe0e138a63 memcpy 11979->11984 11992 7ffe0e138a82 11979->11992 11993 7ffe0e138b39 11979->11993 11980->11979 11994 7ffe0e1381d0 11980->11994 11982 7ffe0e138a8f 11985 7ffe0e138aab strlen 11982->11985 11988 7ffe0e138ac6 11982->11988 11983 7ffe0e138c06 11986 7ffe0e138c13 strlen 
11983->11986 11983->11988 11984->11992 11987 7ffe0e138c2e memcpy strlen 11985->11987 11985->11988 11986->11987 11986->11988 11987->11988 11988->11987 11989 7ffe0e138aec strlen 11988->11989 11988->11993 12007 7ffe0e138800 11988->12007 11991 7ffe0e150560 32 API calls 11989->11991 11991->11988 11992->11982 11992->11983 11993->11925 11995 7ffe0e136b50 33 API calls 11994->11995 11998 7ffe0e1381f9 11995->11998 11996 7ffe0e138572 11996->11979 11997 7ffe0e137040 33 API calls 11997->11998 11998->11996 11998->11997 11999 7ffe0e137140 33 API calls 11998->11999 12000 7ffe0e137ce0 35 API calls 11998->12000 12001 7ffe0e150560 32 API calls 11998->12001 12002 7ffe0e14ffc0 31 API calls 11998->12002 12003 7ffe0e1327d0 12 API calls 11998->12003 12004 7ffe0e14f010 18 API calls 11998->12004 12005 7ffe0e13845a memcpy 11998->12005 12006 7ffe0e133730 18 API calls 11998->12006 11999->11998 12000->11998 12001->11998 12002->11998 12003->11998 12004->11998 12005->11998 12006->11998 12008 7ffe0e138835 _setjmp 12007->12008 12009 7ffe0e1388f7 12007->12009 12008->12009 12011 7ffe0e138920 12008->12011 12010 7ffe0e138904 12009->12010 12012 7ffe0e1389a3 fwrite fflush 12009->12012 12010->11988 12011->12009 12014 7ffe0e139290 12011->12014 12012->12010 12015 7ffe0e1392a5 12014->12015 12016 7ffe0e150d30 32 API calls 12015->12016 12017 7ffe0e1392c6 12016->12017 12018 7ffe0e136f90 33 API calls 12017->12018 12019 7ffe0e1392ea 12018->12019 12020 7ffe0e13930f 12019->12020 12022 7ffe0e14f010 18 API calls 12019->12022 12021 7ffe0e138e60 37 API calls 12020->12021 12023 7ffe0e139331 strlen 12021->12023 12022->12020 12025 7ffe0e138800 40 API calls 12023->12025 12026 7ffe0e1393a3 exit signal signal signal signal 12025->12026 12028 7ffe0e14829f 12027->12028 12029 7ffe0e148290 CoInitialize 12027->12029 12030 7ffe0e1507e0 32 API calls 12028->12030 12029->12028 12031 7ffe0e1482ab 12030->12031 12033 7ffe0e147e60 37 API calls 12031->12033 12034 7ffe0e148439 12031->12034 12032 7ffe0e14fc90 37 API calls 12032->12034 12035 
7ffe0e1482df SafeArrayCreate 12033->12035 12034->12032 12052 7ffe0e14f010 18 API calls 12034->12052 12053 7ffe0e14fd80 18 API calls 12034->12053 12054 7ffe0e138e60 37 API calls 12034->12054 12036 7ffe0e148316 12035->12036 12037 7ffe0e1483f8 12035->12037 12040 7ffe0e148327 12036->12040 12041 7ffe0e1483c8 12036->12041 12046 7ffe0e148363 12036->12046 12038 7ffe0e150d30 32 API calls 12037->12038 12039 7ffe0e14840b 12038->12039 12043 7ffe0e146830 39 API calls 12039->12043 12044 7ffe0e148336 12040->12044 12045 7ffe0e148378 SafeArrayPutElement 12040->12045 12042 7ffe0e1483d0 SafeArrayPutElement 12041->12042 12042->12042 12042->12046 12047 7ffe0e14842a 12043->12047 12048 7ffe0e1483a0 SafeArrayPutElement 12044->12048 12049 7ffe0e14833b 12044->12049 12045->12045 12045->12046 12046->11955 12051 7ffe0e144cb0 36 API calls 12047->12051 12048->12046 12048->12048 12050 7ffe0e148340 SafeArrayPutElement 12049->12050 12050->12046 12050->12050 12051->12034 12052->12034 12053->12034 12054->12034 12056 7ffe0e13c238 12055->12056 12057 7ffe0e13c18e WideCharToMultiByte 12055->12057 12056->11802 12058 7ffe0e136b50 33 API calls 12057->12058 12059 7ffe0e13c1f1 WideCharToMultiByte 12058->12059 12059->12056 12060->11773 12061->11774 12063 7ffe0e149494 12062->12063 12064 7ffe0e149485 CoInitialize 12062->12064 12065 7ffe0e1507e0 32 API calls 12063->12065 12064->12063 12066 7ffe0e1494a0 12065->12066 12067 7ffe0e14fc90 37 API calls 12066->12067 12072 7ffe0e1494b1 12066->12072 12073 7ffe0e149535 12067->12073 12068 7ffe0e1494c1 12069 7ffe0e147e60 37 API calls 12068->12069 12071 7ffe0e1494d2 12069->12071 12070 7ffe0e14fc90 37 API calls 12075 7ffe0e149580 12070->12075 12080 7ffe0e13c2c0 12071->12080 12072->12068 12072->12070 12073->12072 12076 7ffe0e14f010 18 API calls 12073->12076 12075->12068 12078 7ffe0e14f010 18 API calls 12075->12078 12076->12072 12078->12068 12081 7ffe0e13c369 SysAllocString 12080->12081 12082 7ffe0e13c2dd MultiByteToWideChar 12080->12082 12081->11407 12083 7ffe0e136b50 33 API 
calls 12082->12083 12084 7ffe0e13c334 MultiByteToWideChar 12083->12084 12084->12081 12096 7ffe0e14afd0 12085->12096 12087 7ffe0e14b122 12088 7ffe0e14b13f 12087->12088 12089 7ffe0e149920 54 API calls 12087->12089 12090 7ffe0e14a190 92 API calls 12088->12090 12089->12088 12091 7ffe0e14b167 12090->12091 12092 7ffe0e14b191 12091->12092 12093 7ffe0e149920 54 API calls 12091->12093 12111 7ffe0e1486a0 12092->12111 12093->12092 12095 7ffe0e14b1b6 12095->11425 12095->11430 12097 7ffe0e14afe0 12096->12097 12098 7ffe0e14aff8 12096->12098 12100 7ffe0e14afec 12097->12100 12143 7ffe0e14b640 12097->12143 12099 7ffe0e14a350 110 API calls 12098->12099 12099->12097 12100->12087 12103 7ffe0e14b1e0 110 API calls 12104 7ffe0e14b070 12103->12104 12105 7ffe0e149470 41 API calls 12104->12105 12106 7ffe0e14b088 12105->12106 12107 7ffe0e14b1e0 110 API calls 12106->12107 12109 7ffe0e14b0b0 12107->12109 12108 7ffe0e14b0dc 12108->12087 12109->12108 12110 7ffe0e14f010 18 API calls 12109->12110 12110->12108 12112 7ffe0e1486c6 12111->12112 12113 7ffe0e1486b7 CoInitialize 12111->12113 12114 7ffe0e1507e0 32 API calls 12112->12114 12113->12112 12115 7ffe0e1486d2 12114->12115 12117 7ffe0e1486f3 12115->12117 12118 7ffe0e1487d0 12115->12118 12123 7ffe0e1487d5 12115->12123 12116 7ffe0e14fc90 37 API calls 12119 7ffe0e148815 12116->12119 12120 7ffe0e147e60 37 API calls 12117->12120 12121 7ffe0e14fc90 37 API calls 12118->12121 12126 7ffe0e148860 12119->12126 12138 7ffe0e148761 12119->12138 12122 7ffe0e148704 VariantCopy 12120->12122 12121->12123 12124 7ffe0e148714 12122->12124 12125 7ffe0e148728 12122->12125 12123->12116 12129 7ffe0e148865 12123->12129 12124->12095 12127 7ffe0e150d30 32 API calls 12125->12127 12128 7ffe0e14f010 18 API calls 12126->12128 12130 7ffe0e14873b 12127->12130 12128->12129 12132 7ffe0e14f010 18 API calls 12129->12132 12131 7ffe0e146830 39 API calls 12130->12131 12134 7ffe0e148757 12131->12134 12135 7ffe0e14887d 12132->12135 12133 7ffe0e14f010 18 API calls 12136 7ffe0e148791 
12133->12136 12137 7ffe0e144cb0 36 API calls 12134->12137 12139 7ffe0e14fd80 18 API calls 12136->12139 12137->12138 12138->12133 12138->12136 12140 7ffe0e14879e 12139->12140 12141 7ffe0e138e60 37 API calls 12140->12141 12142 7ffe0e1487c0 12141->12142 12142->12095 12201 7ffe0e14adb0 12143->12201 12145 7ffe0e14b686 12147 7ffe0e149470 41 API calls 12145->12147 12194 7ffe0e14b8e7 12145->12194 12146 7ffe0e149920 54 API calls 12146->12194 12148 7ffe0e14b6f4 12147->12148 12224 7ffe0e148560 12148->12224 12149 7ffe0e149470 41 API calls 12149->12194 12152 7ffe0e148560 38 API calls 12152->12194 12153 7ffe0e14b1e0 110 API calls 12154 7ffe0e14b74a 12153->12154 12156 7ffe0e150ed0 50 API calls 12154->12156 12155 7ffe0e14b1e0 110 API calls 12155->12194 12157 7ffe0e14b758 12156->12157 12159 7ffe0e148270 52 API calls 12157->12159 12158 7ffe0e150ed0 50 API calls 12158->12194 12160 7ffe0e14b772 12159->12160 12161 7ffe0e149470 41 API calls 12160->12161 12162 7ffe0e14b7d1 12161->12162 12163 7ffe0e148560 38 API calls 12162->12163 12164 7ffe0e14b7dd 12163->12164 12165 7ffe0e14b1e0 110 API calls 12164->12165 12166 7ffe0e14b82d 12165->12166 12167 7ffe0e149470 41 API calls 12166->12167 12168 7ffe0e14b841 12167->12168 12169 7ffe0e14b1e0 110 API calls 12168->12169 12170 7ffe0e14b869 12169->12170 12172 7ffe0e14b87b 12170->12172 12173 7ffe0e14bd48 12170->12173 12171 7ffe0e14bc38 12174 7ffe0e148560 38 API calls 12171->12174 12175 7ffe0e148560 38 API calls 12172->12175 12176 7ffe0e148560 38 API calls 12173->12176 12177 7ffe0e14bc48 12174->12177 12178 7ffe0e14b889 12175->12178 12179 7ffe0e14bd52 12176->12179 12180 7ffe0e14b1e0 110 API calls 12177->12180 12181 7ffe0e14b1e0 110 API calls 12178->12181 12182 7ffe0e14b1e0 110 API calls 12179->12182 12183 7ffe0e14bc70 12180->12183 12184 7ffe0e14b8b1 12181->12184 12185 7ffe0e14bd7a 12182->12185 12186 7ffe0e149470 41 API calls 12183->12186 12187 7ffe0e136b50 33 API calls 12184->12187 12188 7ffe0e136b50 33 API calls 12185->12188 12189 7ffe0e14bc86 
12186->12189 12187->12194 12188->12194 12190 7ffe0e14b1e0 110 API calls 12189->12190 12191 7ffe0e14bcae 12190->12191 12192 7ffe0e148560 38 API calls 12191->12192 12193 7ffe0e14bcc1 12192->12193 12195 7ffe0e14b1e0 110 API calls 12193->12195 12194->12146 12194->12149 12194->12152 12194->12155 12194->12158 12194->12171 12194->12194 12196 7ffe0e14bce9 12195->12196 12197 7ffe0e149470 41 API calls 12196->12197 12198 7ffe0e14bcff 12197->12198 12199 7ffe0e14b1e0 110 API calls 12198->12199 12200 7ffe0e14b044 12199->12200 12200->12103 12202 7ffe0e14afb8 12201->12202 12203 7ffe0e14add8 _setjmp 12201->12203 12204 7ffe0e14a350 109 API calls 12202->12204 12207 7ffe0e14aea0 12203->12207 12208 7ffe0e14ae0b 12203->12208 12205 7ffe0e14afbf 12204->12205 12205->12205 12206 7ffe0e14ae6a 12212 7ffe0e139290 46 API calls 12206->12212 12222 7ffe0e14ae8b 12206->12222 12207->12206 12213 7ffe0e14af0c 12207->12213 12217 7ffe0e149920 54 API calls 12207->12217 12209 7ffe0e14ae2c 12208->12209 12210 7ffe0e149920 54 API calls 12208->12210 12211 7ffe0e149470 41 API calls 12209->12211 12210->12209 12215 7ffe0e14ae42 12211->12215 12216 7ffe0e14afa6 12212->12216 12214 7ffe0e149470 41 API calls 12213->12214 12218 7ffe0e14af22 12214->12218 12219 7ffe0e14a190 92 API calls 12215->12219 12216->12145 12217->12213 12220 7ffe0e14a190 92 API calls 12218->12220 12219->12206 12221 7ffe0e14af4a 12220->12221 12221->12206 12223 7ffe0e14f010 18 API calls 12221->12223 12222->12145 12223->12206 12225 7ffe0e148583 12224->12225 12226 7ffe0e148574 CoInitialize 12224->12226 12227 7ffe0e1507e0 32 API calls 12225->12227 12226->12225 12228 7ffe0e14858f 12227->12228 12229 7ffe0e14fc90 37 API calls 12228->12229 12235 7ffe0e14859c 12228->12235 12232 7ffe0e1485e5 12229->12232 12230 7ffe0e14fc90 37 API calls 12233 7ffe0e14862c 12230->12233 12231 7ffe0e147e60 37 API calls 12234 7ffe0e1485bc 12231->12234 12232->12235 12236 7ffe0e14f010 18 API calls 12232->12236 12237 7ffe0e14f010 18 API calls 12233->12237 12238 7ffe0e1485a8 
12233->12238 12234->12153 12235->12230 12235->12238 12236->12235 12237->12238 12238->12231 12240 7ffe0e147d04 12239->12240 12241 7ffe0e139150 37 API calls 12240->12241 12242 7ffe0e147d16 12241->12242 12243 7ffe0e14f010 18 API calls 12242->12243 12244 7ffe0e147d5b 12242->12244 12243->12244 12244->11452 12249 7ffe0e13adce 12245->12249 12246 7ffe0e13aeb7 12246->11513 12247 7ffe0e13ae9d 12247->12246 12251 7ffe0e13acb0 12247->12251 12249->12246 12249->12247 12250 7ffe0e13acb0 37 API calls 12249->12250 12250->12249 12252 7ffe0e150d30 32 API calls 12251->12252 12253 7ffe0e13accc 12252->12253 12254 7ffe0e136f20 32 API calls 12253->12254 12255 7ffe0e13acf5 12254->12255 12256 7ffe0e13ad68 12255->12256 12259 7ffe0e14f010 18 API calls 12255->12259 12257 7ffe0e14fd80 18 API calls 12256->12257 12258 7ffe0e13ad72 12257->12258 12260 7ffe0e138e60 37 API calls 12258->12260 12259->12256 12261 7ffe0e13ad94 12260->12261 12261->12246 12263 7ffe0e145cf0 12262->12263 12264 7ffe0e145ce9 exit 12262->12264 12265 7ffe0e13fc60 33 API calls 12263->12265 12264->12263 12266 7ffe0e145d03 12265->12266 12267 7ffe0e145d1e 12266->12267 12268 7ffe0e145de8 12266->12268 12269 7ffe0e136b50 33 API calls 12267->12269 12270 7ffe0e136b50 33 API calls 12268->12270 12271 7ffe0e145d3d 12269->12271 12272 7ffe0e145e04 12270->12272 12273 7ffe0e145d7d memcpy 12271->12273 12274 7ffe0e145d5c memcpy 12271->12274 12275 7ffe0e145e22 memcpy 12272->12275 12276 7ffe0e145d96 12272->12276 12273->12276 12274->12273 12275->12276 12277 7ffe0e145dbd 12276->12277 12278 7ffe0e14f010 18 API calls 12276->12278 12277->11076 12279 7ffe0e145dd5 12278->12279 12279->11076 12281 7ffe0e13fc60 33 API calls 12280->12281 12282 7ffe0e146c47 12281->12282 12283 7ffe0e144e70 38 API calls 12282->12283 12284 7ffe0e146c54 12283->12284 12285 7ffe0e136cd0 33 API calls 12284->12285 12286 7ffe0e146c75 GetFileAttributesW 12285->12286 12287 7ffe0e13fc60 33 API calls 12286->12287 12288 7ffe0e146c8f 12287->12288 12289 7ffe0e144e70 38 API calls 12288->12289 
12290 7ffe0e146c9c 12289->12290 12291 7ffe0e13fc60 33 API calls 12290->12291 12292 7ffe0e146cb0 12291->12292 12293 7ffe0e144e70 38 API calls 12292->12293 12294 7ffe0e146cbd 12293->12294 12295 7ffe0e136cd0 33 API calls 12294->12295 12296 7ffe0e146ce1 GetFileAttributesW 12295->12296 12297 7ffe0e146d00 12296->12297 12298 7ffe0e146cef 12296->12298 12300 7ffe0e136cd0 33 API calls 12297->12300 12384 7ffe0e1459a0 OpenProcess 12298->12384 12301 7ffe0e146d21 GetFileAttributesW 12300->12301 12303 7ffe0e1458e5 12302->12303 12304 7ffe0e145968 12303->12304 12305 7ffe0e13fc60 33 API calls 12303->12305 12304->11041 12306 7ffe0e145911 12305->12306 12307 7ffe0e144e70 38 API calls 12306->12307 12309 7ffe0e14591e 12307->12309 12308 7ffe0e14594d 12308->11041 12309->12308 12310 7ffe0e14f010 18 API calls 12309->12310 12310->12308 12312 7ffe0e14e174 12311->12312 12313 7ffe0e136b50 33 API calls 12312->12313 12314 7ffe0e14e1a7 12313->12314 12315 7ffe0e14ece0 12314->12315 12316 7ffe0e13fc60 33 API calls 12315->12316 12317 7ffe0e14ecfe 12316->12317 12318 7ffe0e144e70 38 API calls 12317->12318 12319 7ffe0e14ed0b 12318->12319 12320 7ffe0e13fc60 33 API calls 12319->12320 12321 7ffe0e144e70 38 API calls 12319->12321 12322 7ffe0e14ee16 12319->12322 12320->12319 12321->12319 12323 7ffe0e145220 12322->12323 12324 7ffe0e14525f 12323->12324 12325 7ffe0e145256 12323->12325 12324->11063 12325->12324 12326 7ffe0e13fc60 33 API calls 12325->12326 12327 7ffe0e1452a0 12326->12327 12328 7ffe0e144e70 38 API calls 12327->12328 12329 7ffe0e1452ad 12328->12329 12329->12324 12330 7ffe0e13fc60 33 API calls 12329->12330 12331 7ffe0e1452c4 12330->12331 12332 7ffe0e144e70 38 API calls 12331->12332 12333 7ffe0e1452d1 12332->12333 12333->12324 12334 7ffe0e13fc60 33 API calls 12333->12334 12335 7ffe0e145379 12334->12335 12336 7ffe0e144e70 38 API calls 12335->12336 12337 7ffe0e14538d 12336->12337 12338 7ffe0e145550 12337->12338 12339 7ffe0e1453be 12337->12339 12349 7ffe0e145586 12337->12349 12340 7ffe0e144e70 38 API 
calls 12338->12340 12339->12338 12356 7ffe0e1453c7 12339->12356 12342 7ffe0e145530 12340->12342 12341 7ffe0e145570 12343 7ffe0e144e70 38 API calls 12341->12343 12345 7ffe0e144e70 38 API calls 12342->12345 12343->12324 12344 7ffe0e144e70 38 API calls 12344->12349 12345->12324 12346 7ffe0e144e70 38 API calls 12346->12356 12347 7ffe0e145160 40 API calls 12347->12349 12349->12341 12349->12344 12349->12347 12350 7ffe0e1455c2 strlen 12349->12350 12351 7ffe0e1454a4 12349->12351 12350->12341 12350->12349 12353 7ffe0e145630 12351->12353 12354 7ffe0e1454b0 12351->12354 12352 7ffe0e145480 strlen 12352->12351 12352->12356 12355 7ffe0e14564b 12353->12355 12358 7ffe0e144e70 38 API calls 12353->12358 12357 7ffe0e144e70 38 API calls 12354->12357 12359 7ffe0e144e70 38 API calls 12355->12359 12356->12341 12356->12346 12356->12351 12356->12352 12403 7ffe0e145160 12356->12403 12360 7ffe0e1454ca 12357->12360 12358->12355 12361 7ffe0e14565c 12359->12361 12362 7ffe0e144e70 38 API calls 12360->12362 12363 7ffe0e144e70 38 API calls 12361->12363 12364 7ffe0e1454db 12362->12364 12365 7ffe0e14566d 12363->12365 12366 7ffe0e144e70 38 API calls 12364->12366 12368 7ffe0e144e70 38 API calls 12365->12368 12367 7ffe0e1454ec 12366->12367 12369 7ffe0e144e70 38 API calls 12367->12369 12370 7ffe0e14567e 12368->12370 12371 7ffe0e1454fd 12369->12371 12372 7ffe0e144e70 38 API calls 12370->12372 12373 7ffe0e144e70 38 API calls 12371->12373 12374 7ffe0e14568f 12372->12374 12375 7ffe0e14550e 12373->12375 12376 7ffe0e144e70 38 API calls 12374->12376 12377 7ffe0e144e70 38 API calls 12375->12377 12378 7ffe0e1456a0 12376->12378 12379 7ffe0e14551f 12377->12379 12380 7ffe0e144e70 38 API calls 12378->12380 12382 7ffe0e144e70 38 API calls 12379->12382 12381 7ffe0e1456b1 12380->12381 12383 7ffe0e144e70 38 API calls 12381->12383 12382->12342 12383->12342 12385 7ffe0e1459d0 12384->12385 12386 7ffe0e1459c4 12384->12386 12387 7ffe0e13fc60 33 API calls 12385->12387 12386->11081 12388 7ffe0e1459e1 12387->12388 12389 

    Control-flow Graph

    [Control-flow graph of the function starting at 7ffe0e14f0d0, with executed and not-executed paths marked; the rendered graph and its edge list are not reproduced in this extract.]
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000003.00000002.1912185776.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912262619.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912294847.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912374228.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912413359.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912488211.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912511890.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912537555.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_7ffe0e130000_regsvr32.jbxd
    Similarity
    • API ID: memcpy$ByteCharMultiWideexit$Version
    • String ID: CloseHandle$CreateFileA$GetComputerNameExA$GetCurrentProcessId$GetCurrentThreadId$GetDiskFreeSpaceExA$GetFileSize$GetModuleHandleA$GetProcAddress$GetProcessHeap$GetThreadContext$GetTickCount$GlobalMemoryStatusEx$LdrLoadDll$MultiByteToWideChar$OpenProcess$OpenThread$ReadFile$RtlAddVectoredExceptionHandler$RtlAllocateHeap$RtlInitUnicodeString$SetThreadContext$Sleep$VirtualProtect$WaitForSingleObject$T]
    • API String ID: 206777904-685478019
    • Opcode ID: b45f2f8461dc00cc225e3df3eeb2e6f5cb47b4b7ce774521207b75bae5f129ac
    • Instruction ID: 6c2b76d9e2dcf6567f574f206e0d4934e61591816cbdcff9d8d3bd1f98a7c4b3
    • Opcode Fuzzy Hash: b45f2f8461dc00cc225e3df3eeb2e6f5cb47b4b7ce774521207b75bae5f129ac
    • Instruction Fuzzy Hash: 726208B5F19B0781FA14ABA9E455AB923A1FF89B80F845437D98D1B7B6DE3CE011C340

    Control-flow Graph

    [Control-flow graph of the function starting at 7ffe0e14c870, with executed and not-executed paths marked; the rendered graph and its edge list are not reproduced in this extract.]
    APIs
    Similarity
    • API ID: memcpy$File$CreateReadSize
    • String ID:
    • API String ID: 3349561689-0
    • Opcode ID: a8202178b302e06c8707e63b6a2b76a7fa594dfccb05227361a63074442d66f1
    • Instruction ID: 9ea9f028ffebf61283f37a72def0b60319a3bec4377fd314401ede3a39822efd
    • Opcode Fuzzy Hash: a8202178b302e06c8707e63b6a2b76a7fa594dfccb05227361a63074442d66f1
    • Instruction Fuzzy Hash: 67F112A2A0E7C182EB20CB65E45477ABFA1FB85B80F098136DADE477A5DE3CD145C350

    Control-flow Graph

    [Control-flow graph of the function starting at 7ffe0e14d520, with executed and not-executed paths marked; the rendered graph and its edge list are not reproduced in this extract.]
    APIs
    Strings
    Similarity
    • API ID: memcpy$AddressCreateHeapLibraryLoadProcProtectVirtualexitfwritememset
    • String ID: Jo .$VariantConversionError$com.nim$toVariant
    • API String ID: 1711561947-479195221
    • Opcode ID: 267aad6122c0e13e02fc832062a4c5bc73dba4db2a22413d8cfe2e07d4621de0
    • Instruction ID: b180b70066d2219dc2e5d860d64a013653b37e144978ef48df02bc3f3d9c8809
    • Opcode Fuzzy Hash: 267aad6122c0e13e02fc832062a4c5bc73dba4db2a22413d8cfe2e07d4621de0
    • Instruction Fuzzy Hash: 066246A2B09B4691EB10DB60E8543BA23A1FF85B94F804137DA9E477B6DF3CE545C380

    Control-flow Graph

    [Control-flow graph of the function starting at 7ffe0e150950, with executed and not-executed paths marked; the rendered graph and its edge list are not reproduced in this extract.]
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000003.00000002.1912185776.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912262619.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912294847.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912374228.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912413359.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912488211.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912511890.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912537555.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_7ffe0e130000_regsvr32.jbxd
    Similarity
    • API ID: _fileno_setmode$AddressLibraryLoadProc
    • String ID: inet_ntop
    • API String ID: 3115319449-448242623
    • Opcode ID: 63bcff974b24ba70f64acc777d788e640980a957896653db4294a53ead9a9139
    • Instruction ID: 3d0441a3fd2b9ae56ad53d10fe99b28e43d44d038bf4b2224a30da2c72688827
    • Opcode Fuzzy Hash: 63bcff974b24ba70f64acc777d788e640980a957896653db4294a53ead9a9139
    • Instruction Fuzzy Hash: 81A14172A09B4A81EB119F99E8143A873A0FB89B80F948537DADC233A5DF3DE455C740

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000003.00000002.1912185776.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912262619.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912294847.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912374228.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912413359.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912488211.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912511890.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912537555.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_7ffe0e130000_regsvr32.jbxd
    Similarity
    • API ID: LibraryLoad$AddressProc
    • String ID: MultiByteToWideChar$SysStringLen$WideCharToMultiByte$kernel32$lstrlenW$oleaut32
    • API String ID: 1469910268-1955535950
    • Opcode ID: ee6e375a4fb4bccd2b28a38eab41fe4ff48691f0217c803988e2de915c1ce671
    • Instruction ID: 50fddb0466cb1475f479da3eb50a48eac9ff7740cd49e34045d11df1bbe58fc8
    • Opcode Fuzzy Hash: ee6e375a4fb4bccd2b28a38eab41fe4ff48691f0217c803988e2de915c1ce671
    • Instruction Fuzzy Hash: 2031F3A5B1AA03D0ED559B22B854476B3A1BF48B88B98153BDCDD473B1EE3CE405D3A0

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000003.00000002.1912185776.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912262619.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912294847.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912374228.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912413359.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912488211.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912511890.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912537555.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_7ffe0e130000_regsvr32.jbxd
    Similarity
    • API ID: Sleepmemcpy$CountTickexit
    • String ID:
    • API String ID: 3478675858-0
    • Opcode ID: 0bdc9acf1ffa6991366d1e7dbc8e9db2be78bbb090259d4902cde132a9111b43
    • Instruction ID: c2debfd109fb03b81b8e0001fd55044452663093610d125ae3361cfdf44075bc
    • Opcode Fuzzy Hash: 0bdc9acf1ffa6991366d1e7dbc8e9db2be78bbb090259d4902cde132a9111b43
    • Instruction Fuzzy Hash: 22413B72B09A5692EB11AF18E9943AC73A1FF44B84F448437CA8D177A5EF3CE952C340

    Control-flow Graph

    APIs
    • exit.MSVCRT(?,?,?,?,00007FFE0E1318E5,?,?,?,?,00007FFE0E17E968,?,3F000000,02B3C260,00007FFE0E13244D,0000040F), ref: 00007FFE0E131821
    • memset.MSVCRT ref: 00007FFE0E131871
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000003.00000002.1912185776.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912262619.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912294847.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912374228.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912413359.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912488211.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912511890.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912537555.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_7ffe0e130000_regsvr32.jbxd
    Similarity
    • API ID: exitmemset
    • String ID: out of memory
    • API String ID: 2099101326-49810860
    • Opcode ID: a22d6bbd68ecaa542f404404ab495eed28682d22c7e6bab6dcadafd07e105a1a
    • Instruction ID: 6de8e848fd82886408c6efd7dea4b4eb269f35c18a616f8305ae4af0bc787711
    • Opcode Fuzzy Hash: a22d6bbd68ecaa542f404404ab495eed28682d22c7e6bab6dcadafd07e105a1a
    • Instruction Fuzzy Hash: 0B218132F0AB8580FB185F66E4483A963A0EB48FD4F088076DE8C0B7A5DE3CE481C340

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000003.00000002.1912185776.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912262619.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912294847.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912374228.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912413359.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912488211.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912511890.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912537555.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_7ffe0e130000_regsvr32.jbxd
    Similarity
    • API ID: memcpy
    • String ID:
    • API String ID: 3510742995-0
    • Opcode ID: cdbec6f9a2dd2351946039720b62acdf348dc7ef4a10d577622d7a41df4bf1b5
    • Instruction ID: a01483521fc8d50d56d325ca0927091d0fb8182adbaa78c166a4981e769a3133
    • Opcode Fuzzy Hash: cdbec6f9a2dd2351946039720b62acdf348dc7ef4a10d577622d7a41df4bf1b5
    • Instruction Fuzzy Hash: E9614872609B8592EA21DF05E8503ED77A0FB88B84F868533DA9D4B7A5EF3CD509C340

    Control-flow Graph

    • [Control-flow graph image not reproduced; legend: Executed / Not Executed. Basic blocks 7ffe0e131a00 to 7ffe0e131c96, with three VirtualAlloc call sites and internal calls to 7ffe0e1317f0 and 7ffe0e131830.]
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000003.00000002.1912185776.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912262619.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912294847.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912374228.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912413359.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912488211.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912511890.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912537555.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_7ffe0e130000_regsvr32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 1790b6db0320995f7436345c45903ecaa4b7fcd4b84692f55c2bdba6814a56ae
    • Instruction ID: 06a006730b62e0267ec61fb51f24ffb8a6b85390ebef0bf4687352f3647e94a6
    • Opcode Fuzzy Hash: 1790b6db0320995f7436345c45903ecaa4b7fcd4b84692f55c2bdba6814a56ae
    • Instruction Fuzzy Hash: 26514BB2706B9590EF159B2AD8483B936A5FB54FC4F588536DE8D0B7A8EE3DE441C300

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000003.00000002.1912185776.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912262619.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912294847.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912374228.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912413359.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912488211.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912511890.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912537555.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_7ffe0e130000_regsvr32.jbxd
    Similarity
    • API ID: memcpy$AttributesFile
    • String ID:
    • API String ID: 3559115319-0
    • Opcode ID: 42e9d04e5c697c9ee4175a46a3db53c6dcec2e3e28c3b2640cf8511a3308ae26
    • Instruction ID: 5989012367a89036984a62e59ce8330c00f6a6eacdac5422eabe04bca07363be
    • Opcode Fuzzy Hash: 42e9d04e5c697c9ee4175a46a3db53c6dcec2e3e28c3b2640cf8511a3308ae26
    • Instruction Fuzzy Hash: 8021A752F4AA0781FE09EB25B9541B52392EF95794F988037DC8E0B3B5EE3CE8428340

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000003.00000002.1912185776.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912262619.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912294847.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912374228.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912413359.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912488211.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912511890.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912537555.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_7ffe0e130000_regsvr32.jbxd
    Similarity
    • API ID: AllocVirtualmemset
    • String ID:
    • API String ID: 921305906-0
    • Opcode ID: 3ff3c6db38c44a7a331b5cd085444be021dc225577a1303040b3e8ac49655f0c
    • Instruction ID: c3b093a9a93828be7432a1894dc2ed9c6c9d17280894121fcd594aa5816508cd
    • Opcode Fuzzy Hash: 3ff3c6db38c44a7a331b5cd085444be021dc225577a1303040b3e8ac49655f0c
    • Instruction Fuzzy Hash: 4E318C32B06B8081EB158F66F8447AD76A4EB48FD4F198076DE8C0B7A5DE38D582C300

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000003.00000002.1912185776.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912262619.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912294847.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912374228.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912413359.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912488211.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912511890.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912537555.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_7ffe0e130000_regsvr32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 7a838eac63a25573b851f49d3af618f8f0d33cadf4e87795c7358daf39240612
    • Instruction ID: 275b8aa8fe5266c9a39243b75965f2374c643625345a15a870d3e7f12dd3053c
    • Opcode Fuzzy Hash: 7a838eac63a25573b851f49d3af618f8f0d33cadf4e87795c7358daf39240612
    • Instruction Fuzzy Hash: 6271CEB2A05B4191EA19AF29D4443A833E5FF04B84F58823ADA8D077B5EF38E5D1C300

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000003.00000002.1912185776.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912262619.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912294847.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912374228.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912413359.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912488211.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912511890.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912537555.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_7ffe0e130000_regsvr32.jbxd
    Similarity
    • API ID: memset
    • String ID:
    • API String ID: 2221118986-0
    • Opcode ID: b532521561d45849a7f1e55b540afb33b99293abbe439fb3ef002cd9d2cb91db
    • Instruction ID: 245f4d5451fb1f29f08d8851f56c16b25a6ce852d24118106d61ca69cafec03f
    • Opcode Fuzzy Hash: b532521561d45849a7f1e55b540afb33b99293abbe439fb3ef002cd9d2cb91db
    • Instruction Fuzzy Hash: FA416CB7A09A46A0EA10CF25D4502BC73A4FB58BA0F844237CA9E077F4DF78D995C340
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000003.00000002.1912185776.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912262619.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912294847.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912374228.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912413359.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912488211.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912511890.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912537555.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_7ffe0e130000_regsvr32.jbxd
    Similarity
    • API ID: HandleThread$CloseContext$AddressCreateCurrentExceptionFirstHandlerInitLoadModuleOpenProcProcessSnapshotStringThread32Toolhelp32UnicodeVectoredmemset
    • String ID: J*!=$jt+9
    • API String ID: 3419048117-242937532
    • Opcode ID: a9628e8f766383207b41f0b76916dcf45cde8c8b4db2eb96fa1eba45f2c1ec0d
    • Instruction ID: d1f3e824dc2ef7e7fccb7f6ab6f49cfe4c63fe7e469a0700dea47e5572a20720
    • Opcode Fuzzy Hash: a9628e8f766383207b41f0b76916dcf45cde8c8b4db2eb96fa1eba45f2c1ec0d
    • Instruction Fuzzy Hash: ADA18FA2B09B4292EE10DB11F8443BA63A1FF84B94F844537DA8E077A8DF3CE546C340
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000003.00000002.1912185776.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912262619.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912294847.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912374228.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912413359.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912488211.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912511890.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912537555.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_7ffe0e130000_regsvr32.jbxd
    Similarity
    • API ID: memcpy
    • String ID: , expect$ValueError$but got $ed 's', $format s$formatValue$invalid $r string$strformat.nim$tring fo$type in
    • API String ID: 3510742995-1773161451
    • Opcode ID: 3b737671fdecec1ccda9928ca60f407ce4e1cf31fb0526f2aeb49fa47f716a7c
    • Instruction ID: 2b1e73820ed8ecfebfca614a9b5ffa596e317c80d73e65a884f85d03059282aa
    • Opcode Fuzzy Hash: 3b737671fdecec1ccda9928ca60f407ce4e1cf31fb0526f2aeb49fa47f716a7c
    • Instruction Fuzzy Hash: 5A9101A2B08A4282EB15CB25F41477E36A0EB85B84F419133EE9D077E1DF7DE880C341
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000003.00000002.1912185776.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912262619.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912294847.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912374228.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912413359.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912488211.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912511890.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912537555.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_7ffe0e130000_regsvr32.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: CreateProcessW$GetCurrentProcess$GetCurrentThread$GetProcAddress$GetProcessHeap$GetThreadContext$HeapAlloc$HeapCreate$InitializeProcThreadAttributeList$LoadLibraryA$ResumeThread$UpdateProcThreadAttribute$WaitForSingleObject$kernel32
    • API String ID: 2238633743-547029440
    • Opcode ID: c58de225f95c152ab6af1b470b37807868feafa623f41c2bcfb802640fa2ff2c
    • Instruction ID: c5433b138257bcf5935ced3e29fb4480aba456a09241f37610f58a11cc730beb
    • Opcode Fuzzy Hash: c58de225f95c152ab6af1b470b37807868feafa623f41c2bcfb802640fa2ff2c
    • Instruction Fuzzy Hash: 3761E765B0AA0390ED44A722B91447673A1BF48BC8F98547BCCCD5B3B1EF3CA545E3A4
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000003.00000002.1912185776.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912262619.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912294847.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912374228.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912413359.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912488211.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912511890.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912537555.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_7ffe0e130000_regsvr32.jbxd
    Similarity
    • API ID: memcpy$FileModuleName
    • String ID: *7;u$p
    • API String ID: 1955653913-3490293476
    • Opcode ID: 645625445c2e909ecbe63e0be60bb5919e0017e978dff1b72ba1033b1c89a85e
    • Instruction ID: 347d2f54ae6f7b132ff34f6c40c5f5ae0114f50581e7bbe922afd297b2952dac
    • Opcode Fuzzy Hash: 645625445c2e909ecbe63e0be60bb5919e0017e978dff1b72ba1033b1c89a85e
    • Instruction Fuzzy Hash: 89022AB2B09B8692EB54DF15E4543AAB7A1FB84B84F458037DA9C0B7A9EF3CD505C340
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000003.00000002.1912185776.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912262619.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912294847.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912374228.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912413359.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912488211.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912511890.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912537555.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_7ffe0e130000_regsvr32.jbxd
    Similarity
    • API ID: signal$exitstrlen
    • String ID: 5$ReraiseDefect$SIGABRT: Abnormal termination.$SIGFPE: Arithmetic error.$SIGILL: Illegal operation.$SIGINT: Interrupted by Ctrl-C.$SIGSEGV: Illegal storage access. (Attempt to read from nil?)$fatal.nim$sysFatal$unknown signal
    • API String ID: 1414789275-2829261224
    • Opcode ID: db43e712b9be7a93631420e14b105a0930ecd6170e45012433f711954e299830
    • Instruction ID: a7053e46752a173a43a732335e2fd9168a531fd799413bc9e0b354a34205d696
    • Opcode Fuzzy Hash: db43e712b9be7a93631420e14b105a0930ecd6170e45012433f711954e299830
    • Instruction Fuzzy Hash: 5D315C66E18A02E0FA18AB25E8596BDB365BF45784F880437EE9D473F5DF3CA644C340
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000003.00000002.1912185776.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912262619.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912294847.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912374228.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912413359.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912443775.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912488211.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912511890.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1912537555.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_7ffe0e130000_regsvr32.jbxd
    Similarity
    • API ID: memcpy$LibraryLoad$AddressProc
    • String ID: :state$GetFileAttributesW$NtFlushInstructionCache4$OpenProcess$RtlGetVersion$cipher$dctx6$kernel32.dll$key5$remoteProcID2$tProcess1$treadHandle3
    • API String ID: 3980900384-2224378161
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: CommandLine
    • String ID: not in $ not in $ not in $0 ..$0 ..$IndexDefect$inde$os.nim$paramStr
    • API String ID: 3253501508-369068400
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: FormatFreeLocalMessagememcpymemset
    • String ID: Addition$OS error$OS error$OSError$al info:$unknown $unknown
    • API String ID: 4084645559-3457963805
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: ByteCharMultiStringWide$AllocFreeInitialize_setjmpmemcpymemset
    • String ID: specifi$ed membe$o invoke$r: $unable t
    • API String ID: 909372610-4084315218
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: FormatMessageW$GetCommandLineW$GetCurrentDirectoryW$GetLastError$GetModuleFileNameW$LocalFree$kernel32
    • API String ID: 2238633743-3391179580
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: ArraySafe$CreateElementInitialize
    • String ID: VariantConversionError$com.nim$toVariant
    • API String ID: 2234878901-3035603046
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: ArraySafe$CreateElementInitialize
    • String ID: VariantConversionError$com.nim$toVariant
    • API String ID: 2234878901-3035603046
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: ArraySafe$CreateElementInitialize
    • String ID: VariantConversionError$com.nim$toVariant
    • API String ID: 2234878901-3035603046
    Strings
    • [GC] cannot register thread local variable; too many thread local variables, xrefs: 00007FFE0E13A69C
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: signal$exitfflushfwrite
    • String ID: [GC] cannot register thread local variable; too many thread local variables
    • API String ID: 3958355099-685140759
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: memcpy
    • String ID: .$ValueError$annot pa$format s$invalid $parseStandardFormatSpecifier$rse:$strformat.nim$tring, c
    • API String ID: 3510742995-876510697
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: strlen$memcpy
    • String ID: excepti$Error: u$nhandled$on:
    • API String ID: 3396830738-1220997370
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: memcpy
    • String ID: VED|$VT_ARRAY$VT_ARRAY$VT_ARRAY$VT_BYREF$VT_RESER$VT_VECTO
    • API String ID: 3510742995-291823325
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: CreateToolhelp32Snapshot$Thread32First$Thread32Next$kernel32
    • API String ID: 2238633743-3935561650
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: memcpy
    • String ID: ValueError$integer:$integer:$invalid $invalid $parseInt$strutils.nim
    • API String ID: 3510742995-2575869123
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: memcpy$memset
    • String ID:
    • API String ID: 438689982-0
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: ArraySafe$CreateElementInitialize
    • String ID: VariantConversionError$com.nim$toVariant
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: memcpy
    • String ID: to $convert $convert $convert $from
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: GetForegroundWindow$GetWindowThreadProcessId$user32
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: CopyFreeStringVariant_setjmpmemcpystrlen
    • String ID:
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: _amsg_exit_initterm
    • String ID: 0
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: CopyInitializeVariant
    • String ID: VariantConversionError$com.nim$toVariant
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: CopyInitializeVariant
    • String ID: VariantConversionError$com.nim$newVariant
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID:
    • String ID: .~&$T]$T]
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: _lock_unlock
    • String ID:
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: _fileno$_setmode
    • String ID:
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: IsEqualGUID$ole32
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: ErrorLastexitfwritestrlen
    • String ID: (bad format; library may be wrong architecture)$could not load:
    Strings
    • [GC] cannot register global variable; too many global variables, xrefs: 00007FFE0E13A93C
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: exitfflushfwrite
    • String ID: [GC] cannot register global variable; too many global variables
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: AttachConsole$kernel32
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: Ws2_32.dll$inet_ntop
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: memcpymemset
    • String ID: [[rerais$]]$ed from:
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Similarity
    • API ID: memcpymemset
    • String ID: CLRError$clr.nim$clrError
    • API String ID: 1297977491-2830349459
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_7ffe0e130000_regsvr32.jbxd
    Similarity
    • API ID:
    • String ID: virtualFree failing!
    • API String ID: 0-3108117800
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_7ffe0e130000_regsvr32.jbxd
    Similarity
    • API ID:
    • String ID: virtualFree failing!
    • API String ID: 0-3108117800
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_7ffe0e130000_regsvr32.jbxd
    Similarity
    • API ID: FreeVirtualexit
    • String ID: virtualFree failing!
    • API String ID: 1212090140-3108117800
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1912218581.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_7ffe0e130000_regsvr32.jbxd
    Similarity
    • API ID: FreeVirtualexit
    • String ID: virtualFree failing!
    • API String ID: 1212090140-3108117800

    Execution Graph

    Execution Coverage: 2.8%
    Dynamic/Decrypted Code Coverage: 0%
    Signature Coverage: 0%
    Total number of Nodes: 1800
    Total number of Limit Nodes: 11
calls 11214->11218 11600 7ffe0e137ce0 11215->11600 11217 7ffe0e1465c7 11216->11217 11220 7ffe0e1465eb 11217->11220 11223 7ffe0e14f010 18 API calls 11217->11223 11218->11208 11218->11214 11222 7ffe0e14fd80 18 API calls 11220->11222 11224 7ffe0e1465f4 11222->11224 11223->11220 11226 7ffe0e138e60 37 API calls 11224->11226 11225 7ffe0e137ce0 35 API calls 11227 7ffe0e146679 11225->11227 11230 7ffe0e146616 11226->11230 11228 7ffe0e146760 11227->11228 11229 7ffe0e146687 11227->11229 11231 7ffe0e146765 11228->11231 11232 7ffe0e1467cb 11228->11232 11233 7ffe0e136b50 33 API calls 11229->11233 11241 7ffe0e14d400 _setjmp 11230->11241 11234 7ffe0e136b50 33 API calls 11231->11234 11235 7ffe0e136b50 33 API calls 11232->11235 11236 7ffe0e1466b2 memcpy 11233->11236 11237 7ffe0e146792 11234->11237 11238 7ffe0e14674a 11235->11238 11236->11238 11239 7ffe0e14672e memcpy 11236->11239 11237->11239 11240 7ffe0e131680 18 API calls 11238->11240 11239->11238 11240->11220 11242 7ffe0e14d444 11241->11242 11243 7ffe0e14d478 11241->11243 11244 7ffe0e13b7f0 38 API calls 11242->11244 11245 7ffe0e14d4d1 11243->11245 11247 7ffe0e14f010 18 API calls 11243->11247 11246 7ffe0e14d451 11244->11246 11245->10961 11246->10961 11247->11245 11249 7ffe0e139150 37 API calls 11248->11249 11250 7ffe0e146d6d 11249->11250 11251 7ffe0e146dcc 11250->11251 11252 7ffe0e146de0 memcpy 11250->11252 11256 7ffe0e146dec 11250->11256 11251->11015 11252->11256 11253 7ffe0e144e70 38 API calls 11254 7ffe0e1472d5 11253->11254 11257 7ffe0e136b50 33 API calls 11254->11257 11255 7ffe0e147010 11258 7ffe0e144e70 38 API calls 11255->11258 11256->11255 11259 7ffe0e144e70 38 API calls 11256->11259 11274 7ffe0e1472b6 11256->11274 11267 7ffe0e147046 11257->11267 11260 7ffe0e147024 11258->11260 11261 7ffe0e146e64 11259->11261 11262 7ffe0e136b50 33 API calls 11260->11262 11263 7ffe0e14ef30 6 API calls 11261->11263 11262->11267 11265 7ffe0e146e71 11263->11265 11264 7ffe0e14728e 11266 7ffe0e144e70 38 API calls 11264->11266 11265->11264 11268 
7ffe0e144e70 38 API calls 11265->11268 11269 7ffe0e1472a9 11266->11269 11617 7ffe0e14ef90 11267->11617 11270 7ffe0e146ea9 11268->11270 11271 7ffe0e14ef30 6 API calls 11269->11271 11273 7ffe0e14ef30 6 API calls 11270->11273 11271->11274 11275 7ffe0e146eb6 11273->11275 11274->11253 11276 7ffe0e147270 11275->11276 11277 7ffe0e146edd 11275->11277 11279 7ffe0e144e70 38 API calls 11276->11279 11278 7ffe0e144e70 38 API calls 11277->11278 11280 7ffe0e146ef3 11278->11280 11281 7ffe0e147281 11279->11281 11282 7ffe0e136b50 33 API calls 11280->11282 11283 7ffe0e14ef30 6 API calls 11281->11283 11285 7ffe0e146f0d 11282->11285 11283->11264 11284 7ffe0e1471ed 11284->11015 11285->11284 11286 7ffe0e14ee30 5 API calls 11285->11286 11287 7ffe0e146fc9 11286->11287 11288 7ffe0e14ee30 5 API calls 11287->11288 11289 7ffe0e146fdb fwrite 11288->11289 11291 7ffe0e147003 fflush 11289->11291 11291->11255 11625 7ffe0e136cd0 11292->11625 11294 7ffe0e14c2d4 GetModuleFileNameW 11295 7ffe0e14c2e8 11294->11295 11297 7ffe0e14c2b1 11294->11297 11298 7ffe0e13fc60 33 API calls 11295->11298 11296 7ffe0e14c330 11299 7ffe0e137270 34 API calls 11296->11299 11297->11294 11297->11296 11300 7ffe0e136cd0 33 API calls 11297->11300 11301 7ffe0e14c2fc 11298->11301 11302 7ffe0e14c33e 11299->11302 11300->11297 11628 7ffe0e146bb0 11301->11628 11304 7ffe0e13fc60 33 API calls 11302->11304 11307 7ffe0e14c352 11304->11307 11309 7ffe0e146bb0 44 API calls 11307->11309 11311 7ffe0e14c35a 11309->11311 11312 7ffe0e13fc60 33 API calls 11311->11312 11313 7ffe0e14c36e 11312->11313 11314 7ffe0e1464c0 45 API calls 11313->11314 11315 7ffe0e14c325 11314->11315 11316 7ffe0e136b50 33 API calls 11315->11316 11317 7ffe0e14c3c9 11316->11317 11318 7ffe0e14c3e5 memcpy 11317->11318 11319 7ffe0e14c860 11317->11319 11320 7ffe0e14c42b 11318->11320 11321 7ffe0e14c40b memcpy 11318->11321 11322 7ffe0e14c450 11320->11322 11323 7ffe0e14c430 memcpy 11320->11323 11321->11320 11324 7ffe0e14c475 11322->11324 11325 7ffe0e14c455 memcpy 11322->11325 
11323->11322 11326 7ffe0e14c47a memcpy 11324->11326 11327 7ffe0e14c496 11324->11327 11325->11324 11326->11327 11328 7ffe0e13fc60 33 API calls 11327->11328 11335 7ffe0e14c4a7 11328->11335 11329 7ffe0e145ff0 41 API calls 11329->11335 11330 7ffe0e14c599 11331 7ffe0e13fc60 33 API calls 11330->11331 11332 7ffe0e14c5af 11331->11332 11336 7ffe0e137ce0 35 API calls 11332->11336 11333 7ffe0e13fc60 33 API calls 11333->11335 11334 7ffe0e1464c0 45 API calls 11334->11335 11335->11329 11335->11330 11335->11333 11335->11334 11338 7ffe0e136b50 33 API calls 11335->11338 11340 7ffe0e14c523 memcpy 11335->11340 11341 7ffe0e14c543 memcpy 11335->11341 11342 7ffe0e14c56b memcpy 11335->11342 11337 7ffe0e14c5e8 11336->11337 11339 7ffe0e13fc60 33 API calls 11337->11339 11338->11335 11343 7ffe0e14c5fe 11339->11343 11340->11335 11341->11335 11342->11335 11344 7ffe0e136b50 33 API calls 11343->11344 11345 7ffe0e14c646 memcpy 11344->11345 11346 7ffe0e14c67e memcpy 11345->11346 11347 7ffe0e14c69c 11345->11347 11346->11347 11348 7ffe0e14c6bf 11347->11348 11349 7ffe0e14c6a1 memcpy 11347->11349 11350 7ffe0e14c6e4 11348->11350 11351 7ffe0e14c6c4 memcpy 11348->11351 11349->11348 11352 7ffe0e14c707 11350->11352 11353 7ffe0e14c6e9 memcpy 11350->11353 11351->11350 11354 7ffe0e136cd0 33 API calls 11352->11354 11353->11352 11355 7ffe0e14c722 11354->11355 11636 7ffe0e13c390 11355->11636 11357 7ffe0e14c7ca 11357->10893 11359 7ffe0e14d052 11358->11359 11360 7ffe0e14d070 RtlAddVectoredExceptionHandler memset 11359->11360 11361 7ffe0e14d276 11359->11361 11362 7ffe0e14d0b0 CreateToolhelp32Snapshot 11360->11362 11363 7ffe0e13fc60 33 API calls 11361->11363 11369 7ffe0e14d114 Thread32First 11362->11369 11370 7ffe0e14d104 11362->11370 11364 7ffe0e14d287 11363->11364 11365 7ffe0e144e70 38 API calls 11364->11365 11366 7ffe0e14d294 GetModuleHandleA 11365->11366 11371 7ffe0e14d2bc 11366->11371 11372 7ffe0e14d3d0 11369->11372 11376 7ffe0e14d161 11369->11376 11370->11020 11375 7ffe0e13fc60 33 API calls 11371->11375 11378 
7ffe0e144e70 38 API calls 11371->11378 11387 7ffe0e14d2ff GetProcAddress 11371->11387 11392 7ffe0e13c390 35 API calls 11371->11392 11373 7ffe0e13fc60 33 API calls 11372->11373 11374 7ffe0e14d3e1 11373->11374 11377 7ffe0e144e70 38 API calls 11374->11377 11375->11371 11379 7ffe0e14d16f GetCurrentProcessId 11376->11379 11380 7ffe0e14d197 CloseHandle 11376->11380 11381 7ffe0e14d3ee 11377->11381 11378->11371 11379->11376 11382 7ffe0e14d26c 11380->11382 11383 7ffe0e14d1a8 11380->11383 11381->11020 11694 7ffe0e14ce10 11382->11694 11384 7ffe0e14d1be OpenThread 11383->11384 11384->11370 11386 7ffe0e14d1da GetThreadContext 11384->11386 11386->11370 11389 7ffe0e14d1ee 11386->11389 11387->11371 11390 7ffe0e14d24f CloseHandle 11389->11390 11391 7ffe0e144e70 38 API calls 11389->11391 11390->11382 11390->11384 11393 7ffe0e14d20c SetThreadContext 11391->11393 11394 7ffe0e14d39d RtlInitUnicodeString LdrLoadDll 11392->11394 11393->11370 11395 7ffe0e14d242 11393->11395 11394->11371 11396 7ffe0e144e70 38 API calls 11395->11396 11396->11390 11398 7ffe0e1478f0 11397->11398 11399 7ffe0e147392 11397->11399 11400 7ffe0e136b50 33 API calls 11398->11400 11401 7ffe0e136b50 33 API calls 11399->11401 11402 7ffe0e147901 11400->11402 11403 7ffe0e1473c3 11401->11403 11404 7ffe0e139150 37 API calls 11402->11404 11405 7ffe0e139150 37 API calls 11403->11405 11408 7ffe0e14741f 11404->11408 11405->11408 11406 7ffe0e139150 37 API calls 11407 7ffe0e14755f 11406->11407 11409 7ffe0e14756e 11407->11409 11410 7ffe0e1479d8 11407->11410 11408->11406 11414 7ffe0e147579 11408->11414 11415 7ffe0e147720 11408->11415 11412 7ffe0e139150 37 API calls 11409->11412 11411 7ffe0e139150 37 API calls 11410->11411 11411->11414 11412->11414 11413 7ffe0e139150 37 API calls 11413->11414 11414->11413 11414->11415 11415->11030 11417 7ffe0e14c040 11416->11417 11421 7ffe0e14bf24 11416->11421 11772 7ffe0e14a350 11417->11772 11419 7ffe0e14c047 11425 7ffe0e150d30 32 API calls 11419->11425 11420 7ffe0e14bf3e 11423 7ffe0e14bf5f 
11420->11423 11424 7ffe0e14bf50 CoInitialize 11420->11424 11421->11420 11720 7ffe0e149920 11421->11720 11426 7ffe0e1507e0 32 API calls 11423->11426 11424->11423 11427 7ffe0e14c06b 11425->11427 11429 7ffe0e14bf6b 11426->11429 11428 7ffe0e146830 39 API calls 11427->11428 11430 7ffe0e14c08d 11428->11430 11432 7ffe0e147e60 37 API calls 11429->11432 11442 7ffe0e14c09c 11429->11442 11433 7ffe0e144cb0 36 API calls 11430->11433 11431 7ffe0e14fc90 37 API calls 11431->11442 11434 7ffe0e14bf9d SafeArrayCreate 11432->11434 11433->11442 11434->11419 11435 7ffe0e14bfd3 11434->11435 11436 7ffe0e14c008 11435->11436 11747 7ffe0e148890 11435->11747 11762 7ffe0e14a190 11436->11762 11438 7ffe0e14fd80 18 API calls 11438->11442 11439 7ffe0e14f010 18 API calls 11439->11442 11442->11431 11442->11438 11442->11439 11444 7ffe0e138e60 37 API calls 11442->11444 11444->11442 11446 7ffe0e150ef0 11445->11446 11447 7ffe0e1507e0 32 API calls 11446->11447 11448 7ffe0e150f0a 11447->11448 11449 7ffe0e14fc90 37 API calls 11448->11449 11452 7ffe0e150f1e 11448->11452 11453 7ffe0e150fd5 11449->11453 11450 7ffe0e14fc90 37 API calls 11463 7ffe0e150f31 11450->11463 11451 7ffe0e147e60 37 API calls 11451->11463 11452->11450 11452->11463 11453->11452 11454 7ffe0e14f010 18 API calls 11453->11454 11454->11452 11455 7ffe0e14de4b 11465 7ffe0e14b1e0 11455->11465 11456 7ffe0e150d30 32 API calls 11456->11463 11457 7ffe0e14f010 18 API calls 11457->11463 11459 7ffe0e146830 39 API calls 11459->11463 11460 7ffe0e150f7e 11460->11455 12081 7ffe0e149470 11460->12081 11461 7ffe0e144cb0 36 API calls 11461->11463 11462 7ffe0e14fd80 18 API calls 11462->11463 11463->11451 11463->11456 11463->11457 11463->11459 11463->11460 11463->11461 11463->11462 11464 7ffe0e138e60 37 API calls 11463->11464 11464->11463 11466 7ffe0e14b45d 11465->11466 11467 7ffe0e14b219 _setjmp 11465->11467 11468 7ffe0e149920 54 API calls 11466->11468 11470 7ffe0e14b2e0 11467->11470 11472 7ffe0e14b28a 11467->11472 11469 7ffe0e14b471 11468->11469 11469->11063 
11475 7ffe0e14b36d 11470->11475 12104 7ffe0e14b110 11470->12104 11471 7ffe0e14b2d3 11471->11063 11472->11471 11474 7ffe0e139650 59 API calls 11472->11474 11474->11466 11478 7ffe0e14b3ce 11475->11478 11481 7ffe0e149920 54 API calls 11475->11481 11477 7ffe0e14b476 11480 7ffe0e14b110 109 API calls 11477->11480 11482 7ffe0e149da0 91 API calls 11478->11482 11479 7ffe0e14b110 109 API calls 11483 7ffe0e14b337 11479->11483 11484 7ffe0e14b483 11480->11484 11481->11478 11482->11472 11483->11477 11485 7ffe0e14b34a 11483->11485 11485->11475 11486 7ffe0e149920 54 API calls 11485->11486 11486->11475 11488 7ffe0e139150 37 API calls 11487->11488 11490 7ffe0e139df8 11488->11490 11489 7ffe0e139e06 11489->11046 11490->11489 11491 7ffe0e136f20 32 API calls 11490->11491 11492 7ffe0e14f010 18 API calls 11490->11492 11493 7ffe0e139e7c memcpy 11491->11493 11492->11490 11493->11490 11495 7ffe0e14684a 11494->11495 11506 7ffe0e14688c 11494->11506 11496 7ffe0e146856 11495->11496 11498 7ffe0e150560 32 API calls 11495->11498 11497 7ffe0e14685f 11496->11497 11502 7ffe0e137040 33 API calls 11496->11502 11499 7ffe0e14693e 11497->11499 11500 7ffe0e146868 11497->11500 11498->11496 11503 7ffe0e137040 33 API calls 11499->11503 11504 7ffe0e1469a7 11500->11504 11505 7ffe0e146875 11500->11505 11500->11506 11501 7ffe0e136b50 33 API calls 11501->11506 11502->11497 11503->11504 11509 7ffe0e137ce0 35 API calls 11504->11509 11508 7ffe0e137040 33 API calls 11505->11508 11506->11501 11507 7ffe0e137040 33 API calls 11506->11507 11511 7ffe0e1468c1 11506->11511 11510 7ffe0e146a7f memcpy 11507->11510 11508->11506 11512 7ffe0e1469e6 11509->11512 11510->11506 11513 7ffe0e137040 33 API calls 11511->11513 11512->11506 11515 7ffe0e136b50 33 API calls 11512->11515 11514 7ffe0e1468cc memcpy 11513->11514 11514->10979 11516 7ffe0e146a18 memcpy 11515->11516 11516->11506 11518 7ffe0e144cc1 11517->11518 11519 7ffe0e144ccb 11517->11519 11518->11519 11520 7ffe0e144e10 11518->11520 11521 7ffe0e1395b0 33 API calls 11519->11521 
11522 7ffe0e1395b0 33 API calls 11520->11522 11523 7ffe0e144cd3 11521->11523 11522->11523 11524 7ffe0e144cdf 11523->11524 11525 7ffe0e144da8 11523->11525 11530 7ffe0e136b50 33 API calls 11524->11530 11526 7ffe0e144e20 11525->11526 11527 7ffe0e144dad 11525->11527 11529 7ffe0e136b50 33 API calls 11526->11529 11528 7ffe0e136b50 33 API calls 11527->11528 11532 7ffe0e144dd0 11528->11532 11533 7ffe0e144d95 11529->11533 11531 7ffe0e144d0a memcpy 11530->11531 11531->11533 11534 7ffe0e144d79 memcpy 11531->11534 11532->11534 11533->10979 11534->11533 11537 7ffe0e131691 11535->11537 11536 7ffe0e1316b4 11536->10979 11537->11536 11538 7ffe0e14f010 18 API calls 11537->11538 11538->11536 11540 7ffe0e14fd90 11539->11540 11541 7ffe0e14fda6 11539->11541 11540->11541 11542 7ffe0e14f010 18 API calls 11540->11542 11541->10979 11542->11541 12258 7ffe0e13adb0 11543->12258 11545 7ffe0e150d30 32 API calls 11547 7ffe0e13b816 11545->11547 11546 7ffe0e13b837 11546->11058 11547->11545 11547->11546 11548 7ffe0e136b50 33 API calls 11547->11548 11549 7ffe0e136b50 33 API calls 11547->11549 11551 7ffe0e14fd80 18 API calls 11547->11551 11552 7ffe0e14f010 18 API calls 11547->11552 11553 7ffe0e138e60 37 API calls 11547->11553 11548->11547 11550 7ffe0e13b899 memcpy 11549->11550 11550->11547 11551->11547 11552->11547 11553->11547 11555 7ffe0e15057e 11554->11555 11556 7ffe0e15058b 11555->11556 11558 7ffe0e14ffc0 31 API calls 11555->11558 11557 7ffe0e1327d0 12 API calls 11556->11557 11560 7ffe0e150598 11557->11560 11558->11556 11559 7ffe0e13fcdd memcpy 11559->11153 11560->11559 11561 7ffe0e133730 18 API calls 11560->11561 11561->11559 11563 7ffe0e13b5ac 11562->11563 11564 7ffe0e13b60f 11563->11564 11565 7ffe0e13b738 11563->11565 11566 7ffe0e13b5d4 11563->11566 11564->11189 11565->11564 11567 7ffe0e13b74d memchr 11565->11567 11566->11564 11568 7ffe0e13b5f6 strstr 11566->11568 11567->11564 11568->11564 11570 7ffe0e14ee43 11569->11570 11571 7ffe0e14eec0 11569->11571 11581 7ffe0e14e100 11570->11581 11572 
7ffe0e14e100 3 API calls 11571->11572 11580 7ffe0e14eed6 11572->11580 11574 7ffe0e14ee8f fwrite 11574->11196 11575 7ffe0e14eeed fputc 11575->11574 11575->11580 11576 7ffe0e14ee76 fputc 11576->11574 11579 7ffe0e14ee65 11576->11579 11577 7ffe0e14e100 3 API calls 11577->11580 11578 7ffe0e14e100 3 API calls 11578->11579 11579->11574 11579->11576 11579->11578 11580->11574 11580->11575 11580->11577 11582 7ffe0e152370 3 API calls 11581->11582 11583 7ffe0e14e124 11582->11583 11583->11579 11585 7ffe0e136b50 33 API calls 11584->11585 11587 7ffe0e1372a9 11585->11587 11586 7ffe0e1373f9 11589 7ffe0e1449a0 11586->11589 11587->11586 11588 7ffe0e137140 33 API calls 11587->11588 11588->11587 11592 7ffe0e1449d0 11589->11592 11590 7ffe0e136b50 33 API calls 11590->11592 11591 7ffe0e1391b0 37 API calls 11591->11592 11592->11590 11592->11591 11593 7ffe0e144b21 11592->11593 11594 7ffe0e144c58 11592->11594 11595 7ffe0e137140 33 API calls 11592->11595 11597 7ffe0e1506b0 33 API calls 11592->11597 11599 7ffe0e14f010 18 API calls 11592->11599 11593->11200 11593->11204 11596 7ffe0e136f20 32 API calls 11594->11596 11595->11592 11598 7ffe0e144c7d memcpy 11596->11598 11597->11592 11598->11593 11599->11592 11601 7ffe0e1380a0 11600->11601 11602 7ffe0e137cf9 11600->11602 11603 7ffe0e137740 35 API calls 11601->11603 11604 7ffe0e137fc9 11602->11604 11610 7ffe0e137740 11602->11610 11605 7ffe0e1380cb 11603->11605 11608 7ffe0e14f010 18 API calls 11604->11608 11609 7ffe0e138007 11604->11609 11607 7ffe0e1374c0 18 API calls 11605->11607 11607->11604 11608->11609 11609->11225 11611 7ffe0e137830 11610->11611 11614 7ffe0e137769 11610->11614 11613 7ffe0e136b50 33 API calls 11611->11613 11612 7ffe0e137810 11612->11604 11613->11612 11614->11612 11615 7ffe0e150560 32 API calls 11614->11615 11616 7ffe0e1377cf memcpy memset 11615->11616 11616->11612 11618 7ffe0e14efac 11617->11618 11619 7ffe0e14ee30 5 API calls 11618->11619 11620 7ffe0e14efb7 11619->11620 11621 7ffe0e14ee30 5 API calls 11620->11621 11622 
7ffe0e14efcd fwrite 11621->11622 11624 7ffe0e14eff5 11622->11624 11626 7ffe0e136b50 33 API calls 11625->11626 11627 7ffe0e136cf5 11626->11627 11627->11297 11629 7ffe0e136cd0 33 API calls 11628->11629 11633 7ffe0e146bd2 11629->11633 11630 7ffe0e146bd8 GetCurrentDirectoryW 11631 7ffe0e146c00 GetLastError 11630->11631 11630->11633 11641 7ffe0e146480 11631->11641 11633->11630 11634 7ffe0e146c18 11633->11634 11635 7ffe0e136cd0 33 API calls 11633->11635 11635->11633 11637 7ffe0e13c3aa MultiByteToWideChar 11636->11637 11639 7ffe0e136b50 33 API calls 11637->11639 11640 7ffe0e13c420 MultiByteToWideChar 11639->11640 11640->11357 11646 7ffe0e146140 11641->11646 11643 7ffe0e146489 11644 7ffe0e138e60 37 API calls 11643->11644 11645 7ffe0e1464af 11644->11645 11645->11633 11647 7ffe0e136b50 33 API calls 11646->11647 11648 7ffe0e146160 11647->11648 11649 7ffe0e146184 FormatMessageW 11648->11649 11653 7ffe0e1461c3 11648->11653 11650 7ffe0e1463b0 11649->11650 11649->11653 11652 7ffe0e137270 34 API calls 11650->11652 11651 7ffe0e1461ea 11654 7ffe0e14633a 11651->11654 11673 7ffe0e146256 11651->11673 11679 7ffe0e137140 11651->11679 11655 7ffe0e1463c5 11652->11655 11653->11651 11659 7ffe0e14f010 18 API calls 11653->11659 11656 7ffe0e146430 11654->11656 11657 7ffe0e146343 11654->11657 11655->11653 11658 7ffe0e1463d2 LocalFree 11655->11658 11661 7ffe0e136f20 32 API calls 11656->11661 11660 7ffe0e1463a1 11657->11660 11662 7ffe0e136f20 32 API calls 11657->11662 11658->11653 11659->11651 11660->11643 11663 7ffe0e146441 11661->11663 11665 7ffe0e14635b 11662->11665 11663->11643 11665->11660 11668 7ffe0e14f010 18 API calls 11665->11668 11667 7ffe0e14629a 11671 7ffe0e137040 33 API calls 11667->11671 11669 7ffe0e146405 11668->11669 11669->11643 11670 7ffe0e146268 11670->11667 11672 7ffe0e14f010 18 API calls 11670->11672 11677 7ffe0e1462de 11671->11677 11672->11667 11686 7ffe0e137040 11673->11686 11675 7ffe0e14f010 18 API calls 11675->11673 11676 7ffe0e146310 memcpy 11676->11654 11677->11676 11678 
7ffe0e14f010 18 API calls 11677->11678 11678->11676 11680 7ffe0e137238 11679->11680 11681 7ffe0e13715a 11679->11681 11683 7ffe0e150560 32 API calls 11680->11683 11682 7ffe0e1371df 11681->11682 11684 7ffe0e150560 32 API calls 11681->11684 11682->11673 11682->11675 11683->11682 11685 7ffe0e1371b2 memcpy 11684->11685 11685->11682 11687 7ffe0e1370f8 11686->11687 11692 7ffe0e137055 11686->11692 11688 7ffe0e150560 32 API calls 11687->11688 11690 7ffe0e137117 11688->11690 11689 7ffe0e1370e6 11689->11670 11690->11670 11691 7ffe0e150560 32 API calls 11693 7ffe0e1370ba memcpy 11691->11693 11692->11689 11692->11691 11693->11689 11695 7ffe0e13fc60 33 API calls 11694->11695 11696 7ffe0e14ce36 11695->11696 11697 7ffe0e144e70 38 API calls 11696->11697 11698 7ffe0e14ce43 GetModuleHandleA 11697->11698 11700 7ffe0e13fc60 33 API calls 11698->11700 11701 7ffe0e14ce7f 11700->11701 11702 7ffe0e144e70 38 API calls 11701->11702 11710 7ffe0e14ce90 11702->11710 11703 7ffe0e14cff1 11704 7ffe0e13fc60 33 API calls 11703->11704 11705 7ffe0e14d002 11704->11705 11707 7ffe0e144e70 38 API calls 11705->11707 11706 7ffe0e136b50 33 API calls 11706->11710 11719 7ffe0e14cfe8 11707->11719 11708 7ffe0e13fc60 33 API calls 11708->11710 11709 7ffe0e144e70 38 API calls 11709->11710 11710->11703 11710->11706 11710->11708 11710->11709 11711 7ffe0e13b590 2 API calls 11710->11711 11712 7ffe0e14cf5e 11710->11712 11711->11710 11713 7ffe0e13fc60 33 API calls 11712->11713 11714 7ffe0e14cf83 11713->11714 11715 7ffe0e144e70 38 API calls 11714->11715 11717 7ffe0e14cf96 11715->11717 11716 7ffe0e13fc60 33 API calls 11716->11717 11717->11716 11718 7ffe0e144e70 38 API calls 11717->11718 11717->11719 11718->11717 11719->11020 11721 7ffe0e149c70 11720->11721 11722 7ffe0e14993d 11720->11722 11722->11721 11723 7ffe0e136b50 33 API calls 11722->11723 11724 7ffe0e149993 11723->11724 11725 7ffe0e136b50 33 API calls 11724->11725 11726 7ffe0e1499ba 11725->11726 11846 7ffe0e13d310 11726->11846 11728 7ffe0e1499dd 11729 7ffe0e137040 33 
API calls 11728->11729 11730 7ffe0e1499ec 11729->11730 11731 7ffe0e136b50 33 API calls 11730->11731 11732 7ffe0e149a14 11731->11732 11733 7ffe0e13d310 53 API calls 11732->11733 11734 7ffe0e149b10 11733->11734 11735 7ffe0e137040 33 API calls 11734->11735 11736 7ffe0e149b1f 11735->11736 11737 7ffe0e149b4e 11736->11737 11738 7ffe0e149c28 11736->11738 11739 7ffe0e149b77 11737->11739 11743 7ffe0e14f010 18 API calls 11737->11743 11740 7ffe0e136f20 32 API calls 11738->11740 11742 7ffe0e14fd80 18 API calls 11739->11742 11741 7ffe0e149c43 memcpy 11740->11741 11741->11721 11744 7ffe0e149b81 11742->11744 11743->11739 11745 7ffe0e138e60 37 API calls 11744->11745 11746 7ffe0e149ba8 11745->11746 11746->11420 11748 7ffe0e1488b3 11747->11748 11749 7ffe0e1488a4 CoInitialize 11747->11749 11750 7ffe0e1507e0 32 API calls 11748->11750 11749->11748 11751 7ffe0e1488bf 11750->11751 11752 7ffe0e1488cc 11751->11752 11753 7ffe0e14fc90 37 API calls 11751->11753 11755 7ffe0e14fc90 37 API calls 11752->11755 11757 7ffe0e1488d8 11752->11757 11758 7ffe0e14890d 11753->11758 11754 7ffe0e147e60 37 API calls 11756 7ffe0e1488e9 SafeArrayPutElement 11754->11756 11759 7ffe0e148954 11755->11759 11756->11435 11756->11436 11757->11754 11758->11752 11760 7ffe0e14f010 18 API calls 11758->11760 11759->11757 11761 7ffe0e14f010 18 API calls 11759->11761 11760->11752 11761->11757 11763 7ffe0e14a1c4 _setjmp 11762->11763 11764 7ffe0e14a338 11762->11764 11770 7ffe0e14a21a 11763->11770 11765 7ffe0e149920 54 API calls 11764->11765 11766 7ffe0e14a349 11765->11766 11766->11766 11768 7ffe0e149920 54 API calls 11768->11770 11770->11768 11771 7ffe0e14a322 11770->11771 11940 7ffe0e139650 11770->11940 11966 7ffe0e149da0 11770->11966 11771->11033 11773 7ffe0e1395b0 33 API calls 11772->11773 11774 7ffe0e14a375 11773->11774 11775 7ffe0e14a389 _setjmp 11774->11775 11776 7ffe0e14a462 _setjmp 11774->11776 11777 7ffe0e14a580 CLRCreateInstance 11775->11777 11784 7ffe0e14a3f8 11775->11784 11780 7ffe0e14a900 CLRCreateInstance 
11776->11780 11788 7ffe0e14a4f7 11776->11788 11778 7ffe0e14a700 11777->11778 11779 7ffe0e14a5aa 11777->11779 11783 7ffe0e149920 54 API calls 11778->11783 11790 7ffe0e149920 54 API calls 11779->11790 11829 7ffe0e14a5ce 11779->11829 11781 7ffe0e14a934 11780->11781 11782 7ffe0e14a926 11780->11782 11786 7ffe0e13c390 35 API calls 11781->11786 11785 7ffe0e149920 54 API calls 11782->11785 11787 7ffe0e14a70e 11783->11787 11784->11776 11784->11788 11791 7ffe0e149920 54 API calls 11784->11791 11785->11781 11795 7ffe0e14a93e 11786->11795 11787->11419 11789 7ffe0e139650 59 API calls 11788->11789 11792 7ffe0e14a563 11788->11792 11789->11778 11790->11829 11791->11776 11792->11419 11793 7ffe0e14a9b9 11805 7ffe0e149920 54 API calls 11793->11805 11806 7ffe0e14aa1f 11793->11806 11845 7ffe0e14ac20 11793->11845 11794 7ffe0e14a5fe _setjmp 11794->11829 11795->11793 11796 7ffe0e136ee0 33 API calls 11795->11796 11797 7ffe0e14a988 11796->11797 12079 7ffe0e138760 memcpy 11797->12079 11799 7ffe0e14a661 _setjmp 11799->11829 11800 7ffe0e149920 54 API calls 11816 7ffe0e14ac46 11800->11816 11801 7ffe0e14a99a 11802 7ffe0e14a9af 11801->11802 12080 7ffe0e138760 memcpy 11801->12080 11804 7ffe0e149920 54 API calls 11802->11804 11804->11793 11805->11806 11807 7ffe0e14aaed 11806->11807 11808 7ffe0e14aa84 11806->11808 11809 7ffe0e14ac70 11806->11809 11811 7ffe0e14ab33 11807->11811 11812 7ffe0e14ab24 CoInitialize 11807->11812 11815 7ffe0e14ac7e 11808->11815 11832 7ffe0e14aab3 11808->11832 11813 7ffe0e149920 54 API calls 11809->11813 11810 7ffe0e136b50 33 API calls 11810->11829 11814 7ffe0e1507e0 32 API calls 11811->11814 11812->11811 11813->11815 11817 7ffe0e14ab3f 11814->11817 11820 7ffe0e149920 54 API calls 11815->11820 11816->11419 11819 7ffe0e14ad31 11817->11819 11822 7ffe0e14ab60 11817->11822 11823 7ffe0e14acc6 11817->11823 11824 7ffe0e14fc90 37 API calls 11819->11824 11821 7ffe0e14ac96 11820->11821 11833 7ffe0e149920 54 API calls 11821->11833 11826 7ffe0e147e60 37 API calls 11822->11826 11827 
7ffe0e14fc90 37 API calls 11823->11827 11836 7ffe0e14ad45 11824->11836 11825 7ffe0e1395b0 33 API calls 11825->11829 11831 7ffe0e14ab71 11826->11831 11837 7ffe0e14acfd 11827->11837 11828 7ffe0e14acae 11830 7ffe0e149920 54 API calls 11828->11830 11829->11788 11829->11794 11829->11799 11829->11810 11829->11816 11829->11823 11829->11825 11829->11829 12074 7ffe0e13c170 11829->12074 11830->11823 11834 7ffe0e14b1e0 103 API calls 11831->11834 11832->11807 11832->11821 11832->11828 11833->11828 11835 7ffe0e14abbd 11834->11835 11838 7ffe0e14b1e0 103 API calls 11835->11838 11836->11816 11839 7ffe0e14f010 18 API calls 11836->11839 11837->11819 11840 7ffe0e14f010 18 API calls 11837->11840 11841 7ffe0e14abe9 11838->11841 11839->11816 11840->11819 11842 7ffe0e14b1e0 103 API calls 11841->11842 11843 7ffe0e14ac11 11842->11843 11844 7ffe0e131680 18 API calls 11843->11844 11844->11845 11845->11800 11873 7ffe0e13ca70 11846->11873 11848 7ffe0e13d362 11887 7ffe0e1395b0 11848->11887 11851 7ffe0e13d4cf 11892 7ffe0e13cfc0 11851->11892 11852 7ffe0e150d30 32 API calls 11854 7ffe0e13d57b 11852->11854 11856 7ffe0e136b50 33 API calls 11854->11856 11855 7ffe0e13d4eb 11857 7ffe0e13d690 11855->11857 11858 7ffe0e13d4f7 11855->11858 11868 7ffe0e13d37e 11856->11868 11861 7ffe0e137040 33 API calls 11857->11861 11860 7ffe0e137040 33 API calls 11858->11860 11859 7ffe0e14f010 18 API calls 11859->11868 11862 7ffe0e13d503 11860->11862 11863 7ffe0e13d69b 11861->11863 11866 7ffe0e1374c0 18 API calls 11862->11866 11867 7ffe0e1374c0 18 API calls 11863->11867 11864 7ffe0e137740 35 API calls 11864->11851 11865 7ffe0e14fd80 18 API calls 11865->11868 11869 7ffe0e13d50e memcpy 11866->11869 11870 7ffe0e13d6a6 11867->11870 11868->11851 11868->11859 11868->11865 11871 7ffe0e138e60 37 API calls 11868->11871 11872 7ffe0e13d396 11868->11872 11869->11728 11870->11728 11871->11868 11872->11851 11872->11864 11885 7ffe0e13cacc 11873->11885 11874 7ffe0e136b50 33 API calls 11875 7ffe0e13cd9a memcpy 11874->11875 11877 

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000004.00000002.1895683396.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895739640.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895760741.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895786045.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895807663.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895868596.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895886602.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895905423.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: memcpy$ByteCharMultiWideexit$Version
    • String ID: CloseHandle$CreateFileA$GetComputerNameExA$GetCurrentProcessId$GetCurrentThreadId$GetDiskFreeSpaceExA$GetFileSize$GetModuleHandleA$GetProcAddress$GetProcessHeap$GetThreadContext$GetTickCount$GlobalMemoryStatusEx$LdrLoadDll$MultiByteToWideChar$OpenProcess$OpenThread$ReadFile$RtlAddVectoredExceptionHandler$RtlAllocateHeap$RtlInitUnicodeString$SetThreadContext$Sleep$VirtualProtect$WaitForSingleObject$T]
    • API String ID: 206777904-685478019
    • Opcode ID: b45f2f8461dc00cc225e3df3eeb2e6f5cb47b4b7ce774521207b75bae5f129ac
    • Instruction ID: 6c2b76d9e2dcf6567f574f206e0d4934e61591816cbdcff9d8d3bd1f98a7c4b3
    • Opcode Fuzzy Hash: b45f2f8461dc00cc225e3df3eeb2e6f5cb47b4b7ce774521207b75bae5f129ac
    • Instruction Fuzzy Hash: 726208B5F19B0781FA14ABA9E455AB923A1FF89B80F845437D98D1B7B6DE3CE011C340

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: memcpy$File$CreateReadSize
    • String ID:
    • API String ID: 3349561689-0
    • Opcode ID: a8202178b302e06c8707e63b6a2b76a7fa594dfccb05227361a63074442d66f1
    • Instruction ID: 9ea9f028ffebf61283f37a72def0b60319a3bec4377fd314401ede3a39822efd
    • Opcode Fuzzy Hash: a8202178b302e06c8707e63b6a2b76a7fa594dfccb05227361a63074442d66f1
    • Instruction Fuzzy Hash: 67F112A2A0E7C182EB20CB65E45477ABFA1FB85B80F098136DADE477A5DE3CD145C350

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000004.00000002.1895683396.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895739640.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895760741.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895786045.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895807663.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895868596.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895886602.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895905423.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: memcpy$AddressCreateHeapLibraryLoadProcProtectVirtualexitfwritememset
    • String ID: Jo .$VariantConversionError$com.nim$toVariant
    • API String ID: 1711561947-479195221
    • Opcode ID: 267aad6122c0e13e02fc832062a4c5bc73dba4db2a22413d8cfe2e07d4621de0
    • Instruction ID: b180b70066d2219dc2e5d860d64a013653b37e144978ef48df02bc3f3d9c8809
    • Opcode Fuzzy Hash: 267aad6122c0e13e02fc832062a4c5bc73dba4db2a22413d8cfe2e07d4621de0
    • Instruction Fuzzy Hash: 066246A2B09B4691EB10DB60E8543BA23A1FF85B94F804137DA9E477B6DF3CE545C380

    Control-flow Graph

    APIs
    Strings
    Similarity
    • API ID: _fileno_setmode$AddressInitializeLibraryLoadProc
    • String ID: inet_ntop
    • API String ID: 2337794837-448242623
    • Opcode ID: 63bcff974b24ba70f64acc777d788e640980a957896653db4294a53ead9a9139
    • Instruction ID: 3d0441a3fd2b9ae56ad53d10fe99b28e43d44d038bf4b2224a30da2c72688827
    • Opcode Fuzzy Hash: 63bcff974b24ba70f64acc777d788e640980a957896653db4294a53ead9a9139
    • Instruction Fuzzy Hash: 81A14172A09B4A81EB119F99E8143A873A0FB89B80F948537DADC233A5DF3DE455C740

    Control-flow Graph

    APIs
    Similarity
    • API ID: Sleepmemcpy$CountTickexit
    • String ID:
    • API String ID: 3478675858-0
    • Opcode ID: 0bdc9acf1ffa6991366d1e7dbc8e9db2be78bbb090259d4902cde132a9111b43
    • Instruction ID: c2debfd109fb03b81b8e0001fd55044452663093610d125ae3361cfdf44075bc
    • Opcode Fuzzy Hash: 0bdc9acf1ffa6991366d1e7dbc8e9db2be78bbb090259d4902cde132a9111b43
    • Instruction Fuzzy Hash: 22413B72B09A5692EB11AF18E9943AC73A1FF44B84F448437CA8D177A5EF3CE952C340

    Control-flow Graph

    APIs
    Strings
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: IsEqualGUID$ole32
    • API String ID: 2574300362-2239048069
    • Opcode ID: 7ff10b3fd0906f5e01960bbf5f10ae61445133da43785ccd3f84570ed7f384fa
    • Instruction ID: 196fcbb036f43c9fc6d75697a3f333a8677996702306e6ec7d5d33c57413b403
    • Opcode Fuzzy Hash: 7ff10b3fd0906f5e01960bbf5f10ae61445133da43785ccd3f84570ed7f384fa
    • Instruction Fuzzy Hash: 3661AE2191DB8296F6528B58F8857B573B4BF4CB44F80223BC9DD872B0EF3DA6858340

    Control-flow Graph

    APIs
    • exit.MSVCRT(?,?,?,?,00007FFE0E1318E5,?,?,?,?,00007FFE0E17E968,?,3F000000,00000196F0F8C260,00007FFE0E13244D,0000040F), ref: 00007FFE0E131821
    • memset.MSVCRT ref: 00007FFE0E131871
    Strings
    Similarity
    • API ID: exitmemset
    • String ID: out of memory
    • API String ID: 2099101326-49810860
    • Opcode ID: a22d6bbd68ecaa542f404404ab495eed28682d22c7e6bab6dcadafd07e105a1a
    • Instruction ID: 6de8e848fd82886408c6efd7dea4b4eb269f35c18a616f8305ae4af0bc787711
    • Opcode Fuzzy Hash: a22d6bbd68ecaa542f404404ab495eed28682d22c7e6bab6dcadafd07e105a1a
    • Instruction Fuzzy Hash: 0B218132F0AB8580FB185F66E4483A963A0EB48FD4F088076DE8C0B7A5DE3CE481C340

    Control-flow Graph

    APIs
    Similarity
    • API ID: memcpy
    • String ID:
    • API String ID: 3510742995-0
    • Opcode ID: cdbec6f9a2dd2351946039720b62acdf348dc7ef4a10d577622d7a41df4bf1b5
    • Instruction ID: a01483521fc8d50d56d325ca0927091d0fb8182adbaa78c166a4981e769a3133
    • Opcode Fuzzy Hash: cdbec6f9a2dd2351946039720b62acdf348dc7ef4a10d577622d7a41df4bf1b5
    • Instruction Fuzzy Hash: E9614872609B8592EA21DF05E8503ED77A0FB88B84F868533DA9D4B7A5EF3CD509C340

    Control-flow Graph

    APIs
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 1790b6db0320995f7436345c45903ecaa4b7fcd4b84692f55c2bdba6814a56ae
    • Instruction ID: 06a006730b62e0267ec61fb51f24ffb8a6b85390ebef0bf4687352f3647e94a6
    • Opcode Fuzzy Hash: 1790b6db0320995f7436345c45903ecaa4b7fcd4b84692f55c2bdba6814a56ae
    • Instruction Fuzzy Hash: 26514BB2706B9590EF159B2AD8483B936A5FB54FC4F588536DE8D0B7A8EE3DE441C300

    Control-flow Graph

    APIs
    Similarity
    • API ID: memcpy$AttributesFile
    • String ID:
    • API String ID: 3559115319-0
    • Opcode ID: 42e9d04e5c697c9ee4175a46a3db53c6dcec2e3e28c3b2640cf8511a3308ae26
    • Instruction ID: 5989012367a89036984a62e59ce8330c00f6a6eacdac5422eabe04bca07363be
    • Opcode Fuzzy Hash: 42e9d04e5c697c9ee4175a46a3db53c6dcec2e3e28c3b2640cf8511a3308ae26
    • Instruction Fuzzy Hash: 8021A752F4AA0781FE09EB25B9541B52392EF95794F988037DC8E0B3B5EE3CE8428340

    Control-flow Graph

    APIs
    Similarity
    • API ID: AllocVirtualmemset
    • String ID:
    • API String ID: 921305906-0
    • Opcode ID: 3ff3c6db38c44a7a331b5cd085444be021dc225577a1303040b3e8ac49655f0c
    • Instruction ID: c3b093a9a93828be7432a1894dc2ed9c6c9d17280894121fcd594aa5816508cd
    • Opcode Fuzzy Hash: 3ff3c6db38c44a7a331b5cd085444be021dc225577a1303040b3e8ac49655f0c
    • Instruction Fuzzy Hash: 4E318C32B06B8081EB158F66F8447AD76A4EB48FD4F198076DE8C0B7A5DE38D582C300

    Control-flow Graph

    APIs
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 7a838eac63a25573b851f49d3af618f8f0d33cadf4e87795c7358daf39240612
    • Instruction ID: 275b8aa8fe5266c9a39243b75965f2374c643625345a15a870d3e7f12dd3053c
    • Opcode Fuzzy Hash: 7a838eac63a25573b851f49d3af618f8f0d33cadf4e87795c7358daf39240612
    • Instruction Fuzzy Hash: 6271CEB2A05B4191EA19AF29D4443A833E5FF04B84F58823ADA8D077B5EF38E5D1C300

    Control-flow Graph

    APIs
    Similarity
    • API ID: memset
    • String ID:
    • API String ID: 2221118986-0
    • Opcode ID: b532521561d45849a7f1e55b540afb33b99293abbe439fb3ef002cd9d2cb91db
    • Instruction ID: 245f4d5451fb1f29f08d8851f56c16b25a6ce852d24118106d61ca69cafec03f
    • Opcode Fuzzy Hash: b532521561d45849a7f1e55b540afb33b99293abbe439fb3ef002cd9d2cb91db
    • Instruction Fuzzy Hash: FA416CB7A09A46A0EA10CF25D4502BC73A4FB58BA0F844237CA9E077F4DF78D995C340
    APIs
    Strings
    Similarity
    • API ID: HandleThread$CloseContext$AddressCreateCurrentExceptionFirstHandlerInitLoadModuleOpenProcProcessSnapshotStringThread32Toolhelp32UnicodeVectoredmemset
    • String ID: J*!=$jt+9
    • API String ID: 3419048117-242937532
    • Opcode ID: a9628e8f766383207b41f0b76916dcf45cde8c8b4db2eb96fa1eba45f2c1ec0d
    • Instruction ID: d1f3e824dc2ef7e7fccb7f6ab6f49cfe4c63fe7e469a0700dea47e5572a20720
    • Opcode Fuzzy Hash: a9628e8f766383207b41f0b76916dcf45cde8c8b4db2eb96fa1eba45f2c1ec0d
    • Instruction Fuzzy Hash: ADA18FA2B09B4292EE10DB11F8443BA63A1FF84B94F844537DA8E077A8DF3CE546C340
    APIs
    Strings
    Similarity
    • API ID: memcpy
    • String ID: , expect$ValueError$but got $ed 's', $format s$formatValue$invalid $r string$strformat.nim$tring fo$type in
    • API String ID: 3510742995-1773161451
    • Opcode ID: 3b737671fdecec1ccda9928ca60f407ce4e1cf31fb0526f2aeb49fa47f716a7c
    • Instruction ID: 2b1e73820ed8ecfebfca614a9b5ffa596e317c80d73e65a884f85d03059282aa
    • Opcode Fuzzy Hash: 3b737671fdecec1ccda9928ca60f407ce4e1cf31fb0526f2aeb49fa47f716a7c
    • Instruction Fuzzy Hash: 5A9101A2B08A4282EB15CB25F41477E36A0EB85B84F419133EE9D077E1DF7DE880C341
    APIs
    Strings
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: CreateProcessW$GetCurrentProcess$GetCurrentThread$GetProcAddress$GetProcessHeap$GetThreadContext$HeapAlloc$HeapCreate$InitializeProcThreadAttributeList$LoadLibraryA$ResumeThread$UpdateProcThreadAttribute$WaitForSingleObject$kernel32
    • API String ID: 2238633743-547029440
    • Opcode ID: c58de225f95c152ab6af1b470b37807868feafa623f41c2bcfb802640fa2ff2c
    • Instruction ID: c5433b138257bcf5935ced3e29fb4480aba456a09241f37610f58a11cc730beb
    • Opcode Fuzzy Hash: c58de225f95c152ab6af1b470b37807868feafa623f41c2bcfb802640fa2ff2c
    • Instruction Fuzzy Hash: 3761E765B0AA0390ED44A722B91447673A1BF48BC8F98547BCCCD5B3B1EF3CA545E3A4
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000004.00000002.1895683396.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895739640.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895760741.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895786045.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895807663.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895868596.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895886602.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895905423.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: memcpy$FileModuleName
    • String ID: *7;u$p
    • API String ID: 1955653913-3490293476
    • Opcode ID: 645625445c2e909ecbe63e0be60bb5919e0017e978dff1b72ba1033b1c89a85e
    • Instruction ID: 347d2f54ae6f7b132ff34f6c40c5f5ae0114f50581e7bbe922afd297b2952dac
    • Opcode Fuzzy Hash: 645625445c2e909ecbe63e0be60bb5919e0017e978dff1b72ba1033b1c89a85e
    • Instruction Fuzzy Hash: 89022AB2B09B8692EB54DF15E4543AAB7A1FB84B84F458037DA9C0B7A9EF3CD505C340
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000004.00000002.1895683396.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895739640.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895760741.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895786045.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895807663.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895868596.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895886602.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895905423.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: signal$exitstrlen
    • String ID: 5$ReraiseDefect$SIGABRT: Abnormal termination.$SIGFPE: Arithmetic error.$SIGILL: Illegal operation.$SIGINT: Interrupted by Ctrl-C.$SIGSEGV: Illegal storage access. (Attempt to read from nil?)$fatal.nim$sysFatal$unknown signal
    • API String ID: 1414789275-2829261224
    • Opcode ID: db43e712b9be7a93631420e14b105a0930ecd6170e45012433f711954e299830
    • Instruction ID: a7053e46752a173a43a732335e2fd9168a531fd799413bc9e0b354a34205d696
    • Opcode Fuzzy Hash: db43e712b9be7a93631420e14b105a0930ecd6170e45012433f711954e299830
    • Instruction Fuzzy Hash: 5D315C66E18A02E0FA18AB25E8596BDB365BF45784F880437EE9D473F5DF3CA644C340
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000004.00000002.1895683396.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895739640.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895760741.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895786045.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895807663.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895868596.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895886602.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895905423.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: memcpy$LibraryLoad$AddressProc
    • String ID: :state$GetFileAttributesW$NtFlushInstructionCache4$OpenProcess$RtlGetVersion$cipher$dctx6$kernel32.dll$key5$remoteProcID2$tProcess1$treadHandle3
    • API String ID: 3980900384-2224378161
    • Opcode ID: 5024ca8dcfbd9f7da15cbb3ce75fc2b1b4ac0722f133e5d66a90e89f756bd335
    • Instruction ID: 38a1b40b4bd4aa54716553016ded1f9e1eec2551bd6e2a1a233d381790414c33
    • Opcode Fuzzy Hash: 5024ca8dcfbd9f7da15cbb3ce75fc2b1b4ac0722f133e5d66a90e89f756bd335
    • Instruction Fuzzy Hash: 9CB10321A19B4385FB129B28A9403A573A2FF55744F84527BCDDC563B2EF7DB289C380
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000004.00000002.1895683396.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895739640.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895760741.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895786045.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895807663.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895868596.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895886602.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895905423.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: CommandLine
    • String ID: not in $ not in $ not in $0 ..$0 ..$IndexDefect$inde$os.nim$paramStr
    • API String ID: 3253501508-369068400
    • Opcode ID: 176fa0095b720560e638bb860fa3f59553cefa47951e64ab9f53068569c9af63
    • Instruction ID: c75b100ea3c77a68e98ffa9a6a52b1f7038a7919dc14654df91ce1f41104dd78
    • Opcode Fuzzy Hash: 176fa0095b720560e638bb860fa3f59553cefa47951e64ab9f53068569c9af63
    • Instruction Fuzzy Hash: 719167B2A09B4281EB11DF15E9483A97BA4FF85B94F458037DA9D0B3A5EF3CE505C380
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000004.00000002.1895683396.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895739640.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895760741.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895786045.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895807663.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895868596.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895886602.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895905423.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: FormatFreeLocalMessagememcpymemset
    • String ID: Addition$OS error$OS error$OSError$al info:$unknown $unknown
    • API String ID: 4084645559-3457963805
    • Opcode ID: e43746b6d3e31976e80ed3e78efbe06e3184e3a06d24456f847f49f2a0480dcd
    • Instruction ID: 1cccb3bbc91015aeeee5e269373db9da998e94715edf409a3f9cc118bffac880
    • Opcode Fuzzy Hash: e43746b6d3e31976e80ed3e78efbe06e3184e3a06d24456f847f49f2a0480dcd
    • Instruction Fuzzy Hash: C38189B6B09B5681EE519B19E45877E37A8FF85B88F14843BDA8C073A5EF38D544C380
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000004.00000002.1895683396.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895739640.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895760741.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895786045.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895807663.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895868596.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895886602.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895905423.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: ByteCharMultiStringWide$AllocFreeInitialize_setjmpmemcpymemset
    • String ID: specifi$ed membe$o invoke$r: $unable t
    • API String ID: 909372610-4084315218
    • Opcode ID: e426f8c4deaaf8e3db560116b79f21edf749721eaba173ae76d85139aeb9888e
    • Instruction ID: 3608184739cf9a4ce5186de14096b6b2228846c6f17fbbf68c7013223949e7e0
    • Opcode Fuzzy Hash: e426f8c4deaaf8e3db560116b79f21edf749721eaba173ae76d85139aeb9888e
    • Instruction Fuzzy Hash: E0A1B376609F8681EB60CF15E8943AAB7A4FB88B80F448136DACD47B69DF7CD454CB40
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000004.00000002.1895683396.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895739640.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895760741.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895786045.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895807663.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895868596.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895886602.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895905423.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: FormatMessageW$GetCommandLineW$GetCurrentDirectoryW$GetLastError$GetModuleFileNameW$LocalFree$kernel32
    • API String ID: 2238633743-3391179580
    • Opcode ID: 1287cbde34c9a01a5778edf70d3b897d3a7a108950112f86db042cfb1d222104
    • Instruction ID: 1a3c7d1cdd112e4c16a35ba3fc7ffd52b4cc74f30727a0f6db4887a477b311ce
    • Opcode Fuzzy Hash: 1287cbde34c9a01a5778edf70d3b897d3a7a108950112f86db042cfb1d222104
    • Instruction Fuzzy Hash: 9E312FA5B0AA0390EE45D71279544B663A1BF49BC8B84047BDCCD4B3B5EE3CA449E394
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000004.00000002.1895683396.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895739640.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895760741.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895786045.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895807663.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895868596.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895886602.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895905423.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: ArraySafe$CreateElementInitialize
    • String ID: VariantConversionError$com.nim$toVariant
    • API String ID: 2234878901-3035603046
    • Opcode ID: c9a4d359ccf372bf526eaa78d5230b43e9c201022d9012c80fc7dd3dc61b5e02
    • Instruction ID: 77c4aba7d489da3a5bcb68e766c46eb7d55baee26957496e03fcf80fb2983331
    • Opcode Fuzzy Hash: c9a4d359ccf372bf526eaa78d5230b43e9c201022d9012c80fc7dd3dc61b5e02
    • Instruction Fuzzy Hash: 1B81ADA2B0AB4295EA54AB15E8587BE67A1FF40B80F944437EACD073B1DF7CE446C340
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000004.00000002.1895683396.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895739640.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895760741.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895786045.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895807663.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895868596.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895886602.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895905423.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: ArraySafe$CreateElementInitialize
    • String ID: VariantConversionError$com.nim$toVariant
    • API String ID: 2234878901-3035603046
    • Opcode ID: e59546261d6e30790542a23a76ed5ab6d73a75fa9f730ccaf14fb43211ccd0fd
    • Instruction ID: cf9360ad58d506b4d4411ee2f788713b9d940a7b0920e67bde18c9f8771412e8
    • Opcode Fuzzy Hash: e59546261d6e30790542a23a76ed5ab6d73a75fa9f730ccaf14fb43211ccd0fd
    • Instruction Fuzzy Hash: 128157A2B0AB4791EB109B15E9586BE63A1FF84B84F844537DA9D073B5DF3CE845C380
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000004.00000002.1895683396.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895739640.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895760741.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895786045.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895807663.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895868596.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895886602.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895905423.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: ArraySafe$CreateElementInitialize
    • String ID: VariantConversionError$com.nim$toVariant
    • API String ID: 2234878901-3035603046
    • Opcode ID: 697b9fa782d9ff8b20fb0e63cbcfd5e65f50ec7fbf6534a61681d9b41f57343c
    • Instruction ID: 3b37c313002a21b2ad2d699b6e3e66c0c83775dd160362aac333aefe52bf781d
    • Opcode Fuzzy Hash: 697b9fa782d9ff8b20fb0e63cbcfd5e65f50ec7fbf6534a61681d9b41f57343c
    • Instruction Fuzzy Hash: 75718CA2B0AB0695EA55AB05E9587BE63A1FF44B84F844537EACD073B0DF3CE441C380
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000004.00000002.1895683396.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895739640.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895760741.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895786045.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895807663.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895868596.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895886602.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895905423.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: LibraryLoad$AddressProc
    • String ID: MultiByteToWideChar$SysStringLen$WideCharToMultiByte$kernel32$lstrlenW$oleaut32
    • API String ID: 1469910268-1955535950
    • Opcode ID: ee6e375a4fb4bccd2b28a38eab41fe4ff48691f0217c803988e2de915c1ce671
    • Instruction ID: 50fddb0466cb1475f479da3eb50a48eac9ff7740cd49e34045d11df1bbe58fc8
    • Opcode Fuzzy Hash: ee6e375a4fb4bccd2b28a38eab41fe4ff48691f0217c803988e2de915c1ce671
    • Instruction Fuzzy Hash: 2031F3A5B1AA03D0ED559B22B854476B3A1BF48B88B98153BDCDD473B1EE3CE405D3A0
    APIs
    Strings
    • [GC] cannot register thread local variable; too many thread local variables, xrefs: 00007FFE0E13A69C
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000004.00000002.1895683396.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895739640.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895760741.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895786045.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895807663.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895868596.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895886602.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895905423.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: signal$exitfflushfwrite
    • String ID: [GC] cannot register thread local variable; too many thread local variables
    • API String ID: 3958355099-685140759
    • Opcode ID: fa8ccfdcd3ab8ba8d84ef958eb0a57ba01de52049acf6b168819aab5f8359f7c
    • Instruction ID: 389863c5b7d13818841a51b3535989dfd102dbcd312e5236424c1690ac05d406
    • Opcode Fuzzy Hash: fa8ccfdcd3ab8ba8d84ef958eb0a57ba01de52049acf6b168819aab5f8359f7c
    • Instruction Fuzzy Hash: B5215C66A09A0285FA146B65E8467BA7261FF86B80F845837E9DD173F2DF3CA211C304
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000004.00000002.1895683396.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895739640.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895760741.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895786045.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895807663.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895868596.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895886602.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895905423.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: memcpy
    • String ID: .$ValueError$annot pa$format s$invalid $parseStandardFormatSpecifier$rse:$strformat.nim$tring, c
    • API String ID: 3510742995-876510697
    • Opcode ID: 06778b7551d1d1e2799e8a2043c97a13a64522767c93a9a919c662244adb7339
    • Instruction ID: 7776b066975a9f385217b065751afe5a250ae8ace22864d0174df733bc84a7c0
    • Opcode Fuzzy Hash: 06778b7551d1d1e2799e8a2043c97a13a64522767c93a9a919c662244adb7339
    • Instruction Fuzzy Hash: 50E1D2A2A0879596EB148B3495003E9BBA1FB157D4F488633DAAC277E9DB3CE145C390
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000004.00000002.1895683396.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895739640.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895760741.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895786045.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895807663.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895868596.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895886602.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895905423.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: strlen$memcpy
    • String ID: excepti$Error: u$nhandled$on:
    • API String ID: 3396830738-1220997370
    • Opcode ID: 620df2181a99c2d9f432fa450793f222c34056ad9a437eb17abca127aa62c4ed
    • Instruction ID: 0860cd6b5c6136fceca5f0858951ba55b5e27d08b3b4de618a5f36831518e937
    • Opcode Fuzzy Hash: 620df2181a99c2d9f432fa450793f222c34056ad9a437eb17abca127aa62c4ed
    • Instruction Fuzzy Hash: 0981C162B19A8686FB299B25D4113BA7361FF44B84F888537EB8D177E5EF2CE505C300
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000004.00000002.1895683396.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895739640.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895760741.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895786045.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895807663.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895868596.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895886602.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895905423.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: memcpy
    • String ID: VED|$VT_ARRAY$VT_ARRAY$VT_ARRAY$VT_BYREF$VT_RESER$VT_VECTO
    • API String ID: 3510742995-291823325
    • Opcode ID: aec648f9a95a20fb432d11329cea1dfd7ef1e45c34c68d363635f803f7b74143
    • Instruction ID: aee1af98b61cc4981106b5ef7f74e08e1f7bbb9a1864352cea63abcd810622de
    • Opcode Fuzzy Hash: aec648f9a95a20fb432d11329cea1dfd7ef1e45c34c68d363635f803f7b74143
    • Instruction Fuzzy Hash: 4E7158B2708B4A85EB119F15E8443AA77A4FB95B88F598037DF8D0B3A1EE7CD544C300
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    • Associated: 00000004.00000002.1895683396.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895739640.00007FFE0E159000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895760741.00007FFE0E15A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895786045.00007FFE0E16C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895807663.00007FFE0E170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895828662.00007FFE0E181000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895868596.00007FFE0E186000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895886602.00007FFE0E187000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1895905423.00007FFE0E18A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: CreateToolhelp32Snapshot$Thread32First$Thread32Next$kernel32
    • API String ID: 2238633743-3935561650
    • Opcode ID: 6c442825502bc7901ecd661716a16d1c8b49b900e669c40a7a4c98e00781447f
    • Instruction ID: e2279771b7ff47ad42abcbd4b35610a98292c3fefe455890bd81f046e47ab824
    • Opcode Fuzzy Hash: 6c442825502bc7901ecd661716a16d1c8b49b900e669c40a7a4c98e00781447f
    • Instruction Fuzzy Hash: B0113DA5B0EA0390FE159722BD1457A63A1BF49B84F980877CCED473B0EE7CA046D350
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: 4b359fa39a413980578f20d51ef9706400725c07471b7bbc5a8fdffd70197d7b
    • Instruction ID: d19d629a3b53e0613472d1ea1b25a2e68c325c9ec19438d3f450bfa31d0aa70a
    • Opcode Fuzzy Hash: 4b359fa39a413980578f20d51ef9706400725c07471b7bbc5a8fdffd70197d7b
    • Instruction Fuzzy Hash: EF01C561A5AA07E0EA169B15BC505B933A5BF49788F840533DCDD43270EF3CE149D340
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: memcpy
    • String ID: ValueError$integer:$integer:$invalid $invalid $parseInt$strutils.nim
    • API String ID: 3510742995-2575869123
    • Opcode ID: 15bf003bdc77111694311591c6e8ce157c1d6e781086ecfc85e6e3deb4704f3f
    • Instruction ID: 5a9a41dc9289ddd13fb2f5b9cfcd51a7063a2017a68e2d04a786aa847ba646f9
    • Opcode Fuzzy Hash: 15bf003bdc77111694311591c6e8ce157c1d6e781086ecfc85e6e3deb4704f3f
    • Instruction Fuzzy Hash: A9413672A09B0AD1EA209F25E8547AA73A4FF48B84F848437DACD477A5EF7CE545C340
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: memcpy$memset
    • String ID:
    • API String ID: 438689982-0
    • Opcode ID: 9a95c766a421aee8bda3d61193bee614ed9ff932fcd03d974b4030aef223b19b
    • Instruction ID: 41aeaf78b52ac6210492a8ff25d33e0c52ba71c80a6da48fe58a854cd26ec7ec
    • Opcode Fuzzy Hash: 9a95c766a421aee8bda3d61193bee614ed9ff932fcd03d974b4030aef223b19b
    • Instruction Fuzzy Hash: D381C062B09A5681EE05EB25E8052BE77A1BF84F84F468533EE5D173A6EF3CE545C300
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: ArraySafe$CreateElementInitialize
    • String ID: VariantConversionError$com.nim$toVariant
    • API String ID: 2234878901-3035603046
    • Opcode ID: 9eae0cf97d50d8a67c4e201ceeba8e2c2a17758a0522804396163c04e92e8b07
    • Instruction ID: 94c0ce4550d521aa69181214f9235ea93ed49713d9e6e50d5c96af1dc0b70f1f
    • Opcode Fuzzy Hash: 9eae0cf97d50d8a67c4e201ceeba8e2c2a17758a0522804396163c04e92e8b07
    • Instruction Fuzzy Hash: 876136A2B0AB0291FA159B15A8187BE63A1FF85B84F544537DADD073B1EF3DE445C380
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: memcpy
    • String ID: to $convert $convert $convert $from
    • API String ID: 3510742995-220309676
    • Opcode ID: dc9e2aa1a007e4dd8d834762d87609655c69aa9ff4af3a690f529dd9e52cdbfa
    • Instruction ID: 46eab1de0f5cbbf42e484e6d0fad7764f6ac1a23ede92afb688f0b11b2e74fd2
    • Opcode Fuzzy Hash: dc9e2aa1a007e4dd8d834762d87609655c69aa9ff4af3a690f529dd9e52cdbfa
    • Instruction Fuzzy Hash: 9E4159B2A09B4681EB05DF15D5483987BA1FB94B80F4A8037DB9C5B3A5EFB8D510C780
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: GetForegroundWindow$GetWindowThreadProcessId$user32
    • API String ID: 2238633743-4060728576
    • Opcode ID: 099e45388bdc18e5a7f021420b8990e432f484574424dfb494841c910785b762
    • Instruction ID: 630a981e584bdba30fab39d1ae15849b5d385d5a2824ec11c675f526db689beb
    • Opcode Fuzzy Hash: 099e45388bdc18e5a7f021420b8990e432f484574424dfb494841c910785b762
    • Instruction Fuzzy Hash: 97011A65A5AB03D0EE459B22BC5457AB3A2BF49B84F88457BDCCD873B0EE3CA044C355
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: CopyFreeStringVariant_setjmpmemcpystrlen
    • String ID:
    • API String ID: 649350220-0
    • Opcode ID: 1c8747582f73588acd678ea3ed29cea2ab5c6abdbe1ab605578c608991d5d4c0
    • Instruction ID: 83f494b72e32496d6c2e9bf6150034332e80dd3b47d8dc8f56378582060d80d6
    • Opcode Fuzzy Hash: 1c8747582f73588acd678ea3ed29cea2ab5c6abdbe1ab605578c608991d5d4c0
    • Instruction Fuzzy Hash: 73D138B6A19B8681EA55CB16E4403AE73A1FBC8B94F448133EE9D077A9DF3CE441C340
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: _amsg_exit_initterm
    • String ID: 0
    • API String ID: 194249164-4108050209
    • Opcode ID: efee7c7564053665e09315d1a3c1bf29b97e43912d1bab046c58282f71b617ec
    • Instruction ID: cf483ee752bba1ee092aa0b48df9fb5434bd270b85cf89d27e2af28b6a70408b
    • Opcode Fuzzy Hash: efee7c7564053665e09315d1a3c1bf29b97e43912d1bab046c58282f71b617ec
    • Instruction Fuzzy Hash: 3D719236B09B068AEB508B65E8903AC37B1BB49B88F504436DE8D977A9CF7DE540C740
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: CopyInitializeVariant
    • String ID: VariantConversionError$com.nim$toVariant
    • API String ID: 633353902-3035603046
    • Opcode ID: d53b74f056ed678ce3979812d694a4fd568094c6bbedb9c3d2a401089230e449
    • Instruction ID: 461681aa21f6c7ccf9b375c3dad53e9ae85f69ce65ac773a99064d7fd5f7dd60
    • Opcode Fuzzy Hash: d53b74f056ed678ce3979812d694a4fd568094c6bbedb9c3d2a401089230e449
    • Instruction Fuzzy Hash: F24169A2B0A70790EA55AB19A91877E6394FF44B84F844937D9DC073B1DF3CE1468390
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: CopyInitializeVariant
    • String ID: VariantConversionError$com.nim$newVariant
    • API String ID: 633353902-805458017
    • Opcode ID: 37dc1bba5de7eb6d8a84ede9a51d855650d8d586e6755152db3d4b614f213599
    • Instruction ID: ecc9d3259361cb518f91bb8b3c38e6b09ea3a35ff29167eee4a4fd90462cc2d7
    • Opcode Fuzzy Hash: 37dc1bba5de7eb6d8a84ede9a51d855650d8d586e6755152db3d4b614f213599
    • Instruction Fuzzy Hash: 0D414EA2B0AB4794EA55AB19A91877E6394FF44B84F844537D9DC073B1DF3CE046C390
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: .~&$T]$T]
    • API String ID: 0-361263744
    • Opcode ID: 1c310ccbf74c847df73c694cb3f318e6f7db29470bae7075e5a2e3ab811cc63c
    • Instruction ID: 737f3dd802abeea36cf84ed44e215d04f3f96e6f9b70bfb8c9c50e33c4859dab
    • Opcode Fuzzy Hash: 1c310ccbf74c847df73c694cb3f318e6f7db29470bae7075e5a2e3ab811cc63c
    • Instruction Fuzzy Hash: C8C1A0A2E1874292EA50DF54E8412BA7762FF80754F944433EA8E5B7B6EF3CE905C700
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: _lock_unlock
    • String ID:
    • API String ID: 2848772494-0
    • Opcode ID: 839b6c95f21c298f95560e90b5800166fcecef062897bb39a6bf96ebd563a10a
    • Instruction ID: a91daa40c4a94aa909ffea281c5bd156041a777517c0243bf2c3d72c1b0da163
    • Opcode Fuzzy Hash: 839b6c95f21c298f95560e90b5800166fcecef062897bb39a6bf96ebd563a10a
    • Instruction Fuzzy Hash: F54198A7704B49C9EB048F6AD8813AC73A1F748BD8F448936EE6C477A8DF38D5508350
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: _fileno$_setmode
    • String ID:
    • API String ID: 2194614063-0
    • Opcode ID: b8499c141844f940aab8dce16dfdacb536d3285c549e13282d0a74ac03962638
    • Instruction ID: ef0d0c46a369d3c3b4741644165682ea344c24e22cd3aecf5669e34ba1b111e4
    • Opcode Fuzzy Hash: b8499c141844f940aab8dce16dfdacb536d3285c549e13282d0a74ac03962638
    • Instruction Fuzzy Hash: FAF01C11B1455542EF08A7B2BA6437E5A96AFD9BD0F18807B8D4E473D4ED3CD8424340
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: ErrorLastexitfwritestrlen
    • String ID: (bad format; library may be wrong architecture)$could not load:
    • API String ID: 671075621-2754783905
    • Opcode ID: 89563ff696690d38515c8b2b3e1467e36067791bf54df73593b659afd1aa64d8
    • Instruction ID: 912da432add6e74778a2bdec200ba20ded235543e9cefd23af3096e229ffcebb
    • Opcode Fuzzy Hash: 89563ff696690d38515c8b2b3e1467e36067791bf54df73593b659afd1aa64d8
    • Instruction Fuzzy Hash: FD016252B1965791FE04B771E8553B86265AF85780F44413BDE8E473F6EE6CE400C301
    APIs
    Strings
    • [GC] cannot register global variable; too many global variables, xrefs: 00007FFE0E13A93C
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: exitfflushfwrite
    • String ID: [GC] cannot register global variable; too many global variables
    • API String ID: 3476253079-2146260042
    • Opcode ID: a171ecbd8870034556625941e9756daf10bdc1cbc3b2acaf7614254cba44feb3
    • Instruction ID: 08ebba02b5b36af7409eba46b3b81dc39efb3781fd1b9eb5419a33466852c97d
    • Opcode Fuzzy Hash: a171ecbd8870034556625941e9756daf10bdc1cbc3b2acaf7614254cba44feb3
    • Instruction Fuzzy Hash: FCF03022E59B42D5F6046B61E8463B926B1FF8AB41F852537E9CE173F2DF2DA151C300
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: AttachConsole$kernel32
    • API String ID: 2574300362-374305082
    • Opcode ID: 960aa4397a13f9497081fe059081674e85d4f086b5cc47264218468e45188bc1
    • Instruction ID: 665f73e8cd5fb583f99a231c4d618fb360f3bc216d38f9cdee39dd6ab87e9412
    • Opcode Fuzzy Hash: 960aa4397a13f9497081fe059081674e85d4f086b5cc47264218468e45188bc1
    • Instruction Fuzzy Hash: B9F09A61A4AA02C0E949DB22BC4407672E6BF88B94F84057BCCCD463B0EF3CA185C340
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: Ws2_32.dll$inet_ntop
    • API String ID: 2574300362-2739477577
    • Opcode ID: 5960f70dcc3cb8590bd01532b6b5409507b56dd736a63677e676c6170141e528
    • Instruction ID: 2770fbf9e73e83282f27653529ab8f7d835d26911a596c3faf8ff1d072e33a94
    • Opcode Fuzzy Hash: 5960f70dcc3cb8590bd01532b6b5409507b56dd736a63677e676c6170141e528
    • Instruction Fuzzy Hash: 08E04224A5AA53C1EA5A9B15AD500A463E1BF59700F90407BC88D423B0EF7CA559C750
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: memcpymemset
    • String ID: [[rerais$]]$ed from:
    • API String ID: 1297977491-96586220
    • Opcode ID: 4de7edbcc6b12fb41e346efe08153019dc93f70cd32370dedc5e014a18505298
    • Instruction ID: f7c80199c0b70cb48b408c1629cdcee2bae7ae9cbfd1150b626d2d80fd41c999
    • Opcode Fuzzy Hash: 4de7edbcc6b12fb41e346efe08153019dc93f70cd32370dedc5e014a18505298
    • Instruction Fuzzy Hash: 27E18776A09B8681EA648F25E4003AE77A8FB49B98F544637EEAD077E0DF3DD545C300
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: memcpymemset
    • String ID: CLRError$clr.nim$clrError
    • API String ID: 1297977491-2830349459
    • Opcode ID: 10f23ab442f7161de1a4e5cab30c6324a6b80ed03321f59bc245b0addc95e8d4
    • Instruction ID: 8a7f37976afbcc7d8265fd4e740e01cbcc64f7f71c5c44684600640f3594a22a
    • Opcode Fuzzy Hash: 10f23ab442f7161de1a4e5cab30c6324a6b80ed03321f59bc245b0addc95e8d4
    • Instruction Fuzzy Hash: 3D91D6A2A0CB8685E7118B15D8006BE3BA0FB557A4F554272DFEC0B7E2DE3CE550C350
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: virtualFree failing!
    • API String ID: 0-3108117800
    • Opcode ID: 1f137d6605ab7e2858848fd2a2c3146e9ccc07f199a0bb54434c994e38447113
    • Instruction ID: a6150c2ef07ea4b7b117c1b4b172c77d97d92af8be1a8ce848d3802047161daa
    • Opcode Fuzzy Hash: 1f137d6605ab7e2858848fd2a2c3146e9ccc07f199a0bb54434c994e38447113
    • Instruction Fuzzy Hash: CB81AEB2A05B4680EB18CB25E9457B933A2FF54B94F518236DEAD073A4EF7DE185C340
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: virtualFree failing!
    • API String ID: 0-3108117800
    • Opcode ID: 898de089e6a652b3b74e16420251f34d35e97e5bf78494b81a434b6a4fe685e7
    • Instruction ID: c20db5cccaff5d85b454a73eb6533fbe1eb464e1ca1d6cb2a88ac849398377a4
    • Opcode Fuzzy Hash: 898de089e6a652b3b74e16420251f34d35e97e5bf78494b81a434b6a4fe685e7
    • Instruction Fuzzy Hash: 5961CEB2A05B4680FA28CB25E8457B973A2FF54B94F558236DE9D033A4EF7DE185C340
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: FreeVirtualexit
    • String ID: virtualFree failing!
    • API String ID: 1212090140-3108117800
    • Opcode ID: 78c6a9389ec2a35e9909f5ee783a93cabf13e1c0a10bdb62cf2a036c13e9934b
    • Instruction ID: 3f980147961cdb566abdf14ee684a89b7d0b399b74ba98bcae9804b30cfabae2
    • Opcode Fuzzy Hash: 78c6a9389ec2a35e9909f5ee783a93cabf13e1c0a10bdb62cf2a036c13e9934b
    • Instruction Fuzzy Hash: 6351A0B2B15B4584EE19CB25C458BA833A6FB44790F62C23ADABD473A4EF79D5848340
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1895707930.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_7ffe0e130000_rundll32.jbxd
    Similarity
    • API ID: FreeVirtualexit
    • String ID: virtualFree failing!
    • API String ID: 1212090140-3108117800
    • Opcode ID: 85fe4ed7ebd342e25d4a31d68c50157dc6f40be3eecca2972c7da7329500421c
    • Instruction ID: 262d2b4795d11a36a548eea8ea02828c9e7e9667d7de8b72672e043d00c4397b
    • Opcode Fuzzy Hash: 85fe4ed7ebd342e25d4a31d68c50157dc6f40be3eecca2972c7da7329500421c
    • Instruction Fuzzy Hash: C011C4A2B15B4A81FE59DB26D8512B86791FF94BD0F58D13BC95D433A1DE6CE488C300

    Execution Graph

    Execution Coverage: 0.6%
    Dynamic/Decrypted Code Coverage: 0%
    Signature Coverage: 0%
    Total number of Nodes: 27
    Total number of Limit Nodes: 0

    Callgraph

    • Executed
    • Not Executed
    • Opacity -> Relevance
    • Disassembly available

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000006.00000002.1785449236.0000027B70B50000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000027B70B50000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_27b70b50000_rundll32.jbxd
    Similarity
    • API ID: CreateMemoryProtectSectionVirtual
    • String ID:
    • API String ID: 1366966015-0
    • Opcode ID: f6b47d1aec46e1e957693d9d0c8cb924439d4d7cbf412633b4b44180241d7493
    • Instruction ID: 0fa1e7b2449cba7ec53b9145e8193c8251eb757b33425c14aaa9181192467cb0
    • Opcode Fuzzy Hash: f6b47d1aec46e1e957693d9d0c8cb924439d4d7cbf412633b4b44180241d7493
    • Instruction Fuzzy Hash: AF31063121CB0C4FE759AA6C984976AB2D4EBD8311F000B6FF58EC3391FAA199058686

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000006.00000002.1785449236.0000027B70B50000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000027B70B50000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_27b70b50000_rundll32.jbxd
    Similarity
    • API ID: CreateSection
    • String ID:
    • API String ID: 2449625523-0
    • Opcode ID: 9e7362a58a991fd67ed60abdc4631b05ef3ffe28a9eadedd5685242ff6fa6018
    • Instruction ID: e60d42a6b0b2ea4f57c17d8831a1fb82fcbfb10645cc599f97702929a6e7d9a1
    • Opcode Fuzzy Hash: 9e7362a58a991fd67ed60abdc4631b05ef3ffe28a9eadedd5685242ff6fa6018
    • Instruction Fuzzy Hash: 0101DB7275CB080FE75D895CA849775B3C0D7C5321F400B6FE98DD77D2EA6298014686

    Execution Graph

    Execution Coverage: 0.6%
    Dynamic/Decrypted Code Coverage: 0%
    Signature Coverage: 0%
    Total number of Nodes: 27
    Total number of Limit Nodes: 0

    Callgraph

    • Executed
    • Not Executed
    • Opacity -> Relevance
    • Disassembly available

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.1834654011.000001E0BE700000.00000020.00000400.00020000.00000000.sdmp, Offset: 000001E0BE700000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_1e0be700000_rundll32.jbxd
    Similarity
    • API ID: CreateMemoryProtectSectionVirtual
    • String ID:
    • API String ID: 1366966015-0
    • Opcode ID: f6b47d1aec46e1e957693d9d0c8cb924439d4d7cbf412633b4b44180241d7493
    • Instruction ID: 3e7e88560b9756ce16f020fca5dfab66efe13358e263dff94910639c61a6311c
    • Opcode Fuzzy Hash: f6b47d1aec46e1e957693d9d0c8cb924439d4d7cbf412633b4b44180241d7493
    • Instruction Fuzzy Hash: 83310E3025CB4C4FE759A66CD8456AE72D4FB9C311F00072FF88AC3292EAB0DC454786

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.1834654011.000001E0BE700000.00000020.00000400.00020000.00000000.sdmp, Offset: 000001E0BE700000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_1e0be700000_rundll32.jbxd
    Similarity
    • API ID: CreateSection
    • String ID:
    • API String ID: 2449625523-0
    • Opcode ID: 9e7362a58a991fd67ed60abdc4631b05ef3ffe28a9eadedd5685242ff6fa6018
    • Instruction ID: 18533c62089a27652af02935cba0f60aca65bd2c5d05c9f0bec7e768de6f7f35
    • Opcode Fuzzy Hash: 9e7362a58a991fd67ed60abdc4631b05ef3ffe28a9eadedd5685242ff6fa6018
    • Instruction Fuzzy Hash: 6301C87175CB580FE759895CE84577972C0EB89321F40072FE889C3693D9A19C464786

    Callgraph

    • Executed
    • Not Executed
    • Opacity -> Relevance
    • Disassembly available

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 0000000F.00000002.1815725390.00000224A1FE0000.00000020.00000400.00020000.00000000.sdmp, Offset: 00000224A1FE0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_15_2_224a1fe0000_rundll32.jbxd
    Similarity
    • API ID: CreateMemoryProtectSectionVirtual
    • String ID:
    • API String ID: 1366966015-0
    • Opcode ID: f6b47d1aec46e1e957693d9d0c8cb924439d4d7cbf412633b4b44180241d7493
    • Instruction ID: 29cd9993044d5d27be59441fab249b9e288b65ba33a41c89a9d2913ec5b73733
    • Opcode Fuzzy Hash: f6b47d1aec46e1e957693d9d0c8cb924439d4d7cbf412633b4b44180241d7493
    • Instruction Fuzzy Hash: 79314C3131CF4C5FE718BAAD989D66A72D4EBD8311F40072FF48FC32E1EAA498054686

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 0000000F.00000002.1815725390.00000224A1FE0000.00000020.00000400.00020000.00000000.sdmp, Offset: 00000224A1FE0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_15_2_224a1fe0000_rundll32.jbxd
    Similarity
    • API ID: CreateSection
    • String ID:
    • API String ID: 2449625523-0
    • Opcode ID: 9e7362a58a991fd67ed60abdc4631b05ef3ffe28a9eadedd5685242ff6fa6018
    • Instruction ID: 0f79af5b3b7398f8d1405f4cf21b57f199bb25d27c784f6186600b724b92709b
    • Opcode Fuzzy Hash: 9e7362a58a991fd67ed60abdc4631b05ef3ffe28a9eadedd5685242ff6fa6018
    • Instruction Fuzzy Hash: BA01FE7174CF480FE75899ADAC8977573C0D785321F40072FE88EC36D2D965AC164686

    Callgraph

    • Executed
    • Not Executed
    • Opacity -> Relevance
    • Disassembly available

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000011.00000002.1791233415.0000026F88A30000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000026F88A30000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_26f88a30000_loaddll64.jbxd
    Similarity
    • API ID: CreateMemoryProtectSectionVirtual
    • String ID:
    • API String ID: 1366966015-0
    • Opcode ID: f6b47d1aec46e1e957693d9d0c8cb924439d4d7cbf412633b4b44180241d7493
    • Instruction ID: c1c3bc44fc0835fbd4893b02d4361064ec00a66413538b0e68ad114423f40d5f
    • Opcode Fuzzy Hash: f6b47d1aec46e1e957693d9d0c8cb924439d4d7cbf412633b4b44180241d7493
    • Instruction Fuzzy Hash: 6E312C3021CB0C5FEB58AA6CA84D66A72D4EBD8311F40073FF59AC32D1EAA198054786

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000011.00000002.1791233415.0000026F88A30000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000026F88A30000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_26f88a30000_loaddll64.jbxd
    Similarity
    • API ID: CreateSection
    • String ID:
    • API String ID: 2449625523-0
    • Opcode ID: 9e7362a58a991fd67ed60abdc4631b05ef3ffe28a9eadedd5685242ff6fa6018
    • Instruction ID: 1cf1cc4dc258542ce8152ef43da51c612184e463573c2bbcafc052e7d94151dc
    • Opcode Fuzzy Hash: 9e7362a58a991fd67ed60abdc4631b05ef3ffe28a9eadedd5685242ff6fa6018
    • Instruction Fuzzy Hash: 4101F97170CB080FEBA88A6CBC4A77573D0D785321F40077FE999C36D2E966AC06478A