Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
66WXq58R0I.exe

Overview

General Information

Sample name:66WXq58R0I.exe
renamed because original name is a hash value
Original sample name:e68e0c467ecfbb9f0c6e5c8359f81b09.exe
Analysis ID:1542676
MD5:e68e0c467ecfbb9f0c6e5c8359f81b09
SHA1:f9f00bc6c6fe10f2d95f085be5c4e55d404e7900
SHA256:ec6c410d323de0552b1cda52bbbbecdb504985994291a387b06525afa26807be
Tags:64exe
Infos:

Detection

Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Hijacks the control flow in another process
Machine Learning detection for sample
Reads the Security eventlog
Reads the System eventlog
Sets debug register (to hijack the execution of another thread)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • 66WXq58R0I.exe (PID: 6580 cmdline: "C:\Users\user\Desktop\66WXq58R0I.exe" MD5: E68E0C467ECFBB9F0C6E5C8359F81B09)
    • conhost.exe (PID: 6600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 66WXq58R0I.exe (PID: 2056 cmdline: C:\Users\user\Desktop\66wxq58r0i.exe 2580 MD5: E68E0C467ECFBB9F0C6E5C8359F81B09)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\66WXq58R0I.exe, ProcessId: 2056, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g5elpwno.kpw.ps1

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: 66WXq58R0I.exeAvira: detected
Multi AV Scanner detection for submitted file
Source: 66WXq58R0I.exeVirustotal: Detection: 38%Perma Link
Source: 66WXq58R0I.exeReversingLabs: Detection: 34%
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: 66WXq58R0I.exeJoe Sandbox ML: detected
Source: 66WXq58R0I.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ntdll.pdb source: 66WXq58R0I.exe, 00000000.00000002.2953785596.0000025EAE862000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000000.00000002.2953608194.0000025EAE66B000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000000.00000002.2954347645.0000025EAEE60000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000000.00000002.2953426997.0000025EAE461000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000000.00000002.2953957081.0000025EAEA6A000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000000.00000002.2954143232.0000025EAEC62000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000002.00000002.2954414520.00000153C3475000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000002.00000002.2954582314.00000153C3676000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000002.00000002.2954890486.00000153C3A7A000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000002.00000002.2955163767.00000153C3E74000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000002.00000002.2955027560.00000153C3C70000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000002.00000002.2954752934.00000153C387F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\Git\PwnPowershell\RunSpace\obj\Release\RunSpace.pdb source: 66WXq58R0I.exe, 00000002.00000002.2954223462.00000153C3270000.00000004.08000000.00040000.00000000.sdmp, 66WXq58R0I.exe, 00000002.00000002.2953479298.00000153C1803000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: 66WXq58R0I.exe, 00000000.00000002.2953785596.0000025EAE862000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000000.00000002.2953608194.0000025EAE66B000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000000.00000002.2954347645.0000025EAEE60000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000000.00000002.2953426997.0000025EAE461000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000000.00000002.2953957081.0000025EAEA6A000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000000.00000002.2954143232.0000025EAEC62000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000002.00000002.2954414520.00000153C3475000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000002.00000002.2954582314.00000153C3676000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000002.00000002.2954890486.00000153C3A7A000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000002.00000002.2955163767.00000153C3E74000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000002.00000002.2955027560.00000153C3C70000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000002.00000002.2954752934.00000153C387F000.00000004.00000020.00020000.00000000.sdmp
Source: 66WXq58R0I.exe, 00000002.00000002.2955303730.00000153C4071000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Spam, unwanted Advertisements and Ransom Demands

barindex
Reads the Security eventlog
Source: C:\Users\user\Desktop\66WXq58R0I.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
Reads the System eventlog
Source: C:\Users\user\Desktop\66WXq58R0I.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShellJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 0_2_00007FF78E41C240 RtlGetVersion,memcpy,GetProcessHeap,GetProcessHeap,exit,exit,memcpy,GetTickCount,Sleep,SleepEx,exit,memcpy,memcpy,GetFileAttributesW,GetFileAttributesW,OpenProcess,GetModuleHandleA,GetProcAddress,memcpy,memcpy,GetFileAttributesW,memcpy,memcpy,HeapCreate,VirtualProtect,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,CreateProcessW,LoadLibraryA,GetProcAddress,NtAllocateVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,fwrite,fflush,NtWriteVirtualMemory,NtProtectVirtualMemory,ResumeThread,exit,memcpy,memcpy,fwrite,fflush,fwrite,fflush,0_2_00007FF78E41C240
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 2_2_00007FF78E41BF80 GetThreadContext,NtTraceEvent,SetThreadContext,BaseThreadInitThunk,BaseThreadInitThunk,2_2_00007FF78E41BF80
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 2_2_00007FF78E41D570 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,Thread32Next,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,NtTraceEvent,SetThreadContext,CloseHandle,GetModuleHandleA,BaseThreadInitThunk,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll,BaseThreadInitThunk,2_2_00007FF78E41D570
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 2_2_00007FF78E41BEE0 NtTraceEvent,2_2_00007FF78E41BEE0
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 2_2_00000153C16D1B10 NtProtectVirtualMemory,NtCreateSection,2_2_00000153C16D1B10
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 2_2_00000153C16D1BA8 NtCreateSection,2_2_00000153C16D1BA8
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 0_2_00007FF78E41C2400_2_00007FF78E41C240
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 0_2_00007FF78E41F6D00_2_00007FF78E41F6D0
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 0_2_00007FF78E4167600_2_00007FF78E416760
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 0_2_00007FF78E41E7F00_2_00007FF78E41E7F0
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 0_2_00007FF78E4204600_2_00007FF78E420460
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 0_2_00007FF78E41B4200_2_00007FF78E41B420
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 0_2_00007FF78E422CA00_2_00007FF78E422CA0
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 0_2_00007FF78E4169700_2_00007FF78E416970
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 0_2_00007FF78E414A800_2_00007FF78E414A80
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 0_2_00007FF78E42A61A0_2_00007FF78E42A61A
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 2_2_00007FF78E4204602_2_00007FF78E420460
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 2_2_00007FF78E41B4202_2_00007FF78E41B420
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 2_2_00007FF78E422CA02_2_00007FF78E422CA0
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 2_2_00007FF78E41C2402_2_00007FF78E41C240
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 2_2_00007FF78E41F6D02_2_00007FF78E41F6D0
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 2_2_00007FF78E4167602_2_00007FF78E416760
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 2_2_00007FF78E41E7F02_2_00007FF78E41E7F0
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 2_2_00007FF78E4169702_2_00007FF78E416970
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 2_2_00007FF78E414A802_2_00007FF78E414A80
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 2_2_00007FF78E42A61A2_2_00007FF78E42A61A
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 2_2_00000153C16D0B362_2_00000153C16D0B36
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 2_2_00000153C16D07302_2_00000153C16D0730
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 2_2_00000153C16D0BAD2_2_00000153C16D0BAD
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 2_2_00000153C16D0AB32_2_00000153C16D0AB3
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 2_2_00000153C16D09992_2_00000153C16D0999
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: String function: 00007FF78E4161C0 appears 86 times
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: String function: 00007FF78E4120F0 appears 78 times
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: String function: 00007FF78E41E170 appears 48 times
Source: 66WXq58R0I.exeStatic PE information: Number of sections : 11 > 10
Source: 66WXq58R0I.exe, 00000000.00000002.2954143232.0000025EAEDDA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 66WXq58R0I.exe
Source: 66WXq58R0I.exe, 00000002.00000002.2954414520.00000153C35ED000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 66WXq58R0I.exe
Source: 66WXq58R0I.exe, 00000002.00000002.2954223462.00000153C3270000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameRunSpace.exe2 vs 66WXq58R0I.exe
Source: 66WXq58R0I.exe, 00000002.00000002.2955303730.00000153C40EC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs 66WXq58R0I.exe
Source: 66WXq58R0I.exe, 00000002.00000002.2953479298.00000153C1803000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRunSpace.exe2 vs 66WXq58R0I.exe
Source: 66WXq58R0I.exe, 00000002.00000002.2955303730.00000153C4071000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs 66WXq58R0I.exe
Source: classification engineClassification label: mal84.evad.winEXE@4/4@0/0
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 0_2_00007FF78E41D570 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,SetThreadContext,CloseHandle,GetModuleHandleA,BaseThreadInitThunk,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll,BaseThreadInitThunk,0_2_00007FF78E41D570
Source: C:\Users\user\Desktop\66WXq58R0I.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_03
Source: C:\Users\user\Desktop\66WXq58R0I.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g5elpwno.kpw.ps1Jump to behavior
Source: 66WXq58R0I.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\66WXq58R0I.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: 66WXq58R0I.exeVirustotal: Detection: 38%
Source: 66WXq58R0I.exeReversingLabs: Detection: 34%
Source: unknownProcess created: C:\Users\user\Desktop\66WXq58R0I.exe "C:\Users\user\Desktop\66WXq58R0I.exe"
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess created: C:\Users\user\Desktop\66WXq58R0I.exe C:\Users\user\Desktop\66wxq58r0i.exe 2580
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess created: C:\Users\user\Desktop\66WXq58R0I.exe C:\Users\user\Desktop\66wxq58r0i.exe 2580Jump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeSection loaded: amsi.dllJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeSection loaded: msisip.dllJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeSection loaded: wshext.dllJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: 66WXq58R0I.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: 66WXq58R0I.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ntdll.pdb source: 66WXq58R0I.exe, 00000000.00000002.2953785596.0000025EAE862000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000000.00000002.2953608194.0000025EAE66B000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000000.00000002.2954347645.0000025EAEE60000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000000.00000002.2953426997.0000025EAE461000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000000.00000002.2953957081.0000025EAEA6A000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000000.00000002.2954143232.0000025EAEC62000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000002.00000002.2954414520.00000153C3475000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000002.00000002.2954582314.00000153C3676000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000002.00000002.2954890486.00000153C3A7A000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000002.00000002.2955163767.00000153C3E74000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000002.00000002.2955027560.00000153C3C70000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000002.00000002.2954752934.00000153C387F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\Git\PwnPowershell\RunSpace\obj\Release\RunSpace.pdb source: 66WXq58R0I.exe, 00000002.00000002.2954223462.00000153C3270000.00000004.08000000.00040000.00000000.sdmp, 66WXq58R0I.exe, 00000002.00000002.2953479298.00000153C1803000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: 66WXq58R0I.exe, 00000000.00000002.2953785596.0000025EAE862000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000000.00000002.2953608194.0000025EAE66B000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000000.00000002.2954347645.0000025EAEE60000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000000.00000002.2953426997.0000025EAE461000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000000.00000002.2953957081.0000025EAEA6A000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000000.00000002.2954143232.0000025EAEC62000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000002.00000002.2954414520.00000153C3475000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000002.00000002.2954582314.00000153C3676000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000002.00000002.2954890486.00000153C3A7A000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000002.00000002.2955163767.00000153C3E74000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000002.00000002.2955027560.00000153C3C70000.00000004.00000020.00020000.00000000.sdmp, 66WXq58R0I.exe, 00000002.00000002.2954752934.00000153C387F000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 0_2_00007FF78E418C30 _fileno,_fileno,_setmode,_setmode,_fileno,_setmode,_fileno,_setmode,SetConsoleOutputCP,SetConsoleCP,LoadLibraryA,GetProcAddress,CoInitialize,CoInitializeEx,0_2_00007FF78E418C30
Source: 66WXq58R0I.exeStatic PE information: section name: .eh_fram
Source: 66WXq58R0I.exeStatic PE information: section name: .xdata
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 2_2_00007FFD9B891508 pushad ; retf 5E51h2_2_00007FFD9B89169D
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeMemory allocated: 153C3260000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeMemory allocated: 153DC070000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 0_2_00007FF78E41D570 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,SetThreadContext,CloseHandle,GetModuleHandleA,BaseThreadInitThunk,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll,BaseThreadInitThunk,0_2_00007FF78E41D570
Source: C:\Users\user\Desktop\66WXq58R0I.exeWindow / User API: threadDelayed 1085Jump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exe TID: 1360Thread sleep count: 1085 > 30Jump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exe TID: 3624Thread sleep count: 158 > 30Jump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 0_2_00007FF78E41D570 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,SetThreadContext,CloseHandle,GetModuleHandleA,BaseThreadInitThunk,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll,BaseThreadInitThunk,0_2_00007FF78E41D570
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 0_2_00007FF78E41D570 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,SetThreadContext,CloseHandle,GetModuleHandleA,BaseThreadInitThunk,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll,BaseThreadInitThunk,0_2_00007FF78E41D570
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 0_2_00007FF78E418C30 _fileno,_fileno,_setmode,_setmode,_fileno,_setmode,_fileno,_setmode,SetConsoleOutputCP,SetConsoleCP,LoadLibraryA,GetProcAddress,CoInitialize,CoInitializeEx,0_2_00007FF78E418C30
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 0_2_00007FF78E41C240 RtlGetVersion,memcpy,GetProcessHeap,GetProcessHeap,exit,exit,memcpy,GetTickCount,Sleep,SleepEx,exit,memcpy,memcpy,GetFileAttributesW,GetFileAttributesW,OpenProcess,GetModuleHandleA,GetProcAddress,memcpy,memcpy,GetFileAttributesW,memcpy,memcpy,HeapCreate,VirtualProtect,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,CreateProcessW,LoadLibraryA,GetProcAddress,NtAllocateVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,fwrite,fflush,NtWriteVirtualMemory,NtProtectVirtualMemory,ResumeThread,exit,memcpy,memcpy,fwrite,fflush,fwrite,fflush,0_2_00007FF78E41C240
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 0_2_00007FF78E411154 GetStartupInfoA,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,exit,_cexit,0_2_00007FF78E411154
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 0_2_00007FF78E41D570 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,SetThreadContext,CloseHandle,GetModuleHandleA,BaseThreadInitThunk,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll,BaseThreadInitThunk,0_2_00007FF78E41D570
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 0_2_00007FF78E45CF08 RtlAddVectoredExceptionHandler,0_2_00007FF78E45CF08
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 2_2_00007FF78E41D570 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,Thread32Next,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,NtTraceEvent,SetThreadContext,CloseHandle,GetModuleHandleA,BaseThreadInitThunk,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll,BaseThreadInitThunk,2_2_00007FF78E41D570
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 2_2_00007FF78E411154 GetStartupInfoA,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,exit,_cexit,2_2_00007FF78E411154
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 2_2_00007FF78E45CF08 RtlAddVectoredExceptionHandler,2_2_00007FF78E45CF08
Source: C:\Users\user\Desktop\66WXq58R0I.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Users\user\Desktop\66WXq58R0I.exeNtAllocateVirtualMemory: Indirect: 0x7FF78E424BD1Jump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeNtWriteVirtualMemory: Indirect: 0x7FF78E424D2BJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeNtProtectVirtualMemory: Indirect: 0x7FF78E425018Jump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeNtProtectVirtualMemory: Indirect: 0x7FF78E424D80Jump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeNtProtectVirtualMemory: Indirect: 0x7FF78E424D00Jump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeNtWriteVirtualMemory: Indirect: 0x7FF78E424FDFJump to behavior
Hijacks the control flow in another process
Source: C:\Users\user\Desktop\66WXq58R0I.exeMemory written: PID: 2056 base: 153C16D0000 value: E9Jump to behavior
Sets debug register (to hijack the execution of another thread)
Source: C:\Users\user\Desktop\66WXq58R0I.exeThread register set: 2056 4Jump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeProcess created: C:\Users\user\Desktop\66WXq58R0I.exe C:\Users\user\Desktop\66wxq58r0i.exe 2580Jump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\66WXq58R0I.exeCode function: 0_2_00007FF78E41C240 RtlGetVersion,memcpy,GetProcessHeap,GetProcessHeap,exit,exit,memcpy,GetTickCount,Sleep,SleepEx,exit,memcpy,memcpy,GetFileAttributesW,GetFileAttributesW,OpenProcess,GetModuleHandleA,GetProcAddress,memcpy,memcpy,GetFileAttributesW,memcpy,memcpy,HeapCreate,VirtualProtect,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,CreateProcessW,LoadLibraryA,GetProcAddress,NtAllocateVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,fwrite,fflush,NtWriteVirtualMemory,NtProtectVirtualMemory,ResumeThread,exit,memcpy,memcpy,fwrite,fflush,fwrite,fflush,0_2_00007FF78E41C240
Source: C:\Users\user\Desktop\66WXq58R0I.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
Native API		1
DLL Side-Loading		211
Process Injection		2
Virtualization/Sandbox Evasion		OS Credential Dumping2
Security Software Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
Abuse Elevation Control Mechanism		1
Disable or Modify Tools		LSASS Memory2
Virtualization/Sandbox Evasion		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
DLL Side-Loading		211
Process Injection		Security Account Manager2
Process Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Deobfuscate/Decode Files or Information		NTDS1
Application Window Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Abuse Elevation Control Mechanism		LSA Secrets13
System Information Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
Obfuscated Files or Information		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
DLL Side-Loading		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
66WXq58R0I.exe38%VirustotalBrowse
66WXq58R0I.exe34%ReversingLabsWin64.Trojan.Dacic
66WXq58R0I.exe100%AviraHEUR/AGEN.1329808
66WXq58R0I.exe100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name66WXq58R0I.exe, 00000002.00000002.2955303730.00000153C4071000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1542676
Start date and time:2024-10-26 06:25:07 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 16s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:66WXq58R0I.exe
renamed because original name is a hash value
Original Sample Name:e68e0c467ecfbb9f0c6e5c8359f81b09.exe
Detection:MAL
Classification:mal84.evad.winEXE@4/4@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 60
  • Number of non-executed functions: 67
Cookbook Comments:
  • Found application associated with file extension: .exe

Warnings

  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes where analyzed, report is missing behavior information
  • Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g5elpwno.kpw.ps1

Download File
Process:C:\Users\user\Desktop\66WXq58R0I.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:high, very likely benign file
Preview:# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tlxxxkea.ncw.psm1

Download File
Process:C:\Users\user\Desktop\66WXq58R0I.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:high, very likely benign file
Preview:# PowerShell test file to determine AppLocker lockdown mode

\Device\ConDrv

Download File
Process:C:\Users\user\Desktop\66WXq58R0I.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):49
Entropy (8bit):4.443606211763083
Encrypted:false
SSDEEP:3:jBJ2SL1KSyKAJJovov122ycAIqn:jBJ2SBpsmvBVcs
MD5:717327D9B75FC7A8ED8EE1F48D3373F7
SHA1:1DCEDD1A8C4D0BAC49F0BE630FCCF1A1B4491A4B
SHA-256:C2FD348DE26E7A82953985B05229057CB643D2C7F81F86170B5363A6F9A03DD8
SHA-512:936F8CEE7B983B33C2A5D28327746FBFB9FE6E5E8D45351D19D54A52D3CAE71160325DC1AC269CED8AA82C8830450DB9E05A64D56290BA4E3DE33C58564CF4A8
Malicious:false
Reputation:low
Preview:Windows PwnPowershell....PS C:\Windows\system32>

Static File Info

General

File type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):6.714839278042225
TrID:
  • Win64 Executable (generic) (12005/4) 74.95%
  • Generic Win/DOS Executable (2004/3) 12.51%
  • DOS Executable Generic (2002/1) 12.50%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:66WXq58R0I.exe
File size:217'600 bytes
MD5:e68e0c467ecfbb9f0c6e5c8359f81b09
SHA1:f9f00bc6c6fe10f2d95f085be5c4e55d404e7900
SHA256:ec6c410d323de0552b1cda52bbbbecdb504985994291a387b06525afa26807be
SHA512:6f9b506d505187fd14482c22a4967f439bfb6ddcaef7b4873e1cd7bba30b7ccc2753eb40770d6a402146020a5aed4c1d57934b96b5d14564d9afad2d5eae7b58
SSDEEP:6144:xHuGnkJ7WtBOxxaNIfm8vlnPJJJ655ZZo:gGnmhxaNIfm8v
TLSH:24248E3AF29394BCC5ABC27A47C7A8F2A571FC150270B86E16806A317F5BC605B6DF41
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...#}.g...............$.....N...`..%..........@............................. ............`... ............................

File Icon

Icon Hash:90cececece8e8eb0

Static PE Info

General

Entrypoint:0x140001125
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x140000000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x670F7D23 [Wed Oct 16 08:45:23 2024 UTC]
TLS Callbacks:0x40016430, 0x1, 0x400164ef, 0x1
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:e16254f44ddd98c690f5ad4d0a981e4a

Entrypoint Preview

Instruction
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 30h
mov dword ptr [ebp-04h], 000000FFh
dec eax
mov eax, dword ptr [000328A5h]
mov dword ptr [eax], 00000000h
call 00007F6E30CC6003h
mov dword ptr [ebp-04h], eax
nop
nop
mov eax, dword ptr [ebp-04h]
dec eax
add esp, 30h
pop ebp
ret
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [ebp-08h], 00000000h
mov dword ptr [ebp-0Ch], 00000000h
dec eax
lea eax, dword ptr [ebp-000000C0h]
inc ecx
mov eax, 00000068h
mov edx, 00000000h
dec eax
mov ecx, eax
call 00007F6E30CE1ECDh
dec eax
mov eax, dword ptr [00032851h]
mov eax, dword ptr [eax]
test eax, eax
je 00007F6E30CC6005h
dec eax
lea eax, dword ptr [ebp-000000C0h]
dec eax
mov ecx, eax
dec eax
mov eax, dword ptr [0004D0D6h]
call eax
dec eax
mov dword ptr [ebp-18h], 00000000h
mov dword ptr [ebp-24h], 00000030h
mov eax, dword ptr [ebp-24h]
dec eax
mov eax, dword ptr [eax]
dec eax
mov dword ptr [ebp-30h], eax
dec eax
mov eax, dword ptr [ebp-30h]
dec eax
mov eax, dword ptr [eax+08h]
dec eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-10h], 00000000h
jmp 00007F6E30CC6013h
dec eax
mov eax, dword ptr [ebp-18h]
dec eax
cmp eax, dword ptr [ebp-20h]
jne 00007F6E30CC5FFBh
mov dword ptr [ebp-10h], 00000001h
jmp 00007F6E30CC6037h
mov ecx, 000003E8h

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IMPORT0x4e0000x900.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x360000xcd8.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0x510000x158.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x32da00x28.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0x4e24c0x210.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x10000x213980x214008f0885b1d516ce5743c6cdfe6b9f9d6bFalse0.4982084116541353data6.304794610527241IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data0x230000x1700x20055354dd11b8dee07034c26a5a57569acFalse0.205078125data1.297314840992684IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata0x240000x109000x10a00b9bc3e0a12c3e3a735749f1a9285aa07False0.7250205592105263data7.269544756074582IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.eh_fram0x350000x40x200bf619eac0cdf3f68d496ea9344137e8bFalse0.02734375data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata0x360000xcd80xe009ccec1d59548f9e8ee8192df1b5d7fefFalse0.46177455357142855data4.883061479874814IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata0x370000xdbc0xe003a4a4f460d87102da95aa72e1647738eFalse0.283203125shared library4.539207118672414IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss0x380000x15e200x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata0x4e0000x9000xa00bd0431b4a2191779186074423221870aFalse0.326953125data3.988340192808435IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT0x4f0000x680x2001718af1ca73b922f878bc7724bee0003False0.0703125data0.3646150037346487IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls0x500000x100x200bf619eac0cdf3f68d496ea9344137e8bFalse0.02734375data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc0x510000x1580x200782504cbe378b23b06df04251da8d02cFalse0.5390625data3.819558126695766IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLLImport
KERNEL32.dllDeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetLastError, GetModuleHandleA, GetProcAddress, GetStartupInfoA, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WideCharToMultiByte
msvcrt.dll__C_specific_handler, ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _commode, _errno, _fileno, _fmode, _initterm, _lock, _onexit, _setjmp, _setmode, _unlock, abort, calloc, exit, fflush, fprintf, fputc, free, fwrite, localeconv, longjmp, malloc, memchr, memcpy, memset, signal, strcmp, strerror, strlen, strncmp, strstr, vfprintf, wcslen

Network Behavior

UDP Packets

TimestampSource PortDest PortSource IPDest IP
Oct 26, 2024 06:26:23.738876104 CEST53627361.1.1.1192.168.2.4

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

General

Target ID:0
Start time:00:26:01
Start date:26/10/2024
Path:C:\Users\user\Desktop\66WXq58R0I.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\66WXq58R0I.exe"
Imagebase:0x7ff78e410000
File size:217'600 bytes
MD5 hash:E68E0C467ECFBB9F0C6E5C8359F81B09
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

General

Target ID:1
Start time:00:26:01
Start date:26/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

General

Target ID:2
Start time:00:26:03
Start date:26/10/2024
Path:C:\Users\user\Desktop\66WXq58R0I.exe
Wow64 process (32bit):false
Commandline:C:\Users\user\Desktop\66wxq58r0i.exe 2580
Imagebase:0x7ff78e410000
File size:217'600 bytes
MD5 hash:E68E0C467ECFBB9F0C6E5C8359F81B09
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Disassembly

Reset < >

    Execution Graph

    Execution Coverage:14.9%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:10.8%
    Total number of Nodes:1358
    Total number of Limit Nodes:33
    execution_graph 9464 7ff78e419768 9467 7ff78e4161c0 9464->9467 9466 7ff78e419774 9468 7ff78e4161d8 9467->9468 9469 7ff78e4161d1 9467->9469 9468->9466 9469->9468 9470 7ff78e416229 9469->9470 9477 7ff78e420460 9469->9477 9532 7ff78e412ea0 9470->9532 9473 7ff78e4162f6 memcpy 9473->9466 9475 7ff78e416239 9475->9473 9551 7ff78e413bd0 9475->9551 9491 7ff78e420478 9477->9491 9478 7ff78e421ac9 9478->9470 9480 7ff78e420cd5 9480->9470 9481 7ff78e421622 9486 7ff78e421649 9481->9486 9488 7ff78e413170 3 API calls 9481->9488 9482 7ff78e420c8f 9482->9481 9483 7ff78e420ca4 9482->9483 9485 7ff78e41ddd0 22 API calls 9482->9485 9483->9480 9562 7ff78e420240 9483->9562 9485->9482 9487 7ff78e413170 3 API calls 9486->9487 9489 7ff78e42166b 9487->9489 9488->9481 9490 7ff78e412ea0 16 API calls 9489->9490 9499 7ff78e42168e 9490->9499 9491->9478 9492 7ff78e412ea0 16 API calls 9491->9492 9495 7ff78e412ea0 16 API calls 9491->9495 9496 7ff78e420c69 9491->9496 9497 7ff78e412ea0 16 API calls 9491->9497 9498 7ff78e412ea0 16 API calls 9491->9498 9500 7ff78e412ea0 16 API calls 9491->9500 9508 7ff78e412ea0 16 API calls 9491->9508 9512 7ff78e412ea0 16 API calls 9491->9512 9516 7ff78e412ea0 16 API calls 9491->9516 9519 7ff78e412ea0 16 API calls 9491->9519 9523 7ff78e412ea0 16 API calls 9491->9523 9526 7ff78e412ea0 16 API calls 9491->9526 9494 7ff78e421016 memcpy 9492->9494 9501 7ff78e413170 3 API calls 9494->9501 9502 7ff78e421080 memcpy 9495->9502 9557 7ff78e41ddd0 9496->9557 9504 7ff78e42159b memcpy 9497->9504 9505 7ff78e421a15 memcpy 9498->9505 9503 7ff78e42170f 9499->9503 9576 7ff78e41fff0 9499->9576 9506 7ff78e421a7a memcpy 9500->9506 9501->9491 9507 7ff78e413170 3 API calls 9502->9507 9513 7ff78e41fff0 22 API calls 9503->9513 9531 7ff78e421788 9503->9531 9509 7ff78e413170 3 API calls 9504->9509 9510 7ff78e413170 3 API calls 9505->9510 9511 7ff78e413170 3 API calls 9506->9511 9507->9491 9514 7ff78e421217 memcpy 9508->9514 9509->9491 9510->9491 9511->9491 9515 7ff78e4213aa memcpy 9512->9515 9513->9503 9517 7ff78e413170 3 API calls 9514->9517 9518 7ff78e413170 3 API calls 9515->9518 9520 7ff78e421474 memcpy 9516->9520 9517->9491 9518->9491 9521 7ff78e42140f memcpy 9519->9521 9522 7ff78e413170 3 API calls 9520->9522 9524 7ff78e413170 3 API calls 9521->9524 9522->9491 9525 7ff78e420ea5 memcpy 9523->9525 9524->9491 9569 7ff78e413170 9525->9569 9528 7ff78e4219b0 memcpy 9526->9528 9529 7ff78e413170 3 API calls 9528->9529 9529->9491 9530 7ff78e413170 VirtualFree exit fputc 9530->9531 9531->9483 9531->9530 9533 7ff78e412f30 9532->9533 9534 7ff78e412ec5 9532->9534 9537 7ff78e413098 9533->9537 9538 7ff78e412f45 9533->9538 9535 7ff78e412fa0 VirtualAlloc 9534->9535 9536 7ff78e412ed6 9534->9536 9535->9538 9539 7ff78e412fc3 9535->9539 9540 7ff78e4129d0 15 API calls 9536->9540 9648 7ff78e4129d0 9537->9648 9545 7ff78e412f09 9538->9545 9683 7ff78e412260 9538->9683 9542 7ff78e413003 9539->9542 9546 7ff78e413022 9539->9546 9543 7ff78e412ede 9540->9543 9665 7ff78e412290 9542->9665 9658 7ff78e412d60 9543->9658 9545->9475 9546->9543 9547 7ff78e413162 9550 7ff78e413125 9550->9475 9552 7ff78e413c08 9551->9552 9553 7ff78e413beb 9551->9553 9554 7ff78e412ea0 16 API calls 9552->9554 9553->9473 9555 7ff78e413c34 memcpy 9554->9555 9556 7ff78e413170 3 API calls 9555->9556 9556->9553 9560 7ff78e41ddf0 9557->9560 9558 7ff78e41df00 9558->9482 9559 7ff78e413170 3 API calls 9559->9560 9560->9558 9560->9559 9561 7ff78e413c70 22 API calls 9560->9561 9561->9560 9563 7ff78e420260 9562->9563 9564 7ff78e420253 9562->9564 9565 7ff78e42027b 9563->9565 9566 7ff78e412ea0 16 API calls 9563->9566 9564->9483 9565->9483 9567 7ff78e4202c1 memcpy 9566->9567 9568 7ff78e413170 3 API calls 9567->9568 9568->9565 9570 7ff78e4132a0 9569->9570 9572 7ff78e4131a2 9569->9572 9570->9491 9571 7ff78e413242 VirtualFree 9571->9570 9573 7ff78e413288 9571->9573 9572->9570 9572->9571 9588 7ff78e422c50 9573->9588 9600 7ff78e41db70 9576->9600 9579 7ff78e42021f 9580 7ff78e413c70 22 API calls 9579->9580 9581 7ff78e420232 9580->9581 9581->9581 9582 7ff78e4200e8 9582->9499 9583 7ff78e41db70 20 API calls 9585 7ff78e420015 9583->9585 9584 7ff78e4201aa 9584->9585 9611 7ff78e413c70 9584->9611 9585->9582 9585->9583 9587 7ff78e413c70 22 API calls 9585->9587 9587->9585 9589 7ff78e422c79 9588->9589 9592 7ff78e427930 9589->9592 9591 7ff78e413294 exit 9591->9570 9593 7ff78e427950 9592->9593 9596 7ff78e42975f 9593->9596 9595 7ff78e427974 9595->9591 9599 7ff78e42977e 9596->9599 9597 7ff78e42a143 9597->9595 9598 7ff78e427990 fputc 9598->9599 9599->9597 9599->9598 9601 7ff78e41dbba 9600->9601 9602 7ff78e41dce0 9601->9602 9603 7ff78e41dbd7 9601->9603 9604 7ff78e41dc35 9601->9604 9605 7ff78e412ea0 16 API calls 9602->9605 9603->9579 9603->9584 9603->9585 9607 7ff78e412ea0 16 API calls 9604->9607 9606 7ff78e41dd01 memset 9605->9606 9609 7ff78e41dd2d 9606->9609 9607->9603 9608 7ff78e413170 3 API calls 9610 7ff78e41dd95 9608->9610 9609->9608 9609->9609 9612 7ff78e413c85 9611->9612 9614 7ff78e413cb1 9611->9614 9612->9614 9615 7ff78e413ce0 9612->9615 9616 7ff78e413caa 9612->9616 9613 7ff78e413c70 22 API calls 9613->9615 9614->9584 9615->9613 9615->9614 9616->9614 9619 7ff78e413d50 9616->9619 9624 7ff78e413380 9616->9624 9620 7ff78e413d79 9619->9620 9622 7ff78e413d90 9619->9622 9620->9616 9621 7ff78e413d50 22 API calls 9621->9622 9622->9620 9622->9621 9623 7ff78e413380 22 API calls 9622->9623 9623->9622 9625 7ff78e41338e 9624->9625 9634 7ff78e4133bb 9624->9634 9627 7ff78e41339b 9625->9627 9629 7ff78e413480 9625->9629 9626 7ff78e4133a1 9630 7ff78e412ea0 16 API calls 9626->9630 9626->9634 9627->9626 9628 7ff78e4133e0 9627->9628 9631 7ff78e41db70 20 API calls 9628->9631 9629->9634 9635 7ff78e412ea0 16 API calls 9629->9635 9633 7ff78e413427 memcpy 9630->9633 9632 7ff78e420004 9631->9632 9639 7ff78e42021f 9632->9639 9644 7ff78e4201aa 9632->9644 9646 7ff78e420015 9632->9646 9636 7ff78e413170 3 API calls 9633->9636 9634->9616 9637 7ff78e4202c1 memcpy 9635->9637 9636->9634 9638 7ff78e413170 3 API calls 9637->9638 9638->9634 9640 7ff78e413c70 20 API calls 9639->9640 9641 7ff78e420232 9640->9641 9641->9641 9642 7ff78e4200e8 9642->9616 9643 7ff78e41db70 20 API calls 9643->9646 9645 7ff78e413c70 20 API calls 9644->9645 9644->9646 9645->9644 9646->9642 9646->9643 9647 7ff78e413c70 20 API calls 9646->9647 9647->9646 9649 7ff78e4129ed 9648->9649 9657 7ff78e412b96 9648->9657 9650 7ff78e412cf4 9649->9650 9651 7ff78e412370 15 API calls 9649->9651 9654 7ff78e412b46 9649->9654 9649->9657 9650->9657 9708 7ff78e412370 9650->9708 9651->9650 9653 7ff78e412290 12 API calls 9655 7ff78e412bea 9653->9655 9654->9657 9704 7ff78e412610 9654->9704 9655->9545 9657->9653 9657->9655 9659 7ff78e412d8b 9658->9659 9660 7ff78e412e30 9658->9660 9662 7ff78e412d60 12 API calls 9659->9662 9664 7ff78e412d97 9659->9664 9661 7ff78e412290 12 API calls 9660->9661 9663 7ff78e412e3c 9660->9663 9661->9663 9662->9664 9663->9545 9664->9545 9666 7ff78e4122a9 9665->9666 9667 7ff78e412300 VirtualAlloc 9665->9667 9666->9667 9668 7ff78e4122b1 9666->9668 9667->9668 9669 7ff78e412360 9667->9669 9668->9550 9670 7ff78e412260 8 API calls 9669->9670 9672 7ff78e412365 9670->9672 9671 7ff78e4125d4 9671->9550 9672->9671 9673 7ff78e4125b8 VirtualAlloc 9672->9673 9674 7ff78e4123c4 VirtualAlloc 9672->9674 9675 7ff78e4125cf 9673->9675 9681 7ff78e4123e2 9673->9681 9676 7ff78e4123db 9674->9676 9677 7ff78e4125e4 VirtualAlloc 9674->9677 9678 7ff78e412260 8 API calls 9675->9678 9676->9681 9677->9675 9679 7ff78e4125ff 9677->9679 9678->9671 9680 7ff78e412426 9680->9550 9681->9680 9682 7ff78e412290 8 API calls 9681->9682 9682->9680 9684 7ff78e41226f 9683->9684 9721 7ff78e411db0 strlen fwrite 9684->9721 9686 7ff78e41227e exit 9687 7ff78e412290 9686->9687 9688 7ff78e412300 VirtualAlloc 9687->9688 9689 7ff78e4122b1 9687->9689 9688->9689 9690 7ff78e412360 9688->9690 9689->9547 9691 7ff78e412260 7 API calls 9690->9691 9693 7ff78e412365 9691->9693 9692 7ff78e4125d4 9692->9547 9693->9692 9694 7ff78e4125b8 VirtualAlloc 9693->9694 9695 7ff78e4123c4 VirtualAlloc 9693->9695 9696 7ff78e4125cf 9694->9696 9701 7ff78e4123e2 9694->9701 9697 7ff78e4123db 9695->9697 9698 7ff78e4125e4 VirtualAlloc 9695->9698 9699 7ff78e412260 7 API calls 9696->9699 9697->9701 9698->9696 9700 7ff78e4125ff 9698->9700 9699->9692 9702 7ff78e412290 7 API calls 9701->9702 9703 7ff78e412426 9701->9703 9702->9703 9703->9547 9705 7ff78e412666 9704->9705 9706 7ff78e412290 12 API calls 9705->9706 9707 7ff78e4126e6 9705->9707 9706->9707 9707->9657 9709 7ff78e4125d4 9708->9709 9710 7ff78e41238c 9708->9710 9709->9654 9711 7ff78e4125b8 VirtualAlloc 9710->9711 9712 7ff78e4123c4 VirtualAlloc 9710->9712 9713 7ff78e4125cf 9711->9713 9718 7ff78e4123e2 9711->9718 9714 7ff78e4123db 9712->9714 9715 7ff78e4125e4 VirtualAlloc 9712->9715 9716 7ff78e412260 12 API calls 9713->9716 9714->9718 9715->9713 9717 7ff78e4125ff 9715->9717 9716->9709 9719 7ff78e412290 12 API calls 9718->9719 9720 7ff78e412426 9718->9720 9719->9720 9720->9654 9722 7ff78e42d0a8 fflush 9721->9722 9722->9686 9723 7ff78e45e3bc 9722->9723 9727 7ff78e429876 9728 7ff78e42988a 9727->9728 9729 7ff78e429890 9727->9729 9728->9729 9730 7ff78e4298c0 9728->9730 9731 7ff78e427b8c 5 API calls 9729->9731 9732 7ff78e427a15 fputc 9730->9732 9735 7ff78e4297d4 9731->9735 9732->9735 9733 7ff78e42a143 9734 7ff78e427990 fputc 9734->9735 9735->9733 9735->9734 9739 7ff78e42aa57 9740 7ff78e42aa67 9739->9740 9799 7ff78e42a150 9740->9799 9742 7ff78e42b2b5 9747 7ff78e42b2f1 9742->9747 9748 7ff78e42b356 9742->9748 9758 7ff78e42b350 9742->9758 9743 7ff78e42afee 9744 7ff78e42ae0a 9743->9744 9753 7ff78e42c0e8 free 9743->9753 9759 7ff78e42c0e8 free 9744->9759 9746 7ff78e42c29b malloc 9749 7ff78e42b373 9746->9749 9766 7ff78e42b32a 9747->9766 9806 7ff78e42c507 9747->9806 9750 7ff78e42c507 3 API calls 9748->9750 9756 7ff78e42c507 3 API calls 9749->9756 9765 7ff78e42b38c 9749->9765 9750->9758 9767 7ff78e42baaf 9753->9767 9754 7ff78e42c507 3 API calls 9754->9758 9756->9765 9758->9746 9761 7ff78e42baf1 9759->9761 9760 7ff78e42b31a 9819 7ff78e42c0e8 9760->9819 9763 7ff78e42bad3 9768 7ff78e42c0e8 free 9763->9768 9764 7ff78e42b423 9770 7ff78e42c6c0 2 API calls 9764->9770 9777 7ff78e42b442 9764->9777 9765->9764 9823 7ff78e42c6c0 9765->9823 9766->9754 9766->9758 9767->9744 9767->9763 9772 7ff78e42c0e8 free 9767->9772 9768->9744 9770->9777 9771 7ff78e42b49c 9773 7ff78e42b531 9771->9773 9775 7ff78e42b4b9 9771->9775 9772->9763 9774 7ff78e42b53b 9773->9774 9781 7ff78e42b94d 9773->9781 9776 7ff78e42b550 9774->9776 9778 7ff78e42c6c0 2 API calls 9774->9778 9775->9743 9780 7ff78e42c170 3 API calls 9775->9780 9796 7ff78e42b5b5 9776->9796 9836 7ff78e42bfa6 9776->9836 9777->9771 9829 7ff78e42c170 9777->9829 9778->9776 9780->9743 9784 7ff78e42b9a9 9781->9784 9786 7ff78e42c170 3 API calls 9781->9786 9784->9743 9789 7ff78e42c6c0 2 API calls 9784->9789 9785 7ff78e42b570 memcpy 9787 7ff78e42c6c0 2 API calls 9785->9787 9786->9781 9787->9796 9788 7ff78e42c170 3 API calls 9788->9771 9789->9743 9791 7ff78e42c0e8 free 9791->9796 9792 7ff78e42b6d5 9793 7ff78e42b7ba 9792->9793 9798 7ff78e42b6fa 9792->9798 9793->9743 9794 7ff78e42c6c0 2 API calls 9793->9794 9794->9743 9795 7ff78e42c170 malloc free memcpy 9795->9796 9796->9743 9796->9784 9796->9791 9796->9792 9796->9795 9840 7ff78e42c91a 9796->9840 9797 7ff78e42c170 malloc free memcpy 9797->9798 9798->9743 9798->9797 9800 7ff78e42a16b 9799->9800 9801 7ff78e42bfa6 malloc 9800->9801 9802 7ff78e42a187 9801->9802 9802->9742 9802->9743 9802->9744 9803 7ff78e42c29b 9802->9803 9804 7ff78e42bfa6 malloc 9803->9804 9805 7ff78e42c2b0 9804->9805 9805->9742 9807 7ff78e42c525 9806->9807 9810 7ff78e42c550 9806->9810 9808 7ff78e42c170 3 API calls 9807->9808 9808->9810 9809 7ff78e42b306 9815 7ff78e42c2e1 9809->9815 9810->9809 9812 7ff78e42c29b malloc 9810->9812 9814 7ff78e42c5b0 9810->9814 9811 7ff78e42c2e1 malloc 9811->9814 9812->9814 9813 7ff78e42c0e8 free 9813->9814 9814->9809 9814->9811 9814->9813 9816 7ff78e42c306 9815->9816 9817 7ff78e42bfa6 malloc 9816->9817 9818 7ff78e42c361 9817->9818 9818->9760 9818->9818 9820 7ff78e42c0fb 9819->9820 9822 7ff78e42c112 9819->9822 9821 7ff78e42c107 free 9820->9821 9820->9822 9821->9822 9822->9766 9824 7ff78e42c700 9823->9824 9825 7ff78e42bfa6 malloc 9824->9825 9826 7ff78e42c719 9825->9826 9827 7ff78e42c0e8 free 9826->9827 9828 7ff78e42c724 9826->9828 9827->9828 9828->9764 9831 7ff78e42c1a9 9829->9831 9830 7ff78e42b47b 9830->9771 9830->9788 9831->9830 9832 7ff78e42bfa6 malloc 9831->9832 9833 7ff78e42c217 9832->9833 9833->9830 9834 7ff78e42c229 memcpy 9833->9834 9835 7ff78e42c0e8 free 9834->9835 9835->9830 9837 7ff78e42bfbb 9836->9837 9838 7ff78e42c086 malloc 9837->9838 9839 7ff78e42bfe4 9837->9839 9838->9839 9839->9785 9841 7ff78e42c93a 9840->9841 9842 7ff78e42c981 9841->9842 9843 7ff78e42c943 9841->9843 9845 7ff78e42bfa6 malloc 9842->9845 9844 7ff78e42bfa6 malloc 9843->9844 9846 7ff78e42c94d 9844->9846 9845->9846 9846->9796 9847 7ff78e42d65b ___lc_codepage_func ___mb_cur_max_func 9848 7ff78e42d6b0 9847->9848 9849 7ff78e42d6a4 9847->9849 9849->9848 9850 7ff78e42d756 9849->9850 9853 7ff78e42d6c5 9849->9853 9850->9848 9851 7ff78e42d540 2 API calls 9850->9851 9851->9850 9852 7ff78e42d540 2 API calls 9852->9853 9853->9848 9853->9852 9860 7ff78e429c62 9861 7ff78e429c75 9860->9861 9862 7ff78e429c9f 9860->9862 9866 7ff78e428fc7 9861->9866 9863 7ff78e428fc7 18 API calls 9862->9863 9865 7ff78e429cdb 9863->9865 9865->9865 9867 7ff78e428fe9 9866->9867 9886 7ff78e428595 9867->9886 9870 7ff78e42905b 9873 7ff78e429132 9870->9873 9877 7ff78e429079 9870->9877 9871 7ff78e429041 9889 7ff78e42884b 9871->9889 9875 7ff78e429142 9873->9875 9876 7ff78e429155 strlen 9873->9876 9874 7ff78e429056 9927 7ff78e42a20f 9874->9927 9919 7ff78e428d01 9875->9919 9876->9875 9878 7ff78e429089 9877->9878 9879 7ff78e4290a0 strlen 9877->9879 9893 7ff78e428936 9878->9893 9879->9878 9884 7ff78e429108 9884->9874 9885 7ff78e427990 fputc 9884->9885 9885->9884 9930 7ff78e428488 9886->9930 9890 7ff78e428877 9889->9890 9891 7ff78e427a15 fputc 9890->9891 9892 7ff78e42892f 9891->9892 9892->9874 9895 7ff78e428953 9893->9895 9894 7ff78e428af8 9896 7ff78e428afe 9894->9896 9897 7ff78e428b11 9894->9897 9895->9894 9903 7ff78e427990 fputc 9895->9903 9898 7ff78e427990 fputc 9896->9898 9899 7ff78e428b21 9897->9899 9900 7ff78e428b34 9897->9900 9905 7ff78e428b0f 9898->9905 9901 7ff78e427990 fputc 9899->9901 9904 7ff78e427990 fputc 9900->9904 9900->9905 9901->9905 9902 7ff78e428b99 9906 7ff78e428c47 9902->9906 9908 7ff78e428ba3 9902->9908 9903->9895 9904->9905 9905->9902 9910 7ff78e427990 fputc 9905->9910 9907 7ff78e427990 fputc 9906->9907 9909 7ff78e428c45 9907->9909 9908->9909 9911 7ff78e427990 fputc 9908->9911 9917 7ff78e427b8c 5 API calls 9908->9917 9915 7ff78e428c7f 9909->9915 10013 7ff78e428659 9909->10013 9910->9905 9911->9908 9913 7ff78e428cf9 9913->9884 9914 7ff78e428cb3 9914->9913 9918 7ff78e427990 fputc 9914->9918 9915->9914 9916 7ff78e427990 fputc 9915->9916 9916->9915 9917->9908 9918->9914 9920 7ff78e428d2e 9919->9920 9921 7ff78e428936 12 API calls 9920->9921 9922 7ff78e428dd1 9921->9922 9923 7ff78e427990 fputc 9922->9923 9924 7ff78e428e0f 9923->9924 10045 7ff78e427df4 9924->10045 9928 7ff78e42c0e8 free 9927->9928 9929 7ff78e429194 9928->9929 9929->9862 9931 7ff78e4284b9 9930->9931 9934 7ff78e42a61a 9931->9934 9935 7ff78e42a67e 9934->9935 9936 7ff78e42a731 9934->9936 9938 7ff78e42a700 9935->9938 9941 7ff78e42a68c 9935->9941 9967 7ff78e42858e 9935->9967 9937 7ff78e42a1a2 malloc 9936->9937 9937->9967 10010 7ff78e42a1a2 9938->10010 9940 7ff78e42a7a6 9942 7ff78e42a1a2 malloc 9940->9942 9941->9940 9941->9967 10006 7ff78e42a4f0 9941->10006 9942->9967 9944 7ff78e42a79a 9945 7ff78e42c0e8 free 9944->9945 9945->9940 9946 7ff78e42a6d7 9946->9944 9947 7ff78e42a7da 9946->9947 9948 7ff78e42a150 malloc 9947->9948 9965 7ff78e42aac7 9948->9965 9949 7ff78e42b2b5 9950 7ff78e42b350 9949->9950 9953 7ff78e42b2f1 9949->9953 9954 7ff78e42b356 9949->9954 9952 7ff78e42c29b malloc 9950->9952 9951 7ff78e42c29b malloc 9951->9949 9955 7ff78e42b373 9952->9955 9956 7ff78e42b32a 9953->9956 9958 7ff78e42c507 3 API calls 9953->9958 9957 7ff78e42c507 3 API calls 9954->9957 9962 7ff78e42c507 3 API calls 9955->9962 9971 7ff78e42b38c 9955->9971 9956->9950 9961 7ff78e42c507 3 API calls 9956->9961 9957->9950 9959 7ff78e42b306 9958->9959 9963 7ff78e42c2e1 malloc 9959->9963 9960 7ff78e42c0e8 free 9972 7ff78e42baaf 9960->9972 9961->9950 9962->9971 9966 7ff78e42b31a 9963->9966 9964 7ff78e42c0e8 free 9964->9967 9965->9949 9965->9951 9980 7ff78e42ae0a 9965->9980 9997 7ff78e42afee 9965->9997 9968 7ff78e42c0e8 free 9966->9968 9967->9870 9967->9871 9968->9956 9969 7ff78e42bad3 9973 7ff78e42c0e8 free 9969->9973 9970 7ff78e42b423 9975 7ff78e42c6c0 2 API calls 9970->9975 9983 7ff78e42b442 9970->9983 9971->9970 9974 7ff78e42c6c0 2 API calls 9971->9974 9972->9969 9977 7ff78e42c0e8 free 9972->9977 9972->9980 9973->9980 9974->9970 9975->9983 9976 7ff78e42b49c 9978 7ff78e42b531 9976->9978 9981 7ff78e42b4b9 9976->9981 9977->9969 9979 7ff78e42b53b 9978->9979 9987 7ff78e42b94d 9978->9987 9982 7ff78e42b550 9979->9982 9984 7ff78e42c6c0 2 API calls 9979->9984 9980->9964 9986 7ff78e42c170 3 API calls 9981->9986 9981->9997 9988 7ff78e42bfa6 malloc 9982->9988 10002 7ff78e42b5b5 9982->10002 9983->9976 9985 7ff78e42c170 3 API calls 9983->9985 9984->9982 9989 7ff78e42b47b 9985->9989 9986->9997 9990 7ff78e42b9a9 9987->9990 9992 7ff78e42c170 3 API calls 9987->9992 9991 7ff78e42b570 memcpy 9988->9991 9989->9976 9994 7ff78e42c170 3 API calls 9989->9994 9995 7ff78e42c6c0 2 API calls 9990->9995 9990->9997 9993 7ff78e42c6c0 2 API calls 9991->9993 9992->9987 9993->10002 9994->9976 9995->9997 9996 7ff78e42c91a malloc 9996->10002 9997->9960 9997->9980 9998 7ff78e42c0e8 free 9998->10002 9999 7ff78e42b6d5 10000 7ff78e42b7ba 9999->10000 10003 7ff78e42b6fa 9999->10003 10000->9997 10001 7ff78e42c6c0 2 API calls 10000->10001 10001->9997 10002->9990 10002->9996 10002->9997 10002->9998 10002->9999 10005 7ff78e42c170 malloc free memcpy 10002->10005 10003->9997 10004 7ff78e42c170 malloc free memcpy 10003->10004 10004->10003 10005->10002 10007 7ff78e42a516 10006->10007 10008 7ff78e42bfa6 malloc 10007->10008 10009 7ff78e42a52f 10008->10009 10009->9946 10011 7ff78e42a150 malloc 10010->10011 10012 7ff78e42a1c0 10011->10012 10012->9967 10014 7ff78e42867a memset 10013->10014 10015 7ff78e4286b2 10013->10015 10016 7ff78e428696 10014->10016 10017 7ff78e4287c1 10015->10017 10018 7ff78e4286e2 10015->10018 10029 7ff78e42d2fe 10016->10029 10019 7ff78e427990 fputc 10017->10019 10020 7ff78e42872a memset 10018->10020 10022 7ff78e4287ac 10019->10022 10023 7ff78e42d600 4 API calls 10020->10023 10022->9915 10024 7ff78e42876f 10023->10024 10025 7ff78e428778 10024->10025 10026 7ff78e4287ae 10024->10026 10025->10022 10028 7ff78e427990 fputc 10025->10028 10027 7ff78e427990 fputc 10026->10027 10027->10022 10028->10025 10030 7ff78e42d326 ___mb_cur_max_func ___lc_codepage_func 10029->10030 10032 7ff78e42d34a 10030->10032 10035 7ff78e42d130 10032->10035 10036 7ff78e42d159 10035->10036 10040 7ff78e42d14f 10035->10040 10037 7ff78e42d293 10036->10037 10038 7ff78e42d1ad 10036->10038 10039 7ff78e42d20b 10036->10039 10036->10040 10037->10040 10042 7ff78e42d2e1 _errno 10037->10042 10038->10040 10041 7ff78e42d1ec _errno 10038->10041 10039->10037 10043 7ff78e42d227 10039->10043 10040->10015 10041->10040 10042->10040 10043->10040 10044 7ff78e42d27a _errno 10043->10044 10044->10040 10046 7ff78e427e2b 10045->10046 10047 7ff78e428056 10046->10047 10052 7ff78e427990 fputc 10046->10052 10048 7ff78e42813b 10047->10048 10049 7ff78e427990 fputc 10047->10049 10050 7ff78e428163 10048->10050 10051 7ff78e427990 fputc 10048->10051 10049->10047 10050->9874 10051->10048 10052->10046 10053 7ff78e42995f 10055 7ff78e429965 10053->10055 10054 7ff78e4299fd 10059 7ff78e42816c 10054->10059 10055->10054 10056 7ff78e427df4 fputc 10055->10056 10056->10054 10058 7ff78e429a30 10058->10058 10063 7ff78e428196 10059->10063 10060 7ff78e428439 10061 7ff78e42845f 10060->10061 10062 7ff78e427990 fputc 10060->10062 10064 7ff78e42847f 10061->10064 10066 7ff78e427990 fputc 10061->10066 10062->10060 10063->10060 10065 7ff78e427990 fputc 10063->10065 10064->10058 10065->10063 10066->10061 10071 7ff78e429b66 10072 7ff78e429b79 10071->10072 10075 7ff78e429ba3 10071->10075 10077 7ff78e428f1c 10072->10077 10074 7ff78e428f1c 16 API calls 10076 7ff78e429bdf 10074->10076 10075->10074 10076->10076 10078 7ff78e428f3e 10077->10078 10079 7ff78e428595 4 API calls 10078->10079 10080 7ff78e428f73 10079->10080 10081 7ff78e428f98 10080->10081 10082 7ff78e428f81 10080->10082 10083 7ff78e428d01 12 API calls 10081->10083 10084 7ff78e42884b fputc 10082->10084 10085 7ff78e428f96 10083->10085 10084->10085 10086 7ff78e42a20f free 10085->10086 10087 7ff78e428fbf 10086->10087 10087->10075 10088 7ff78e429863 10089 7ff78e427990 fputc 10088->10089 10091 7ff78e4297d4 10089->10091 10090 7ff78e42a143 10091->10090 10092 7ff78e427990 fputc 10091->10092 10092->10091 10165 7ff78e413690 10166 7ff78e413380 22 API calls 10165->10166 10167 7ff78e4136aa 10166->10167 10168 7ff78e413380 22 API calls 10167->10168 10169 7ff78e4136b6 10168->10169 10179 7ff78e41bf80 10190 7ff78e41b420 10179->10190 10184 7ff78e41c040 BaseThreadInitThunk 10185 7ff78e41bfe3 10186 7ff78e41b420 36 API calls 10185->10186 10187 7ff78e41bff4 10186->10187 10188 7ff78e41bb80 40 API calls 10187->10188 10189 7ff78e41c001 SetThreadContext 10188->10189 10189->10184 10191 7ff78e41b471 10190->10191 10193 7ff78e41b47c 10190->10193 10191->10193 10206 7ff78e416370 10191->10206 10194 7ff78e41bb80 10193->10194 10195 7ff78e41b420 36 API calls 10194->10195 10196 7ff78e41bbb1 10195->10196 10197 7ff78e41bce2 GetThreadContext 10196->10197 10198 7ff78e416370 36 API calls 10196->10198 10199 7ff78e41b420 36 API calls 10196->10199 10200 7ff78e413f10 36 API calls 10196->10200 10201 7ff78e413f10 36 API calls 10196->10201 10205 7ff78e41bc94 memcpy 10196->10205 10215 7ff78e413f10 10196->10215 10197->10184 10197->10185 10198->10196 10199->10196 10200->10196 10203 7ff78e41bd6d memcpy 10201->10203 10203->10196 10204 7ff78e41bc5f memcpy 10204->10205 10205->10196 10207 7ff78e4163a2 10206->10207 10209 7ff78e420460 34 API calls 10207->10209 10210 7ff78e4163b6 10207->10210 10208 7ff78e412ea0 16 API calls 10213 7ff78e4163c6 10208->10213 10209->10210 10210->10208 10211 7ff78e416408 memcpy 10211->10193 10213->10211 10214 7ff78e413bd0 20 API calls 10213->10214 10214->10211 10216 7ff78e413f31 10215->10216 10217 7ff78e413f41 10216->10217 10218 7ff78e420460 34 API calls 10216->10218 10219 7ff78e412ea0 16 API calls 10217->10219 10218->10217 10222 7ff78e413f51 10219->10222 10220 7ff78e413f8c memset 10220->10204 10222->10220 10223 7ff78e413bd0 20 API calls 10222->10223 10223->10220 10224 7ff78e42d380 10225 7ff78e42d3ae ___lc_codepage_func ___mb_cur_max_func 10224->10225 10227 7ff78e42d3e2 10225->10227 10228 7ff78e42d3d6 10225->10228 10228->10227 10229 7ff78e42d3f7 10228->10229 10230 7ff78e42d483 10228->10230 10229->10227 10232 7ff78e42d130 3 API calls 10229->10232 10230->10227 10231 7ff78e42d130 3 API calls 10230->10231 10231->10230 10232->10229 10240 7ff78e42aa2e 10241 7ff78e42aabd 10240->10241 10242 7ff78e42a150 malloc 10241->10242 10259 7ff78e42aac7 10242->10259 10243 7ff78e42b2b5 10244 7ff78e42b350 10243->10244 10247 7ff78e42b2f1 10243->10247 10248 7ff78e42b356 10243->10248 10246 7ff78e42c29b malloc 10244->10246 10245 7ff78e42c29b malloc 10245->10243 10249 7ff78e42b373 10246->10249 10250 7ff78e42b32a 10247->10250 10252 7ff78e42c507 3 API calls 10247->10252 10251 7ff78e42c507 3 API calls 10248->10251 10256 7ff78e42c507 3 API calls 10249->10256 10265 7ff78e42b38c 10249->10265 10250->10244 10255 7ff78e42c507 3 API calls 10250->10255 10251->10244 10253 7ff78e42b306 10252->10253 10257 7ff78e42c2e1 malloc 10253->10257 10254 7ff78e42c0e8 free 10266 7ff78e42baaf 10254->10266 10255->10244 10256->10265 10260 7ff78e42b31a 10257->10260 10258 7ff78e42c0e8 free 10261 7ff78e42baf1 10258->10261 10259->10243 10259->10245 10274 7ff78e42ae0a 10259->10274 10296 7ff78e42afee 10259->10296 10262 7ff78e42c0e8 free 10260->10262 10262->10250 10263 7ff78e42bad3 10267 7ff78e42c0e8 free 10263->10267 10264 7ff78e42b423 10269 7ff78e42c6c0 2 API calls 10264->10269 10277 7ff78e42b442 10264->10277 10265->10264 10268 7ff78e42c6c0 2 API calls 10265->10268 10266->10263 10271 7ff78e42c0e8 free 10266->10271 10266->10274 10267->10274 10268->10264 10269->10277 10270 7ff78e42b49c 10272 7ff78e42b531 10270->10272 10275 7ff78e42b4b9 10270->10275 10271->10263 10273 7ff78e42b53b 10272->10273 10281 7ff78e42b94d 10272->10281 10276 7ff78e42b550 10273->10276 10278 7ff78e42c6c0 2 API calls 10273->10278 10274->10258 10280 7ff78e42c170 3 API calls 10275->10280 10275->10296 10282 7ff78e42bfa6 malloc 10276->10282 10297 7ff78e42b5b5 10276->10297 10277->10270 10279 7ff78e42c170 3 API calls 10277->10279 10278->10276 10283 7ff78e42b47b 10279->10283 10280->10296 10284 7ff78e42b9a9 10281->10284 10286 7ff78e42c170 3 API calls 10281->10286 10285 7ff78e42b570 memcpy 10282->10285 10283->10270 10288 7ff78e42c170 3 API calls 10283->10288 10289 7ff78e42c6c0 2 API calls 10284->10289 10284->10296 10287 7ff78e42c6c0 2 API calls 10285->10287 10286->10281 10287->10297 10288->10270 10289->10296 10290 7ff78e42c91a malloc 10290->10297 10291 7ff78e42c0e8 free 10291->10297 10292 7ff78e42b6d5 10293 7ff78e42b7ba 10292->10293 10298 7ff78e42b6fa 10292->10298 10294 7ff78e42c6c0 2 API calls 10293->10294 10293->10296 10294->10296 10295 7ff78e42c170 malloc free memcpy 10295->10297 10296->10254 10296->10274 10297->10284 10297->10290 10297->10291 10297->10292 10297->10295 10297->10296 10298->10296 10299 7ff78e42c170 malloc free memcpy 10298->10299 10299->10298 10306 7ff78e429a35 10307 7ff78e429a43 10306->10307 10308 7ff78e427df4 fputc 10307->10308 10309 7ff78e429af2 10308->10309 10309->10309 10317 7ff78e411017 10318 7ff78e411024 10317->10318 10319 7ff78e411037 __set_app_type 10318->10319 10320 7ff78e411043 10318->10320 10319->10320 10324 7ff78e426f20 10325 7ff78e426f4f 10324->10325 10326 7ff78e426f90 10325->10326 10327 7ff78e42704f signal 10325->10327 10330 7ff78e426f60 10325->10330 10329 7ff78e426ff8 signal 10326->10329 10326->10330 10328 7ff78e427069 signal 10327->10328 10327->10330 10328->10330 10329->10330 10331 7ff78e427012 signal 10329->10331 10331->10330 9276 7ff78e411125 9279 7ff78e411154 9276->9279 9280 7ff78e411188 9279->9280 9281 7ff78e411249 9280->9281 9282 7ff78e41123d _amsg_exit 9280->9282 9283 7ff78e41127e 9281->9283 9284 7ff78e411256 _initterm 9281->9284 9282->9283 9285 7ff78e411296 _initterm 9283->9285 9286 7ff78e4112bc 9283->9286 9284->9283 9285->9286 9295 7ff78e411591 9286->9295 9288 7ff78e41140e 9300 7ff78e42da70 9288->9300 9291 7ff78e411462 9293 7ff78e41146c _cexit 9291->9293 9294 7ff78e411146 9291->9294 9292 7ff78e411455 exit 9292->9291 9293->9294 9296 7ff78e4115b7 9295->9296 9297 7ff78e41166a 9296->9297 9298 7ff78e4115d2 9296->9298 9297->9288 9299 7ff78e4115f1 malloc memcpy 9298->9299 9299->9296 9301 7ff78e42db18 9300->9301 9461 7ff78e412020 9301->9461 9303 7ff78e42e8c2 9304 7ff78e4322bf 9303->9304 9305 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9303->9305 9306 7ff78e412050 strlen fwrite fflush GetLastError exit 9304->9306 9307 7ff78e42e8e1 9305->9307 9308 7ff78e4322cb 9306->9308 9310 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9307->9310 9309 7ff78e412050 strlen fwrite fflush GetLastError exit 9308->9309 9311 7ff78e4322d7 9309->9311 9316 7ff78e42e8fb 9310->9316 9312 7ff78e412050 strlen fwrite fflush GetLastError exit 9311->9312 9313 7ff78e4322e3 9312->9313 9314 7ff78e412050 strlen fwrite fflush GetLastError exit 9313->9314 9317 7ff78e4322ef 9314->9317 9315 7ff78e43234b 9318 7ff78e411df0 fwrite fflush exit 9315->9318 9316->9315 9322 7ff78e41fde0 15 API calls 9316->9322 9319 7ff78e412050 strlen fwrite fflush GetLastError exit 9317->9319 9320 7ff78e432350 9318->9320 9321 7ff78e4322fb 9319->9321 9323 7ff78e412050 strlen fwrite fflush GetLastError exit 9321->9323 9324 7ff78e42ef92 9322->9324 9325 7ff78e432307 9323->9325 9326 7ff78e41fde0 15 API calls 9324->9326 9327 7ff78e412050 strlen fwrite fflush GetLastError exit 9325->9327 9328 7ff78e42efa5 9326->9328 9329 7ff78e432313 9327->9329 9330 7ff78e41fde0 15 API calls 9328->9330 9331 7ff78e412050 strlen fwrite fflush GetLastError exit 9329->9331 9332 7ff78e42efb8 9330->9332 9333 7ff78e43231f 9331->9333 9334 7ff78e41fde0 15 API calls 9332->9334 9336 7ff78e412050 strlen fwrite fflush GetLastError exit 9333->9336 9335 7ff78e42efc4 9334->9335 9337 7ff78e41fde0 15 API calls 9335->9337 9338 7ff78e43232b 9336->9338 9340 7ff78e42eff1 9337->9340 9339 7ff78e412050 strlen fwrite fflush GetLastError exit 9338->9339 9341 7ff78e432337 9339->9341 9343 7ff78e42f01e signal signal signal signal 9340->9343 9342 7ff78e412050 strlen fwrite fflush GetLastError exit 9341->9342 9344 7ff78e43233f 9342->9344 9345 7ff78e412020 LoadLibraryA 9343->9345 9346 7ff78e412050 strlen fwrite fflush GetLastError exit 9344->9346 9347 7ff78e42f242 9345->9347 9346->9315 9347->9308 9348 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9347->9348 9349 7ff78e42f261 9348->9349 9350 7ff78e412020 LoadLibraryA 9349->9350 9351 7ff78e42f274 9350->9351 9351->9311 9352 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9351->9352 9353 7ff78e42f293 9352->9353 9354 7ff78e412020 LoadLibraryA 9353->9354 9355 7ff78e42f2a6 9354->9355 9356 7ff78e42f2b9 9355->9356 9357 7ff78e4322b3 9355->9357 9358 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9356->9358 9359 7ff78e412050 strlen fwrite fflush GetLastError exit 9357->9359 9360 7ff78e42f2c5 9358->9360 9359->9304 9361 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9360->9361 9362 7ff78e42f2df 9361->9362 9363 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9362->9363 9364 7ff78e42f2f9 9363->9364 9365 7ff78e412020 LoadLibraryA 9364->9365 9366 7ff78e42f30c 9365->9366 9366->9313 9367 7ff78e42f31f 9366->9367 9368 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9367->9368 9369 7ff78e42f32b 9368->9369 9370 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9369->9370 9371 7ff78e42f345 9370->9371 9372 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9371->9372 9373 7ff78e42f35f 9372->9373 9374 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9373->9374 9375 7ff78e42f379 9374->9375 9376 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9375->9376 9377 7ff78e42f393 9376->9377 9378 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9377->9378 9379 7ff78e42f3ad 9378->9379 9380 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9379->9380 9381 7ff78e42f3c7 9380->9381 9382 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9381->9382 9383 7ff78e42f3e1 9382->9383 9384 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9383->9384 9385 7ff78e42f3fb 9384->9385 9386 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9385->9386 9387 7ff78e42f415 9386->9387 9388 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9387->9388 9389 7ff78e42f42f 9388->9389 9390 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9389->9390 9391 7ff78e42f449 9390->9391 9392 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9391->9392 9393 7ff78e42f463 9392->9393 9394 7ff78e412020 LoadLibraryA 9393->9394 9395 7ff78e42f476 9394->9395 9395->9317 9396 7ff78e42f489 9395->9396 9397 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9396->9397 9398 7ff78e42f49c 9397->9398 9399 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9398->9399 9400 7ff78e42f4b6 9399->9400 9401 7ff78e412020 LoadLibraryA 9400->9401 9402 7ff78e42f5af 9401->9402 9402->9321 9403 7ff78e42f5c2 9402->9403 9404 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9403->9404 9405 7ff78e42f5ce 9404->9405 9406 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9405->9406 9407 7ff78e42f5e8 9406->9407 9408 7ff78e412020 LoadLibraryA 9407->9408 9409 7ff78e4319b1 9408->9409 9409->9329 9410 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9409->9410 9411 7ff78e4319d0 9410->9411 9412 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9411->9412 9413 7ff78e4319ea 9412->9413 9414 7ff78e412020 LoadLibraryA 9413->9414 9415 7ff78e4319fd 9414->9415 9415->9325 9416 7ff78e431a10 9415->9416 9417 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9416->9417 9418 7ff78e431a1c 9417->9418 9419 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9418->9419 9420 7ff78e431a36 9419->9420 9421 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9420->9421 9422 7ff78e431a50 9421->9422 9423 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9422->9423 9424 7ff78e431a6a 9423->9424 9425 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9424->9425 9426 7ff78e431a84 9425->9426 9427 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9426->9427 9428 7ff78e431a9e 9427->9428 9429 7ff78e412020 LoadLibraryA 9428->9429 9430 7ff78e431ab1 9429->9430 9430->9333 9431 7ff78e431ac4 9430->9431 9432 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9431->9432 9433 7ff78e431ad0 9432->9433 9434 7ff78e412020 LoadLibraryA 9433->9434 9435 7ff78e431ae3 9434->9435 9435->9338 9436 7ff78e431af6 9435->9436 9437 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9436->9437 9438 7ff78e431b09 9437->9438 9439 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9438->9439 9440 7ff78e431b23 9439->9440 9441 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9440->9441 9442 7ff78e431b3d 9441->9442 9443 7ff78e41bb80 40 API calls 9442->9443 9444 7ff78e432197 9443->9444 9445 7ff78e412020 LoadLibraryA 9444->9445 9446 7ff78e4321a2 9445->9446 9446->9341 9447 7ff78e4321b5 9446->9447 9448 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9447->9448 9449 7ff78e4321c1 9448->9449 9450 7ff78e412020 LoadLibraryA 9449->9450 9451 7ff78e4321d4 9450->9451 9451->9344 9452 7ff78e4321e7 9451->9452 9453 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9452->9453 9454 7ff78e4321f3 9453->9454 9455 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 9454->9455 9456 7ff78e43220d 9455->9456 9459 7ff78e418c30 74 API calls 9456->9459 9457 7ff78e43221e 9460 7ff78e41c240 184 API calls 9457->9460 9458 7ff78e411445 9458->9291 9458->9292 9459->9457 9460->9458 9462 7ff78e412038 LoadLibraryA 9461->9462 9463 7ff78e41202c 9461->9463 9463->9462 10348 7ff78e422a50 10356 7ff78e4225f0 10348->10356 10353 7ff78e420240 20 API calls 10354 7ff78e422a90 10353->10354 10354->10353 10369 7ff78e420420 10354->10369 10373 7ff78e415a20 10354->10373 10358 7ff78e42260f 10356->10358 10357 7ff78e422620 10359 7ff78e412ea0 16 API calls 10357->10359 10358->10357 10360 7ff78e420460 34 API calls 10358->10360 10362 7ff78e42262e 10359->10362 10360->10357 10361 7ff78e422663 10364 7ff78e414270 10361->10364 10362->10361 10363 7ff78e413bd0 20 API calls 10362->10363 10363->10361 10365 7ff78e414287 10364->10365 10366 7ff78e414280 10364->10366 10365->10354 10366->10365 10381 7ff78e421ec0 10366->10381 10368 7ff78e4142b8 memcpy 10368->10354 10370 7ff78e420430 10369->10370 10371 7ff78e420446 10369->10371 10370->10371 10372 7ff78e420240 20 API calls 10370->10372 10371->10354 10372->10371 10374 7ff78e415a39 10373->10374 10404 7ff78e415bb0 10374->10404 10376 7ff78e415a80 10416 7ff78e415970 10376->10416 10379 7ff78e420240 20 API calls 10379->10376 10382 7ff78e421efb 10381->10382 10383 7ff78e421f0c 10382->10383 10384 7ff78e420460 34 API calls 10382->10384 10385 7ff78e421fd8 10383->10385 10386 7ff78e421f24 10383->10386 10384->10383 10387 7ff78e421fee 10385->10387 10388 7ff78e422140 10385->10388 10389 7ff78e422050 VirtualAlloc 10386->10389 10390 7ff78e421f35 10386->10390 10392 7ff78e4221f8 10387->10392 10396 7ff78e421f70 memset 10387->10396 10391 7ff78e4129d0 15 API calls 10388->10391 10389->10392 10394 7ff78e422073 10389->10394 10393 7ff78e4129d0 15 API calls 10390->10393 10391->10396 10395 7ff78e412260 12 API calls 10392->10395 10398 7ff78e421f41 10393->10398 10394->10398 10399 7ff78e4220ac 10394->10399 10400 7ff78e422215 10395->10400 10396->10368 10402 7ff78e412d60 12 API calls 10398->10402 10401 7ff78e412290 12 API calls 10399->10401 10403 7ff78e4221d6 10401->10403 10402->10396 10403->10368 10405 7ff78e415cb8 10404->10405 10408 7ff78e415bcd 10404->10408 10432 7ff78e415b50 10405->10432 10407 7ff78e415a4e 10407->10376 10407->10379 10408->10407 10409 7ff78e415cd4 10408->10409 10410 7ff78e415c55 10408->10410 10451 7ff78e415ac0 10409->10451 10412 7ff78e413f10 36 API calls 10410->10412 10414 7ff78e415c5d memcpy 10412->10414 10414->10407 10417 7ff78e415a0d 10416->10417 10419 7ff78e415988 10416->10419 10458 7ff78e415110 10417->10458 10422 7ff78e4159be 10419->10422 10424 7ff78e420240 20 API calls 10419->10424 10420 7ff78e415a12 exit 10423 7ff78e415a20 10420->10423 10421 7ff78e4159f0 longjmp 10421->10417 10422->10421 10426 7ff78e420240 20 API calls 10422->10426 10425 7ff78e415bb0 54 API calls 10423->10425 10424->10422 10428 7ff78e415a4e 10425->10428 10426->10421 10427 7ff78e415a80 10429 7ff78e415970 54 API calls 10427->10429 10428->10427 10430 7ff78e420240 20 API calls 10428->10430 10431 7ff78e415ab5 10429->10431 10430->10427 10433 7ff78e415b77 10432->10433 10434 7ff78e415ba1 10433->10434 10435 7ff78e415b8f 10433->10435 10436 7ff78e415ac0 55 API calls 10434->10436 10437 7ff78e413f10 36 API calls 10435->10437 10438 7ff78e415ba6 10436->10438 10439 7ff78e415b94 10437->10439 10440 7ff78e415cb8 10438->10440 10443 7ff78e415bcd 10438->10443 10439->10407 10441 7ff78e415b50 55 API calls 10440->10441 10442 7ff78e415be3 10441->10442 10442->10407 10443->10442 10444 7ff78e415cd4 10443->10444 10445 7ff78e415c55 10443->10445 10446 7ff78e415ac0 55 API calls 10444->10446 10447 7ff78e413f10 36 API calls 10445->10447 10448 7ff78e415cd9 10446->10448 10449 7ff78e415c5d memcpy 10447->10449 10449->10442 10452 7ff78e4225f0 35 API calls 10451->10452 10453 7ff78e415adc 10452->10453 10454 7ff78e414270 37 API calls 10453->10454 10455 7ff78e415b00 10454->10455 10456 7ff78e415a20 56 API calls 10455->10456 10457 7ff78e420240 20 API calls 10455->10457 10456->10455 10457->10455 10459 7ff78e41515b 10458->10459 10462 7ff78e415166 10458->10462 10460 7ff78e413f10 36 API calls 10459->10460 10459->10462 10493 7ff78e415291 10460->10493 10461 7ff78e4151f3 10465 7ff78e41521b strlen 10461->10465 10466 7ff78e415855 10461->10466 10469 7ff78e415236 10461->10469 10462->10461 10463 7ff78e4151ce memcpy 10462->10463 10464 7ff78e4151e6 10462->10464 10463->10464 10464->10461 10467 7ff78e415667 10464->10467 10468 7ff78e415697 memcpy strlen 10465->10468 10465->10469 10466->10420 10467->10469 10471 7ff78e41567c strlen 10467->10471 10468->10420 10469->10466 10497 7ff78e4150a0 10469->10497 10470 7ff78e41574d 10473 7ff78e4142f0 36 API calls 10470->10473 10471->10468 10471->10469 10472 7ff78e41570b 10475 7ff78e4142f0 36 API calls 10472->10475 10476 7ff78e415791 10473->10476 10475->10470 10478 7ff78e4142f0 36 API calls 10476->10478 10479 7ff78e4157d2 10478->10479 10522 7ff78e414a80 10479->10522 10481 7ff78e4156c0 10514 7ff78e421d60 10481->10514 10483 7ff78e4157f6 10484 7ff78e4142f0 36 API calls 10483->10484 10484->10461 10486 7ff78e420460 34 API calls 10486->10493 10487 7ff78e415603 10487->10462 10490 7ff78e415614 memcpy 10487->10490 10488 7ff78e414540 36 API calls 10488->10493 10489 7ff78e412ea0 16 API calls 10489->10493 10490->10462 10491 7ff78e4154e2 memcpy 10491->10493 10492 7ff78e420240 20 API calls 10492->10493 10493->10462 10493->10470 10493->10472 10493->10476 10493->10481 10493->10486 10493->10487 10493->10488 10493->10489 10493->10491 10493->10492 10494 7ff78e412ea0 16 API calls 10493->10494 10501 7ff78e4142f0 10493->10501 10495 7ff78e4158eb memcpy 10494->10495 10496 7ff78e413170 3 API calls 10495->10496 10496->10493 10498 7ff78e4150be 10497->10498 10499 7ff78e4150d0 fwrite 10497->10499 10498->10420 10502 7ff78e4144e0 10501->10502 10507 7ff78e414306 10501->10507 10504 7ff78e421d60 35 API calls 10502->10504 10503 7ff78e41449e 10503->10493 10505 7ff78e4144f8 10504->10505 10505->10493 10506 7ff78e414388 10508 7ff78e412ea0 16 API calls 10506->10508 10507->10503 10507->10506 10509 7ff78e420460 34 API calls 10507->10509 10512 7ff78e414398 10508->10512 10509->10506 10510 7ff78e414459 memcpy 10510->10503 10512->10510 10513 7ff78e413bd0 20 API calls 10512->10513 10513->10510 10515 7ff78e421d7a 10514->10515 10516 7ff78e421d87 10515->10516 10518 7ff78e420460 34 API calls 10515->10518 10517 7ff78e412ea0 16 API calls 10516->10517 10519 7ff78e421d94 10517->10519 10518->10516 10520 7ff78e421dcd 10519->10520 10521 7ff78e413bd0 20 API calls 10519->10521 10520->10472 10521->10520 10523 7ff78e414e40 10522->10523 10525 7ff78e414a99 10522->10525 10524 7ff78e4147f0 38 API calls 10523->10524 10529 7ff78e414e6f 10524->10529 10528 7ff78e414d69 10525->10528 10532 7ff78e4147f0 10525->10532 10527 7ff78e420240 20 API calls 10531 7ff78e414da7 10527->10531 10528->10527 10528->10531 10529->10528 10530 7ff78e420240 20 API calls 10529->10530 10530->10528 10531->10483 10531->10531 10533 7ff78e414a20 10532->10533 10537 7ff78e41481b 10532->10537 10534 7ff78e413f10 36 API calls 10533->10534 10535 7ff78e4149cb 10534->10535 10535->10528 10536 7ff78e414898 10538 7ff78e412ea0 16 API calls 10536->10538 10537->10535 10537->10536 10539 7ff78e420460 34 API calls 10537->10539 10542 7ff78e4148a8 10538->10542 10539->10536 10540 7ff78e41496e memcpy memset 10540->10535 10542->10540 10543 7ff78e413bd0 20 API calls 10542->10543 10543->10540 10558 7ff78e416150 10559 7ff78e4161a0 strlen 10558->10559 10561 7ff78e416162 10558->10561 10560 7ff78e4150a0 fwrite 10559->10560 10562 7ff78e4161b3 exit 10560->10562 10561->10559 10571 7ff78e427555 strlen 10572 7ff78e427570 10571->10572 10580 7ff78e426540 10581 7ff78e42656a 10580->10581 10582 7ff78e426614 fprintf 10581->10582 10583 7ff78e429941 10584 7ff78e42994b 10583->10584 10585 7ff78e427b14 2 API calls 10584->10585 10586 7ff78e42995a 10585->10586 10586->10586 10590 7ff78e42da41 GetLastError 10591 7ff78e412740 10592 7ff78e41276e 10591->10592 10593 7ff78e412610 12 API calls 10592->10593 10593->10592 10594 7ff78e411c40 IsEqualGUID IsEqualGUID IsEqualGUID 10595 7ff78e411c8c 10594->10595 10603 7ff78e4195e8 10604 7ff78e4161c0 36 API calls 10603->10604 10605 7ff78e4195f4 10604->10605 9222 7ff78e4298ee 9223 7ff78e4298fb 9222->9223 9226 7ff78e42991c 9223->9226 9236 7ff78e427ceb 9223->9236 9229 7ff78e427b14 9226->9229 9227 7ff78e42993c 9228 7ff78e427b14 2 API calls 9227->9228 9228->9227 9230 7ff78e427b2b 9229->9230 9231 7ff78e427b6a strlen 9230->9231 9232 7ff78e427b41 9230->9232 9243 7ff78e427a15 9231->9243 9235 7ff78e427a15 fputc 9232->9235 9234 7ff78e427b68 9234->9227 9235->9234 9237 7ff78e427d02 9236->9237 9238 7ff78e427d18 9237->9238 9239 7ff78e427d41 9237->9239 9255 7ff78e427b8c 9238->9255 9241 7ff78e427b8c 5 API calls 9239->9241 9242 7ff78e427d3f 9241->9242 9242->9226 9244 7ff78e427a33 9243->9244 9247 7ff78e427ab8 9244->9247 9249 7ff78e427990 fputc 9244->9249 9246 7ff78e427ae4 9248 7ff78e427b0c 9246->9248 9250 7ff78e427990 fputc 9246->9250 9247->9246 9251 7ff78e427990 9247->9251 9248->9234 9249->9244 9250->9246 9252 7ff78e4279af 9251->9252 9253 7ff78e4279d1 fputc 9252->9253 9254 7ff78e4279e5 9252->9254 9253->9254 9254->9247 9265 7ff78e42d600 9255->9265 9257 7ff78e427bb7 9261 7ff78e427c4a 9257->9261 9263 7ff78e427990 fputc 9257->9263 9258 7ff78e427cbb 9259 7ff78e427ce3 9258->9259 9262 7ff78e427990 fputc 9258->9262 9259->9242 9260 7ff78e42d600 4 API calls 9260->9261 9261->9258 9261->9260 9264 7ff78e427990 fputc 9261->9264 9262->9258 9263->9257 9264->9261 9266 7ff78e42d620 ___mb_cur_max_func ___lc_codepage_func 9265->9266 9270 7ff78e42d540 9266->9270 9271 7ff78e42d58f 9270->9271 9272 7ff78e42d560 9270->9272 9274 7ff78e42d57c 9271->9274 9275 7ff78e42d5e5 _errno 9271->9275 9273 7ff78e42d56a _errno 9272->9273 9272->9274 9273->9274 9274->9257 9275->9274 10609 7ff78e4199f0 10610 7ff78e415b50 56 API calls 10609->10610 10611 7ff78e419a4c 10610->10611 10612 7ff78e419aa8 SysStringLen 10611->10612 10613 7ff78e419a85 10611->10613 10641 7ff78e416580 10612->10641 10616 7ff78e419bdc _setjmp 10628 7ff78e419c1d 10616->10628 10617 7ff78e419b16 CoInitialize 10621 7ff78e419aea 10617->10621 10619 7ff78e419e82 strlen 10620 7ff78e421d60 35 API calls 10619->10620 10622 7ff78e419eb0 memcpy 10620->10622 10621->10616 10621->10617 10621->10628 10634 7ff78e415bb0 56 API calls 10621->10634 10638 7ff78e420240 20 API calls 10621->10638 10646 7ff78e422480 10621->10646 10654 7ff78e4187d0 10621->10654 10622->10628 10623 7ff78e413f10 36 API calls 10623->10628 10624 7ff78e419c9e VariantCopy 10624->10628 10626 7ff78e420300 56 API calls 10626->10628 10628->10613 10628->10619 10628->10623 10628->10624 10628->10626 10629 7ff78e419f5e memcpy 10628->10629 10631 7ff78e419fa5 memcpy 10628->10631 10632 7ff78e4225f0 35 API calls 10628->10632 10635 7ff78e420240 20 API calls 10628->10635 10639 7ff78e420420 20 API calls 10628->10639 10640 7ff78e415a20 56 API calls 10628->10640 10671 7ff78e416540 10628->10671 10676 7ff78e419280 10628->10676 10703 7ff78e418fd0 10628->10703 10729 7ff78e422bf0 10628->10729 10629->10628 10631->10628 10632->10628 10634->10621 10635->10628 10638->10621 10639->10628 10640->10628 10642 7ff78e41659e WideCharToMultiByte 10641->10642 10643 7ff78e416648 SysFreeString 10641->10643 10644 7ff78e413f10 36 API calls 10642->10644 10643->10616 10643->10621 10645 7ff78e416601 WideCharToMultiByte 10644->10645 10645->10643 10647 7ff78e42249f 10646->10647 10648 7ff78e4224ac 10647->10648 10649 7ff78e420460 34 API calls 10647->10649 10650 7ff78e412ea0 16 API calls 10648->10650 10649->10648 10651 7ff78e4224ba 10650->10651 10652 7ff78e4224ef 10651->10652 10653 7ff78e413bd0 20 API calls 10651->10653 10652->10621 10653->10652 10657 7ff78e4187ed 10654->10657 10655 7ff78e418852 10658 7ff78e415b50 56 API calls 10655->10658 10663 7ff78e4188a7 10655->10663 10656 7ff78e418c13 10659 7ff78e415ac0 56 API calls 10656->10659 10657->10655 10657->10656 10660 7ff78e413f10 36 API calls 10657->10660 10661 7ff78e418834 10657->10661 10665 7ff78e418992 10658->10665 10669 7ff78e4188f2 VariantCopy 10659->10669 10660->10661 10661->10655 10662 7ff78e420240 20 API calls 10661->10662 10662->10655 10664 7ff78e415b50 56 API calls 10663->10664 10663->10669 10667 7ff78e418a65 10664->10667 10665->10663 10666 7ff78e420240 20 API calls 10665->10666 10666->10663 10667->10656 10668 7ff78e418a80 10667->10668 10667->10669 10668->10669 10670 7ff78e420240 20 API calls 10668->10670 10669->10621 10669->10628 10670->10669 10672 7ff78e41655f 10671->10672 10673 7ff78e416550 longjmp 10671->10673 10674 7ff78e415110 49 API calls 10672->10674 10673->10672 10675 7ff78e41656b exit 10674->10675 10677 7ff78e41929a 10676->10677 10685 7ff78e4192dc 10676->10685 10678 7ff78e4192a6 10677->10678 10680 7ff78e421d60 35 API calls 10677->10680 10679 7ff78e4192af 10678->10679 10681 7ff78e4142f0 36 API calls 10678->10681 10682 7ff78e4192b8 10679->10682 10683 7ff78e4193ce 10679->10683 10680->10678 10681->10679 10682->10685 10687 7ff78e419437 10682->10687 10688 7ff78e4192c5 10682->10688 10686 7ff78e4142f0 36 API calls 10683->10686 10684 7ff78e413f10 36 API calls 10684->10685 10685->10684 10690 7ff78e4142f0 36 API calls 10685->10690 10692 7ff78e4195d0 10685->10692 10693 7ff78e4161c0 36 API calls 10685->10693 10698 7ff78e419349 10685->10698 10686->10687 10689 7ff78e414a80 38 API calls 10687->10689 10691 7ff78e4142f0 36 API calls 10688->10691 10695 7ff78e419478 10689->10695 10696 7ff78e419511 memcpy 10690->10696 10691->10685 10694 7ff78e4161c0 36 API calls 10692->10694 10693->10685 10697 7ff78e4195dc 10694->10697 10695->10685 10699 7ff78e413f10 36 API calls 10695->10699 10696->10685 10700 7ff78e4142f0 36 API calls 10698->10700 10701 7ff78e4194aa memcpy 10699->10701 10702 7ff78e419354 memcpy 10700->10702 10701->10685 10702->10628 10704 7ff78e418ff1 10703->10704 10705 7ff78e418fe5 10703->10705 10707 7ff78e4191e8 10704->10707 10708 7ff78e418ffa 10704->10708 10705->10704 10706 7ff78e4190f0 10705->10706 10709 7ff78e4190f7 10706->10709 10710 7ff78e419170 10706->10710 10712 7ff78e413f10 36 API calls 10707->10712 10711 7ff78e419008 10708->10711 10715 7ff78e416370 36 API calls 10708->10715 10709->10711 10713 7ff78e419100 10709->10713 10714 7ff78e416370 36 API calls 10710->10714 10718 7ff78e413f10 36 API calls 10711->10718 10728 7ff78e419203 10712->10728 10716 7ff78e413f10 36 API calls 10713->10716 10717 7ff78e419178 10714->10717 10715->10711 10720 7ff78e41912a 10716->10720 10717->10711 10719 7ff78e419184 10717->10719 10721 7ff78e41902f memcpy 10718->10721 10722 7ff78e419248 10719->10722 10723 7ff78e41918d 10719->10723 10725 7ff78e41909a memcpy 10720->10725 10721->10725 10726 7ff78e4190b8 10721->10726 10724 7ff78e413f10 36 API calls 10722->10724 10727 7ff78e413f10 36 API calls 10723->10727 10724->10728 10725->10726 10726->10628 10727->10720 10728->10628 10730 7ff78e422c08 10729->10730 10735 7ff78e422af0 10730->10735 10734 7ff78e422c3b 10736 7ff78e422b80 10735->10736 10737 7ff78e422b03 10735->10737 10739 7ff78e41db40 fputc 10736->10739 10747 7ff78e41db40 10737->10747 10741 7ff78e422b96 10739->10741 10740 7ff78e422b4f fwrite 10740->10734 10741->10740 10742 7ff78e422bad fputc 10741->10742 10745 7ff78e41db40 fputc 10741->10745 10742->10740 10742->10741 10743 7ff78e422b25 10743->10740 10744 7ff78e422b36 fputc 10743->10744 10746 7ff78e41db40 fputc 10743->10746 10744->10740 10744->10743 10745->10741 10746->10743 10748 7ff78e427930 fputc 10747->10748 10749 7ff78e41db64 10748->10749 10749->10743 10760 7ff78e4116f0 GetModuleHandleA 10761 7ff78e411717 LoadLibraryA GetProcAddress GetProcAddress 10760->10761 10762 7ff78e411757 10760->10762 10761->10762 10767 7ff78e4110f6 10768 7ff78e411154 214 API calls 10767->10768 10769 7ff78e411117 10768->10769 10773 7ff78e42d9d9 VirtualFree 10777 7ff78e42d4d7 ___mb_cur_max_func ___lc_codepage_func 10778 7ff78e42d509 10777->10778 10779 7ff78e42d130 3 API calls 10778->10779 10780 7ff78e42d532 10779->10780 10784 7ff78e41bee0 10785 7ff78e41bef6 10784->10785 10793 7ff78e41bf03 10784->10793 10786 7ff78e41b420 36 API calls 10785->10786 10785->10793 10787 7ff78e41bf1d 10786->10787 10788 7ff78e41bb80 40 API calls 10787->10788 10789 7ff78e41bf2a 10788->10789 10790 7ff78e41b420 36 API calls 10789->10790 10791 7ff78e41bf50 10790->10791 10792 7ff78e41bb80 40 API calls 10791->10792 10792->10793 10798 7ff78e4271e1 10799 7ff78e427200 10798->10799 10800 7ff78e4271f6 10798->10800 10799->10800 10801 7ff78e42725b free 10799->10801 10801->10800 10802 7ff78e429ce0 10803 7ff78e429cf3 10802->10803 10807 7ff78e429d1d 10802->10807 10808 7ff78e429635 10803->10808 10805 7ff78e429635 12 API calls 10806 7ff78e429d59 10805->10806 10806->10806 10807->10805 10809 7ff78e42966b 10808->10809 10810 7ff78e42966f 10809->10810 10812 7ff78e42968c 10809->10812 10811 7ff78e42884b fputc 10810->10811 10813 7ff78e429687 10811->10813 10814 7ff78e4296ca 10812->10814 10817 7ff78e4296e4 10812->10817 10813->10807 10815 7ff78e42884b fputc 10814->10815 10815->10813 10818 7ff78e42919c 10817->10818 10832 7ff78e4291cb 10818->10832 10819 7ff78e429473 10820 7ff78e429490 10819->10820 10821 7ff78e4294a3 10819->10821 10822 7ff78e427990 fputc 10820->10822 10823 7ff78e4294c6 10821->10823 10824 7ff78e4294b3 10821->10824 10825 7ff78e4294a1 10822->10825 10823->10825 10827 7ff78e427990 fputc 10823->10827 10826 7ff78e427990 fputc 10824->10826 10828 7ff78e427990 fputc 10825->10828 10826->10825 10827->10825 10829 7ff78e4294f6 10828->10829 10830 7ff78e427990 fputc 10829->10830 10835 7ff78e429511 10830->10835 10831 7ff78e429554 10833 7ff78e42957a 10831->10833 10844 7ff78e4287dd 10831->10844 10832->10819 10834 7ff78e427990 fputc 10832->10834 10837 7ff78e4295a2 10833->10837 10838 7ff78e427990 fputc 10833->10838 10834->10832 10835->10831 10840 7ff78e427990 fputc 10835->10840 10839 7ff78e427990 fputc 10837->10839 10838->10833 10841 7ff78e4295bd 10839->10841 10840->10835 10842 7ff78e427df4 fputc 10841->10842 10843 7ff78e42962d 10842->10843 10843->10813 10845 7ff78e4287f2 10844->10845 10846 7ff78e428800 10844->10846 10847 7ff78e428659 12 API calls 10845->10847 10848 7ff78e428835 10846->10848 10849 7ff78e428806 10846->10849 10850 7ff78e4287fe 10847->10850 10851 7ff78e427990 fputc 10848->10851 10849->10850 10852 7ff78e427b8c 5 API calls 10849->10852 10850->10831 10851->10850 10852->10850 10853 7ff78e429fe5 10854 7ff78e429fef memset localeconv 10853->10854 10856 7ff78e4297d4 10853->10856 10855 7ff78e42d2fe 5 API calls 10854->10855 10855->10856 10857 7ff78e42a143 10856->10857 10858 7ff78e427990 fputc 10856->10858 10858->10856 10859 7ff78e429be4 10860 7ff78e429bf7 10859->10860 10861 7ff78e429c21 10859->10861 10865 7ff78e428e4c 10860->10865 10863 7ff78e428e4c 16 API calls 10861->10863 10864 7ff78e429c5d 10863->10864 10864->10864 10866 7ff78e428e6e 10865->10866 10878 7ff78e4285f7 10866->10878 10869 7ff78e428eae 10871 7ff78e42884b fputc 10869->10871 10870 7ff78e428ec5 10872 7ff78e428936 12 API calls 10870->10872 10873 7ff78e428ec3 10871->10873 10874 7ff78e428ee0 10872->10874 10875 7ff78e42a20f free 10873->10875 10874->10873 10877 7ff78e427990 fputc 10874->10877 10876 7ff78e428f14 10875->10876 10876->10861 10877->10874 10879 7ff78e428488 4 API calls 10878->10879 10880 7ff78e428652 10879->10880 10880->10869 10880->10870 10881 7ff78e42da09 LoadLibraryA 10895 7ff78e429dfc 10898 7ff78e4297d4 10895->10898 10896 7ff78e42a143 10897 7ff78e427990 fputc 10897->10898 10898->10896 10898->10897 10905 7ff78e413a00 10906 7ff78e413a28 10905->10906 10907 7ff78e413a1a 10905->10907 10908 7ff78e413170 3 API calls 10906->10908 10909 7ff78e413a42 10908->10909 10927 7ff78e42d0a8 fflush 10928 7ff78e45e3bc 10927->10928 10939 7ff78e4134b0 10940 7ff78e413380 22 API calls 10939->10940 10941 7ff78e4134ca 10940->10941 10942 7ff78e413380 22 API calls 10941->10942 10943 7ff78e4134d6 10942->10943 10944 7ff78e413380 22 API calls 10943->10944 10945 7ff78e4134e2 10944->10945 10963 7ff78e42cc9d 10964 7ff78e42bfa6 malloc 10963->10964 10965 7ff78e42ccc9 10964->10965 10980 7ff78e4270a3 signal 10981 7ff78e4270c4 signal 10980->10981 10982 7ff78e4270d9 10980->10982 10981->10982 11015 7ff78e4138c0 11016 7ff78e4139f0 11015->11016 11017 7ff78e4138db 11015->11017 11017->11016 11018 7ff78e420240 20 API calls 11017->11018 11019 7ff78e41fff0 22 API calls 11017->11019 11020 7ff78e412ea0 16 API calls 11017->11020 11018->11017 11019->11017 11021 7ff78e41393a memcpy 11020->11021 11022 7ff78e413170 3 API calls 11021->11022 11022->11017

    Executed Functions

    Function 00007FF78E41C240 Relevance: 149.6, APIs: 46, Strings: 38, Instructions: 2611memorysleepCOMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: exitmemcpy$ByteCharHeapMultiProcessSleepWide$CountTickVersion
    • String ID: * -_$.v>!$CloseHandle$CreateFileA$GetComputerNameExA$GetCurrentProcessId$GetCurrentThreadId$GetDiskFreeSpaceExA$GetFileSize$GetModuleHandleA$GetProcAddress$GetProcessHeap$GetThreadContext$GetTickCount$GlobalMemoryStatusEx$Jk5$JDF7$Ju4J$LdrLoadDll$MultiByteToWideChar$OpenProcess$OpenThread$ReadFile$RtlAddVectoredExceptionHandler$RtlAllocateHeap$RtlInitUnicodeString$SetThreadContext$Sleep$VariantConversionError$VirtualProtect$WaitForSingleObject$com.nim$j{t`$p$toVariant$bz$ME$HYk
    • API String ID: 4036915570-214144126
    • Opcode ID: 69e930487f80bd1ae76e9734cf0d26f57097afb2058310c5517ae0ab230f896f
    • Instruction ID: 1ef5c1930cbc1f022ab22dfd2806282c5d526d83febae3e63234f84c2ff3a320
    • Opcode Fuzzy Hash: 69e930487f80bd1ae76e9734cf0d26f57097afb2058310c5517ae0ab230f896f
    • Instruction Fuzzy Hash: 48437762A09B4781EA14FB95E8543BDA3A1FF85B84FE04436EA5D07796EF3CE404C360
    Function 00007FF78E418C30 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 190libraryloaderCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1196 7ff78e418c30-7ff78e418cb5 _fileno _setmode _fileno _setmode _fileno _setmode SetConsoleOutputCP SetConsoleCP LoadLibraryA 1200 7ff78e418cb7-7ff78e418cbe GetProcAddress 1196->1200 1201 7ff78e418cc4-7ff78e418cd1 1196->1201 1200->1201 1202 7ff78e418cd7-7ff78e418cfb 1201->1202 1203 7ff78e418fb9 call 7ff78e411df0 1201->1203 1202->1203 1205 7ff78e418d01-7ff78e418d1e 1202->1205 1206 7ff78e418fbe-7ff78e418fcf call 7ff78e411e40 1203->1206 1205->1203 1207 7ff78e418d24-7ff78e418d41 1205->1207 1207->1203 1209 7ff78e418d47-7ff78e418d64 1207->1209 1209->1203 1211 7ff78e418d6a-7ff78e418d87 1209->1211 1211->1203 1212 7ff78e418d8d-7ff78e418db1 1211->1212 1212->1206 1213 7ff78e418db7-7ff78e418ddb 1212->1213 1213->1203 1214 7ff78e418de1-7ff78e418dfe 1213->1214 1214->1203 1215 7ff78e418e04-7ff78e418e57 1214->1215 1216 7ff78e418e68-7ff78e418e7f call 7ff78e422480 1215->1216 1217 7ff78e418e59-7ff78e418e61 CoInitialize 1215->1217 1220 7ff78e418f50-7ff78e418f5b call 7ff78e420300 1216->1220 1221 7ff78e418e85-7ff78e418e8f 1216->1221 1217->1216 1229 7ff78e418f5d 1220->1229 1230 7ff78e418f62-7ff78e418f6c 1220->1230 1223 7ff78e418f08-7ff78e418f13 call 7ff78e420300 1221->1223 1224 7ff78e418e91-7ff78e418ec3 call 7ff78e4187d0 1221->1224 1232 7ff78e418f1a-7ff78e418f24 1223->1232 1233 7ff78e418f15 1223->1233 1234 7ff78e418edb-7ff78e418eea 1224->1234 1235 7ff78e418ec5-7ff78e418ed9 1224->1235 1229->1230 1236 7ff78e418f6e-7ff78e418f82 1230->1236 1237 7ff78e418f84 1230->1237 1238 7ff78e418f3c-7ff78e418f43 1232->1238 1239 7ff78e418f26-7ff78e418f3a 1232->1239 1233->1232 1235->1234 1240 7ff78e418ef0-7ff78e418f04 call 7ff78e420240 1235->1240 1236->1237 1241 7ff78e418f90-7ff78e418f95 call 7ff78e420240 1236->1241 1237->1241 1238->1224 1239->1238 1243 7ff78e418fa8-7ff78e418fb4 call 7ff78e420240 1239->1243 1241->1243 1243->1224
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: _fileno_setmode$Console$AddressInitializeLibraryLoadOutputProc
    • String ID: Ws2_32.dll$inet_ntop
    • API String ID: 1755878316-2739477577
    • Opcode ID: 6b7b38b38fdb6f2231155c0515883c19ac27669e06fffbb159bd7b89048bd062
    • Instruction ID: ae7a87e26f65640ece2079322184d3dad90682ca32970feabf52e60368fa149d
    • Opcode Fuzzy Hash: 6b7b38b38fdb6f2231155c0515883c19ac27669e06fffbb159bd7b89048bd062
    • Instruction Fuzzy Hash: 38912472A19B5781EA14AB94E81437CE3A1FB89B44FF44436EA9D433A4DF7CE459C320
    Function 00007FF78E411154 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 193COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1249 7ff78e411154-7ff78e411193 call 7ff78e42d060 1252 7ff78e4111a8-7ff78e4111d5 1249->1252 1253 7ff78e411195-7ff78e41119f 1249->1253 1254 7ff78e4111f8-7ff78e41122d 1252->1254 1253->1252 1255 7ff78e4111d7-7ff78e4111df 1254->1255 1256 7ff78e41122f-7ff78e41123b 1254->1256 1257 7ff78e4111ea-7ff78e4111ef 1255->1257 1258 7ff78e4111e1-7ff78e4111e8 1255->1258 1259 7ff78e411249-7ff78e411254 1256->1259 1260 7ff78e41123d-7ff78e411247 _amsg_exit 1256->1260 1257->1254 1258->1256 1262 7ff78e41127e 1259->1262 1263 7ff78e411256-7ff78e41127c _initterm 1259->1263 1261 7ff78e411288-7ff78e411294 1260->1261 1264 7ff78e4112bc-7ff78e4112c0 1261->1264 1265 7ff78e411296-7ff78e4112b6 _initterm 1261->1265 1262->1261 1263->1261 1266 7ff78e4112e1-7ff78e4112ee 1264->1266 1267 7ff78e4112c2-7ff78e4112e0 1264->1267 1265->1264 1268 7ff78e41130c-7ff78e411364 call 7ff78e426dcd call 7ff78e42d7f0 call 7ff78e426660 call 7ff78e42d950 1266->1268 1269 7ff78e4112f0-7ff78e411305 1266->1269 1267->1266 1279 7ff78e4113cc-7ff78e4113d7 1268->1279 1280 7ff78e411366 1268->1280 1269->1268 1282 7ff78e4113d9-7ff78e4113e4 1279->1282 1283 7ff78e4113fa-7ff78e411440 call 7ff78e411591 call 7ff78e4263d7 call 7ff78e42da70 1279->1283 1281 7ff78e411385-7ff78e41138e 1280->1281 1285 7ff78e411368-7ff78e411371 1281->1285 1286 7ff78e411390-7ff78e411399 1281->1286 1287 7ff78e4113ef 1282->1287 1288 7ff78e4113e6-7ff78e4113ed 1282->1288 1302 7ff78e411445-7ff78e411453 1283->1302 1289 7ff78e411380 1285->1289 1290 7ff78e411373-7ff78e41137d 1285->1290 1292 7ff78e4113a8-7ff78e4113b1 1286->1292 1293 7ff78e41139b-7ff78e41139f 1286->1293 1294 7ff78e4113f4 1287->1294 1288->1294 1289->1281 1290->1289 1297 7ff78e4113be-7ff78e4113c9 1292->1297 1298 7ff78e4113b3-7ff78e4113bc 1292->1298 1293->1285 1296 7ff78e4113a1 1293->1296 1294->1283 1296->1292 1297->1279 1298->1297 1300 7ff78e4113a3 1298->1300 1300->1292 1303 7ff78e411462-7ff78e41146a 1302->1303 1304 7ff78e411455-7ff78e41145d exit 1302->1304 1305 7ff78e41146c _cexit 1303->1305 1306 7ff78e411471-7ff78e41147f 1303->1306 1304->1303 1305->1306
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: _initterm$_amsg_exit_cexitexit
    • String ID: 0
    • API String ID: 602970348-4108050209
    • Opcode ID: c5bb0eb04c8fb6cd053ca287a568665df2e0e3d12505647d5b9f2f4fedc3075a
    • Instruction ID: 0d847bdbbb6a79ded6f89817690303faf4172b2a431d36d437bedef7dbc39615
    • Opcode Fuzzy Hash: c5bb0eb04c8fb6cd053ca287a568665df2e0e3d12505647d5b9f2f4fedc3075a
    • Instruction Fuzzy Hash: EEA1E866F09B1789FB50AB95E89036CB7A0BB08B88FA04035ED4D577A4DF7DE540C760
    Function 00007FF78E41F6D0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 373fileCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1307 7ff78e41f6d0-7ff78e41f71d 1308 7ff78e41f729-7ff78e41f72d 1307->1308 1309 7ff78e41f71f-7ff78e41f726 1307->1309 1310 7ff78e41fbd0-7ff78e41fc0d call 7ff78e415ac0 1308->1310 1311 7ff78e41f733-7ff78e41f736 1308->1311 1309->1308 1316 7ff78e41fc16-7ff78e41fc2a 1310->1316 1317 7ff78e41fc11 call 7ff78e413f10 1310->1317 1311->1310 1312 7ff78e41f73c-7ff78e41f7a4 call 7ff78e413f10 call 7ff78e41b420 call 7ff78e41bb80 1311->1312 1334 7ff78e41f7bc-7ff78e41f80c CreateFileA 1312->1334 1335 7ff78e41f7a6-7ff78e41f7b9 1312->1335 1320 7ff78e41fd48-7ff78e41fd57 1316->1320 1321 7ff78e41fc30-7ff78e41fc33 1316->1321 1317->1316 1323 7ff78e41fce0-7ff78e41fcf8 1321->1323 1325 7ff78e41fcfe-7ff78e41fd08 1323->1325 1326 7ff78e41fc40-7ff78e41fc4d 1323->1326 1327 7ff78e41fd0a-7ff78e41fd16 1325->1327 1330 7ff78e41fd60-7ff78e41fd67 1325->1330 1326->1327 1328 7ff78e41fc53-7ff78e41fc5a 1326->1328 1336 7ff78e41fd1c-7ff78e41fd46 call 7ff78e414540 * 3 1327->1336 1328->1327 1331 7ff78e41fc60-7ff78e41fcd5 call 7ff78e414540 * 4 1328->1331 1332 7ff78e41fd69-7ff78e41fd77 call 7ff78e414540 1330->1332 1333 7ff78e41fd7c-7ff78e41fd89 1330->1333 1349 7ff78e41fcd8-7ff78e41fcde 1331->1349 1332->1349 1339 7ff78e41fd8b-7ff78e41fdad call 7ff78e414540 * 2 1333->1339 1340 7ff78e41fdb2-7ff78e41fdda 1333->1340 1351 7ff78e41f812-7ff78e41f880 ReadFile 1334->1351 1352 7ff78e41fab5-7ff78e41facf 1334->1352 1335->1334 1336->1320 1336->1323 1339->1349 1340->1336 1349->1320 1349->1323 1366 7ff78e41fbc8 1351->1366 1367 7ff78e41f886-7ff78e41f8a1 1351->1367 1370 7ff78e41fae0-7ff78e41fafb 1352->1370 1366->1310 1369 7ff78e41f8af-7ff78e41f939 call 7ff78e413f10 call 7ff78e41bb80 call 7ff78e41f490 1367->1369 1377 7ff78e41f8a8-7ff78e41f8ab 1369->1377 1378 7ff78e41f93f-7ff78e41f982 1369->1378 1377->1369 1378->1370 1379 7ff78e41f988-7ff78e41f9ca 1378->1379 1380 7ff78e41f9fe-7ff78e41fa13 1379->1380 1381 7ff78e41f9d0-7ff78e41f9d3 1380->1381 1382 7ff78e41fa15-7ff78e41fa38 1380->1382 1383 7ff78e41f9e1-7ff78e41f9ed 1381->1383 1384 7ff78e41f9d5-7ff78e41f9df strcmp 1381->1384 1385 7ff78e41fa3a-7ff78e41fa45 1382->1385 1386 7ff78e41fa49-7ff78e41fa92 1382->1386 1383->1370 1387 7ff78e41f9f3-7ff78e41f9fb 1383->1387 1384->1382 1384->1383 1385->1386 1390 7ff78e41faa6-7ff78e41faa9 1386->1390 1387->1380 1391 7ff78e41fa98-7ff78e41faa4 1390->1391 1392 7ff78e41faab-7ff78e41faaf 1390->1392 1391->1390 1393 7ff78e41fafc-7ff78e41fafe 1391->1393 1392->1391 1394 7ff78e41fab1-7ff78e41fab3 1392->1394 1395 7ff78e41fb00-7ff78e41fb63 1393->1395 1394->1395 1396 7ff78e41fba6-7ff78e41fba8 1395->1396 1397 7ff78e41fb65-7ff78e41fba1 1395->1397 1398 7ff78e41fbb0-7ff78e41fbc1 1396->1398 1397->1383 1398->1398 1399 7ff78e41fbc3 1398->1399 1399->1383
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: File$CreateRead
    • String ID: ME
    • API String ID: 3388366904-1625691762
    • Opcode ID: c91cc91aec063e0dbae3efeb34dab07cb7a92331081eabfc2945e3a851a375f5
    • Instruction ID: e3f7379b64e0c2f845c32822f32fc7419b181ce3e26ed995d03352813738d30b
    • Opcode Fuzzy Hash: c91cc91aec063e0dbae3efeb34dab07cb7a92331081eabfc2945e3a851a375f5
    • Instruction Fuzzy Hash: 86F1CF22A0DA8285DB11DFA9E4403ADBBA1FF95B85FA98036EE8D43755DF3CD145C320
    Function 00007FF78E42DA70 Relevance: 293.3, APIs: 4, Strings: 162, Instructions: 2775COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 0 7ff78e42da70-7ff78e42e8cf call 7ff78e4263d7 call 7ff78e412020 5 7ff78e4322bf-7ff78e4322c6 call 7ff78e412050 0->5 6 7ff78e42e8d5-7ff78e42ef09 call 7ff78e4120f0 * 2 call 7ff78e4117f0 0->6 10 7ff78e4322cb-7ff78e4322d2 call 7ff78e412050 5->10 20 7ff78e43234b-7ff78e432350 call 7ff78e411df0 6->20 21 7ff78e42ef0f-7ff78e42f24f call 7ff78e4117f0 call 7ff78e41fde0 * 5 call 7ff78e42d058 signal * 4 call 7ff78e412020 6->21 13 7ff78e4322d7-7ff78e4322de call 7ff78e412050 10->13 17 7ff78e4322e3-7ff78e4322ea call 7ff78e412050 13->17 22 7ff78e4322ef-7ff78e4322f6 call 7ff78e412050 17->22 21->10 56 7ff78e42f255-7ff78e42f281 call 7ff78e4120f0 call 7ff78e412020 21->56 28 7ff78e4322fb-7ff78e432302 call 7ff78e412050 22->28 32 7ff78e432307-7ff78e43230e call 7ff78e412050 28->32 36 7ff78e432313-7ff78e43231a call 7ff78e412050 32->36 40 7ff78e43231f-7ff78e432326 call 7ff78e412050 36->40 45 7ff78e43232b-7ff78e432332 call 7ff78e412050 40->45 48 7ff78e432337-7ff78e43233a call 7ff78e412050 45->48 52 7ff78e43233f-7ff78e432346 call 7ff78e412050 48->52 52->20 56->13 61 7ff78e42f287-7ff78e42f2b3 call 7ff78e4120f0 call 7ff78e412020 56->61 66 7ff78e42f2b9-7ff78e42f319 call 7ff78e4120f0 * 3 call 7ff78e412020 61->66 67 7ff78e4322b3-7ff78e4322ba call 7ff78e412050 61->67 66->17 77 7ff78e42f31f-7ff78e42f483 call 7ff78e4120f0 * 13 call 7ff78e412020 66->77 67->5 77->22 106 7ff78e42f489-7ff78e42f5bc call 7ff78e4120f0 * 2 call 7ff78e412020 77->106 106->28 113 7ff78e42f5c2-7ff78e4319be call 7ff78e4120f0 * 2 call 7ff78e412020 106->113 113->36 120 7ff78e4319c4-7ff78e431a0a call 7ff78e4120f0 * 2 call 7ff78e412020 113->120 120->32 127 7ff78e431a10-7ff78e431abe call 7ff78e4120f0 * 6 call 7ff78e412020 120->127 127->40 142 7ff78e431ac4-7ff78e431af0 call 7ff78e4120f0 call 7ff78e412020 127->142 142->45 147 7ff78e431af6-7ff78e4321af call 7ff78e4120f0 * 3 call 7ff78e41bb80 call 7ff78e412020 142->147 147->48 158 7ff78e4321b5-7ff78e4321e1 call 7ff78e4120f0 call 7ff78e412020 147->158 158->52 163 7ff78e4321e7-7ff78e432242 call 7ff78e4120f0 * 2 call 7ff78e418c30 call 7ff78e4117f0 call 7ff78e41c240 158->163 171 7ff78e432244-7ff78e4322b2 163->171
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: signal$memcpy$AddressProcexit
    • String ID: :state$AddRef$CLRCreateInstance$CoInitialize$CreateProcessW$CreateToolhelp32Snapshot$DispGetIDsOfNames$Field0$Field1$Field2$GetCommandLineW$GetCurrentProcess$GetCurrentThread$GetField$GetFieldNames$GetFieldNoCopy$GetFileAttributesW$GetForegroundWindow$GetGuid$GetIDsOfNames$GetModuleFileNameW$GetName$GetProcAddress$GetProcessHeap$GetSize$GetThreadContext$GetTypeInfo$GetTypeInfoCount$GetWindowThreadProcessId$HeapAlloc$HeapCreate$Hi32$InitializeProcThreadAttributeList$Invoke$IsEqualGUID$IsMatchingType$Lo32$Lo64$LoadLibraryA$Mid32$MultiByteToWideChar$NtFlushInstructionCache4$OpenProcess$PutField$PutFieldNoCopy$QueryInterface$RecordClear$RecordCopy$RecordCreate$RecordCreateCopy$RecordDestroy$RecordInit$Release$ResumeThread$RtlGetVersion$SafeArrayCreate$SafeArrayPutElement$SetConsoleCP$SetConsoleOutputCP$SysAllocString$SysFreeString$SysStringLen$Thread32First$Thread32Next$UpdateProcThreadAttribute$VariantClear$VariantCopy$WaitForSingleObject$WideCharToMultiByte$bCryptGenRandom$bVal$boolVal$bstrVal$byref$cDims$cElements$cLocks$cVal$cbElements$cipher$coresCount$counter$cyVal$data$date$dblVal$dctx6$decVal$fFeatures$filename$fltVal$hIntel$hresult$iVal$int64$intVal$key5$lLbound$lVal$line$llVal$lpVtbl$lstrlenW$msg$name$pRecInfo$parent$parray$pbVal$pboolVal$pbstrVal$pcVal$pcyVal$pdate$pdblVal$pdecVal$pdispVal$pfltVal$piVal$pintVal$plVal$pllVal$pparray$ppdispVal$ppunkVal$procname$pscode$puiVal$puintVal$pulVal$pullVal$punkVal$pvData$pvRecord$pvarVal$queryIdleProcessorCycleTime$queryProcessCycleTime$queryUnbiasedInterruptTime$raw$remoteProcID2$rgsabound$scale$scode$sign$signscale$skey$struct1$tProcess1$trace$treadHandle3$uiVal$uintVal$ulVal$ullVal$union1$union2$wReserved$wReserved1$wReserved2$wReserved3$zonedTimeFromAdjTimeImpl$zonedTimeFromTimeImpl
    • API String ID: 1418167214-113516584
    • Opcode ID: 289b29ce79b924c64fd36017754f045c1dadd6a6d6f83a0279adc11ace8a1520
    • Instruction ID: 3404bbce0a9393c76cb188170a957fcb2babb26d0ffaca52a5c36c12668210da
    • Opcode Fuzzy Hash: 289b29ce79b924c64fd36017754f045c1dadd6a6d6f83a0279adc11ace8a1520
    • Instruction Fuzzy Hash: 0993FD21C1CA8791F712AB98A8453F5B3A0BF91344FA05335ED9C93661EF7EB249C360
    Function 00007FF78E412260 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62memoryCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1400 7ff78e412260-7ff78e4122a7 call 7ff78e411db0 exit 1405 7ff78e4122a9-7ff78e4122af 1400->1405 1406 7ff78e412300-7ff78e41231c VirtualAlloc 1400->1406 1405->1406 1407 7ff78e4122b1-7ff78e4122fe 1405->1407 1408 7ff78e41231e-7ff78e41235b 1406->1408 1409 7ff78e412360-7ff78e412386 call 7ff78e412260 1406->1409 1408->1407 1413 7ff78e4125d8-7ff78e4125df 1409->1413 1414 7ff78e41238c-7ff78e412399 1409->1414 1415 7ff78e41239f-7ff78e4123aa 1414->1415 1416 7ff78e412450-7ff78e412486 1414->1416 1417 7ff78e4123af-7ff78e4123be 1415->1417 1416->1417 1418 7ff78e4125b8-7ff78e4125c9 VirtualAlloc 1417->1418 1419 7ff78e4123c4-7ff78e4123d5 VirtualAlloc 1417->1419 1420 7ff78e4125cf-7ff78e4125d4 call 7ff78e412260 1418->1420 1421 7ff78e4123e2-7ff78e4123f7 1418->1421 1422 7ff78e4123db 1419->1422 1423 7ff78e4125e4-7ff78e4125fd VirtualAlloc 1419->1423 1420->1413 1424 7ff78e412400-7ff78e412407 1421->1424 1422->1421 1423->1420 1426 7ff78e4125ff 1423->1426 1427 7ff78e41248b-7ff78e4124a1 1424->1427 1428 7ff78e41240d-7ff78e412417 1424->1428 1431 7ff78e4124a4-7ff78e4124cc 1427->1431 1428->1424 1430 7ff78e412419-7ff78e41244a call 7ff78e412290 1428->1430 1430->1431 1433 7ff78e4124d8-7ff78e4124dc 1431->1433 1434 7ff78e4124ce 1431->1434 1437 7ff78e4124de-7ff78e4124fb 1433->1437 1438 7ff78e4124d0-7ff78e4124d6 1433->1438 1436 7ff78e412509-7ff78e412516 1434->1436 1440 7ff78e412518-7ff78e41251d 1436->1440 1441 7ff78e412522-7ff78e41253d 1436->1441 1437->1436 1439 7ff78e4124fd-7ff78e412506 1437->1439 1438->1433 1438->1436 1439->1436 1440->1441 1442 7ff78e41253f 1441->1442 1443 7ff78e412550-7ff78e412554 1441->1443 1444 7ff78e4125a8 1442->1444 1445 7ff78e412548-7ff78e41254e 1443->1445 1446 7ff78e412556-7ff78e41257e 1443->1446 1447 7ff78e4125ac-7ff78e4125b2 1444->1447 1445->1443 1445->1444 1446->1447 1448 7ff78e412580-7ff78e412584 1446->1448 1450 7ff78e412589-7ff78e4125a0 1447->1450 1448->1447 1449 7ff78e412586 1448->1449 1449->1450
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: AllocVirtual$exitfwritestrlen
    • String ID: out of memory
    • API String ID: 4248889879-49810860
    • Opcode ID: 0516ab19841267af8d97caf5014a6074e881b3db8c10cd40e0e435bc0d2a0d95
    • Instruction ID: bbdc45ba930872c8b4d8c6dae6ba02efce478e6a3097a76b41102ad0eaa7d612
    • Opcode Fuzzy Hash: 0516ab19841267af8d97caf5014a6074e881b3db8c10cd40e0e435bc0d2a0d95
    • Instruction Fuzzy Hash: D4216D32B05B8682EB145B69E5483ADA3A0F708BE0FA48235DB6D473D2DF3DE454D314
    Function 00007FF78E412290 Relevance: 3.9, APIs: 3, Instructions: 153memoryCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1451 7ff78e412290-7ff78e4122a7 1452 7ff78e4122a9-7ff78e4122af 1451->1452 1453 7ff78e412300-7ff78e41231c VirtualAlloc 1451->1453 1452->1453 1454 7ff78e4122b1-7ff78e4122fe 1452->1454 1455 7ff78e41231e-7ff78e41235b 1453->1455 1456 7ff78e412360-7ff78e412386 call 7ff78e412260 1453->1456 1455->1454 1460 7ff78e4125d8-7ff78e4125df 1456->1460 1461 7ff78e41238c-7ff78e412399 1456->1461 1462 7ff78e41239f-7ff78e4123aa 1461->1462 1463 7ff78e412450-7ff78e412486 1461->1463 1464 7ff78e4123af-7ff78e4123be 1462->1464 1463->1464 1465 7ff78e4125b8-7ff78e4125c9 VirtualAlloc 1464->1465 1466 7ff78e4123c4-7ff78e4123d5 VirtualAlloc 1464->1466 1467 7ff78e4125cf-7ff78e4125d4 call 7ff78e412260 1465->1467 1468 7ff78e4123e2-7ff78e4123f7 1465->1468 1469 7ff78e4123db 1466->1469 1470 7ff78e4125e4-7ff78e4125fd VirtualAlloc 1466->1470 1467->1460 1471 7ff78e412400-7ff78e412407 1468->1471 1469->1468 1470->1467 1473 7ff78e4125ff 1470->1473 1474 7ff78e41248b-7ff78e4124a1 1471->1474 1475 7ff78e41240d-7ff78e412417 1471->1475 1478 7ff78e4124a4-7ff78e4124cc 1474->1478 1475->1471 1477 7ff78e412419-7ff78e41244a call 7ff78e412290 1475->1477 1477->1478 1480 7ff78e4124d8-7ff78e4124dc 1478->1480 1481 7ff78e4124ce 1478->1481 1484 7ff78e4124de-7ff78e4124fb 1480->1484 1485 7ff78e4124d0-7ff78e4124d6 1480->1485 1483 7ff78e412509-7ff78e412516 1481->1483 1487 7ff78e412518-7ff78e41251d 1483->1487 1488 7ff78e412522-7ff78e41253d 1483->1488 1484->1483 1486 7ff78e4124fd-7ff78e412506 1484->1486 1485->1480 1485->1483 1486->1483 1487->1488 1489 7ff78e41253f 1488->1489 1490 7ff78e412550-7ff78e412554 1488->1490 1491 7ff78e4125a8 1489->1491 1492 7ff78e412548-7ff78e41254e 1490->1492 1493 7ff78e412556-7ff78e41257e 1490->1493 1494 7ff78e4125ac-7ff78e4125b2 1491->1494 1492->1490 1492->1491 1493->1494 1495 7ff78e412580-7ff78e412584 1493->1495 1497 7ff78e412589-7ff78e4125a0 1494->1497 1495->1494 1496 7ff78e412586 1495->1496 1496->1497
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 727153abf217048879292d18050c8b28e4688193c53aaa6d340e0ed37de13772
    • Instruction ID: efa2f8cbad1ef8a1aadcc15285b09cb84732419566e7467ee8e6e0c179a3d496
    • Opcode Fuzzy Hash: 727153abf217048879292d18050c8b28e4688193c53aaa6d340e0ed37de13772
    • Instruction Fuzzy Hash: E4517F32705B8681EF149B6AE4583ADA6A1FB48BC4FA48135EE4D4B3C5EF3CE085D314
    Function 00007FF78E41BB80 Relevance: 3.9, APIs: 3, Instructions: 143COMMON
    Download Yara Rule

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: memcpy$memset
    • String ID:
    • API String ID: 438689982-0
    • Opcode ID: 1b5bdb6c99ab6d8c5d26906455fead17df7766ec203ba2dfbcc180d9a118df1e
    • Instruction ID: b2eaa3a46cf2ffbd5d0a4b7cb65518a272ce3143f2e7e83a72c2d02a6359c7bc
    • Opcode Fuzzy Hash: 1b5bdb6c99ab6d8c5d26906455fead17df7766ec203ba2dfbcc180d9a118df1e
    • Instruction Fuzzy Hash: B5517E72609B86D1EE10EF85E4403ADB7A4FB84B84FA58536EA8C47795EF3CD508C350
    Function 00007FF78E422AF0 Relevance: 3.1, APIs: 2, Instructions: 76COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1530 7ff78e422af0-7ff78e422b01 1531 7ff78e422b80-7ff78e422b98 call 7ff78e41db40 1530->1531 1532 7ff78e422b03-7ff78e422b20 call 7ff78e41db40 1530->1532 1537 7ff78e422ba0-7ff78e422ba2 1531->1537 1535 7ff78e422b25 1532->1535 1538 7ff78e422b27-7ff78e422b2d 1535->1538 1539 7ff78e422b4f-7ff78e422b57 1537->1539 1540 7ff78e422ba4-7ff78e422bab 1537->1540 1538->1539 1541 7ff78e422b2f-7ff78e422b34 1538->1541 1542 7ff78e422bcb-7ff78e422bdf call 7ff78e41db40 1540->1542 1543 7ff78e422bad-7ff78e422bb9 fputc 1540->1543 1544 7ff78e422b60-7ff78e422b72 call 7ff78e41db40 1541->1544 1545 7ff78e422b36-7ff78e422b42 fputc 1541->1545 1542->1539 1553 7ff78e422be5-7ff78e422be7 1542->1553 1543->1539 1546 7ff78e422bbb-7ff78e422bc0 1543->1546 1544->1539 1554 7ff78e422b74-7ff78e422b76 1544->1554 1545->1539 1548 7ff78e422b44-7ff78e422b4d 1545->1548 1546->1539 1550 7ff78e422bc2-7ff78e422bc9 1546->1550 1548->1539 1548->1541 1550->1542 1550->1543 1553->1537 1554->1538
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: fputc
    • String ID:
    • API String ID: 1992160199-0
    • Opcode ID: 57ccfcea121c233f8d07f3c2467c4ac64782e5a1e049ec43631ea0a2ba6a73a8
    • Instruction ID: 01ad5bcad994541bdeaac04cd110b5f20039edf74cfe1e732b314e82f4da2b83
    • Opcode Fuzzy Hash: 57ccfcea121c233f8d07f3c2467c4ac64782e5a1e049ec43631ea0a2ba6a73a8
    • Instruction Fuzzy Hash: 6D21F3A1B0874759FA247E9199A53B9DA487F14BC5FE80434EE1E4B395EF7DE040C228
    Function 00007FF78E427B14 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 36stringCOMMON
    Download Yara Rule

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: strlen
    • String ID: (null)
    • API String ID: 39653677-3941151225
    • Opcode ID: ff5024eb9933e06b0bbfa2a66c989f9e381f0049ca6fda50563a0ccd99e4c395
    • Instruction ID: 2055aaae85194ae7df304a2749fea65de6d2019287312634e7858a8b416304e3
    • Opcode Fuzzy Hash: ff5024eb9933e06b0bbfa2a66c989f9e381f0049ca6fda50563a0ccd99e4c395
    • Instruction Fuzzy Hash: E0011A22A04B428EE700EF76D8852A867A1F748BD8F600C35FA1C87B99DF34D561C3A0
    Function 00007FF78E412370 Relevance: 2.6, APIs: 2, Instructions: 149memoryCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1566 7ff78e412370-7ff78e412386 1567 7ff78e4125d8-7ff78e4125df 1566->1567 1568 7ff78e41238c-7ff78e412399 1566->1568 1569 7ff78e41239f-7ff78e4123aa 1568->1569 1570 7ff78e412450-7ff78e412486 1568->1570 1571 7ff78e4123af-7ff78e4123be 1569->1571 1570->1571 1572 7ff78e4125b8-7ff78e4125c9 VirtualAlloc 1571->1572 1573 7ff78e4123c4-7ff78e4123d5 VirtualAlloc 1571->1573 1574 7ff78e4125cf-7ff78e4125d4 call 7ff78e412260 1572->1574 1575 7ff78e4123e2-7ff78e4123f7 1572->1575 1576 7ff78e4123db 1573->1576 1577 7ff78e4125e4-7ff78e4125fd VirtualAlloc 1573->1577 1574->1567 1578 7ff78e412400-7ff78e412407 1575->1578 1576->1575 1577->1574 1580 7ff78e4125ff 1577->1580 1581 7ff78e41248b-7ff78e4124a1 1578->1581 1582 7ff78e41240d-7ff78e412417 1578->1582 1585 7ff78e4124a4-7ff78e4124cc 1581->1585 1582->1578 1584 7ff78e412419-7ff78e41244a call 7ff78e412290 1582->1584 1584->1585 1587 7ff78e4124d8-7ff78e4124dc 1585->1587 1588 7ff78e4124ce 1585->1588 1591 7ff78e4124de-7ff78e4124fb 1587->1591 1592 7ff78e4124d0-7ff78e4124d6 1587->1592 1590 7ff78e412509-7ff78e412516 1588->1590 1594 7ff78e412518-7ff78e41251d 1590->1594 1595 7ff78e412522-7ff78e41253d 1590->1595 1591->1590 1593 7ff78e4124fd-7ff78e412506 1591->1593 1592->1587 1592->1590 1593->1590 1594->1595 1596 7ff78e41253f 1595->1596 1597 7ff78e412550-7ff78e412554 1595->1597 1598 7ff78e4125a8 1596->1598 1599 7ff78e412548-7ff78e41254e 1597->1599 1600 7ff78e412556-7ff78e41257e 1597->1600 1601 7ff78e4125ac-7ff78e4125b2 1598->1601 1599->1597 1599->1598 1600->1601 1602 7ff78e412580-7ff78e412584 1600->1602 1604 7ff78e412589-7ff78e4125a0 1601->1604 1602->1601 1603 7ff78e412586 1602->1603 1603->1604
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: a86c5dc9920d05f400155eb031ff4e8cb55972a930c6a7583547e339d0d6e71f
    • Instruction ID: cec50de362983cd66bea837deba0187e2400aa18f861d0fc8251ebbc48e55adb
    • Opcode Fuzzy Hash: a86c5dc9920d05f400155eb031ff4e8cb55972a930c6a7583547e339d0d6e71f
    • Instruction Fuzzy Hash: FB515D72706B8681EE15AB56D8583AD63A1FB54FC4FA88536EE0D4B388FF38E041D314
    Function 00007FF78E427990 Relevance: 1.5, APIs: 1, Instructions: 44COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1605 7ff78e427990-7ff78e4279ad 1606 7ff78e4279af-7ff78e4279bf 1605->1606 1607 7ff78e4279c1-7ff78e4279cf 1605->1607 1606->1607 1608 7ff78e4279fd-7ff78e427a14 1606->1608 1609 7ff78e4279d1-7ff78e4279e3 fputc 1607->1609 1610 7ff78e4279e5-7ff78e4279fb 1607->1610 1609->1608 1610->1608
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: fputc
    • String ID:
    • API String ID: 1992160199-0
    • Opcode ID: 504284c848961401c03dab208bcdb2fd3e9e69f166b779f959cc6528fe2ed3ec
    • Instruction ID: 250c0fac9b843e1a4ff6b5f6ede01798bae149da7a2143a28b58e1deed89508e
    • Opcode Fuzzy Hash: 504284c848961401c03dab208bcdb2fd3e9e69f166b779f959cc6528fe2ed3ec
    • Instruction Fuzzy Hash: 0311FAB7A04B458AEB10CF2AC48259C7BB1F798BD87548921EF0C47768DB34D8A1C7A4
    Function 00007FF78E422BF0 Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1611 7ff78e422bf0-7ff78e422c34 call 7ff78e422af0 fwrite 1616 7ff78e422c3b-7ff78e422c43 1611->1616
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: fputcfwrite
    • String ID:
    • API String ID: 1748715138-0
    • Opcode ID: 439de3348a76cb714ffd0b45168a55d101903fa0adb1ac598fcf396fd099d506
    • Instruction ID: ac28a5fa46696fc722d664d1ca8ba31a2d62986410c0dc00b8f6cf36fba8135b
    • Opcode Fuzzy Hash: 439de3348a76cb714ffd0b45168a55d101903fa0adb1ac598fcf396fd099d506
    • Instruction Fuzzy Hash: 79E04820B1500345E604B392B8517B85251BB4D784FE40438ED1D4B3D3DEBFD481C364
    Function 00007FF78E412EA0 Relevance: 1.4, APIs: 1, Instructions: 161memoryCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1617 7ff78e412ea0-7ff78e412ec3 1618 7ff78e412f30-7ff78e412f3f 1617->1618 1619 7ff78e412ec5-7ff78e412ed0 1617->1619 1622 7ff78e413098-7ff78e41309d call 7ff78e4129d0 1618->1622 1623 7ff78e412f45-7ff78e412f4c 1618->1623 1620 7ff78e412fa0-7ff78e412fbd VirtualAlloc 1619->1620 1621 7ff78e412ed6-7ff78e412eed call 7ff78e4129d0 1619->1621 1624 7ff78e41315d-7ff78e41316e call 7ff78e412260 1620->1624 1625 7ff78e412fc3-7ff78e413001 1620->1625 1640 7ff78e413051-7ff78e413069 1621->1640 1641 7ff78e412ef3-7ff78e412f09 call 7ff78e412d60 1621->1641 1634 7ff78e4130a2-7ff78e4130de 1622->1634 1628 7ff78e413148-7ff78e413154 1623->1628 1629 7ff78e412f52-7ff78e412f68 1623->1629 1630 7ff78e41301c-7ff78e413020 1625->1630 1631 7ff78e413003 1625->1631 1628->1624 1635 7ff78e412f6a-7ff78e412f72 1629->1635 1636 7ff78e412f0d-7ff78e412f2c 1629->1636 1638 7ff78e413010-7ff78e413016 1630->1638 1639 7ff78e413022-7ff78e41304b 1630->1639 1637 7ff78e413118-7ff78e41313c call 7ff78e412290 1631->1637 1643 7ff78e4130e0 1634->1643 1644 7ff78e4130e4-7ff78e4130f0 1634->1644 1645 7ff78e412f78-7ff78e412f83 1635->1645 1646 7ff78e4130f6-7ff78e413101 1635->1646 1638->1630 1638->1637 1639->1640 1639->1641 1649 7ff78e41306b-7ff78e413072 1640->1649 1650 7ff78e413080-7ff78e41308e 1640->1650 1641->1636 1643->1644 1644->1636 1644->1646 1651 7ff78e412f8d-7ff78e412f95 1645->1651 1652 7ff78e412f85-7ff78e412f89 1645->1652 1646->1651 1653 7ff78e413107-7ff78e41310f 1646->1653 1649->1641 1650->1641 1651->1636 1652->1651 1653->1651
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: f2edbc15cdf84d54289b1ee0bea3483cdf8f1befdda1efe5bcdab0cd9a36917b
    • Instruction ID: 841d8a4e56efba2a20908af527caa53683d1a7d78ea7bae205ba7dc56b416f6b
    • Opcode Fuzzy Hash: f2edbc15cdf84d54289b1ee0bea3483cdf8f1befdda1efe5bcdab0cd9a36917b
    • Instruction Fuzzy Hash: 6761DF62A05B8290EE15AF59D4043ADA3A0FF04B84FB88239EE5D47794EF38E5D0D320
    Function 00007FF78E413F10 Relevance: 1.3, APIs: 1, Instructions: 91COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1656 7ff78e413f10-7ff78e413f2b 1657 7ff78e413fb0-7ff78e413fb8 1656->1657 1658 7ff78e413f31-7ff78e413f3f 1656->1658 1659 7ff78e413fba-7ff78e413fbf call 7ff78e420460 1657->1659 1660 7ff78e413f41-7ff78e413f71 call 7ff78e412ea0 1657->1660 1658->1657 1658->1660 1659->1660 1665 7ff78e413f77-7ff78e413f8a 1660->1665 1666 7ff78e414060-7ff78e41406c 1660->1666 1668 7ff78e413fc8-7ff78e413fd7 1665->1668 1669 7ff78e413f8c-7ff78e413f93 1665->1669 1667 7ff78e413f96-7ff78e413fae memset 1666->1667 1668->1669 1670 7ff78e413fd9-7ff78e413fe8 1668->1670 1669->1667 1670->1669 1671 7ff78e413fea-7ff78e413ff9 1670->1671 1671->1669 1672 7ff78e413ffb-7ff78e41400a 1671->1672 1672->1669 1673 7ff78e414010-7ff78e41401f 1672->1673 1673->1669 1674 7ff78e414025-7ff78e414034 1673->1674 1674->1669 1675 7ff78e41403a-7ff78e414049 1674->1675 1676 7ff78e41404b-7ff78e414055 1675->1676 1677 7ff78e414071-7ff78e414080 call 7ff78e413bd0 1675->1677 1676->1667 1677->1667
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: memset
    • String ID:
    • API String ID: 2221118986-0
    • Opcode ID: 8b02143593e92ac2916d54e6260cb3ac124fb366926f2417c8424ac6dc95cb66
    • Instruction ID: 5ce4dc47f646ee33e25e52102a50ab4fc41f0187592ab00e67a9974fab4ef264
    • Opcode Fuzzy Hash: 8b02143593e92ac2916d54e6260cb3ac124fb366926f2417c8424ac6dc95cb66
    • Instruction Fuzzy Hash: B5410DA6A08B87A0EA10EF95D4502BCB374F748BA4FE54277EA2D43790DF38D495C360

    Non-executed Functions

    Function 00007FF78E41D570 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 334threadlibraryloaderCOMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: Handle$Thread$ByteCharCloseContextModuleMultiWidememcpy$AddressCreateCurrentExceptionFirstHandlerInitLoadOpenProcProcessSnapshotStringThread32Toolhelp32UnicodeVectoredmemset
    • String ID: Ju4J$NrTP$jP~$bz
    • API String ID: 3395284975-2228891234
    • Opcode ID: b45bdde2e050a73820c03575133c645b573c8b00ded2bee2f5eea24cf29b9914
    • Instruction ID: 9d35042d8a63671415ee242223e6f18cfdc13832b3cd752cc4660fc0e75ce6cb
    • Opcode Fuzzy Hash: b45bdde2e050a73820c03575133c645b573c8b00ded2bee2f5eea24cf29b9914
    • Instruction Fuzzy Hash: 0BE19D62A0864381EE14BB91A8143BEA3A1BF85785FF48035FA4E47799DF7CE445C360
    Function 00007FF78E420460 Relevance: 19.5, APIs: 11, Strings: 1, Instructions: 1506COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID: @
    • API String ID: 0-2766056989
    • Opcode ID: d41118d21125260021136046d49c4ddac0172a0b69c53b1cfd141be858fcfbda
    • Instruction ID: c6e6093a39d9eb408e204241188989728a03c3058d98e97419f0f8588e82a00a
    • Opcode Fuzzy Hash: d41118d21125260021136046d49c4ddac0172a0b69c53b1cfd141be858fcfbda
    • Instruction Fuzzy Hash: 53E2E7B2B05A4782EE54AB85C0483BDA3A6FB41BC4FE59536EA1E473D5DF78E490C310
    Function 00007FF78E422CA0 Relevance: 14.6, APIs: 5, Strings: 3, Instructions: 605COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: _setjmp
    • String ID: ntime of$o get ru$unable t
    • API String ID: 3051281561-3332830050
    • Opcode ID: d0554340613ade2734ec52f66b3ad006e85fbc4489e651fa7a6d65edd9e85561
    • Instruction ID: caa3bd1adef9f527bded4a4f227225936b387dcb533016769c28ff17f12772fe
    • Opcode Fuzzy Hash: d0554340613ade2734ec52f66b3ad006e85fbc4489e651fa7a6d65edd9e85561
    • Instruction Fuzzy Hash: C4623C76B09B4791EB20AF95E4503AAB3B1FB84B84FA08132EA4D477A4DF7DD444C760
    Function 00007FF78E42A61A Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 1364COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID: Infinity$NaN
    • API String ID: 0-4285296124
    • Opcode ID: 43a24777cb2a7448191f746b4a8f09d76225fbc947654351fbeea7187872f442
    • Instruction ID: 6b6f8f3d4d6b948d1137b29649f13df122cd4da52f0fdf8163316fd07a7137a6
    • Opcode Fuzzy Hash: 43a24777cb2a7448191f746b4a8f09d76225fbc947654351fbeea7187872f442
    • Instruction Fuzzy Hash: ADE25732A04B868EE711DFB9C4443AC77A1FB4578CF608226FA0D5BB59DB78E485CB50
    Function 00007FF78E416970 Relevance: 4.2, Strings: 2, Instructions: 1713COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: memset
    • String ID: $@
    • API String ID: 2221118986-1077428164
    • Opcode ID: 03b27ce39678605c4c05157e0135865bc365a15c590f11ba998ac2ac2b446451
    • Instruction ID: 10d607b3fab77e5c6ca0b1a6dfdc89323716e93afd6c261cddd90111207ffa34
    • Opcode Fuzzy Hash: 03b27ce39678605c4c05157e0135865bc365a15c590f11ba998ac2ac2b446451
    • Instruction Fuzzy Hash: B1D225A2718B9542FE10CBA1A9207EBA791FB59BC4F59A531EF9D57B49CB3CE101C300
    Function 00007FF78E41E7F0 Relevance: 3.2, Strings: 2, Instructions: 657COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID: """"""""$DDDDDDDD
    • API String ID: 0-1621327129
    • Opcode ID: 2d363e052113f3d8cd9e6b6330711e63bcd5a0466a8e22fb94e76f087d7d2b95
    • Instruction ID: 623037476b392d46b4c4d0dcebca10e153f79ca161e02c959b177e3abe6c3414
    • Opcode Fuzzy Hash: 2d363e052113f3d8cd9e6b6330711e63bcd5a0466a8e22fb94e76f087d7d2b95
    • Instruction Fuzzy Hash: 2F425E62718BD481E660CFA1B92179BE7A1F7897D4F54A226EE8C67F18DB3CD041CB00
    Function 00007FF78E414A80 Relevance: 2.8, Strings: 2, Instructions: 323COMMON
    Download Yara Rule
    Strings
    • 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00007FF78E414ABC, 00007FF78E414D26
    • c, xrefs: 00007FF78E414A9E
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$c
    • API String ID: 0-131350621
    • Opcode ID: fe9ec9832198bf8c78be8ed1d10407d067a980f3333fc5e30a7e9afb6ea7d0de
    • Instruction ID: a99c037e9642545f44664279a03039d89390a9c78336defb22645b39990b91c5
    • Opcode Fuzzy Hash: fe9ec9832198bf8c78be8ed1d10407d067a980f3333fc5e30a7e9afb6ea7d0de
    • Instruction Fuzzy Hash: 0BC1B592B18B4A86EE609B69A8053BDA251FB59BA4FB44331EF3D477D4EB3CD504C310
    Function 00007FF78E416760 Relevance: 2.6, Strings: 2, Instructions: 148COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID: 33333333$UUUUUUUU
    • API String ID: 0-3483174168
    • Opcode ID: 441117c694ab834bf65894c7cf1b76a728a697286da176495cad2e6614abf1fb
    • Instruction ID: ce635fbe03f273c4060d4f95008f9c0126ce9dda3d0ee2486fa34e039c3354eb
    • Opcode Fuzzy Hash: 441117c694ab834bf65894c7cf1b76a728a697286da176495cad2e6614abf1fb
    • Instruction Fuzzy Hash: 7D41C3E3B70BB895EA01CF559905AD56761F314FE8A19E026DF0E3BB0EC638DA47C241
    Function 00007FF78E41B420 Relevance: .4, Instructions: 447COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 58d152655350713289c819be8dccde4b231c5deb1e4a479145f82acc2a1a33ee
    • Instruction ID: f5fbe1fb62393563b6391bd17e55d603ea712de299dad0e4c275d42cc4dbddbf
    • Opcode Fuzzy Hash: 58d152655350713289c819be8dccde4b231c5deb1e4a479145f82acc2a1a33ee
    • Instruction Fuzzy Hash: 82025953F74FD580F713577C6802EA4AA04ABB33E0B65A301FD5662FE3D76296178A04
    Function 00007FF78E45CF08 Relevance: .1, Instructions: 78COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 6ebbe443d4d5eec7067146e404a23c1702ac5f29493cc888530308e17ef8ef7e
    • Instruction ID: 0e61130fe5f806c7a1f68273e03baab87664133aa8e6132fc5521efbd1a9a86c
    • Opcode Fuzzy Hash: 6ebbe443d4d5eec7067146e404a23c1702ac5f29493cc888530308e17ef8ef7e
    • Instruction Fuzzy Hash: 4A21578795E7D22ED3539BB81C651AC7FB09AE291079E81A7DBC8D32C3E44C5819C322
    Function 00007FF78E4199F0 Relevance: 31.9, APIs: 10, Strings: 8, Instructions: 373COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: String$CopyFreeInitializeVariant_setjmp
    • String ID: hander:$VariantConversionError$com.nim$d except$de event$ion insi$newVariant$uncatche
    • API String ID: 1008739868-602244300
    • Opcode ID: 73eab3e3a8e54823fae27a0f2d74788e3fa71f517200aa9c444ffa85e95ef9c7
    • Instruction ID: 2ba8fb2addd619392d8cffb5ec1eeca72bfb0cd129fed75f66ac4dfbc90f260f
    • Opcode Fuzzy Hash: 73eab3e3a8e54823fae27a0f2d74788e3fa71f517200aa9c444ffa85e95ef9c7
    • Instruction Fuzzy Hash: E8025B72A09B4781EE10AF95E4443BEB7A0FB84B84FA44436EA4D477A5EF3CE544C360
    Function 00007FF78E4183F0 Relevance: 31.7, APIs: 3, Strings: 15, Instructions: 224COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: CommandLine
    • String ID: contain$ not in $ not in $ not in $0 ..$0 ..$IndexDefect$er is em$inde$index ou$nds, the$os.nim$paramStr$pty$t of bou
    • API String ID: 3253501508-475797482
    • Opcode ID: ae8af6ebdb65100db110cd49cbf6243cfd4987e597e8c8f6b34ff7532a8fb47d
    • Instruction ID: a6bcfb1466f2dab1c76cb7ffc9b2556ec278cf85d7f1c6f7d6a478a0d9093e82
    • Opcode Fuzzy Hash: ae8af6ebdb65100db110cd49cbf6243cfd4987e597e8c8f6b34ff7532a8fb47d
    • Instruction Fuzzy Hash: 98A19832A09B4381EB10AF95E54436DB7A4FF48B84FA58036EA5D07395EF3CE555C3A0
    Function 00007FF78E41A740 Relevance: 28.3, APIs: 8, Strings: 8, Instructions: 297memoryCOMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: ArrayByteCharInitializeMultiSafeStringWide$AllocCreateElementFree_setjmpmemcpy
    • String ID: specifi$VariantConversionError$com.nim$ed membe$o invoke$r: $toVariant$unable t
    • API String ID: 4234589578-1707675
    • Opcode ID: 40dd78bd37efff150318ba0ad35e508670c7ec19cf888205b5695cbcda88311e
    • Instruction ID: 71df4d97f6a8e9def57ca63b567ec89d3719d4a979e955175a800e59d174e616
    • Opcode Fuzzy Hash: 40dd78bd37efff150318ba0ad35e508670c7ec19cf888205b5695cbcda88311e
    • Instruction Fuzzy Hash: 52F12C32A09B8781EA20AF95F4443AEF3A4FB84B84FA44135EA8D47755EF7CE444C760
    Function 00007FF78E415110 Relevance: 27.5, APIs: 8, Strings: 10, Instructions: 466stringCOMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: memcpystrlen
    • String ID: excepti$Error: u$ReraiseDefect$[[rerais$]]$ed from:$fatal.nim$nhandled$on: $sysFatal
    • API String ID: 3412268980-331123295
    • Opcode ID: 8f4dde3022c81423b768480ceda97c10880ad535dc9c362d3ef7fb7deb79978a
    • Instruction ID: 3d92837f47a596a548beb0c9ec962529e091b0e91b485dec1d6c9230f5e06b1f
    • Opcode Fuzzy Hash: 8f4dde3022c81423b768480ceda97c10880ad535dc9c362d3ef7fb7deb79978a
    • Instruction Fuzzy Hash: C622BA72A08B8381EE10AB85E4047AEA7A5FB45B94FF48136EE5C07795EF3CE444C760
    Function 00007FF78E419280 Relevance: 16.7, APIs: 3, Strings: 8, Instructions: 193COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: memcpy
    • String ID: H$VED|$VT_ARRAY$VT_ARRAY$VT_ARRAY$VT_BYREF$VT_RESER$VT_VECTO
    • API String ID: 3510742995-1705348919
    • Opcode ID: 337739e223be188f628012b87c5b85072a9b5b8a4ef4e15056e466ec34cbc926
    • Instruction ID: 0394d53ea68b9e01ecad5f1f473c053b6488cee964b29edc2f0c097a8636dee7
    • Opcode Fuzzy Hash: 337739e223be188f628012b87c5b85072a9b5b8a4ef4e15056e466ec34cbc926
    • Instruction Fuzzy Hash: FC816972A08B4685EA10AB55E4443ADA3A4FB54BC4FE98536EF4D073A1EF7CE444C360
    Function 00007FF78E422790 Relevance: 16.7, APIs: 2, Strings: 9, Instructions: 167COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: memcpy
    • String ID: CLRError$ValueError$annot pa$format s$invalid $parseStandardFormatSpecifier$rse:$strformat.nim$tring, c
    • API String ID: 3510742995-153200016
    • Opcode ID: 216522f65f7b7ecf525798e0b75d0ca7fecc0448bf14dbf4ae37d6973f2ee7d0
    • Instruction ID: 6efe1864fa7a6a074c78c5a4dc3df341d8e96e85da45b4b7a1325c97eea4e09a
    • Opcode Fuzzy Hash: 216522f65f7b7ecf525798e0b75d0ca7fecc0448bf14dbf4ae37d6973f2ee7d0
    • Instruction Fuzzy Hash: 33716C72B09B4381EB10EF95E9443ADA3A0FB45B94FA48536EA9C0B785EF7CD154C360
    Function 00007FF78E41D1F0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 187COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: _setjmpmemcpy
    • String ID: ValueError$gfffffff$integer:$invalid $parseInt$strutils.nim
    • API String ID: 2721286225-831327929
    • Opcode ID: d42cb93ac16e04f855ba17adc5a1d2855ebe73bfd532347f31365ef0ddec713f
    • Instruction ID: 08f521a08165ef2b064f48470d39177bad80b911264dc3b604861a0a7a823591
    • Opcode Fuzzy Hash: d42cb93ac16e04f855ba17adc5a1d2855ebe73bfd532347f31365ef0ddec713f
    • Instruction Fuzzy Hash: 2D919072A09B5B81EE20AB85E4443ADB3A0FB44B94FE44232EA5D473D5DF7DE544C350
    Function 00007FF78E416150 Relevance: 14.0, APIs: 2, Strings: 6, Instructions: 28stringCOMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: exitstrlen
    • String ID: SIGABRT: Abnormal termination.$SIGFPE: Arithmetic error.$SIGILL: Illegal operation.$SIGINT: Interrupted by Ctrl-C.$SIGSEGV: Illegal storage access. (Attempt to read from nil?)$unknown signal
    • API String ID: 4213389737-3987738871
    • Opcode ID: e106d0bf56c6f6c14220b101e35efae5d1955080e8f0331f6d695c16fe7ff00b
    • Instruction ID: 4b9aa30f1e36849e5996802262eda8b97dd365016906507905818b389e652d7b
    • Opcode Fuzzy Hash: e106d0bf56c6f6c14220b101e35efae5d1955080e8f0331f6d695c16fe7ff00b
    • Instruction Fuzzy Hash: 11F0F920A0844350FE29B7D068559BCA251BF42385FF90539F52D57A63CF7CB445C230
    Function 00007FF78E418FD0 Relevance: 13.6, APIs: 2, Strings: 7, Instructions: 142COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: memcpy
    • String ID: to $convert $convert $convert $convert $convert $from
    • API String ID: 3510742995-1950068461
    • Opcode ID: fd36f46ad0ae37d4b4bddbbc41cb48c1798a24c9597a1145c937eb4c79994910
    • Instruction ID: 8ab5dbf57a82094de69ebebef4bb8f08efef6b9029e97869554b571a40b32302
    • Opcode Fuzzy Hash: fd36f46ad0ae37d4b4bddbbc41cb48c1798a24c9597a1145c937eb4c79994910
    • Instruction Fuzzy Hash: 5C617D72A05B4781EF05EF81D44839DBBA1FB58B84FA9803AEA0D47395EF78D941C391
    Function 00007FF78E4116F0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 40libraryloaderCOMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: b2bd19885756fac5e715177d44c2c246ee0f40da9efa5fc0257f11007989734f
    • Instruction ID: b573451d84250467d8f14ca29960e22e9338769570c2261941bd53c03e20ccf6
    • Opcode Fuzzy Hash: b2bd19885756fac5e715177d44c2c246ee0f40da9efa5fc0257f11007989734f
    • Instruction Fuzzy Hash: 3101F324B0AA0791EE11BB91BC505B9A364BF48788FE80932FC5E03324EF3CA505C320
    Function 00007FF78E414F70 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 69COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: exitlongjmp
    • String ID: 5$ReraiseDefect$fatal.nim$sysFatal
    • API String ID: 2266059207-1761478562
    • Opcode ID: 6dba0bab8b8842a3087f969b2d79c435c3b861759359c708d2e6c07f5b605d46
    • Instruction ID: cb4d428d96a436475439c00ea4b68c60cdd1248caf4e57951c0ad014fc7c906c
    • Opcode Fuzzy Hash: 6dba0bab8b8842a3087f969b2d79c435c3b861759359c708d2e6c07f5b605d46
    • Instruction Fuzzy Hash: F9310565A08A0791EE00BB94E4486BEA3A4FB44B84FF40436EA1C47392EF3CE544C3A0
    Function 00007FF78E41E170 Relevance: 9.3, APIs: 2, Strings: 4, Instructions: 257stringCOMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: strlen
    • String ID: JDF7$MZ$HYk$HYk
    • API String ID: 39653677-2708922670
    • Opcode ID: fb128b31eecae01c74019f75152d3cf190f191e744a191f74645c25cc66dacfe
    • Instruction ID: c731aec84acf981aa83f151ac0d20596c72dcd71dbcb269af49889b7d77a5e47
    • Opcode Fuzzy Hash: fb128b31eecae01c74019f75152d3cf190f191e744a191f74645c25cc66dacfe
    • Instruction Fuzzy Hash: B9C1CF25B0958792EA20BF95D4502BEA3A1FF84788FF08135FA8D07A99DF3CE545C760
    Function 00007FF78E41B080 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 191COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: CopyInitializeVariant
    • String ID: VariantConversionError$com.nim$toVariant
    • API String ID: 633353902-3035603046
    • Opcode ID: 69b7a0743af9c74be4fe706768bacf6f89d1360f85a604e1a72977d30e1db7da
    • Instruction ID: 2bf82175c42c7c5240fa460812525899e012ac1bafa74a8f2cd5b3a4358a7d50
    • Opcode Fuzzy Hash: 69b7a0743af9c74be4fe706768bacf6f89d1360f85a604e1a72977d30e1db7da
    • Instruction Fuzzy Hash: 50911632A19A4781EA10AB95E8543BEA3A4FF85784FF4443AFA4D47795DF7CE008C360
    Function 00007FF78E426F20 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID: CCG
    • API String ID: 0-1584390748
    • Opcode ID: 08d7eed76709450e368a73cb412f1c952c93ae8a5c57bb94bda8ef868f485690
    • Instruction ID: 38c8a0991f51f51b664e4f85ef93a6339d21c67a61a4bd59c2c2e163e9e67f6e
    • Opcode Fuzzy Hash: 08d7eed76709450e368a73cb412f1c952c93ae8a5c57bb94bda8ef868f485690
    • Instruction Fuzzy Hash: FF415471A086178AF720ABA4C8483BC6261BF45358FB04A35EE2D877E5CF3CE541D320
    Function 00007FF78E411E40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117fileCOMMON
    Download Yara Rule
    APIs
    Strings
    • [GC] cannot register global variable; too many global variables, xrefs: 00007FF78E411E5C
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: exitfflushfwrite
    • String ID: [GC] cannot register global variable; too many global variables
    • API String ID: 3476253079-2146260042
    • Opcode ID: 437ef05ad9c949bf7c3cade124a65ed7813bdb6dbf6992e3187067ae8dbba8cc
    • Instruction ID: 774ebc558379c4c0275d012d178ad591ebe06d901a760018fa4f953e256d57bb
    • Opcode Fuzzy Hash: 437ef05ad9c949bf7c3cade124a65ed7813bdb6dbf6992e3187067ae8dbba8cc
    • Instruction Fuzzy Hash: 2B4190B2B05A4281EE04EB58D0543BCA761FB94BC4FB18A35DA0E47351EF7EE545C320
    Function 00007FF78E4120F0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 92libraryloaderCOMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: AddressProcexit
    • String ID: @$could not import:
    • API String ID: 2129014486-260091680
    • Opcode ID: 69dd1521f8cfb840d2ca3ee137f161da04b393e1b82e55d6114af6ee7714bfbc
    • Instruction ID: 4b4db1a5a71561f5d3b38fd0cd4376752e53103dfd6fe7ef3cf905c831ef23c3
    • Opcode Fuzzy Hash: 69dd1521f8cfb840d2ca3ee137f161da04b393e1b82e55d6114af6ee7714bfbc
    • Instruction Fuzzy Hash: F731F562F0918355EE29E7A9E9047BD9A52BB457C4FA84235EE0E07386EF7CE005C364
    Function 00007FF78E415970 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 85COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: exitlongjmp
    • String ID: fatal.nim$sysFatal
    • API String ID: 2266059207-2644091575
    • Opcode ID: 46b2c20323a3814dd39974bb7dba7c9da256c0f213f5ca93764d1b22c13c85d6
    • Instruction ID: e853e1f4bc0960c851606a2f0892c778f1910ac33ea2c81d4357bceb0d897b48
    • Opcode Fuzzy Hash: 46b2c20323a3814dd39974bb7dba7c9da256c0f213f5ca93764d1b22c13c85d6
    • Instruction Fuzzy Hash: 98415662B15B0792EE10AB99D8887BDB3A4FB48BC4FB44536EA5C07355EF38D445C360
    Function 00007FF78E412050 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: ErrorLastexitfwritestrlen
    • String ID: (bad format; library may be wrong architecture)$could not load:
    • API String ID: 671075621-2754783905
    • Opcode ID: 80ccbc06463d05bc2b5888fd3e508f9d5f8e55bf2f70a7f2de8dd596c3c45509
    • Instruction ID: d9b5be997cc9a4f7612310fe7d860138b9838117a874f2798b978e77edbd0841
    • Opcode Fuzzy Hash: 80ccbc06463d05bc2b5888fd3e508f9d5f8e55bf2f70a7f2de8dd596c3c45509
    • Instruction Fuzzy Hash: 2C011A20A0951351FE44B7E1A819BB89665BF45780FF44139FE0E47396EF3CA801C235
    Function 00007FF78E411DF0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 17fileCOMMON
    Download Yara Rule
    APIs
    Strings
    • [GC] cannot register thread local variable; too many thread local variables, xrefs: 00007FF78E411E0C
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: exitfflushfwrite
    • String ID: [GC] cannot register thread local variable; too many thread local variables
    • API String ID: 3476253079-685140759
    • Opcode ID: c3f1f31466da6b0e5659f2dcc0f8f8b56ac89d22bc30fdeb04acf319fe540aed
    • Instruction ID: f97038bd30869c6c78a023f01e9689e6d7fc4f40e1ef21219bedba93bcb8e00e
    • Opcode Fuzzy Hash: c3f1f31466da6b0e5659f2dcc0f8f8b56ac89d22bc30fdeb04acf319fe540aed
    • Instruction Fuzzy Hash: E2E0EC20E045438AF60477D2A4157F8A660FF87B85FE05438EA1E5B392DF7EA806C365
    Function 00007FF78E41A3E0 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 196COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: memcpy$memset
    • String ID: CLRError$clr.nim$clrError
    • API String ID: 438689982-2830349459
    • Opcode ID: 77f3dd17192c832a47128c647c90bb103ff66cefc69fe6e175ad23bf75e257b3
    • Instruction ID: 8a8196bd9ae1b4f10881c6e3fa745fe7a3ffc2f6446044f70495ded53e07f488
    • Opcode Fuzzy Hash: 77f3dd17192c832a47128c647c90bb103ff66cefc69fe6e175ad23bf75e257b3
    • Instruction Fuzzy Hash: FA91B262A18B8385EA11AB4598002BDA761FB547A4FA50231FF6D0B3D2DF7CE554D360
    Function 00007FF78E41A080 Relevance: 6.1, APIs: 4, Instructions: 128memoryCOMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: ByteCharMultiWide$AllocInitializeString
    • String ID:
    • API String ID: 1889743751-0
    • Opcode ID: 65b687b48c692aee826a9be4b8a57595faa841ef06bbf31540a48bb328041d11
    • Instruction ID: 9027796017c039f925c97fd35c3d25ee1052f0696c8750305c0df39b43d09cbd
    • Opcode Fuzzy Hash: 65b687b48c692aee826a9be4b8a57595faa841ef06bbf31540a48bb328041d11
    • Instruction Fuzzy Hash: 3C516962B0AA4781EE15AF95A80437EA3A0BF44B84FF44535EE0D47395EF7CE445D360
    Function 00007FF78E413170 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: FreeVirtualexit
    • String ID: virtualFree failing!
    • API String ID: 1212090140-3108117800
    • Opcode ID: c68e12f655a03d91ba896f2f687b174e3f78ce3526b737a923ed8198372fbc25
    • Instruction ID: 4dbe25d93a57e4827d5891b3b2c3d607ff8c84b7c6a8a7e2ce7fc36fec180f47
    • Opcode Fuzzy Hash: c68e12f655a03d91ba896f2f687b174e3f78ce3526b737a923ed8198372fbc25
    • Instruction Fuzzy Hash: 8951CDB2B05B4680EE04EB55C458BAC73A5FB04B80FB2C235EA5D47398EF7AD984C350
    Function 00007FF78E426540 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: fprintf
    • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-3474627141
    • Opcode ID: a9984ae661c6ac48f04b27f6ff2a17c140177e5de2a6c16ce8aaa602cf112a1e
    • Instruction ID: 6d45a739406bca77e55b1c0bf29aa8e6ea982bff0b83095a6e9a7a6f54d3c9a6
    • Opcode Fuzzy Hash: a9984ae661c6ac48f04b27f6ff2a17c140177e5de2a6c16ce8aaa602cf112a1e
    • Instruction Fuzzy Hash: 5B214926A04F858AD7119FA8E8413EAB371FF59799F944622FE8C17764EF78D245C300
    Function 00007FF78E42658C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: fprintf
    • String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-2713391170
    • Opcode ID: fa2246ec60d3f2d2c8e860e0b899dddbbb1b0a01b347715d37e67942b8b6f4d3
    • Instruction ID: 19ab70fae6f3ada45faa9f87204a68471ea50a4906df6a92ea4f050132045ab4
    • Opcode Fuzzy Hash: fa2246ec60d3f2d2c8e860e0b899dddbbb1b0a01b347715d37e67942b8b6f4d3
    • Instruction Fuzzy Hash: DA015E26A04F858AD7019F69D8402AA7771FF4D799F544722EF8D27724DF38C145C310
    Function 00007FF78E4265B3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: fprintf
    • String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-4283191376
    • Opcode ID: 100d4e92daa1d8cb9e2847d07ef5ff8e49b239cca73fcd96e7544013f80db1bf
    • Instruction ID: 781677d5110813843ace821e37e4b524d64b24556166a680f68f73c4fc8bd08d
    • Opcode Fuzzy Hash: 100d4e92daa1d8cb9e2847d07ef5ff8e49b239cca73fcd96e7544013f80db1bf
    • Instruction Fuzzy Hash: 9B015E26A04F858AD7019F69D8402AA7771FF4D799F554722EF8D27725DF38C145C310
    Function 00007FF78E426599 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: fprintf
    • String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-2468659920
    • Opcode ID: ff2584cf3f57ae6350a126f8e35093b32cbe0b374b796bb6d5cdb4394ffb26a0
    • Instruction ID: 737a6fe8d29f4238c17d2f04d70d6e8272d536b90bde8901f7bd3437ec06e659
    • Opcode Fuzzy Hash: ff2584cf3f57ae6350a126f8e35093b32cbe0b374b796bb6d5cdb4394ffb26a0
    • Instruction Fuzzy Hash: F4019E26A04F858AD7019F68D8402AA7371FF4D798F544722EF8D27728DF38C145C310
    Function 00007FF78E4265A6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: fprintf
    • String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-4064033741
    • Opcode ID: 9e894c05ad2901ed1daa551ccda28ddea90dc3bd28c1571126fd109856676168
    • Instruction ID: 71816b8532b4be82482f21dbdf39c09ede487547dfe12b292252ab7af301881a
    • Opcode Fuzzy Hash: 9e894c05ad2901ed1daa551ccda28ddea90dc3bd28c1571126fd109856676168
    • Instruction Fuzzy Hash: D7015E26A04F898AD7019F69D8402AAB771FF4D799F554722EF8D27764DF38C145C310
    Function 00007FF78E4265CD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: fprintf
    • String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-2187435201
    • Opcode ID: 431faf95ef2588800d0d27bfca1691eee4811e92dd30b5b8fce71afe1fc2f45c
    • Instruction ID: 789ec758ec0d233eb4b0e85130f9f8a3f8b0b6677d95edb0325516b28e0a0be9
    • Opcode Fuzzy Hash: 431faf95ef2588800d0d27bfca1691eee4811e92dd30b5b8fce71afe1fc2f45c
    • Instruction Fuzzy Hash: F8015E26A04F858AD7019F69D8402AA7771FF4D799F554722EF8D27724DF38C145C310
    Function 00007FF78E4265C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2954539764.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000000.00000002.2954517675.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954568050.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954590553.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954613376.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954633631.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2954693841.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: fprintf
    • String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-4273532761
    • Opcode ID: f2129813e4aca10fd5bf26985deab3776ad89d1813962d43f4c18ca8cbf0e0d2
    • Instruction ID: 4ecd1637e6635a752ff5c6dc24c1bca5849e86b7f094329d74bc10f006a3626d
    • Opcode Fuzzy Hash: f2129813e4aca10fd5bf26985deab3776ad89d1813962d43f4c18ca8cbf0e0d2
    • Instruction Fuzzy Hash: 1C014C26A04F858AD7019F69D8402AA7761FB4D799F554622EE8D27724DF38C185C310

    Execution Graph

    Execution Coverage:9.8%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:1313
    Total number of Limit Nodes:19
    execution_graph 17354 7ff78e419768 17357 7ff78e4161c0 17354->17357 17356 7ff78e419774 17358 7ff78e4161d8 17357->17358 17360 7ff78e4161d1 17357->17360 17358->17356 17359 7ff78e416229 17362 7ff78e412ea0 16 API calls 17359->17362 17360->17358 17360->17359 17361 7ff78e420460 35 API calls 17360->17361 17361->17359 17365 7ff78e416239 17362->17365 17363 7ff78e4162f6 memcpy 17363->17356 17365->17363 17366 7ff78e413bd0 20 API calls 17365->17366 17366->17363 17367 153c16d185b 17369 153c16d07da 17367->17369 17368 153c16d0849 17369->17368 17371 153c16d1b10 17369->17371 17372 153c16d1b5d 17371->17372 17373 153c16d1b6f NtProtectVirtualMemory 17372->17373 17375 153c16d1bc6 17373->17375 17374 153c16d1bcc NtCreateSection 17376 153c16d1c21 17374->17376 17375->17374 17376->17368 18276 7ff78e429876 18277 7ff78e42988a 18276->18277 18278 7ff78e429890 18276->18278 18277->18278 18279 7ff78e4298c0 18277->18279 18280 7ff78e427b8c 5 API calls 18278->18280 18281 7ff78e427a15 fputc 18279->18281 18284 7ff78e4297d4 18280->18284 18281->18284 18282 7ff78e42a143 18283 7ff78e427990 fputc 18283->18284 18284->18282 18284->18283 18348 7ff78e42d65b ___lc_codepage_func ___mb_cur_max_func 18349 7ff78e42d6a4 18348->18349 18354 7ff78e42d6b0 18348->18354 18350 7ff78e42d6c5 18349->18350 18353 7ff78e42d756 18349->18353 18349->18354 18352 7ff78e42d540 2 API calls 18350->18352 18350->18354 18351 7ff78e42d540 2 API calls 18351->18353 18352->18350 18353->18351 18353->18354 18358 7ff78e429c62 18359 7ff78e429c75 18358->18359 18360 7ff78e429c9f 18358->18360 18364 7ff78e428fc7 18359->18364 18362 7ff78e428fc7 18 API calls 18360->18362 18363 7ff78e429cdb 18362->18363 18363->18363 18365 7ff78e428fe9 18364->18365 18366 7ff78e428595 4 API calls 18365->18366 18367 7ff78e429033 18366->18367 18368 7ff78e42905b 18367->18368 18369 7ff78e429041 18367->18369 18371 7ff78e429132 18368->18371 18374 7ff78e429079 18368->18374 18370 7ff78e42884b fputc 18369->18370 18382 7ff78e429056 18370->18382 18372 7ff78e429142 18371->18372 18373 7ff78e429155 strlen 18371->18373 18376 7ff78e428d01 12 API calls 18372->18376 18373->18372 18375 7ff78e4290a0 strlen 18374->18375 18378 7ff78e429089 18374->18378 18375->18378 18376->18382 18377 7ff78e42a20f free 18379 7ff78e429194 18377->18379 18380 7ff78e428936 12 API calls 18378->18380 18379->18360 18381 7ff78e429108 18380->18381 18381->18382 18383 7ff78e427990 fputc 18381->18383 18382->18377 18383->18381 17388 7ff78e42995f 17390 7ff78e429965 17388->17390 17389 7ff78e4299fd 17402 7ff78e42816c 17389->17402 17390->17389 17394 7ff78e427df4 17390->17394 17393 7ff78e429a30 17393->17393 17395 7ff78e427e2b 17394->17395 17397 7ff78e428056 17395->17397 17410 7ff78e427990 17395->17410 17396 7ff78e42813b 17399 7ff78e428163 17396->17399 17400 7ff78e427990 fputc 17396->17400 17397->17396 17398 7ff78e427990 fputc 17397->17398 17398->17397 17399->17389 17400->17396 17403 7ff78e428196 17402->17403 17404 7ff78e428439 17403->17404 17409 7ff78e427990 fputc 17403->17409 17405 7ff78e42845f 17404->17405 17406 7ff78e427990 fputc 17404->17406 17407 7ff78e42847f 17405->17407 17408 7ff78e427990 fputc 17405->17408 17406->17404 17407->17393 17408->17405 17409->17403 17411 7ff78e4279af 17410->17411 17412 7ff78e4279e5 17411->17412 17413 7ff78e4279d1 fputc 17411->17413 17412->17395 17413->17412 17414 7ff78e429b66 17415 7ff78e429b79 17414->17415 17416 7ff78e429ba3 17414->17416 17420 7ff78e428f1c 17415->17420 17418 7ff78e428f1c 16 API calls 17416->17418 17419 7ff78e429bdf 17418->17419 17419->17419 17421 7ff78e428f3e 17420->17421 17431 7ff78e428595 17421->17431 17424 7ff78e428f98 17438 7ff78e428d01 17424->17438 17425 7ff78e428f81 17434 7ff78e42884b 17425->17434 17428 7ff78e428f96 17446 7ff78e42a20f 17428->17446 17449 7ff78e428488 17431->17449 17435 7ff78e428877 17434->17435 17580 7ff78e427a15 17435->17580 17439 7ff78e428d2e 17438->17439 17588 7ff78e428936 17439->17588 17442 7ff78e427990 fputc 17443 7ff78e428e0f 17442->17443 17444 7ff78e427df4 fputc 17443->17444 17445 7ff78e428e45 17444->17445 17445->17428 17447 7ff78e42c0e8 free 17446->17447 17448 7ff78e428fbf 17447->17448 17448->17416 17450 7ff78e4284b9 17449->17450 17453 7ff78e42a61a 17450->17453 17454 7ff78e42a67e 17453->17454 17455 7ff78e42a731 17453->17455 17457 7ff78e42858e 17454->17457 17458 7ff78e42a700 17454->17458 17461 7ff78e42a68c 17454->17461 17456 7ff78e42a1a2 malloc 17455->17456 17456->17457 17457->17424 17457->17425 17529 7ff78e42a1a2 17458->17529 17460 7ff78e42a7a6 17462 7ff78e42a1a2 malloc 17460->17462 17461->17457 17461->17460 17525 7ff78e42a4f0 17461->17525 17462->17457 17464 7ff78e42a79a 17532 7ff78e42c0e8 17464->17532 17466 7ff78e42a6d7 17466->17464 17467 7ff78e42a7da 17466->17467 17536 7ff78e42a150 17467->17536 17469 7ff78e42b2b5 17470 7ff78e42b350 17469->17470 17473 7ff78e42b2f1 17469->17473 17474 7ff78e42b356 17469->17474 17472 7ff78e42c29b malloc 17470->17472 17475 7ff78e42b373 17472->17475 17476 7ff78e42b32a 17473->17476 17543 7ff78e42c507 17473->17543 17477 7ff78e42c507 3 API calls 17474->17477 17481 7ff78e42c507 3 API calls 17475->17481 17490 7ff78e42b38c 17475->17490 17476->17470 17480 7ff78e42c507 3 API calls 17476->17480 17477->17470 17480->17470 17481->17490 17482 7ff78e42c0e8 free 17491 7ff78e42baaf 17482->17491 17484 7ff78e42c0e8 free 17484->17457 17487 7ff78e42bad3 17492 7ff78e42c0e8 free 17487->17492 17488 7ff78e42c0e8 free 17488->17476 17489 7ff78e42b423 17494 7ff78e42c6c0 2 API calls 17489->17494 17502 7ff78e42b442 17489->17502 17490->17489 17556 7ff78e42c6c0 17490->17556 17491->17487 17495 7ff78e42c0e8 free 17491->17495 17499 7ff78e42ae0a 17491->17499 17492->17499 17494->17502 17495->17487 17496 7ff78e42b49c 17497 7ff78e42b531 17496->17497 17500 7ff78e42b4b9 17496->17500 17498 7ff78e42b53b 17497->17498 17506 7ff78e42b94d 17497->17506 17501 7ff78e42b550 17498->17501 17503 7ff78e42c6c0 2 API calls 17498->17503 17499->17484 17505 7ff78e42c170 3 API calls 17500->17505 17521 7ff78e42afee 17500->17521 17522 7ff78e42b5b5 17501->17522 17569 7ff78e42bfa6 17501->17569 17502->17496 17562 7ff78e42c170 17502->17562 17503->17501 17505->17521 17509 7ff78e42b9a9 17506->17509 17511 7ff78e42c170 3 API calls 17506->17511 17514 7ff78e42c6c0 2 API calls 17509->17514 17509->17521 17510 7ff78e42b570 memcpy 17512 7ff78e42c6c0 2 API calls 17510->17512 17511->17506 17512->17522 17513 7ff78e42c170 3 API calls 17513->17496 17514->17521 17516 7ff78e42c0e8 free 17516->17522 17517 7ff78e42b6d5 17518 7ff78e42b7ba 17517->17518 17523 7ff78e42b6fa 17517->17523 17519 7ff78e42c6c0 2 API calls 17518->17519 17518->17521 17519->17521 17520 7ff78e42c170 malloc free memcpy 17520->17522 17521->17482 17521->17499 17522->17509 17522->17516 17522->17517 17522->17520 17522->17521 17573 7ff78e42c91a 17522->17573 17523->17521 17524 7ff78e42c170 malloc free memcpy 17523->17524 17524->17523 17526 7ff78e42a516 17525->17526 17527 7ff78e42bfa6 malloc 17526->17527 17528 7ff78e42a52f 17527->17528 17528->17466 17530 7ff78e42a150 malloc 17529->17530 17531 7ff78e42a1c0 17530->17531 17531->17457 17533 7ff78e42c0fb 17532->17533 17535 7ff78e42c112 17532->17535 17534 7ff78e42c107 free 17533->17534 17533->17535 17534->17535 17535->17460 17537 7ff78e42a16b 17536->17537 17538 7ff78e42bfa6 malloc 17537->17538 17539 7ff78e42a187 17538->17539 17539->17469 17539->17499 17539->17521 17540 7ff78e42c29b 17539->17540 17541 7ff78e42bfa6 malloc 17540->17541 17542 7ff78e42c2b0 17541->17542 17542->17469 17544 7ff78e42c525 17543->17544 17546 7ff78e42c550 17543->17546 17545 7ff78e42c170 3 API calls 17544->17545 17545->17546 17547 7ff78e42b306 17546->17547 17549 7ff78e42c29b malloc 17546->17549 17551 7ff78e42c5b0 17546->17551 17552 7ff78e42c2e1 17547->17552 17548 7ff78e42c2e1 malloc 17548->17551 17549->17551 17550 7ff78e42c0e8 free 17550->17551 17551->17547 17551->17548 17551->17550 17553 7ff78e42c306 17552->17553 17554 7ff78e42bfa6 malloc 17553->17554 17555 7ff78e42b31a 17554->17555 17555->17488 17557 7ff78e42c700 17556->17557 17558 7ff78e42bfa6 malloc 17557->17558 17560 7ff78e42c719 17558->17560 17559 7ff78e42c724 17559->17489 17560->17559 17561 7ff78e42c0e8 free 17560->17561 17561->17559 17563 7ff78e42c1a9 17562->17563 17564 7ff78e42bfa6 malloc 17563->17564 17568 7ff78e42b47b 17563->17568 17565 7ff78e42c217 17564->17565 17566 7ff78e42c229 memcpy 17565->17566 17565->17568 17567 7ff78e42c0e8 free 17566->17567 17567->17568 17568->17496 17568->17513 17570 7ff78e42bfbb 17569->17570 17571 7ff78e42c086 malloc 17570->17571 17572 7ff78e42bfe4 17570->17572 17571->17572 17572->17510 17574 7ff78e42c93a 17573->17574 17575 7ff78e42c981 17574->17575 17576 7ff78e42c943 17574->17576 17578 7ff78e42bfa6 malloc 17575->17578 17577 7ff78e42bfa6 malloc 17576->17577 17579 7ff78e42c94d 17577->17579 17578->17579 17579->17522 17581 7ff78e427a33 17580->17581 17584 7ff78e427ab8 17581->17584 17586 7ff78e427990 fputc 17581->17586 17582 7ff78e427990 fputc 17582->17584 17583 7ff78e427ae4 17585 7ff78e427b0c 17583->17585 17587 7ff78e427990 fputc 17583->17587 17584->17582 17584->17583 17585->17428 17586->17581 17587->17583 17592 7ff78e428953 17588->17592 17589 7ff78e428af8 17590 7ff78e428afe 17589->17590 17591 7ff78e428b11 17589->17591 17593 7ff78e427990 fputc 17590->17593 17594 7ff78e428b21 17591->17594 17595 7ff78e428b34 17591->17595 17592->17589 17599 7ff78e427990 fputc 17592->17599 17601 7ff78e428b0f 17593->17601 17596 7ff78e427990 fputc 17594->17596 17597 7ff78e427990 fputc 17595->17597 17595->17601 17596->17601 17597->17601 17598 7ff78e428b99 17600 7ff78e428c47 17598->17600 17603 7ff78e428ba3 17598->17603 17599->17592 17602 7ff78e427990 fputc 17600->17602 17601->17598 17605 7ff78e427990 fputc 17601->17605 17610 7ff78e428c45 17602->17610 17604 7ff78e427990 fputc 17603->17604 17603->17610 17614 7ff78e427b8c 17603->17614 17604->17603 17605->17601 17607 7ff78e428cf9 17607->17442 17608 7ff78e428cb3 17608->17607 17613 7ff78e427990 fputc 17608->17613 17609 7ff78e428c7f 17609->17608 17611 7ff78e427990 fputc 17609->17611 17610->17609 17624 7ff78e428659 17610->17624 17611->17609 17613->17608 17640 7ff78e42d600 17614->17640 17616 7ff78e427cbb 17618 7ff78e427ce3 17616->17618 17619 7ff78e427990 fputc 17616->17619 17617 7ff78e42d600 4 API calls 17622 7ff78e427c4a 17617->17622 17618->17603 17619->17616 17620 7ff78e427bb7 17621 7ff78e427990 fputc 17620->17621 17620->17622 17621->17620 17622->17616 17622->17617 17623 7ff78e427990 fputc 17622->17623 17623->17622 17625 7ff78e42867a memset 17624->17625 17626 7ff78e4286b2 17624->17626 17627 7ff78e428696 17625->17627 17628 7ff78e4287c1 17626->17628 17629 7ff78e4286e2 17626->17629 17651 7ff78e42d2fe 17627->17651 17630 7ff78e427990 fputc 17628->17630 17632 7ff78e42872a memset 17629->17632 17638 7ff78e4287ac 17630->17638 17633 7ff78e42d600 4 API calls 17632->17633 17634 7ff78e42876f 17633->17634 17635 7ff78e4287ae 17634->17635 17637 7ff78e428778 17634->17637 17636 7ff78e427990 fputc 17635->17636 17636->17638 17637->17638 17639 7ff78e427990 fputc 17637->17639 17638->17609 17639->17637 17641 7ff78e42d620 ___mb_cur_max_func ___lc_codepage_func 17640->17641 17645 7ff78e42d540 17641->17645 17646 7ff78e42d560 17645->17646 17648 7ff78e42d58f 17645->17648 17647 7ff78e42d56a _errno 17646->17647 17650 7ff78e42d57c 17646->17650 17647->17650 17649 7ff78e42d5e5 _errno 17648->17649 17648->17650 17649->17650 17650->17620 17652 7ff78e42d326 ___mb_cur_max_func ___lc_codepage_func 17651->17652 17654 7ff78e42d34a 17652->17654 17657 7ff78e42d130 17654->17657 17658 7ff78e42d159 17657->17658 17662 7ff78e42d14f 17657->17662 17659 7ff78e42d293 17658->17659 17660 7ff78e42d1ad 17658->17660 17661 7ff78e42d20b 17658->17661 17658->17662 17659->17662 17665 7ff78e42d2e1 _errno 17659->17665 17660->17662 17664 7ff78e42d1ec _errno 17660->17664 17661->17659 17663 7ff78e42d227 17661->17663 17662->17626 17663->17662 17666 7ff78e42d27a _errno 17663->17666 17664->17662 17665->17662 17666->17662 18392 7ff78e429863 18393 7ff78e427990 fputc 18392->18393 18394 7ff78e4297d4 18393->18394 18395 7ff78e42a143 18394->18395 18396 7ff78e427990 fputc 18394->18396 18396->18394 18463 7ff78e413690 18464 7ff78e413380 22 API calls 18463->18464 18465 7ff78e4136aa 18464->18465 18466 7ff78e413380 22 API calls 18465->18466 18467 7ff78e4136b6 18466->18467 16869 7ff78e41bf80 16880 7ff78e41b420 16869->16880 16874 7ff78e41c040 BaseThreadInitThunk 16875 7ff78e41bfe3 16876 7ff78e41b420 37 API calls 16875->16876 16877 7ff78e41bff4 16876->16877 16878 7ff78e41bb80 41 API calls 16877->16878 16879 7ff78e41c001 SetThreadContext 16878->16879 16879->16874 16881 7ff78e41b471 16880->16881 16882 7ff78e41b47c 16880->16882 16881->16882 16896 7ff78e416370 16881->16896 16884 7ff78e41bb80 16882->16884 16885 7ff78e41b420 37 API calls 16884->16885 16886 7ff78e41bbb1 16885->16886 16887 7ff78e41bce2 GetThreadContext 16886->16887 16888 7ff78e416370 37 API calls 16886->16888 16889 7ff78e41b420 37 API calls 16886->16889 16890 7ff78e413f10 37 API calls 16886->16890 16891 7ff78e413f10 37 API calls 16886->16891 16895 7ff78e41bc94 memcpy 16886->16895 17153 7ff78e413f10 16886->17153 16887->16874 16887->16875 16888->16886 16889->16886 16893 7ff78e41bd6d memcpy 16890->16893 16891->16886 16893->16886 16894 7ff78e41bc5f memcpy 16894->16895 16895->16886 16897 7ff78e4163a2 16896->16897 16898 7ff78e4163b6 16897->16898 16905 7ff78e420460 16897->16905 16960 7ff78e412ea0 16898->16960 16901 7ff78e416408 memcpy 16901->16882 16902 7ff78e4163c6 16902->16901 16979 7ff78e413bd0 16902->16979 16956 7ff78e420478 16905->16956 16906 7ff78e421ac9 16906->16898 16907 7ff78e420c69 16985 7ff78e41ddd0 16907->16985 16909 7ff78e420ca4 16910 7ff78e420cd5 16909->16910 16991 7ff78e420240 16909->16991 16910->16898 16911 7ff78e421622 16915 7ff78e421649 16911->16915 16916 7ff78e413170 3 API calls 16911->16916 16912 7ff78e420c8f 16912->16909 16912->16911 16914 7ff78e41ddd0 23 API calls 16912->16914 16914->16912 16917 7ff78e413170 3 API calls 16915->16917 16916->16911 16918 7ff78e42166b 16917->16918 16919 7ff78e412ea0 16 API calls 16918->16919 16920 7ff78e42168e 16919->16920 16936 7ff78e42170f 16920->16936 17005 7ff78e41fff0 16920->17005 16921 7ff78e412ea0 16 API calls 16924 7ff78e421016 memcpy 16921->16924 16922 7ff78e412ea0 16 API calls 16926 7ff78e42159b memcpy 16922->16926 16929 7ff78e413170 3 API calls 16924->16929 16925 7ff78e412ea0 16 API calls 16930 7ff78e421080 memcpy 16925->16930 16932 7ff78e413170 3 API calls 16926->16932 16927 7ff78e412ea0 16 API calls 16933 7ff78e421a15 memcpy 16927->16933 16928 7ff78e412ea0 16 API calls 16934 7ff78e421a7a memcpy 16928->16934 16929->16956 16935 7ff78e413170 3 API calls 16930->16935 16931 7ff78e412ea0 16 API calls 16937 7ff78e421217 memcpy 16931->16937 16932->16956 16938 7ff78e413170 3 API calls 16933->16938 16939 7ff78e413170 3 API calls 16934->16939 16935->16956 16941 7ff78e41fff0 22 API calls 16936->16941 16958 7ff78e421788 16936->16958 16942 7ff78e413170 3 API calls 16937->16942 16938->16956 16939->16956 16940 7ff78e412ea0 16 API calls 16943 7ff78e4213aa memcpy 16940->16943 16941->16936 16942->16956 16945 7ff78e413170 3 API calls 16943->16945 16944 7ff78e412ea0 16 API calls 16947 7ff78e421474 memcpy 16944->16947 16945->16956 16946 7ff78e412ea0 16 API calls 16949 7ff78e42140f memcpy 16946->16949 16950 7ff78e413170 3 API calls 16947->16950 16948 7ff78e412ea0 16 API calls 16951 7ff78e420ea5 memcpy 16948->16951 16953 7ff78e413170 3 API calls 16949->16953 16950->16956 16998 7ff78e413170 16951->16998 16952 7ff78e412ea0 16 API calls 16955 7ff78e4219b0 memcpy 16952->16955 16953->16956 16957 7ff78e413170 3 API calls 16955->16957 16956->16906 16956->16907 16956->16921 16956->16922 16956->16925 16956->16927 16956->16928 16956->16931 16956->16940 16956->16944 16956->16946 16956->16948 16956->16952 16957->16956 16958->16909 16959 7ff78e413170 VirtualFree exit fputc 16958->16959 16959->16958 16961 7ff78e412f30 16960->16961 16962 7ff78e412ec5 16960->16962 16965 7ff78e413098 16961->16965 16966 7ff78e412f45 16961->16966 16963 7ff78e412fa0 VirtualAlloc 16962->16963 16964 7ff78e412ed6 16962->16964 16963->16966 16967 7ff78e412fc3 16963->16967 16968 7ff78e4129d0 15 API calls 16964->16968 17077 7ff78e4129d0 16965->17077 16973 7ff78e412f09 16966->16973 17112 7ff78e412260 16966->17112 16970 7ff78e413003 16967->16970 16974 7ff78e413022 16967->16974 16971 7ff78e412ede 16968->16971 17094 7ff78e412290 16970->17094 17087 7ff78e412d60 16971->17087 16973->16902 16974->16971 16975 7ff78e413162 16978 7ff78e413125 16978->16902 16980 7ff78e413c08 16979->16980 16981 7ff78e413beb 16979->16981 16982 7ff78e412ea0 16 API calls 16980->16982 16981->16901 16983 7ff78e413c34 memcpy 16982->16983 16984 7ff78e413170 3 API calls 16983->16984 16984->16981 16990 7ff78e41ddf0 16985->16990 16986 7ff78e41df00 16986->16912 16987 7ff78e41de50 VariantClear 16987->16990 16988 7ff78e413c70 22 API calls 16988->16990 16989 7ff78e413170 3 API calls 16989->16990 16990->16986 16990->16987 16990->16988 16990->16989 16992 7ff78e420260 16991->16992 16993 7ff78e420253 16991->16993 16994 7ff78e412ea0 16 API calls 16992->16994 16997 7ff78e42027b 16992->16997 16993->16909 16995 7ff78e4202c1 memcpy 16994->16995 16996 7ff78e413170 3 API calls 16995->16996 16996->16997 16997->16909 16999 7ff78e4132a0 16998->16999 17000 7ff78e4131a2 16998->17000 16999->16956 17000->16999 17001 7ff78e413242 VirtualFree 17000->17001 17001->16999 17002 7ff78e413288 17001->17002 17017 7ff78e422c50 17002->17017 17029 7ff78e41db70 17005->17029 17008 7ff78e42021f 17009 7ff78e413c70 22 API calls 17008->17009 17010 7ff78e420232 17009->17010 17010->17010 17011 7ff78e4200e8 17011->16920 17012 7ff78e41db70 20 API calls 17015 7ff78e420015 17012->17015 17013 7ff78e4201aa 17013->17015 17040 7ff78e413c70 17013->17040 17015->17011 17015->17012 17016 7ff78e413c70 22 API calls 17015->17016 17016->17015 17018 7ff78e422c79 17017->17018 17021 7ff78e427930 17018->17021 17020 7ff78e413294 exit 17020->16999 17022 7ff78e427950 17021->17022 17025 7ff78e42975f 17022->17025 17024 7ff78e427974 17024->17020 17028 7ff78e42977e 17025->17028 17026 7ff78e42a143 17026->17024 17027 7ff78e427990 fputc 17027->17028 17028->17026 17028->17027 17030 7ff78e41dbba 17029->17030 17031 7ff78e41dce0 17030->17031 17033 7ff78e41dc35 17030->17033 17036 7ff78e41dbd7 17030->17036 17032 7ff78e412ea0 16 API calls 17031->17032 17034 7ff78e41dd01 memset 17032->17034 17035 7ff78e412ea0 16 API calls 17033->17035 17037 7ff78e41dd2d 17034->17037 17035->17036 17036->17008 17036->17013 17036->17015 17038 7ff78e413170 3 API calls 17037->17038 17039 7ff78e41dd95 17038->17039 17041 7ff78e413c85 17040->17041 17043 7ff78e413cb1 17040->17043 17041->17043 17044 7ff78e413ce0 17041->17044 17045 7ff78e413caa 17041->17045 17042 7ff78e413c70 22 API calls 17042->17044 17043->17013 17044->17042 17044->17043 17045->17043 17048 7ff78e413d50 17045->17048 17053 7ff78e413380 17045->17053 17049 7ff78e413d79 17048->17049 17050 7ff78e413d90 17048->17050 17049->17045 17050->17049 17051 7ff78e413d50 22 API calls 17050->17051 17052 7ff78e413380 22 API calls 17050->17052 17051->17050 17052->17050 17054 7ff78e41338e 17053->17054 17063 7ff78e4133bb 17053->17063 17055 7ff78e41339b 17054->17055 17058 7ff78e413480 17054->17058 17056 7ff78e4133a1 17055->17056 17057 7ff78e4133e0 17055->17057 17060 7ff78e412ea0 16 API calls 17056->17060 17056->17063 17059 7ff78e41db70 20 API calls 17057->17059 17058->17063 17064 7ff78e412ea0 16 API calls 17058->17064 17061 7ff78e420004 17059->17061 17062 7ff78e413427 memcpy 17060->17062 17067 7ff78e42021f 17061->17067 17073 7ff78e4201aa 17061->17073 17076 7ff78e420015 17061->17076 17065 7ff78e413170 3 API calls 17062->17065 17063->17045 17066 7ff78e4202c1 memcpy 17064->17066 17065->17063 17068 7ff78e413170 3 API calls 17066->17068 17069 7ff78e413c70 20 API calls 17067->17069 17068->17063 17070 7ff78e420232 17069->17070 17070->17070 17071 7ff78e4200e8 17071->17045 17072 7ff78e41db70 20 API calls 17072->17076 17074 7ff78e413c70 20 API calls 17073->17074 17073->17076 17074->17073 17075 7ff78e413c70 20 API calls 17075->17076 17076->17071 17076->17072 17076->17075 17078 7ff78e4129ed 17077->17078 17086 7ff78e412b96 17077->17086 17079 7ff78e412cf4 17078->17079 17081 7ff78e412370 15 API calls 17078->17081 17083 7ff78e412b46 17078->17083 17078->17086 17079->17086 17137 7ff78e412370 17079->17137 17080 7ff78e412290 12 API calls 17084 7ff78e412bea 17080->17084 17081->17079 17083->17086 17133 7ff78e412610 17083->17133 17084->16973 17086->17080 17086->17084 17088 7ff78e412d8b 17087->17088 17089 7ff78e412e30 17087->17089 17091 7ff78e412d97 17088->17091 17093 7ff78e412d60 12 API calls 17088->17093 17090 7ff78e412e3c 17089->17090 17092 7ff78e412290 12 API calls 17089->17092 17090->16973 17091->16973 17092->17090 17093->17091 17095 7ff78e4122a9 17094->17095 17096 7ff78e412300 VirtualAlloc 17094->17096 17095->17096 17097 7ff78e4122b1 17095->17097 17096->17097 17098 7ff78e412360 17096->17098 17097->16978 17099 7ff78e412260 8 API calls 17098->17099 17101 7ff78e412365 17099->17101 17100 7ff78e4125d4 17100->16978 17101->17100 17102 7ff78e4125b8 VirtualAlloc 17101->17102 17103 7ff78e4123c4 VirtualAlloc 17101->17103 17104 7ff78e4125cf 17102->17104 17109 7ff78e4123e2 17102->17109 17105 7ff78e4123db 17103->17105 17106 7ff78e4125e4 VirtualAlloc 17103->17106 17107 7ff78e412260 8 API calls 17104->17107 17105->17109 17106->17104 17108 7ff78e4125ff 17106->17108 17107->17100 17110 7ff78e412290 8 API calls 17109->17110 17111 7ff78e412426 17109->17111 17110->17111 17111->16978 17113 7ff78e41226f 17112->17113 17150 7ff78e411db0 strlen fwrite 17113->17150 17115 7ff78e41227e exit 17116 7ff78e412290 17115->17116 17117 7ff78e412300 VirtualAlloc 17116->17117 17118 7ff78e4122b1 17116->17118 17117->17118 17119 7ff78e412360 17117->17119 17118->16975 17120 7ff78e412260 7 API calls 17119->17120 17122 7ff78e412365 17120->17122 17121 7ff78e4125d4 17121->16975 17122->17121 17123 7ff78e4125b8 VirtualAlloc 17122->17123 17124 7ff78e4123c4 VirtualAlloc 17122->17124 17125 7ff78e4125cf 17123->17125 17130 7ff78e4123e2 17123->17130 17126 7ff78e4123db 17124->17126 17127 7ff78e4125e4 VirtualAlloc 17124->17127 17128 7ff78e412260 7 API calls 17125->17128 17126->17130 17127->17125 17129 7ff78e4125ff 17127->17129 17128->17121 17131 7ff78e412290 7 API calls 17130->17131 17132 7ff78e412426 17130->17132 17131->17132 17132->16975 17134 7ff78e412666 17133->17134 17135 7ff78e4126e6 17134->17135 17136 7ff78e412290 12 API calls 17134->17136 17135->17086 17136->17135 17138 7ff78e41238c 17137->17138 17146 7ff78e4125d4 17137->17146 17139 7ff78e4125b8 VirtualAlloc 17138->17139 17140 7ff78e4123c4 VirtualAlloc 17138->17140 17141 7ff78e4125cf 17139->17141 17147 7ff78e4123e2 17139->17147 17142 7ff78e4123db 17140->17142 17143 7ff78e4125e4 VirtualAlloc 17140->17143 17144 7ff78e412260 12 API calls 17141->17144 17142->17147 17143->17141 17145 7ff78e4125ff 17143->17145 17144->17146 17146->17083 17148 7ff78e412290 12 API calls 17147->17148 17149 7ff78e412426 17147->17149 17148->17149 17149->17083 17151 7ff78e42d0a8 fflush 17150->17151 17151->17115 17152 7ff78e45e3bc 17151->17152 17154 7ff78e413f31 17153->17154 17155 7ff78e413f41 17154->17155 17156 7ff78e420460 35 API calls 17154->17156 17157 7ff78e412ea0 16 API calls 17155->17157 17156->17155 17160 7ff78e413f51 17157->17160 17158 7ff78e413f8c memset 17158->16894 17160->17158 17161 7ff78e413bd0 20 API calls 17160->17161 17161->17158 17679 7ff78e42d380 17680 7ff78e42d3ae ___lc_codepage_func ___mb_cur_max_func 17679->17680 17682 7ff78e42d3d6 17680->17682 17684 7ff78e42d3e2 17680->17684 17682->17684 17685 7ff78e42d483 17682->17685 17687 7ff78e42d3f7 17682->17687 17683 7ff78e42d130 3 API calls 17683->17685 17685->17683 17685->17684 17686 7ff78e42d130 3 API calls 17686->17687 17687->17684 17687->17686 18486 7ff78e42aa2e 18487 7ff78e42aabd 18486->18487 18488 7ff78e42a150 malloc 18487->18488 18502 7ff78e42aac7 18488->18502 18489 7ff78e42b2b5 18490 7ff78e42b350 18489->18490 18493 7ff78e42b2f1 18489->18493 18494 7ff78e42b356 18489->18494 18492 7ff78e42c29b malloc 18490->18492 18491 7ff78e42c29b malloc 18491->18489 18495 7ff78e42b373 18492->18495 18496 7ff78e42b32a 18493->18496 18498 7ff78e42c507 3 API calls 18493->18498 18497 7ff78e42c507 3 API calls 18494->18497 18501 7ff78e42c507 3 API calls 18495->18501 18511 7ff78e42b38c 18495->18511 18496->18490 18500 7ff78e42c507 3 API calls 18496->18500 18497->18490 18499 7ff78e42b306 18498->18499 18504 7ff78e42c2e1 malloc 18499->18504 18500->18490 18501->18511 18502->18489 18502->18491 18520 7ff78e42ae0a 18502->18520 18537 7ff78e42afee 18502->18537 18503 7ff78e42c0e8 free 18512 7ff78e42baaf 18503->18512 18506 7ff78e42b31a 18504->18506 18505 7ff78e42c0e8 free 18507 7ff78e42baf1 18505->18507 18509 7ff78e42c0e8 free 18506->18509 18508 7ff78e42bad3 18513 7ff78e42c0e8 free 18508->18513 18509->18496 18510 7ff78e42b423 18515 7ff78e42c6c0 2 API calls 18510->18515 18523 7ff78e42b442 18510->18523 18511->18510 18514 7ff78e42c6c0 2 API calls 18511->18514 18512->18508 18516 7ff78e42c0e8 free 18512->18516 18512->18520 18513->18520 18514->18510 18515->18523 18516->18508 18517 7ff78e42b49c 18518 7ff78e42b531 18517->18518 18521 7ff78e42b4b9 18517->18521 18519 7ff78e42b53b 18518->18519 18527 7ff78e42b94d 18518->18527 18522 7ff78e42b550 18519->18522 18524 7ff78e42c6c0 2 API calls 18519->18524 18520->18505 18526 7ff78e42c170 3 API calls 18521->18526 18521->18537 18528 7ff78e42bfa6 malloc 18522->18528 18543 7ff78e42b5b5 18522->18543 18523->18517 18525 7ff78e42c170 3 API calls 18523->18525 18524->18522 18529 7ff78e42b47b 18525->18529 18526->18537 18530 7ff78e42b9a9 18527->18530 18532 7ff78e42c170 3 API calls 18527->18532 18531 7ff78e42b570 memcpy 18528->18531 18529->18517 18534 7ff78e42c170 3 API calls 18529->18534 18535 7ff78e42c6c0 2 API calls 18530->18535 18530->18537 18533 7ff78e42c6c0 2 API calls 18531->18533 18532->18527 18533->18543 18534->18517 18535->18537 18536 7ff78e42c91a malloc 18536->18543 18537->18503 18537->18520 18538 7ff78e42c0e8 free 18538->18543 18539 7ff78e42b6d5 18540 7ff78e42b7ba 18539->18540 18544 7ff78e42b6fa 18539->18544 18540->18537 18541 7ff78e42c6c0 2 API calls 18540->18541 18541->18537 18542 7ff78e42c170 malloc free memcpy 18542->18543 18543->18530 18543->18536 18543->18537 18543->18538 18543->18539 18543->18542 18544->18537 18545 7ff78e42c170 malloc free memcpy 18544->18545 18545->18544 18549 7ff78e429a35 18550 7ff78e429a43 18549->18550 18551 7ff78e427df4 fputc 18550->18551 18552 7ff78e429af2 18551->18552 18552->18552 18553 153c16d0730 18556 153c16d0780 18553->18556 18554 153c16d1b10 2 API calls 18555 153c16d0849 18554->18555 18556->18554 18556->18555 18557 7ff78e411017 18558 7ff78e411024 18557->18558 18559 7ff78e411037 __set_app_type 18558->18559 18560 7ff78e411043 18558->18560 18559->18560 17714 7ff78e426f20 17715 7ff78e426f4f 17714->17715 17716 7ff78e426f90 17715->17716 17717 7ff78e42704f signal 17715->17717 17720 7ff78e426f60 17715->17720 17719 7ff78e426ff8 signal 17716->17719 17716->17720 17718 7ff78e427069 signal 17717->17718 17717->17720 17718->17720 17719->17720 17721 7ff78e427012 signal 17719->17721 17721->17720 17166 7ff78e411125 17169 7ff78e411154 17166->17169 17170 7ff78e411188 17169->17170 17171 7ff78e411249 17170->17171 17172 7ff78e41123d _amsg_exit 17170->17172 17173 7ff78e41127e 17171->17173 17174 7ff78e411256 _initterm 17171->17174 17172->17173 17175 7ff78e411296 _initterm 17173->17175 17176 7ff78e4112bc 17173->17176 17174->17173 17175->17176 17185 7ff78e411591 17176->17185 17178 7ff78e41140e 17190 7ff78e42da70 17178->17190 17181 7ff78e411462 17183 7ff78e41146c _cexit 17181->17183 17184 7ff78e411146 17181->17184 17182 7ff78e411455 exit 17182->17181 17183->17184 17186 7ff78e4115b7 17185->17186 17187 7ff78e41166a 17186->17187 17188 7ff78e4115d2 17186->17188 17187->17178 17189 7ff78e4115f1 malloc memcpy 17188->17189 17189->17186 17191 7ff78e42db18 17190->17191 17351 7ff78e412020 17191->17351 17193 7ff78e42e8c2 17194 7ff78e4322bf 17193->17194 17196 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17193->17196 17195 7ff78e412050 strlen fwrite fflush GetLastError exit 17194->17195 17197 7ff78e4322cb 17195->17197 17198 7ff78e42e8e1 17196->17198 17199 7ff78e412050 strlen fwrite fflush GetLastError exit 17197->17199 17200 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17198->17200 17201 7ff78e4322d7 17199->17201 17202 7ff78e42e8fb 17200->17202 17203 7ff78e412050 strlen fwrite fflush GetLastError exit 17201->17203 17206 7ff78e43234b 17202->17206 17212 7ff78e41fde0 15 API calls 17202->17212 17204 7ff78e4322e3 17203->17204 17205 7ff78e412050 strlen fwrite fflush GetLastError exit 17204->17205 17207 7ff78e4322ef 17205->17207 17208 7ff78e411df0 fwrite fflush exit 17206->17208 17209 7ff78e412050 strlen fwrite fflush GetLastError exit 17207->17209 17210 7ff78e432350 17208->17210 17211 7ff78e4322fb 17209->17211 17213 7ff78e412050 strlen fwrite fflush GetLastError exit 17211->17213 17214 7ff78e42ef92 17212->17214 17215 7ff78e432307 17213->17215 17216 7ff78e41fde0 15 API calls 17214->17216 17217 7ff78e412050 strlen fwrite fflush GetLastError exit 17215->17217 17218 7ff78e42efa5 17216->17218 17220 7ff78e432313 17217->17220 17219 7ff78e41fde0 15 API calls 17218->17219 17221 7ff78e42efb8 17219->17221 17222 7ff78e412050 strlen fwrite fflush GetLastError exit 17220->17222 17224 7ff78e41fde0 15 API calls 17221->17224 17223 7ff78e43231f 17222->17223 17225 7ff78e412050 strlen fwrite fflush GetLastError exit 17223->17225 17226 7ff78e42efc4 17224->17226 17227 7ff78e43232b 17225->17227 17228 7ff78e41fde0 15 API calls 17226->17228 17229 7ff78e412050 strlen fwrite fflush GetLastError exit 17227->17229 17230 7ff78e42eff1 17228->17230 17231 7ff78e432337 17229->17231 17233 7ff78e42f01e signal signal signal signal 17230->17233 17232 7ff78e412050 strlen fwrite fflush GetLastError exit 17231->17232 17234 7ff78e43233f 17232->17234 17235 7ff78e412020 LoadLibraryA 17233->17235 17236 7ff78e412050 strlen fwrite fflush GetLastError exit 17234->17236 17237 7ff78e42f242 17235->17237 17236->17206 17237->17197 17238 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17237->17238 17239 7ff78e42f261 17238->17239 17240 7ff78e412020 LoadLibraryA 17239->17240 17241 7ff78e42f274 17240->17241 17241->17201 17242 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17241->17242 17243 7ff78e42f293 17242->17243 17244 7ff78e412020 LoadLibraryA 17243->17244 17245 7ff78e42f2a6 17244->17245 17246 7ff78e42f2b9 17245->17246 17247 7ff78e4322b3 17245->17247 17248 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17246->17248 17249 7ff78e412050 strlen fwrite fflush GetLastError exit 17247->17249 17250 7ff78e42f2c5 17248->17250 17249->17194 17251 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17250->17251 17252 7ff78e42f2df 17251->17252 17253 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17252->17253 17254 7ff78e42f2f9 17253->17254 17255 7ff78e412020 LoadLibraryA 17254->17255 17256 7ff78e42f30c 17255->17256 17256->17204 17257 7ff78e42f31f 17256->17257 17258 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17257->17258 17259 7ff78e42f32b 17258->17259 17260 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17259->17260 17261 7ff78e42f345 17260->17261 17262 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17261->17262 17263 7ff78e42f35f 17262->17263 17264 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17263->17264 17265 7ff78e42f379 17264->17265 17266 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17265->17266 17267 7ff78e42f393 17266->17267 17268 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17267->17268 17269 7ff78e42f3ad 17268->17269 17270 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17269->17270 17271 7ff78e42f3c7 17270->17271 17272 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17271->17272 17273 7ff78e42f3e1 17272->17273 17274 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17273->17274 17275 7ff78e42f3fb 17274->17275 17276 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17275->17276 17277 7ff78e42f415 17276->17277 17278 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17277->17278 17279 7ff78e42f42f 17278->17279 17280 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17279->17280 17281 7ff78e42f449 17280->17281 17282 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17281->17282 17283 7ff78e42f463 17282->17283 17284 7ff78e412020 LoadLibraryA 17283->17284 17285 7ff78e42f476 17284->17285 17285->17207 17286 7ff78e42f489 17285->17286 17287 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17286->17287 17288 7ff78e42f49c 17287->17288 17289 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17288->17289 17290 7ff78e42f4b6 17289->17290 17291 7ff78e412020 LoadLibraryA 17290->17291 17292 7ff78e42f5af 17291->17292 17292->17211 17293 7ff78e42f5c2 17292->17293 17294 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17293->17294 17295 7ff78e42f5ce 17294->17295 17296 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17295->17296 17297 7ff78e42f5e8 17296->17297 17298 7ff78e412020 LoadLibraryA 17297->17298 17299 7ff78e4319b1 17298->17299 17299->17220 17300 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17299->17300 17301 7ff78e4319d0 17300->17301 17302 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17301->17302 17303 7ff78e4319ea 17302->17303 17304 7ff78e412020 LoadLibraryA 17303->17304 17305 7ff78e4319fd 17304->17305 17305->17215 17306 7ff78e431a10 17305->17306 17307 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17306->17307 17308 7ff78e431a1c 17307->17308 17309 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17308->17309 17310 7ff78e431a36 17309->17310 17311 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17310->17311 17312 7ff78e431a50 17311->17312 17313 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17312->17313 17314 7ff78e431a6a 17313->17314 17315 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17314->17315 17316 7ff78e431a84 17315->17316 17317 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17316->17317 17318 7ff78e431a9e 17317->17318 17319 7ff78e412020 LoadLibraryA 17318->17319 17320 7ff78e431ab1 17319->17320 17320->17223 17321 7ff78e431ac4 17320->17321 17322 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17321->17322 17323 7ff78e431ad0 17322->17323 17324 7ff78e412020 LoadLibraryA 17323->17324 17325 7ff78e431ae3 17324->17325 17325->17227 17326 7ff78e431af6 17325->17326 17327 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17326->17327 17328 7ff78e431b09 17327->17328 17329 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17328->17329 17330 7ff78e431b23 17329->17330 17331 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17330->17331 17332 7ff78e431b3d 17331->17332 17333 7ff78e41bb80 41 API calls 17332->17333 17334 7ff78e432197 17333->17334 17335 7ff78e412020 LoadLibraryA 17334->17335 17336 7ff78e4321a2 17335->17336 17336->17231 17337 7ff78e4321b5 17336->17337 17338 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17337->17338 17339 7ff78e4321c1 17338->17339 17340 7ff78e412020 LoadLibraryA 17339->17340 17341 7ff78e4321d4 17340->17341 17341->17234 17342 7ff78e4321e7 17341->17342 17343 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17342->17343 17344 7ff78e4321f3 17343->17344 17345 7ff78e4120f0 strlen fwrite fflush GetProcAddress exit 17344->17345 17346 7ff78e43220d 17345->17346 17349 7ff78e418c30 75 API calls 17346->17349 17347 7ff78e43221e 17350 7ff78e41c240 186 API calls 17347->17350 17348 7ff78e411445 17348->17181 17348->17182 17349->17347 17350->17348 17352 7ff78e412038 LoadLibraryA 17351->17352 17353 7ff78e41202c 17351->17353 17353->17352 18579 7ff78e422a50 18580 7ff78e4225f0 36 API calls 18579->18580 18581 7ff78e422a6c 18580->18581 18582 7ff78e414270 38 API calls 18581->18582 18585 7ff78e422a90 18582->18585 18583 7ff78e420420 20 API calls 18583->18585 18584 7ff78e420240 20 API calls 18584->18585 18585->18583 18585->18584 18586 7ff78e415a20 57 API calls 18585->18586 18586->18585 17745 7ff78e416150 17746 7ff78e4161a0 strlen 17745->17746 17749 7ff78e416162 17745->17749 17750 7ff78e4150a0 17746->17750 17749->17746 17751 7ff78e4150be exit 17750->17751 17752 7ff78e4150d0 fwrite 17750->17752 17754 7ff78e427555 strlen 17755 7ff78e427570 17754->17755 16863 153c16d1b10 16864 153c16d1b5d 16863->16864 16865 153c16d1b6f NtProtectVirtualMemory 16864->16865 16867 153c16d1bc6 16865->16867 16866 153c16d1bcc NtCreateSection 16868 153c16d1c21 16866->16868 16867->16866 17759 7ff78e426540 17760 7ff78e42656a 17759->17760 17761 7ff78e426614 fprintf 17760->17761 17762 7ff78e429941 17763 7ff78e42994b 17762->17763 17766 7ff78e427b14 17763->17766 17765 7ff78e42995a 17765->17765 17767 7ff78e427b2b 17766->17767 17768 7ff78e427b6a strlen 17767->17768 17769 7ff78e427b41 17767->17769 17770 7ff78e427a15 fputc 17768->17770 17772 7ff78e427a15 fputc 17769->17772 17771 7ff78e427b68 17770->17771 17771->17765 17772->17771 18606 7ff78e42da41 GetLastError 17773 7ff78e412740 17774 7ff78e41276e 17773->17774 17775 7ff78e412610 12 API calls 17774->17775 17775->17774 18607 7ff78e411c40 IsEqualGUID IsEqualGUID IsEqualGUID 18608 7ff78e411c8c 18607->18608 17780 7ff78e4195e8 17781 7ff78e4161c0 37 API calls 17780->17781 17782 7ff78e4195f4 17781->17782 18627 7ff78e4298ee 18628 7ff78e4298fb 18627->18628 18629 7ff78e42991c 18628->18629 18633 7ff78e427ceb 18628->18633 18631 7ff78e427b14 2 API calls 18629->18631 18632 7ff78e42993c 18631->18632 18632->18632 18634 7ff78e427d02 18633->18634 18635 7ff78e427d18 18634->18635 18636 7ff78e427d41 18634->18636 18637 7ff78e427b8c 5 API calls 18635->18637 18638 7ff78e427b8c 5 API calls 18636->18638 18639 7ff78e427d3f 18637->18639 18638->18639 18639->18629 17791 7ff78e4199f0 17823 7ff78e415b50 17791->17823 17794 7ff78e419aa8 SysStringLen 17842 7ff78e416580 17794->17842 17795 7ff78e419a85 17798 7ff78e419bdc _setjmp 17821 7ff78e419c1d 17798->17821 17799 7ff78e419b16 CoInitialize 17816 7ff78e419aea 17799->17816 17801 7ff78e419e82 strlen 17962 7ff78e421d60 17801->17962 17803 7ff78e419c9e VariantCopy 17803->17821 17805 7ff78e413f10 37 API calls 17805->17821 17806 7ff78e420300 57 API calls 17806->17821 17809 7ff78e419f5e memcpy 17809->17821 17811 7ff78e419fa5 memcpy 17811->17821 17815 7ff78e420240 20 API calls 17815->17821 17816->17798 17816->17799 17820 7ff78e420240 20 API calls 17816->17820 17816->17821 17847 7ff78e422480 17816->17847 17855 7ff78e4187d0 17816->17855 17872 7ff78e415bb0 17816->17872 17820->17816 17821->17795 17821->17801 17821->17803 17821->17805 17821->17806 17821->17809 17821->17811 17821->17815 17884 7ff78e416540 17821->17884 17889 7ff78e4225f0 17821->17889 17897 7ff78e419280 17821->17897 17924 7ff78e418fd0 17821->17924 17950 7ff78e420420 17821->17950 17954 7ff78e415a20 17821->17954 17970 7ff78e422bf0 17821->17970 17824 7ff78e415b77 17823->17824 17825 7ff78e415ba1 17824->17825 17827 7ff78e415b8f 17824->17827 17976 7ff78e415ac0 17825->17976 17829 7ff78e413f10 37 API calls 17827->17829 17830 7ff78e415b94 17829->17830 17830->17794 17830->17795 17843 7ff78e41659e WideCharToMultiByte 17842->17843 17844 7ff78e416648 SysFreeString 17842->17844 17845 7ff78e413f10 37 API calls 17843->17845 17844->17798 17844->17816 17846 7ff78e416601 WideCharToMultiByte 17845->17846 17846->17844 17848 7ff78e42249f 17847->17848 17849 7ff78e4224ac 17848->17849 17850 7ff78e420460 35 API calls 17848->17850 17851 7ff78e412ea0 16 API calls 17849->17851 17850->17849 17853 7ff78e4224ba 17851->17853 17852 7ff78e4224ef 17852->17816 17853->17852 17854 7ff78e413bd0 20 API calls 17853->17854 17854->17852 17857 7ff78e4187ed 17855->17857 17856 7ff78e418852 17858 7ff78e415b50 57 API calls 17856->17858 17863 7ff78e4188a7 17856->17863 17857->17856 17860 7ff78e413f10 37 API calls 17857->17860 17861 7ff78e418834 17857->17861 17869 7ff78e418c13 17857->17869 17865 7ff78e418992 17858->17865 17859 7ff78e415ac0 57 API calls 17871 7ff78e4188f2 VariantCopy 17859->17871 17860->17861 17861->17856 17862 7ff78e420240 20 API calls 17861->17862 17862->17856 17864 7ff78e415b50 57 API calls 17863->17864 17863->17871 17867 7ff78e418a65 17864->17867 17865->17863 17866 7ff78e420240 20 API calls 17865->17866 17866->17863 17868 7ff78e418a80 17867->17868 17867->17869 17867->17871 17870 7ff78e420240 20 API calls 17868->17870 17868->17871 17869->17859 17870->17871 17871->17816 17871->17821 17873 7ff78e415cb8 17872->17873 17876 7ff78e415bcd 17872->17876 17874 7ff78e415b50 56 API calls 17873->17874 17875 7ff78e415be3 17874->17875 17875->17816 17876->17875 17877 7ff78e415cd4 17876->17877 17879 7ff78e415c55 17876->17879 17878 7ff78e415ac0 56 API calls 17877->17878 17880 7ff78e415cd9 17878->17880 17881 7ff78e413f10 37 API calls 17879->17881 17882 7ff78e415c5d memcpy 17881->17882 17882->17875 17885 7ff78e41655f 17884->17885 17886 7ff78e416550 longjmp 17884->17886 18011 7ff78e415110 17885->18011 17886->17885 17888 7ff78e41656b exit 17890 7ff78e42260f 17889->17890 17891 7ff78e422620 17890->17891 17893 7ff78e420460 35 API calls 17890->17893 17892 7ff78e412ea0 16 API calls 17891->17892 17895 7ff78e42262e 17892->17895 17893->17891 17894 7ff78e422663 17894->17821 17895->17894 17896 7ff78e413bd0 20 API calls 17895->17896 17896->17894 17898 7ff78e41929a 17897->17898 17909 7ff78e4192dc 17897->17909 17899 7ff78e4192a6 17898->17899 17901 7ff78e421d60 36 API calls 17898->17901 17900 7ff78e4192af 17899->17900 17902 7ff78e4142f0 37 API calls 17899->17902 17903 7ff78e4192b8 17900->17903 17904 7ff78e4193ce 17900->17904 17901->17899 17902->17900 17907 7ff78e4192c5 17903->17907 17908 7ff78e419437 17903->17908 17903->17909 17906 7ff78e4142f0 37 API calls 17904->17906 17905 7ff78e413f10 37 API calls 17905->17909 17906->17908 17911 7ff78e4142f0 37 API calls 17907->17911 17913 7ff78e414a80 39 API calls 17908->17913 17909->17905 17910 7ff78e4142f0 37 API calls 17909->17910 17912 7ff78e4195d0 17909->17912 17915 7ff78e4161c0 37 API calls 17909->17915 17920 7ff78e419349 17909->17920 17914 7ff78e419511 memcpy 17910->17914 17911->17909 17916 7ff78e4161c0 37 API calls 17912->17916 17917 7ff78e419478 17913->17917 17914->17909 17915->17909 17918 7ff78e4195dc 17916->17918 17917->17909 17919 7ff78e413f10 37 API calls 17917->17919 17921 7ff78e4194aa memcpy 17919->17921 17922 7ff78e4142f0 37 API calls 17920->17922 17921->17909 17923 7ff78e419354 memcpy 17922->17923 17923->17821 17925 7ff78e418ff1 17924->17925 17926 7ff78e418fe5 17924->17926 17928 7ff78e4191e8 17925->17928 17929 7ff78e418ffa 17925->17929 17926->17925 17927 7ff78e4190f0 17926->17927 17930 7ff78e4190f7 17927->17930 17931 7ff78e419170 17927->17931 17933 7ff78e413f10 37 API calls 17928->17933 17932 7ff78e419008 17929->17932 17936 7ff78e416370 37 API calls 17929->17936 17930->17932 17934 7ff78e419100 17930->17934 17935 7ff78e416370 37 API calls 17931->17935 17940 7ff78e413f10 37 API calls 17932->17940 17949 7ff78e419203 17933->17949 17937 7ff78e413f10 37 API calls 17934->17937 17938 7ff78e419178 17935->17938 17936->17932 17939 7ff78e41912a 17937->17939 17938->17932 17941 7ff78e419184 17938->17941 17946 7ff78e41909a memcpy 17939->17946 17942 7ff78e41902f memcpy 17940->17942 17943 7ff78e419248 17941->17943 17944 7ff78e41918d 17941->17944 17942->17946 17947 7ff78e4190b8 17942->17947 17945 7ff78e413f10 37 API calls 17943->17945 17948 7ff78e413f10 37 API calls 17944->17948 17945->17949 17946->17947 17947->17821 17948->17939 17949->17821 17951 7ff78e420430 17950->17951 17952 7ff78e420446 17950->17952 17951->17952 17953 7ff78e420240 20 API calls 17951->17953 17952->17821 17953->17952 17955 7ff78e415a39 17954->17955 17956 7ff78e415bb0 57 API calls 17955->17956 17958 7ff78e415a4e 17956->17958 17957 7ff78e415a80 18085 7ff78e415970 17957->18085 17958->17957 17960 7ff78e420240 20 API calls 17958->17960 17960->17957 17963 7ff78e421d7a 17962->17963 17964 7ff78e421d87 17963->17964 17966 7ff78e420460 35 API calls 17963->17966 17965 7ff78e412ea0 16 API calls 17964->17965 17968 7ff78e421d94 17965->17968 17966->17964 17967 7ff78e419eb0 memcpy 17967->17821 17968->17967 17969 7ff78e413bd0 20 API calls 17968->17969 17969->17967 17971 7ff78e422c08 17970->17971 18101 7ff78e422af0 17971->18101 17975 7ff78e422c3b 17977 7ff78e4225f0 36 API calls 17976->17977 17978 7ff78e415adc 17977->17978 17983 7ff78e414270 17978->17983 17980 7ff78e415b00 17981 7ff78e415a20 57 API calls 17980->17981 17982 7ff78e420240 20 API calls 17980->17982 17981->17980 17982->17980 17984 7ff78e414287 17983->17984 17985 7ff78e414280 17983->17985 17984->17980 17985->17984 17988 7ff78e421ec0 17985->17988 17987 7ff78e4142b8 memcpy 17987->17980 17989 7ff78e421efb 17988->17989 17990 7ff78e421f0c 17989->17990 17993 7ff78e420460 35 API calls 17989->17993 17991 7ff78e421fd8 17990->17991 17992 7ff78e421f24 17990->17992 17996 7ff78e421fee 17991->17996 17997 7ff78e422140 17991->17997 17994 7ff78e422050 VirtualAlloc 17992->17994 17995 7ff78e421f35 17992->17995 17993->17990 17999 7ff78e4221f8 17994->17999 18000 7ff78e422073 17994->18000 17998 7ff78e4129d0 15 API calls 17995->17998 17996->17999 18005 7ff78e421f70 memset 17996->18005 18001 7ff78e4129d0 15 API calls 17997->18001 18002 7ff78e421f41 17998->18002 18004 7ff78e412260 12 API calls 17999->18004 18000->18002 18003 7ff78e4220ac 18000->18003 18001->18005 18009 7ff78e412d60 12 API calls 18002->18009 18008 7ff78e412290 12 API calls 18003->18008 18007 7ff78e422215 18004->18007 18005->17987 18010 7ff78e4221d6 18008->18010 18009->18005 18010->17987 18012 7ff78e41515b 18011->18012 18016 7ff78e415166 18011->18016 18013 7ff78e413f10 37 API calls 18012->18013 18012->18016 18049 7ff78e415291 18013->18049 18014 7ff78e41521b strlen 18018 7ff78e415697 memcpy strlen 18014->18018 18019 7ff78e415236 18014->18019 18015 7ff78e415855 18015->17888 18017 7ff78e4151ce memcpy 18016->18017 18036 7ff78e4151f3 18016->18036 18044 7ff78e4151e6 18016->18044 18017->18044 18018->17888 18019->18015 18024 7ff78e4150a0 fwrite 18019->18024 18020 7ff78e415667 18020->18019 18021 7ff78e41567c strlen 18020->18021 18021->18018 18021->18019 18022 7ff78e41574d 18023 7ff78e4142f0 37 API calls 18022->18023 18025 7ff78e415791 18023->18025 18026 7ff78e41525f 18024->18026 18028 7ff78e4142f0 37 API calls 18025->18028 18026->17888 18027 7ff78e4142f0 37 API calls 18027->18022 18029 7ff78e4157d2 18028->18029 18063 7ff78e414a80 18029->18063 18031 7ff78e421d60 36 API calls 18033 7ff78e41570b 18031->18033 18032 7ff78e4157f6 18034 7ff78e4142f0 37 API calls 18032->18034 18033->18027 18034->18036 18035 7ff78e4156c0 18035->18031 18036->18014 18036->18015 18036->18019 18038 7ff78e420460 35 API calls 18038->18049 18039 7ff78e415603 18039->18016 18043 7ff78e415614 memcpy 18039->18043 18040 7ff78e414540 37 API calls 18040->18049 18041 7ff78e412ea0 16 API calls 18041->18049 18042 7ff78e420240 20 API calls 18042->18049 18043->18016 18044->18020 18044->18036 18045 7ff78e4154e2 memcpy 18045->18049 18046 7ff78e412ea0 16 API calls 18047 7ff78e4158eb memcpy 18046->18047 18048 7ff78e413170 3 API calls 18047->18048 18048->18049 18049->18016 18049->18022 18049->18025 18049->18033 18049->18035 18049->18038 18049->18039 18049->18040 18049->18041 18049->18042 18049->18045 18049->18046 18050 7ff78e4142f0 18049->18050 18051 7ff78e4144e0 18050->18051 18056 7ff78e414306 18050->18056 18052 7ff78e421d60 36 API calls 18051->18052 18054 7ff78e4144f8 18052->18054 18053 7ff78e41449e 18053->18049 18054->18049 18055 7ff78e414388 18057 7ff78e412ea0 16 API calls 18055->18057 18056->18053 18056->18055 18058 7ff78e420460 35 API calls 18056->18058 18061 7ff78e414398 18057->18061 18058->18055 18059 7ff78e414459 memcpy 18059->18053 18061->18059 18062 7ff78e413bd0 20 API calls 18061->18062 18062->18059 18064 7ff78e414e40 18063->18064 18065 7ff78e414a99 18063->18065 18066 7ff78e4147f0 39 API calls 18064->18066 18069 7ff78e414d69 18065->18069 18073 7ff78e4147f0 18065->18073 18070 7ff78e414e6f 18066->18070 18068 7ff78e420240 20 API calls 18072 7ff78e414da7 18068->18072 18069->18068 18069->18072 18070->18069 18071 7ff78e420240 20 API calls 18070->18071 18071->18069 18072->18032 18072->18072 18074 7ff78e414a20 18073->18074 18078 7ff78e41481b 18073->18078 18076 7ff78e413f10 37 API calls 18074->18076 18075 7ff78e4149cb 18075->18069 18076->18075 18077 7ff78e414898 18079 7ff78e412ea0 16 API calls 18077->18079 18078->18075 18078->18077 18080 7ff78e420460 35 API calls 18078->18080 18083 7ff78e4148a8 18079->18083 18080->18077 18081 7ff78e41496e memcpy memset 18081->18075 18083->18081 18084 7ff78e413bd0 20 API calls 18083->18084 18084->18081 18086 7ff78e415a0d 18085->18086 18090 7ff78e415988 18085->18090 18087 7ff78e415110 50 API calls 18086->18087 18089 7ff78e415a12 exit 18087->18089 18088 7ff78e4159be 18091 7ff78e4159f0 longjmp 18088->18091 18094 7ff78e420240 20 API calls 18088->18094 18093 7ff78e415a20 18089->18093 18090->18088 18092 7ff78e420240 20 API calls 18090->18092 18091->18086 18092->18088 18095 7ff78e415bb0 55 API calls 18093->18095 18094->18091 18097 7ff78e415a4e 18095->18097 18096 7ff78e415a80 18098 7ff78e415970 55 API calls 18096->18098 18097->18096 18099 7ff78e420240 20 API calls 18097->18099 18100 7ff78e415ab5 18098->18100 18099->18096 18102 7ff78e422b80 18101->18102 18103 7ff78e422b03 18101->18103 18104 7ff78e41db40 fputc 18102->18104 18113 7ff78e41db40 18103->18113 18109 7ff78e422b96 18104->18109 18106 7ff78e422b4f fwrite 18106->17975 18107 7ff78e422b25 18107->18106 18108 7ff78e422b36 fputc 18107->18108 18112 7ff78e41db40 fputc 18107->18112 18108->18106 18108->18107 18109->18106 18110 7ff78e422bad fputc 18109->18110 18111 7ff78e41db40 fputc 18109->18111 18110->18106 18110->18109 18111->18109 18112->18107 18114 7ff78e427930 fputc 18113->18114 18115 7ff78e41db64 18114->18115 18115->18107 18643 7ff78e4116f0 GetModuleHandleA 18644 7ff78e411717 LoadLibraryA GetProcAddress GetProcAddress 18643->18644 18645 7ff78e411757 18643->18645 18644->18645 18650 7ff78e4110f6 18651 7ff78e411154 216 API calls 18650->18651 18652 7ff78e411117 18651->18652 18126 7ff78e42d9d9 VirtualFree 18656 7ff78e42d4d7 ___mb_cur_max_func ___lc_codepage_func 18657 7ff78e42d509 18656->18657 18658 7ff78e42d130 3 API calls 18657->18658 18659 7ff78e42d532 18658->18659 18660 7ff78e41bee0 18661 7ff78e41bf03 18660->18661 18662 7ff78e41bef6 18660->18662 18662->18661 18663 7ff78e41b420 37 API calls 18662->18663 18664 7ff78e41bf1d 18663->18664 18665 7ff78e41bb80 41 API calls 18664->18665 18666 7ff78e41bf2a 18665->18666 18667 7ff78e41b420 37 API calls 18666->18667 18668 7ff78e41bf50 18667->18668 18669 7ff78e41bb80 41 API calls 18668->18669 18669->18661 18134 7ff78e4271e1 18135 7ff78e4271f6 18134->18135 18136 7ff78e427200 18134->18136 18136->18135 18137 7ff78e42725b free 18136->18137 18137->18135 18674 7ff78e429ce0 18675 7ff78e429d1d 18674->18675 18676 7ff78e429cf3 18674->18676 18678 7ff78e429635 12 API calls 18675->18678 18680 7ff78e429635 18676->18680 18679 7ff78e429d59 18678->18679 18679->18679 18681 7ff78e42966b 18680->18681 18682 7ff78e42966f 18681->18682 18685 7ff78e42968c 18681->18685 18683 7ff78e42884b fputc 18682->18683 18684 7ff78e429687 18683->18684 18684->18675 18686 7ff78e4296ca 18685->18686 18688 7ff78e4296e4 18685->18688 18687 7ff78e42884b fputc 18686->18687 18687->18684 18690 7ff78e42919c 18688->18690 18704 7ff78e4291cb 18690->18704 18691 7ff78e429473 18692 7ff78e429490 18691->18692 18693 7ff78e4294a3 18691->18693 18694 7ff78e427990 fputc 18692->18694 18695 7ff78e4294c6 18693->18695 18696 7ff78e4294b3 18693->18696 18697 7ff78e4294a1 18694->18697 18695->18697 18700 7ff78e427990 fputc 18695->18700 18698 7ff78e427990 fputc 18696->18698 18699 7ff78e427990 fputc 18697->18699 18698->18697 18701 7ff78e4294f6 18699->18701 18700->18697 18702 7ff78e427990 fputc 18701->18702 18707 7ff78e429511 18702->18707 18703 7ff78e429554 18705 7ff78e42957a 18703->18705 18716 7ff78e4287dd 18703->18716 18704->18691 18706 7ff78e427990 fputc 18704->18706 18709 7ff78e4295a2 18705->18709 18712 7ff78e427990 fputc 18705->18712 18706->18704 18707->18703 18711 7ff78e427990 fputc 18707->18711 18710 7ff78e427990 fputc 18709->18710 18713 7ff78e4295bd 18710->18713 18711->18707 18712->18705 18714 7ff78e427df4 fputc 18713->18714 18715 7ff78e42962d 18714->18715 18715->18684 18717 7ff78e4287f2 18716->18717 18718 7ff78e428800 18716->18718 18719 7ff78e428659 12 API calls 18717->18719 18720 7ff78e428835 18718->18720 18722 7ff78e428806 18718->18722 18721 7ff78e4287fe 18719->18721 18723 7ff78e427990 fputc 18720->18723 18721->18703 18722->18721 18724 7ff78e427b8c 5 API calls 18722->18724 18723->18721 18724->18721 18138 7ff78e429fe5 18139 7ff78e429fef memset localeconv 18138->18139 18143 7ff78e4297d4 18138->18143 18140 7ff78e42d2fe 5 API calls 18139->18140 18140->18143 18141 7ff78e42a143 18142 7ff78e427990 fputc 18142->18143 18143->18141 18143->18142 18144 7ff78e429be4 18145 7ff78e429bf7 18144->18145 18146 7ff78e429c21 18144->18146 18150 7ff78e428e4c 18145->18150 18148 7ff78e428e4c 16 API calls 18146->18148 18149 7ff78e429c5d 18148->18149 18149->18149 18151 7ff78e428e6e 18150->18151 18163 7ff78e4285f7 18151->18163 18154 7ff78e428eae 18156 7ff78e42884b fputc 18154->18156 18155 7ff78e428ec5 18157 7ff78e428936 12 API calls 18155->18157 18158 7ff78e428ec3 18156->18158 18159 7ff78e428ee0 18157->18159 18160 7ff78e42a20f free 18158->18160 18159->18158 18161 7ff78e427990 fputc 18159->18161 18162 7ff78e428f14 18160->18162 18161->18159 18162->18146 18164 7ff78e428488 4 API calls 18163->18164 18165 7ff78e428652 18164->18165 18165->18154 18165->18155 18166 7ff78e42da09 LoadLibraryA 18177 7ff78e429dfc 18180 7ff78e4297d4 18177->18180 18178 7ff78e42a143 18179 7ff78e427990 fputc 18179->18180 18180->18178 18180->18179 18184 7ff78e413a00 18185 7ff78e413a1a 18184->18185 18186 7ff78e413a28 18184->18186 18187 7ff78e413170 3 API calls 18186->18187 18188 7ff78e413a42 18187->18188 18765 7ff78e42d0a8 fflush 18766 7ff78e45e3bc 18765->18766 18771 7ff78e4134b0 18772 7ff78e413380 22 API calls 18771->18772 18773 7ff78e4134ca 18772->18773 18774 7ff78e413380 22 API calls 18773->18774 18775 7ff78e4134d6 18774->18775 18776 7ff78e413380 22 API calls 18775->18776 18777 7ff78e4134e2 18776->18777 18782 7ff78e42cc9d 18783 7ff78e42bfa6 malloc 18782->18783 18784 7ff78e42ccc9 18783->18784 17162 153c16d1ba8 17164 153c16d1bc6 17162->17164 17163 153c16d1bcc NtCreateSection 17165 153c16d1c21 17163->17165 17164->17163 18796 7ff78e4270a3 signal 18797 7ff78e4270c4 signal 18796->18797 18798 7ff78e4270d9 18796->18798 18797->18798 18252 153c16d087c 18253 153c16d07da 18252->18253 18254 153c16d1b10 2 API calls 18253->18254 18255 153c16d0849 18254->18255 18824 7ff78e4138c0 18825 7ff78e4139f0 18824->18825 18826 7ff78e4138db 18824->18826 18826->18825 18827 7ff78e420240 20 API calls 18826->18827 18828 7ff78e41fff0 22 API calls 18826->18828 18829 7ff78e412ea0 16 API calls 18826->18829 18827->18826 18828->18826 18830 7ff78e41393a memcpy 18829->18830 18831 7ff78e413170 3 API calls 18830->18831 18831->18826

    Executed Functions

    Function 00007FF78E41C240 Relevance: 147.9, APIs: 45, Strings: 38, Instructions: 2611memorysleepCOMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: exitmemcpy$ByteCharHeapMultiProcessSleepWide$CountTickVersion
    • String ID: * -_$.v>!$CloseHandle$CreateFileA$GetComputerNameExA$GetCurrentProcessId$GetCurrentThreadId$GetDiskFreeSpaceExA$GetFileSize$GetModuleHandleA$GetProcAddress$GetProcessHeap$GetThreadContext$GetTickCount$GlobalMemoryStatusEx$Jk5$JDF7$Ju4J$LdrLoadDll$MultiByteToWideChar$OpenProcess$OpenThread$ReadFile$RtlAddVectoredExceptionHandler$RtlAllocateHeap$RtlInitUnicodeString$SetThreadContext$Sleep$VariantConversionError$VirtualProtect$WaitForSingleObject$com.nim$j{t`$p$toVariant$bz$ME$HYk
    • API String ID: 4036915570-214144126
    • Opcode ID: 76df0a278d06ba526b916e1918ba5bcf453f18b5cb2c1e949b4a8eb49b42f0ef
    • Instruction ID: 1ef5c1930cbc1f022ab22dfd2806282c5d526d83febae3e63234f84c2ff3a320
    • Opcode Fuzzy Hash: 76df0a278d06ba526b916e1918ba5bcf453f18b5cb2c1e949b4a8eb49b42f0ef
    • Instruction Fuzzy Hash: 48437762A09B4781EA14FB95E8543BDA3A1FF85B84FE04436EA5D07796EF3CE404C360
    Function 00007FF78E41D570 Relevance: 35.3, APIs: 16, Strings: 4, Instructions: 334threadlibraryloaderCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1197 7ff78e41d570-7ff78e41d5a6 call 7ff78e4278f0 1200 7ff78e41d5ac-7ff78e41d5e5 RtlAddVectoredExceptionHandler memset 1197->1200 1201 7ff78e41d971-7ff78e41d999 call 7ff78e41b420 call 7ff78e41bb80 1197->1201 1203 7ff78e41d5e8-7ff78e41d5eb 1200->1203 1210 7ff78e41d9a7-7ff78e41d9b5 GetModuleHandleA 1201->1210 1211 7ff78e41d99b-7ff78e41d9a3 1201->1211 1205 7ff78e41d5f0-7ff78e41d5fa 1203->1205 1205->1205 1207 7ff78e41d5fc-7ff78e41d617 1205->1207 1207->1203 1209 7ff78e41d619-7ff78e41d63a CreateToolhelp32Snapshot 1207->1209 1212 7ff78e41d658-7ff78e41d69f Thread32First 1209->1212 1213 7ff78e41d63c-7ff78e41d657 1209->1213 1216 7ff78e41d9b7-7ff78e41d9bf 1210->1216 1217 7ff78e41da2f-7ff78e41daba call 7ff78e41b420 call 7ff78e41bb80 call 7ff78e41b420 call 7ff78e41bb80 call 7ff78e416670 RtlInitUnicodeString LdrLoadDll 1210->1217 1211->1210 1214 7ff78e41dac8-7ff78e41dae6 call 7ff78e41b420 call 7ff78e41bb80 1212->1214 1215 7ff78e41d6a5-7ff78e41d6b1 Thread32Next 1212->1215 1250 7ff78e41daeb-7ff78e41db04 call 7ff78e41b420 call 7ff78e41bb80 1214->1250 1218 7ff78e41d6db-7ff78e41d6e6 CloseHandle 1215->1218 1219 7ff78e41d6b3-7ff78e41d6bd GetCurrentProcessId 1215->1219 1222 7ff78e41d9c4-7ff78e41d9ec call 7ff78e41b420 call 7ff78e41bb80 1216->1222 1252 7ff78e41da0c-7ff78e41da2a call 7ff78e41b420 call 7ff78e41bb80 1217->1252 1274 7ff78e41dac0 1217->1274 1224 7ff78e41d6ec-7ff78e41d6fb 1218->1224 1225 7ff78e41d7b0-7ff78e41d7d8 call 7ff78e41b420 call 7ff78e41bb80 1218->1225 1219->1215 1223 7ff78e41d6bf-7ff78e41d6d9 1219->1223 1245 7ff78e41d9fa-7ff78e41da05 GetProcAddress 1222->1245 1246 7ff78e41d9ee-7ff78e41d9f6 1222->1246 1223->1218 1223->1219 1230 7ff78e41d702-7ff78e41d718 OpenThread 1224->1230 1253 7ff78e41d7da-7ff78e41d7e2 1225->1253 1254 7ff78e41d7e6-7ff78e41d81d GetModuleHandleA call 7ff78e41b420 call 7ff78e41bb80 1225->1254 1230->1213 1237 7ff78e41d71e-7ff78e41d72c GetThreadContext 1230->1237 1237->1213 1242 7ff78e41d732-7ff78e41d739 1237->1242 1248 7ff78e41d73b-7ff78e41d741 1242->1248 1249 7ff78e41d743-7ff78e41d780 call 7ff78e41bb80 SetThreadContext 1242->1249 1245->1252 1246->1245 1248->1249 1255 7ff78e41d793-7ff78e41d7aa CloseHandle 1248->1255 1249->1213 1266 7ff78e41d786-7ff78e41d78e call 7ff78e41bb80 1249->1266 1269 7ff78e41db09 1250->1269 1252->1217 1253->1254 1254->1250 1278 7ff78e41d823-7ff78e41d83e 1254->1278 1255->1225 1255->1230 1266->1255 1273 7ff78e41db10 1269->1273 1277 7ff78e41db17-7ff78e41db1e 1273->1277 1274->1222 1279 7ff78e41d856-7ff78e41d8db call 7ff78e413f10 call 7ff78e41b420 call 7ff78e41bb80 call 7ff78e41f490 1278->1279 1288 7ff78e41d840-7ff78e41d850 1279->1288 1289 7ff78e41d8e1-7ff78e41d91a call 7ff78e41b420 call 7ff78e41bb80 1279->1289 1288->1250 1288->1279 1289->1269 1294 7ff78e41d920-7ff78e41d929 1289->1294 1295 7ff78e41d93c-7ff78e41d963 call 7ff78e41b420 call 7ff78e41bb80 1294->1295 1300 7ff78e41d92b-7ff78e41d936 1295->1300 1301 7ff78e41d965-7ff78e41d96c 1295->1301 1300->1273 1300->1295 1301->1277
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: Handle$Thread$ByteCharCloseContextModuleMultiThread32Widememcpy$AddressCreateCurrentExceptionFirstHandlerInitLoadNextOpenProcProcessSnapshotStringToolhelp32UnicodeVectoredmemset
    • String ID: Ju4J$NrTP$jP~$bz
    • API String ID: 902128316-2228891234
    • Opcode ID: 5caa98e862dff868fa780ae6cdfbd0bf8742712e53fe9a6ecd63f3fdd6b37e3a
    • Instruction ID: 9d35042d8a63671415ee242223e6f18cfdc13832b3cd752cc4660fc0e75ce6cb
    • Opcode Fuzzy Hash: 5caa98e862dff868fa780ae6cdfbd0bf8742712e53fe9a6ecd63f3fdd6b37e3a
    • Instruction Fuzzy Hash: 0BE19D62A0864381EE14BB91A8143BEA3A1BF85785FF48035FA4E47799DF7CE445C360
    Function 00007FF78E420460 Relevance: 19.5, APIs: 11, Strings: 1, Instructions: 1506COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID: @
    • API String ID: 0-2766056989
    • Opcode ID: d41118d21125260021136046d49c4ddac0172a0b69c53b1cfd141be858fcfbda
    • Instruction ID: c6e6093a39d9eb408e204241188989728a03c3058d98e97419f0f8588e82a00a
    • Opcode Fuzzy Hash: d41118d21125260021136046d49c4ddac0172a0b69c53b1cfd141be858fcfbda
    • Instruction Fuzzy Hash: 53E2E7B2B05A4782EE54AB85C0483BDA3A6FB41BC4FE59536EA1E473D5DF78E490C310
    Function 00007FF78E422CA0 Relevance: 16.4, APIs: 6, Strings: 3, Instructions: 605COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1876 7ff78e422ca0-7ff78e422cc2 1877 7ff78e422cc8-7ff78e422ccd 1876->1877 1878 7ff78e4230b6-7ff78e4230c2 1876->1878 1879 7ff78e4230a0-7ff78e4230b0 call 7ff78e416370 1877->1879 1880 7ff78e422cd3-7ff78e422cdf 1877->1880 1879->1878 1879->1880 1881 7ff78e422dc7-7ff78e422e50 _setjmp 1880->1881 1882 7ff78e422ce5-7ff78e422d4e _setjmp 1880->1882 1885 7ff78e423288-7ff78e4232af 1881->1885 1886 7ff78e422e56-7ff78e422e75 1881->1886 1887 7ff78e422ed8-7ff78e422f02 CLRCreateInstance 1882->1887 1888 7ff78e422d54-7ff78e422d5b 1882->1888 1900 7ff78e4232bf-7ff78e4232f1 call 7ff78e416670 1885->1900 1901 7ff78e4232b1-7ff78e4232ba call 7ff78e41a3e0 1885->1901 1891 7ff78e422e77 1886->1891 1892 7ff78e422e7d-7ff78e422e85 1886->1892 1889 7ff78e422f08-7ff78e422f18 1887->1889 1890 7ff78e423070-7ff78e42307e call 7ff78e41a3e0 1887->1890 1893 7ff78e422d5e-7ff78e422d76 1888->1893 1902 7ff78e422f1e-7ff78e422f29 1889->1902 1891->1892 1896 7ff78e422e87 1892->1896 1897 7ff78e422e8d-7ff78e422e95 1892->1897 1898 7ff78e422d78 1893->1898 1899 7ff78e422d7e-7ff78e422d89 1893->1899 1896->1897 1904 7ff78e422e97 1897->1904 1905 7ff78e422e9d-7ff78e422ea5 1897->1905 1898->1899 1906 7ff78e422d8b 1899->1906 1907 7ff78e422d91-7ff78e422d9a 1899->1907 1928 7ff78e4232f7-7ff78e423300 1900->1928 1929 7ff78e4233c3-7ff78e4233de 1900->1929 1901->1900 1910 7ff78e423088-7ff78e423096 call 7ff78e41a3e0 1902->1910 1911 7ff78e422f2f-7ff78e422f5d 1902->1911 1904->1905 1912 7ff78e422ea7 1905->1912 1913 7ff78e422ead-7ff78e422eb6 1905->1913 1906->1907 1914 7ff78e423067-7ff78e42306c call 7ff78e416540 1907->1914 1915 7ff78e422da0-7ff78e422da9 1907->1915 1910->1879 1911->1893 1927 7ff78e422f63-7ff78e422fa1 _setjmp 1911->1927 1912->1913 1913->1914 1918 7ff78e422ebc-7ff78e422ed3 1913->1918 1914->1890 1916 7ff78e422db9-7ff78e422dc2 call 7ff78e41a3e0 1915->1916 1917 7ff78e422dab-7ff78e422db7 1915->1917 1916->1881 1917->1881 1917->1916 1930 7ff78e422fa7-7ff78e422fcb 1927->1930 1931 7ff78e423033-7ff78e423061 1927->1931 1932 7ff78e4237cb-7ff78e4237d0 1928->1932 1933 7ff78e423306-7ff78e423380 call 7ff78e413f10 1928->1933 1939 7ff78e423678-7ff78e423686 call 7ff78e41a3e0 1929->1939 1940 7ff78e4233e4-7ff78e4233ea 1929->1940 1930->1931 1942 7ff78e422fcd-7ff78e422ffd _setjmp 1930->1942 1931->1911 1931->1914 1938 7ff78e4237da-7ff78e4237e1 1932->1938 1946 7ff78e4233b9-7ff78e4233be call 7ff78e41a3e0 1933->1946 1947 7ff78e423382-7ff78e4233b5 memcpy 1933->1947 1944 7ff78e4237e8-7ff78e4237fa 1938->1944 1957 7ff78e423690-7ff78e423698 1939->1957 1940->1939 1945 7ff78e4233f0-7ff78e423419 1940->1945 1948 7ff78e4230d0-7ff78e423116 call 7ff78e413f10 1942->1948 1949 7ff78e423003-7ff78e423031 1942->1949 1944->1944 1952 7ff78e4237fc 1944->1952 1959 7ff78e423429-7ff78e423452 1945->1959 1960 7ff78e42341b-7ff78e423424 call 7ff78e41a3e0 1945->1960 1946->1929 1947->1946 1948->1949 1965 7ff78e42311c-7ff78e423173 call 7ff78e413f10 1948->1965 1949->1914 1949->1931 1958 7ff78e423801-7ff78e423805 1952->1958 1961 7ff78e42380a 1957->1961 1962 7ff78e42369e-7ff78e4236a5 1957->1962 1958->1962 1967 7ff78e423471-7ff78e423487 1959->1967 1968 7ff78e423454-7ff78e42346b 1959->1968 1960->1959 1978 7ff78e423179-7ff78e423187 1965->1978 1979 7ff78e423255-7ff78e42325f 1965->1979 1973 7ff78e42348d-7ff78e4234b6 1967->1973 1974 7ff78e4236c0-7ff78e4236ce call 7ff78e41a3e0 1967->1974 1968->1967 1976 7ff78e4234fc-7ff78e423534 1968->1976 1988 7ff78e4236d8-7ff78e4236e6 call 7ff78e41a3e0 1973->1988 1989 7ff78e4234bc-7ff78e4234d2 1973->1989 1974->1988 1980 7ff78e423544-7ff78e42355e call 7ff78e422480 1976->1980 1981 7ff78e423536-7ff78e423541 1976->1981 1978->1958 1986 7ff78e42318d-7ff78e42319b 1978->1986 1979->1957 1984 7ff78e423265-7ff78e42327d call 7ff78e416580 call 7ff78e4161c0 1979->1984 1993 7ff78e423780-7ff78e42378b call 7ff78e420300 1980->1993 1994 7ff78e423564-7ff78e423571 1980->1994 1981->1980 1984->1949 1986->1938 1991 7ff78e4231a1-7ff78e4231a5 1986->1991 2013 7ff78e4236f0-7ff78e4236fe call 7ff78e41a3e0 1988->2013 2009 7ff78e423708-7ff78e423716 call 7ff78e41a3e0 1989->2009 2010 7ff78e4234d8-7ff78e4234e5 1989->2010 1991->1938 1997 7ff78e4231ab-7ff78e4231b6 1991->1997 2017 7ff78e42378d 1993->2017 2018 7ff78e423792-7ff78e42379f 1993->2018 2001 7ff78e423577-7ff78e423621 call 7ff78e4187d0 call 7ff78e41adb0 * 3 1994->2001 2002 7ff78e423730-7ff78e42373b call 7ff78e420300 1994->2002 1999 7ff78e4231bc-7ff78e4231c6 1997->1999 2000 7ff78e42371b-7ff78e42371e 1997->2000 2006 7ff78e4231d0-7ff78e4231e1 1999->2006 2000->2002 2045 7ff78e423626-7ff78e42362c 2001->2045 2028 7ff78e42373d 2002->2028 2029 7ff78e423742-7ff78e42374f 2002->2029 2006->2006 2014 7ff78e4231e3-7ff78e4231f0 2006->2014 2009->2000 2025 7ff78e4234eb-7ff78e4234f6 2010->2025 2013->2009 2021 7ff78e423252 2014->2021 2022 7ff78e4231f2-7ff78e423201 2014->2022 2017->2018 2026 7ff78e4237bc-7ff78e4237c3 2018->2026 2027 7ff78e4237a1-7ff78e4237b5 2018->2027 2021->1979 2033 7ff78e42321b-7ff78e423231 2022->2033 2034 7ff78e423203-7ff78e423219 2022->2034 2025->1976 2025->2013 2026->1932 2027->2026 2036 7ff78e4237b7 call 7ff78e420240 2027->2036 2028->2029 2030 7ff78e42376c-7ff78e423773 2029->2030 2031 7ff78e423751-7ff78e423765 2029->2031 2030->1993 2031->2030 2037 7ff78e423767 call 7ff78e420240 2031->2037 2033->2021 2038 7ff78e423233-7ff78e423246 2033->2038 2034->2021 2034->2033 2036->2026 2037->2030 2038->2021 2042 7ff78e423248-7ff78e42324d 2038->2042 2042->2021 2046 7ff78e42362e 2045->2046 2047 7ff78e423633-7ff78e423640 2045->2047 2046->2047 2048 7ff78e423658-7ff78e42366c 2047->2048 2049 7ff78e423642-7ff78e423656 2047->2049 2048->1939 2049->2048 2050 7ff78e4236b0-7ff78e4236b5 call 7ff78e420240 2049->2050 2050->2048
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: _setjmp$CreateInstance
    • String ID: ntime of$o get ru$unable t
    • API String ID: 1775370524-3332830050
    • Opcode ID: fbe6d5bac598c0a1259f9fdf6e2ac1c3ead579d97badba0988d49303e089c53f
    • Instruction ID: caa3bd1adef9f527bded4a4f227225936b387dcb533016769c28ff17f12772fe
    • Opcode Fuzzy Hash: fbe6d5bac598c0a1259f9fdf6e2ac1c3ead579d97badba0988d49303e089c53f
    • Instruction Fuzzy Hash: C4623C76B09B4791EB20AF95E4503AAB3B1FB84B84FA08132EA4D477A4DF7DD444C760
    Function 00007FF78E411154 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 193COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 2053 7ff78e411154-7ff78e411193 call 7ff78e42d060 2056 7ff78e4111a8-7ff78e4111d5 2053->2056 2057 7ff78e411195-7ff78e41119f 2053->2057 2058 7ff78e4111f8-7ff78e41122d 2056->2058 2057->2056 2059 7ff78e4111d7-7ff78e4111df 2058->2059 2060 7ff78e41122f-7ff78e41123b 2058->2060 2063 7ff78e4111ea-7ff78e4111ef 2059->2063 2064 7ff78e4111e1-7ff78e4111e8 2059->2064 2061 7ff78e411249-7ff78e411254 2060->2061 2062 7ff78e41123d-7ff78e411247 _amsg_exit 2060->2062 2066 7ff78e41127e 2061->2066 2067 7ff78e411256-7ff78e41127c _initterm 2061->2067 2065 7ff78e411288-7ff78e411294 2062->2065 2063->2058 2064->2060 2068 7ff78e4112bc-7ff78e4112c0 2065->2068 2069 7ff78e411296-7ff78e4112b6 _initterm 2065->2069 2066->2065 2067->2065 2070 7ff78e4112e1-7ff78e4112ee 2068->2070 2071 7ff78e4112c2-7ff78e4112e0 2068->2071 2069->2068 2072 7ff78e41130c-7ff78e411364 call 7ff78e426dcd call 7ff78e42d7f0 call 7ff78e426660 call 7ff78e42d950 2070->2072 2073 7ff78e4112f0-7ff78e411305 2070->2073 2071->2070 2083 7ff78e4113cc-7ff78e4113d7 2072->2083 2084 7ff78e411366 2072->2084 2073->2072 2085 7ff78e4113d9-7ff78e4113e4 2083->2085 2086 7ff78e4113fa-7ff78e411440 call 7ff78e411591 call 7ff78e4263d7 call 7ff78e42da70 2083->2086 2087 7ff78e411385-7ff78e41138e 2084->2087 2088 7ff78e4113ef 2085->2088 2089 7ff78e4113e6-7ff78e4113ed 2085->2089 2106 7ff78e411445-7ff78e411453 2086->2106 2091 7ff78e411368-7ff78e411371 2087->2091 2092 7ff78e411390-7ff78e411399 2087->2092 2093 7ff78e4113f4 2088->2093 2089->2093 2094 7ff78e411380 2091->2094 2095 7ff78e411373-7ff78e41137d 2091->2095 2097 7ff78e4113a8-7ff78e4113b1 2092->2097 2098 7ff78e41139b-7ff78e41139f 2092->2098 2093->2086 2094->2087 2095->2094 2099 7ff78e4113be-7ff78e4113c9 2097->2099 2100 7ff78e4113b3-7ff78e4113bc 2097->2100 2098->2091 2102 7ff78e4113a1 2098->2102 2099->2083 2100->2099 2103 7ff78e4113a3 2100->2103 2102->2097 2103->2097 2107 7ff78e411462-7ff78e41146a 2106->2107 2108 7ff78e411455-7ff78e41145d exit 2106->2108 2109 7ff78e41146c _cexit 2107->2109 2110 7ff78e411471-7ff78e41147f 2107->2110 2108->2107 2109->2110
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: _initterm$_amsg_exit_cexitexit
    • String ID: 0
    • API String ID: 602970348-4108050209
    • Opcode ID: c5bb0eb04c8fb6cd053ca287a568665df2e0e3d12505647d5b9f2f4fedc3075a
    • Instruction ID: 0d847bdbbb6a79ded6f89817690303faf4172b2a431d36d437bedef7dbc39615
    • Opcode Fuzzy Hash: c5bb0eb04c8fb6cd053ca287a568665df2e0e3d12505647d5b9f2f4fedc3075a
    • Instruction Fuzzy Hash: EEA1E866F09B1789FB50AB95E89036CB7A0BB08B88FA04035ED4D577A4DF7DE540C760
    Function 00007FF78E41F6D0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 373fileCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 2111 7ff78e41f6d0-7ff78e41f71d 2112 7ff78e41f729-7ff78e41f72d 2111->2112 2113 7ff78e41f71f-7ff78e41f726 2111->2113 2114 7ff78e41fbd0-7ff78e41fc0d call 7ff78e415ac0 2112->2114 2115 7ff78e41f733-7ff78e41f736 2112->2115 2113->2112 2120 7ff78e41fc16-7ff78e41fc2a 2114->2120 2121 7ff78e41fc11 call 7ff78e413f10 2114->2121 2115->2114 2117 7ff78e41f73c-7ff78e41f7a4 call 7ff78e413f10 call 7ff78e41b420 call 7ff78e41bb80 2115->2117 2135 7ff78e41f7bc-7ff78e41f80c CreateFileA 2117->2135 2136 7ff78e41f7a6-7ff78e41f7b9 2117->2136 2123 7ff78e41fd48-7ff78e41fd57 2120->2123 2124 7ff78e41fc30-7ff78e41fc33 2120->2124 2121->2120 2126 7ff78e41fce0-7ff78e41fcf8 2124->2126 2128 7ff78e41fcfe-7ff78e41fd08 2126->2128 2129 7ff78e41fc40-7ff78e41fc4d 2126->2129 2132 7ff78e41fd0a-7ff78e41fd16 2128->2132 2133 7ff78e41fd60-7ff78e41fd67 2128->2133 2129->2132 2134 7ff78e41fc53-7ff78e41fc5a 2129->2134 2139 7ff78e41fd1c-7ff78e41fd46 call 7ff78e414540 * 3 2132->2139 2137 7ff78e41fd69-7ff78e41fd77 call 7ff78e414540 2133->2137 2138 7ff78e41fd7c-7ff78e41fd89 2133->2138 2134->2132 2140 7ff78e41fc60-7ff78e41fcd5 call 7ff78e414540 * 4 2134->2140 2152 7ff78e41f812-7ff78e41f880 ReadFile 2135->2152 2153 7ff78e41fab5-7ff78e41facf 2135->2153 2136->2135 2154 7ff78e41fcd8-7ff78e41fcde 2137->2154 2142 7ff78e41fd8b-7ff78e41fdad call 7ff78e414540 * 2 2138->2142 2143 7ff78e41fdb2-7ff78e41fdda 2138->2143 2139->2123 2139->2126 2140->2154 2142->2154 2143->2139 2171 7ff78e41fbc8 2152->2171 2172 7ff78e41f886-7ff78e41f8a1 2152->2172 2174 7ff78e41fae0-7ff78e41fafb 2153->2174 2154->2123 2154->2126 2171->2114 2173 7ff78e41f8af-7ff78e41f939 call 7ff78e413f10 call 7ff78e41bb80 call 7ff78e41f490 2172->2173 2181 7ff78e41f8a8-7ff78e41f8ab 2173->2181 2182 7ff78e41f93f-7ff78e41f982 2173->2182 2181->2173 2182->2174 2183 7ff78e41f988-7ff78e41f9ca 2182->2183 2184 7ff78e41f9fe-7ff78e41fa13 2183->2184 2185 7ff78e41f9d0-7ff78e41f9d3 2184->2185 2186 7ff78e41fa15-7ff78e41fa38 2184->2186 2187 7ff78e41f9e1-7ff78e41f9ed 2185->2187 2188 7ff78e41f9d5-7ff78e41f9df strcmp 2185->2188 2189 7ff78e41fa3a-7ff78e41fa45 2186->2189 2190 7ff78e41fa49-7ff78e41fa92 2186->2190 2187->2174 2191 7ff78e41f9f3-7ff78e41f9fb 2187->2191 2188->2186 2188->2187 2189->2190 2194 7ff78e41faa6-7ff78e41faa9 2190->2194 2191->2184 2195 7ff78e41fa98-7ff78e41faa4 2194->2195 2196 7ff78e41faab-7ff78e41faaf 2194->2196 2195->2194 2197 7ff78e41fafc-7ff78e41fafe 2195->2197 2196->2195 2198 7ff78e41fab1-7ff78e41fab3 2196->2198 2199 7ff78e41fb00-7ff78e41fb63 2197->2199 2198->2199 2200 7ff78e41fba6-7ff78e41fba8 2199->2200 2201 7ff78e41fb65-7ff78e41fba1 2199->2201 2202 7ff78e41fbb0-7ff78e41fbc1 2200->2202 2201->2187 2202->2202 2203 7ff78e41fbc3 2202->2203 2203->2187
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: File$CreateRead
    • String ID: ME
    • API String ID: 3388366904-1625691762
    • Opcode ID: f62ba25d732be71ec3c5ae50afd3e3164ab71c9ff0a7c9cb1df3716b1e638057
    • Instruction ID: e3f7379b64e0c2f845c32822f32fc7419b181ce3e26ed995d03352813738d30b
    • Opcode Fuzzy Hash: f62ba25d732be71ec3c5ae50afd3e3164ab71c9ff0a7c9cb1df3716b1e638057
    • Instruction Fuzzy Hash: 86F1CF22A0DA8285DB11DFA9E4403ADBBA1FF95B85FA98036EE8D43755DF3CD145C320
    Function 00007FF78E41BF80 Relevance: 4.6, APIs: 3, Instructions: 58threadinjectionCOMMON
    Download Yara Rule

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: Thread$Contextmemcpy$BaseInitThunk
    • String ID:
    • API String ID: 2238238550-0
    • Opcode ID: c43e258c4f01fee23de003e19650e6d8b38c1bae0ff2e7acfe210e28294bdbcd
    • Instruction ID: 3d80403821aed1e14548ed5db10ffd234668a8a75ef1578b5206c76674e94b70
    • Opcode Fuzzy Hash: c43e258c4f01fee23de003e19650e6d8b38c1bae0ff2e7acfe210e28294bdbcd
    • Instruction Fuzzy Hash: 1721906260864795EA10AFA2F81037AA355BB89BE4FA44235ED6D877D9CF3CD044C710
    Function 00000153C16D1B10 Relevance: 3.1, APIs: 2, Instructions: 132nativeCOMMON
    Download Yara Rule

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.2953425980.00000153C16D0000.00000020.00000400.00020000.00000000.sdmp, Offset: 00000153C16D0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_153c16d0000_66WXq58R0I.jbxd
    Similarity
    • API ID: CreateMemoryProtectSectionVirtual
    • String ID:
    • API String ID: 1366966015-0
    • Opcode ID: f6b47d1aec46e1e957693d9d0c8cb924439d4d7cbf412633b4b44180241d7493
    • Instruction ID: cc05d559bff73cd9d09bc43024f9a238ace9d79263d9d3caba7b33eef5d579ae
    • Opcode Fuzzy Hash: f6b47d1aec46e1e957693d9d0c8cb924439d4d7cbf412633b4b44180241d7493
    • Instruction Fuzzy Hash: 1031207061CF0C8FE714B67CDC456B972D4EBD9312F10072FE89AE3291EAA4D9154686
    Function 00000153C16D1BA8 Relevance: 1.6, APIs: 1, Instructions: 73nativeCOMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.2953425980.00000153C16D0000.00000020.00000400.00020000.00000000.sdmp, Offset: 00000153C16D0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_153c16d0000_66WXq58R0I.jbxd
    Similarity
    • API ID: CreateSection
    • String ID:
    • API String ID: 2449625523-0
    • Opcode ID: 9e7362a58a991fd67ed60abdc4631b05ef3ffe28a9eadedd5685242ff6fa6018
    • Instruction ID: 1bc6c13553d500370b2751e065fc6e4cee9ae7d1ac91eae01852f01ca6d3079a
    • Opcode Fuzzy Hash: 9e7362a58a991fd67ed60abdc4631b05ef3ffe28a9eadedd5685242ff6fa6018
    • Instruction Fuzzy Hash: 3201D67170CF084FE7689A6CEC4A77973C0D7C5322F40072FE899E76D2E9A5A8124686
    Function 00007FF78E42DA70 Relevance: 293.3, APIs: 4, Strings: 162, Instructions: 2775COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 0 7ff78e42da70-7ff78e42e8cf call 7ff78e4263d7 call 7ff78e412020 5 7ff78e4322bf-7ff78e4322c6 call 7ff78e412050 0->5 6 7ff78e42e8d5-7ff78e42ef09 call 7ff78e4120f0 * 2 call 7ff78e4117f0 0->6 9 7ff78e4322cb-7ff78e4322d2 call 7ff78e412050 5->9 20 7ff78e43234b-7ff78e432350 call 7ff78e411df0 6->20 21 7ff78e42ef0f-7ff78e42f24f call 7ff78e4117f0 call 7ff78e41fde0 * 5 call 7ff78e42d058 signal * 4 call 7ff78e412020 6->21 13 7ff78e4322d7-7ff78e4322de call 7ff78e412050 9->13 17 7ff78e4322e3-7ff78e4322ea call 7ff78e412050 13->17 22 7ff78e4322ef-7ff78e4322f6 call 7ff78e412050 17->22 21->9 56 7ff78e42f255-7ff78e42f281 call 7ff78e4120f0 call 7ff78e412020 21->56 28 7ff78e4322fb-7ff78e432302 call 7ff78e412050 22->28 32 7ff78e432307-7ff78e43230e call 7ff78e412050 28->32 37 7ff78e432313-7ff78e43231a call 7ff78e412050 32->37 40 7ff78e43231f-7ff78e432326 call 7ff78e412050 37->40 44 7ff78e43232b-7ff78e432332 call 7ff78e412050 40->44 48 7ff78e432337-7ff78e43233a call 7ff78e412050 44->48 52 7ff78e43233f-7ff78e432346 call 7ff78e412050 48->52 52->20 56->13 61 7ff78e42f287-7ff78e42f2b3 call 7ff78e4120f0 call 7ff78e412020 56->61 66 7ff78e42f2b9-7ff78e42f319 call 7ff78e4120f0 * 3 call 7ff78e412020 61->66 67 7ff78e4322b3-7ff78e4322ba call 7ff78e412050 61->67 66->17 77 7ff78e42f31f-7ff78e42f483 call 7ff78e4120f0 * 13 call 7ff78e412020 66->77 67->5 77->22 106 7ff78e42f489-7ff78e42f5bc call 7ff78e4120f0 * 2 call 7ff78e412020 77->106 106->28 113 7ff78e42f5c2-7ff78e4319be call 7ff78e4120f0 * 2 call 7ff78e412020 106->113 113->37 120 7ff78e4319c4-7ff78e431a0a call 7ff78e4120f0 * 2 call 7ff78e412020 113->120 120->32 127 7ff78e431a10-7ff78e431abe call 7ff78e4120f0 * 6 call 7ff78e412020 120->127 127->40 142 7ff78e431ac4-7ff78e431af0 call 7ff78e4120f0 call 7ff78e412020 127->142 142->44 147 7ff78e431af6-7ff78e4321af call 7ff78e4120f0 * 3 call 7ff78e41bb80 call 7ff78e412020 142->147 147->48 158 7ff78e4321b5-7ff78e4321e1 call 7ff78e4120f0 call 7ff78e412020 147->158 158->52 163 7ff78e4321e7-7ff78e432242 call 7ff78e4120f0 * 2 call 7ff78e418c30 call 7ff78e4117f0 call 7ff78e41c240 158->163 171 7ff78e432244-7ff78e4322b2 163->171
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: signal$memcpy$AddressProcexit
    • String ID: :state$AddRef$CLRCreateInstance$CoInitialize$CreateProcessW$CreateToolhelp32Snapshot$DispGetIDsOfNames$Field0$Field1$Field2$GetCommandLineW$GetCurrentProcess$GetCurrentThread$GetField$GetFieldNames$GetFieldNoCopy$GetFileAttributesW$GetForegroundWindow$GetGuid$GetIDsOfNames$GetModuleFileNameW$GetName$GetProcAddress$GetProcessHeap$GetSize$GetThreadContext$GetTypeInfo$GetTypeInfoCount$GetWindowThreadProcessId$HeapAlloc$HeapCreate$Hi32$InitializeProcThreadAttributeList$Invoke$IsEqualGUID$IsMatchingType$Lo32$Lo64$LoadLibraryA$Mid32$MultiByteToWideChar$NtFlushInstructionCache4$OpenProcess$PutField$PutFieldNoCopy$QueryInterface$RecordClear$RecordCopy$RecordCreate$RecordCreateCopy$RecordDestroy$RecordInit$Release$ResumeThread$RtlGetVersion$SafeArrayCreate$SafeArrayPutElement$SetConsoleCP$SetConsoleOutputCP$SysAllocString$SysFreeString$SysStringLen$Thread32First$Thread32Next$UpdateProcThreadAttribute$VariantClear$VariantCopy$WaitForSingleObject$WideCharToMultiByte$bCryptGenRandom$bVal$boolVal$bstrVal$byref$cDims$cElements$cLocks$cVal$cbElements$cipher$coresCount$counter$cyVal$data$date$dblVal$dctx6$decVal$fFeatures$filename$fltVal$hIntel$hresult$iVal$int64$intVal$key5$lLbound$lVal$line$llVal$lpVtbl$lstrlenW$msg$name$pRecInfo$parent$parray$pbVal$pboolVal$pbstrVal$pcVal$pcyVal$pdate$pdblVal$pdecVal$pdispVal$pfltVal$piVal$pintVal$plVal$pllVal$pparray$ppdispVal$ppunkVal$procname$pscode$puiVal$puintVal$pulVal$pullVal$punkVal$pvData$pvRecord$pvarVal$queryIdleProcessorCycleTime$queryProcessCycleTime$queryUnbiasedInterruptTime$raw$remoteProcID2$rgsabound$scale$scode$sign$signscale$skey$struct1$tProcess1$trace$treadHandle3$uiVal$uintVal$ulVal$ullVal$union1$union2$wReserved$wReserved1$wReserved2$wReserved3$zonedTimeFromAdjTimeImpl$zonedTimeFromTimeImpl
    • API String ID: 1418167214-113516584
    • Opcode ID: 8e9a48657c1b5c700ace5fe9dc3f56d2322ee6397c0adfebe6d25ab97b2bcfb0
    • Instruction ID: 3404bbce0a9393c76cb188170a957fcb2babb26d0ffaca52a5c36c12668210da
    • Opcode Fuzzy Hash: 8e9a48657c1b5c700ace5fe9dc3f56d2322ee6397c0adfebe6d25ab97b2bcfb0
    • Instruction Fuzzy Hash: 0993FD21C1CA8791F712AB98A8453F5B3A0BF91344FA05335ED9C93661EF7EB249C360
    Function 00007FF78E41A740 Relevance: 28.3, APIs: 8, Strings: 8, Instructions: 297memoryCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1302 7ff78e41a740-7ff78e41a7e9 call 7ff78e416670 SysAllocString _setjmp 1305 7ff78e41a930-7ff78e41a937 1302->1305 1306 7ff78e41a7ef-7ff78e41a7f8 1302->1306 1307 7ff78e41a93a-7ff78e41a955 SysFreeString 1305->1307 1308 7ff78e41aa38-7ff78e41aa3f 1306->1308 1309 7ff78e41a7fe-7ff78e41a876 1306->1309 1312 7ff78e41a95b-7ff78e41a96b 1307->1312 1313 7ff78e41aa30-7ff78e41aa35 call 7ff78e416540 1307->1313 1310 7ff78e41aa50-7ff78e41aa67 call 7ff78e422480 1308->1310 1311 7ff78e41aa41-7ff78e41aa49 CoInitialize 1308->1311 1316 7ff78e41a881-7ff78e41a889 1309->1316 1323 7ff78e41abfd-7ff78e41ac08 call 7ff78e420300 1310->1323 1324 7ff78e41aa6d-7ff78e41aa77 1310->1324 1311->1310 1313->1308 1319 7ff78e41a970-7ff78e41aa2e call 7ff78e413f10 memcpy call 7ff78e41a3e0 1316->1319 1320 7ff78e41a88f-7ff78e41a8b7 1316->1320 1319->1313 1321 7ff78e41a8c8-7ff78e41a8df call 7ff78e422480 1320->1321 1322 7ff78e41a8b9-7ff78e41a8c1 CoInitialize 1320->1322 1337 7ff78e41ab70-7ff78e41ab7b call 7ff78e420300 1321->1337 1338 7ff78e41a8e5-7ff78e41a8ef 1321->1338 1322->1321 1339 7ff78e41ac0a 1323->1339 1340 7ff78e41ac0f-7ff78e41ac19 1323->1340 1328 7ff78e41aced-7ff78e41acf8 call 7ff78e420300 1324->1328 1329 7ff78e41aa7d-7ff78e41aad9 call 7ff78e4187d0 SafeArrayCreate 1324->1329 1343 7ff78e41acfa 1328->1343 1344 7ff78e41acff-7ff78e41ad09 1328->1344 1350 7ff78e41aadf 1329->1350 1351 7ff78e41ac42-7ff78e41ac8c call 7ff78e4225f0 call 7ff78e419280 call 7ff78e418fd0 1329->1351 1361 7ff78e41ab7d 1337->1361 1362 7ff78e41ab82-7ff78e41ab8c 1337->1362 1346 7ff78e41abb8-7ff78e41abc3 call 7ff78e420300 1338->1346 1347 7ff78e41a8f5-7ff78e41a92d call 7ff78e4187d0 1338->1347 1339->1340 1348 7ff78e41ac1b-7ff78e41ac2f 1340->1348 1349 7ff78e41ac36 1340->1349 1343->1344 1353 7ff78e41ad0b-7ff78e41ad1f 1344->1353 1354 7ff78e41ad26 1344->1354 1372 7ff78e41abca-7ff78e41abd4 1346->1372 1373 7ff78e41abc5 1346->1373 1347->1307 1348->1349 1356 7ff78e41ac31 call 7ff78e420240 1348->1356 1349->1351 1358 7ff78e41aae0-7ff78e41ab0c SafeArrayPutElement 1350->1358 1383 7ff78e41ac8e 1351->1383 1384 7ff78e41ac93-7ff78e41ac9b 1351->1384 1353->1354 1363 7ff78e41ad21 call 7ff78e420240 1353->1363 1356->1349 1358->1358 1367 7ff78e41ab0e-7ff78e41ab60 1358->1367 1361->1362 1369 7ff78e41aba9 1362->1369 1370 7ff78e41ab8e-7ff78e41aba2 1362->1370 1363->1354 1367->1337 1369->1346 1370->1369 1375 7ff78e41aba4 call 7ff78e420240 1370->1375 1376 7ff78e41abf1 1372->1376 1377 7ff78e41abd6-7ff78e41abea 1372->1377 1373->1372 1375->1369 1376->1323 1377->1376 1378 7ff78e41abec call 7ff78e420240 1377->1378 1378->1376 1383->1384 1385 7ff78e41acb8-7ff78e41ace8 call 7ff78e420420 call 7ff78e415a20 1384->1385 1386 7ff78e41ac9d-7ff78e41acb1 1384->1386 1385->1328 1386->1385 1387 7ff78e41acb3 call 7ff78e420240 1386->1387 1387->1385
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: ArrayByteCharInitializeMultiSafeStringWide$AllocCreateElementFree_setjmpmemcpy
    • String ID: specifi$VariantConversionError$com.nim$ed membe$o invoke$r: $toVariant$unable t
    • API String ID: 4234589578-1707675
    • Opcode ID: 40dd78bd37efff150318ba0ad35e508670c7ec19cf888205b5695cbcda88311e
    • Instruction ID: 71df4d97f6a8e9def57ca63b567ec89d3719d4a979e955175a800e59d174e616
    • Opcode Fuzzy Hash: 40dd78bd37efff150318ba0ad35e508670c7ec19cf888205b5695cbcda88311e
    • Instruction Fuzzy Hash: 52F12C32A09B8781EA20AF95F4443AEF3A4FB84B84FA44135EA8D47755EF7CE444C760
    Function 00007FF78E418C30 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 190libraryloaderCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1392 7ff78e418c30-7ff78e418cb5 _fileno _setmode _fileno _setmode _fileno _setmode SetConsoleOutputCP SetConsoleCP LoadLibraryA 1396 7ff78e418cb7-7ff78e418cbe GetProcAddress 1392->1396 1397 7ff78e418cc4-7ff78e418cd1 1392->1397 1396->1397 1398 7ff78e418cd7-7ff78e418cfb 1397->1398 1399 7ff78e418fb9 call 7ff78e411df0 1397->1399 1398->1399 1401 7ff78e418d01-7ff78e418d1e 1398->1401 1402 7ff78e418fbe-7ff78e418fcf call 7ff78e411e40 1399->1402 1401->1399 1403 7ff78e418d24-7ff78e418d41 1401->1403 1403->1399 1405 7ff78e418d47-7ff78e418d64 1403->1405 1405->1399 1407 7ff78e418d6a-7ff78e418d87 1405->1407 1407->1399 1408 7ff78e418d8d-7ff78e418db1 1407->1408 1408->1402 1409 7ff78e418db7-7ff78e418ddb 1408->1409 1409->1399 1410 7ff78e418de1-7ff78e418dfe 1409->1410 1410->1399 1411 7ff78e418e04-7ff78e418e57 1410->1411 1412 7ff78e418e68-7ff78e418e7f call 7ff78e422480 1411->1412 1413 7ff78e418e59-7ff78e418e61 CoInitialize 1411->1413 1416 7ff78e418f50-7ff78e418f5b call 7ff78e420300 1412->1416 1417 7ff78e418e85-7ff78e418e8f 1412->1417 1413->1412 1424 7ff78e418f5d 1416->1424 1425 7ff78e418f62-7ff78e418f6c 1416->1425 1419 7ff78e418f08-7ff78e418f13 call 7ff78e420300 1417->1419 1420 7ff78e418e91-7ff78e418ec3 call 7ff78e4187d0 1417->1420 1432 7ff78e418f1a-7ff78e418f24 1419->1432 1433 7ff78e418f15 1419->1433 1428 7ff78e418edb-7ff78e418eea 1420->1428 1429 7ff78e418ec5-7ff78e418ed9 1420->1429 1424->1425 1430 7ff78e418f6e-7ff78e418f82 1425->1430 1431 7ff78e418f84 1425->1431 1429->1428 1436 7ff78e418ef0-7ff78e418f04 call 7ff78e420240 1429->1436 1430->1431 1437 7ff78e418f90-7ff78e418f95 call 7ff78e420240 1430->1437 1431->1437 1434 7ff78e418f3c-7ff78e418f43 1432->1434 1435 7ff78e418f26-7ff78e418f3a 1432->1435 1433->1432 1434->1420 1435->1434 1438 7ff78e418fa8-7ff78e418fb4 call 7ff78e420240 1435->1438 1437->1438 1438->1420
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: _fileno_setmode$Console$AddressInitializeLibraryLoadOutputProc
    • String ID: Ws2_32.dll$inet_ntop
    • API String ID: 1755878316-2739477577
    • Opcode ID: 6b7b38b38fdb6f2231155c0515883c19ac27669e06fffbb159bd7b89048bd062
    • Instruction ID: ae7a87e26f65640ece2079322184d3dad90682ca32970feabf52e60368fa149d
    • Opcode Fuzzy Hash: 6b7b38b38fdb6f2231155c0515883c19ac27669e06fffbb159bd7b89048bd062
    • Instruction Fuzzy Hash: 38912472A19B5781EA14AB94E81437CE3A1FB89B44FF44436EA9D433A4DF7CE459C320
    Function 00007FF78E412260 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62memoryCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 2204 7ff78e412260-7ff78e4122a7 call 7ff78e411db0 exit 2209 7ff78e4122a9-7ff78e4122af 2204->2209 2210 7ff78e412300-7ff78e41231c VirtualAlloc 2204->2210 2209->2210 2211 7ff78e4122b1-7ff78e4122fe 2209->2211 2212 7ff78e41231e-7ff78e41235b 2210->2212 2213 7ff78e412360-7ff78e412386 call 7ff78e412260 2210->2213 2212->2211 2217 7ff78e4125d8-7ff78e4125df 2213->2217 2218 7ff78e41238c-7ff78e412399 2213->2218 2219 7ff78e41239f-7ff78e4123aa 2218->2219 2220 7ff78e412450-7ff78e412486 2218->2220 2221 7ff78e4123af-7ff78e4123be 2219->2221 2220->2221 2222 7ff78e4125b8-7ff78e4125c9 VirtualAlloc 2221->2222 2223 7ff78e4123c4-7ff78e4123d5 VirtualAlloc 2221->2223 2224 7ff78e4125cf-7ff78e4125d4 call 7ff78e412260 2222->2224 2225 7ff78e4123e2-7ff78e4123f7 2222->2225 2226 7ff78e4123db 2223->2226 2227 7ff78e4125e4-7ff78e4125fd VirtualAlloc 2223->2227 2224->2217 2229 7ff78e412400-7ff78e412407 2225->2229 2226->2225 2227->2224 2230 7ff78e4125ff 2227->2230 2232 7ff78e41248b-7ff78e4124a1 2229->2232 2233 7ff78e41240d-7ff78e412417 2229->2233 2235 7ff78e4124a4-7ff78e4124cc 2232->2235 2233->2229 2234 7ff78e412419-7ff78e41244a call 7ff78e412290 2233->2234 2234->2235 2236 7ff78e4124d8-7ff78e4124dc 2235->2236 2237 7ff78e4124ce 2235->2237 2240 7ff78e4124de-7ff78e4124fb 2236->2240 2241 7ff78e4124d0-7ff78e4124d6 2236->2241 2239 7ff78e412509-7ff78e412516 2237->2239 2244 7ff78e412518-7ff78e41251d 2239->2244 2245 7ff78e412522-7ff78e41253d 2239->2245 2240->2239 2243 7ff78e4124fd-7ff78e412506 2240->2243 2241->2236 2241->2239 2243->2239 2244->2245 2246 7ff78e41253f 2245->2246 2247 7ff78e412550-7ff78e412554 2245->2247 2248 7ff78e4125a8 2246->2248 2249 7ff78e412548-7ff78e41254e 2247->2249 2250 7ff78e412556-7ff78e41257e 2247->2250 2251 7ff78e4125ac-7ff78e4125b2 2248->2251 2249->2247 2249->2248 2250->2251 2252 7ff78e412580-7ff78e412584 2250->2252 2253 7ff78e412589-7ff78e4125a0 2251->2253 2252->2251 2254 7ff78e412586 2252->2254 2254->2253
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: AllocVirtual$exitfwritestrlen
    • String ID: out of memory
    • API String ID: 4248889879-49810860
    • Opcode ID: 0516ab19841267af8d97caf5014a6074e881b3db8c10cd40e0e435bc0d2a0d95
    • Instruction ID: bbdc45ba930872c8b4d8c6dae6ba02efce478e6a3097a76b41102ad0eaa7d612
    • Opcode Fuzzy Hash: 0516ab19841267af8d97caf5014a6074e881b3db8c10cd40e0e435bc0d2a0d95
    • Instruction Fuzzy Hash: D4216D32B05B8682EB145B69E5483ADA3A0F708BE0FA48235DB6D473D2DF3DE454D314
    Function 00007FFD9B8905E4 Relevance: 5.3, Strings: 4, Instructions: 308COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 2255 7ffd9b8905e4-7ffd9b8905f1 2258 7ffd9b8905f4-7ffd9b8905f6 2255->2258 2259 7ffd9b8905f8-7ffd9b890614 2258->2259 2260 7ffd9b890653-7ffd9b890655 2258->2260 2259->2258 2266 7ffd9b890616 2259->2266 2262 7ffd9b890657-7ffd9b890671 2260->2262 2267 7ffd9b890673-7ffd9b8906b5 2262->2267 2266->2267 2268 7ffd9b890618-7ffd9b890635 2266->2268 2278 7ffd9b8906b7-7ffd9b8906c0 2267->2278 2275 7ffd9b890637 2268->2275 2276 7ffd9b8906b4-7ffd9b8906b5 2268->2276 2275->2260 2276->2278 2279 7ffd9b890651 2278->2279 2280 7ffd9b8906c2-7ffd9b8906d9 2278->2280 2279->2262 2283 7ffd9b890718-7ffd9b89071f 2280->2283 2284 7ffd9b8906db-7ffd9b89071f 2280->2284 2285 7ffd9b890721-7ffd9b890813 2283->2285 2284->2285 2303 7ffd9b890815-7ffd9b890828 2285->2303 2304 7ffd9b89083b-7ffd9b89083d 2285->2304 2307 7ffd9b89082f-7ffd9b89083a 2303->2307 2305 7ffd9b89083f-7ffd9b890861 2304->2305 2310 7ffd9b89082b-7ffd9b89082d 2305->2310 2311 7ffd9b890863-7ffd9b8908a7 2305->2311 2307->2305 2310->2307 2316 7ffd9b8908a9-7ffd9b8908b7 call 7ffd9b8904a8 2311->2316 2318 7ffd9b8908bc-7ffd9b8908d5 2316->2318
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956849577.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ffd9b890000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID: K^]$N_^$N_^$N_^
    • API String ID: 0-1679923151
    • Opcode ID: 981b3109eff993e2ea14ff384ffcae5723bddec8376c34123f6c81e1d1eefc5e
    • Instruction ID: 9eae7f2ba71069c09890e5672e5cb693e5f3d4c326b36657eb601148aac16418
    • Opcode Fuzzy Hash: 981b3109eff993e2ea14ff384ffcae5723bddec8376c34123f6c81e1d1eefc5e
    • Instruction Fuzzy Hash: 64A10553A1F6D55FEB2667A86C790E83FA0EF5175471900FBC0D88B0E7E91865068382
    Function 00007FFD9B8905D7 Relevance: 5.3, Strings: 4, Instructions: 297COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 2320 7ffd9b8905d7-7ffd9b8905d9 2321 7ffd9b890619-7ffd9b890635 2320->2321 2322 7ffd9b8905db-7ffd9b8905df 2320->2322 2325 7ffd9b890637-7ffd9b890655 2321->2325 2326 7ffd9b8906b4-7ffd9b8906b5 2321->2326 2322->2321 2331 7ffd9b890657-7ffd9b8906b5 2325->2331 2327 7ffd9b8906b7-7ffd9b8906c0 2326->2327 2328 7ffd9b890651 2327->2328 2329 7ffd9b8906c2-7ffd9b8906d9 2327->2329 2328->2331 2336 7ffd9b890718-7ffd9b89071f 2329->2336 2337 7ffd9b8906db-7ffd9b89071f 2329->2337 2331->2327 2339 7ffd9b890721-7ffd9b890813 2336->2339 2337->2339 2361 7ffd9b890815-7ffd9b890828 2339->2361 2362 7ffd9b89083b-7ffd9b89083d 2339->2362 2365 7ffd9b89082f-7ffd9b89083a 2361->2365 2363 7ffd9b89083f-7ffd9b890861 2362->2363 2368 7ffd9b89082b-7ffd9b89082d 2363->2368 2369 7ffd9b890863-7ffd9b8908a7 2363->2369 2365->2363 2368->2365 2374 7ffd9b8908a9-7ffd9b8908b7 call 7ffd9b8904a8 2369->2374 2376 7ffd9b8908bc-7ffd9b8908d5 2374->2376
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956849577.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ffd9b890000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID: K^]$N_^$N_^$N_^
    • API String ID: 0-1679923151
    • Opcode ID: 0d71c3bba0a7ce75b40000f5fbd3640c19668965e86863348e09a27d10381d85
    • Instruction ID: 3b558e81b22d6d223ab8d593bebc32a28ead80bd3009202853d9967996847c5b
    • Opcode Fuzzy Hash: 0d71c3bba0a7ce75b40000f5fbd3640c19668965e86863348e09a27d10381d85
    • Instruction Fuzzy Hash: 77914763B1F6D55FE72667A86C790E83F90EF5175470900FBD1E88B0E3ED18650A8382
    Function 00007FFD9B89064D Relevance: 5.3, Strings: 4, Instructions: 271COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 2378 7ffd9b89064d-7ffd9b89065f 2379 7ffd9b890661-7ffd9b8906c0 2378->2379 2387 7ffd9b890651-7ffd9b89065c 2379->2387 2388 7ffd9b8906c2-7ffd9b8906d9 2379->2388 2387->2379 2392 7ffd9b890718-7ffd9b89071f 2388->2392 2393 7ffd9b8906db-7ffd9b89071f 2388->2393 2394 7ffd9b890721-7ffd9b890813 2392->2394 2393->2394 2412 7ffd9b890815-7ffd9b890828 2394->2412 2413 7ffd9b89083b-7ffd9b89083d 2394->2413 2416 7ffd9b89082f-7ffd9b89083a 2412->2416 2414 7ffd9b89083f-7ffd9b890861 2413->2414 2419 7ffd9b89082b-7ffd9b89082d 2414->2419 2420 7ffd9b890863-7ffd9b8908b7 call 7ffd9b8904a8 2414->2420 2416->2414 2419->2416 2427 7ffd9b8908bc-7ffd9b8908d5 2420->2427
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956849577.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ffd9b890000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID: K^]$N_^$N_^$N_^
    • API String ID: 0-1679923151
    • Opcode ID: 7b07f58f80d32fab2ae5140cc2eaaabbb37baa8960157d4cc9f55ae53732ba30
    • Instruction ID: 804ba4e728aa4b96e47c1c21fb0f0f491c3f864c6e800daeea1ea9c7eca4aa57
    • Opcode Fuzzy Hash: 7b07f58f80d32fab2ae5140cc2eaaabbb37baa8960157d4cc9f55ae53732ba30
    • Instruction Fuzzy Hash: BB813663B1F6D55FE72767A86C790E97FA0EF4175470900FBD0E88B0A3ED18650A8382
    Function 00007FF78E412290 Relevance: 3.9, APIs: 3, Instructions: 153memoryCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 2440 7ff78e412290-7ff78e4122a7 2441 7ff78e4122a9-7ff78e4122af 2440->2441 2442 7ff78e412300-7ff78e41231c VirtualAlloc 2440->2442 2441->2442 2443 7ff78e4122b1-7ff78e4122fe 2441->2443 2444 7ff78e41231e-7ff78e41235b 2442->2444 2445 7ff78e412360-7ff78e412386 call 7ff78e412260 2442->2445 2444->2443 2449 7ff78e4125d8-7ff78e4125df 2445->2449 2450 7ff78e41238c-7ff78e412399 2445->2450 2451 7ff78e41239f-7ff78e4123aa 2450->2451 2452 7ff78e412450-7ff78e412486 2450->2452 2453 7ff78e4123af-7ff78e4123be 2451->2453 2452->2453 2454 7ff78e4125b8-7ff78e4125c9 VirtualAlloc 2453->2454 2455 7ff78e4123c4-7ff78e4123d5 VirtualAlloc 2453->2455 2456 7ff78e4125cf-7ff78e4125d4 call 7ff78e412260 2454->2456 2457 7ff78e4123e2-7ff78e4123f7 2454->2457 2458 7ff78e4123db 2455->2458 2459 7ff78e4125e4-7ff78e4125fd VirtualAlloc 2455->2459 2456->2449 2461 7ff78e412400-7ff78e412407 2457->2461 2458->2457 2459->2456 2462 7ff78e4125ff 2459->2462 2464 7ff78e41248b-7ff78e4124a1 2461->2464 2465 7ff78e41240d-7ff78e412417 2461->2465 2467 7ff78e4124a4-7ff78e4124cc 2464->2467 2465->2461 2466 7ff78e412419-7ff78e41244a call 7ff78e412290 2465->2466 2466->2467 2468 7ff78e4124d8-7ff78e4124dc 2467->2468 2469 7ff78e4124ce 2467->2469 2472 7ff78e4124de-7ff78e4124fb 2468->2472 2473 7ff78e4124d0-7ff78e4124d6 2468->2473 2471 7ff78e412509-7ff78e412516 2469->2471 2476 7ff78e412518-7ff78e41251d 2471->2476 2477 7ff78e412522-7ff78e41253d 2471->2477 2472->2471 2475 7ff78e4124fd-7ff78e412506 2472->2475 2473->2468 2473->2471 2475->2471 2476->2477 2478 7ff78e41253f 2477->2478 2479 7ff78e412550-7ff78e412554 2477->2479 2480 7ff78e4125a8 2478->2480 2481 7ff78e412548-7ff78e41254e 2479->2481 2482 7ff78e412556-7ff78e41257e 2479->2482 2483 7ff78e4125ac-7ff78e4125b2 2480->2483 2481->2479 2481->2480 2482->2483 2484 7ff78e412580-7ff78e412584 2482->2484 2485 7ff78e412589-7ff78e4125a0 2483->2485 2484->2483 2486 7ff78e412586 2484->2486 2486->2485
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 727153abf217048879292d18050c8b28e4688193c53aaa6d340e0ed37de13772
    • Instruction ID: efa2f8cbad1ef8a1aadcc15285b09cb84732419566e7467ee8e6e0c179a3d496
    • Opcode Fuzzy Hash: 727153abf217048879292d18050c8b28e4688193c53aaa6d340e0ed37de13772
    • Instruction Fuzzy Hash: E4517F32705B8681EF149B6AE4583ADA6A1FB48BC4FA48135EE4D4B3C5EF3CE085D314
    Function 00007FF78E41BB80 Relevance: 3.9, APIs: 3, Instructions: 143COMMON
    Download Yara Rule

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: memcpy$memset
    • String ID:
    • API String ID: 438689982-0
    • Opcode ID: 47af80f8d585bb8eaf351b5b245895dcb42a4c0a20f3c9c2433354ba6dfa0c1d
    • Instruction ID: b2eaa3a46cf2ffbd5d0a4b7cb65518a272ce3143f2e7e83a72c2d02a6359c7bc
    • Opcode Fuzzy Hash: 47af80f8d585bb8eaf351b5b245895dcb42a4c0a20f3c9c2433354ba6dfa0c1d
    • Instruction Fuzzy Hash: B5517E72609B86D1EE10EF85E4403ADB7A4FB84B84FA58536EA8C47795EF3CD508C350
    Function 00007FF78E412370 Relevance: 2.6, APIs: 2, Instructions: 149memoryCOMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: a86c5dc9920d05f400155eb031ff4e8cb55972a930c6a7583547e339d0d6e71f
    • Instruction ID: cec50de362983cd66bea837deba0187e2400aa18f861d0fc8251ebbc48e55adb
    • Opcode Fuzzy Hash: a86c5dc9920d05f400155eb031ff4e8cb55972a930c6a7583547e339d0d6e71f
    • Instruction Fuzzy Hash: FB515D72706B8681EE15AB56D8583AD63A1FB54FC4FA88536EE0D4B388FF38E041D314
    Function 00007FFD9B891AC8 Relevance: 2.6, Strings: 2, Instructions: 92COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956849577.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ffd9b890000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID: N_H$,N_
    • API String ID: 0-1881918159
    • Opcode ID: 55f521dc49053408206c1555f62a9709207f1b72bd3aa2ac80349650e189e6d0
    • Instruction ID: 08a734bc073b4db8baabf071b8e2483fde53c925097546787def53e3d1e1b99f
    • Opcode Fuzzy Hash: 55f521dc49053408206c1555f62a9709207f1b72bd3aa2ac80349650e189e6d0
    • Instruction Fuzzy Hash: 4A21D762F2EF494BDB6CA7785465575B6D1EFA834074441BAE05BC31EBFC28E9024341
    Function 00007FF78E41ADB0 Relevance: 1.6, APIs: 1, Instructions: 129COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: _setjmp
    • String ID:
    • API String ID: 3051281561-0
    • Opcode ID: 11c62ada9a8221c4bbbbc44d46ea302a526bbffaa33909e8a56b8878bd430247
    • Instruction ID: c44a39f091776f29f5396179b411dab1fbf5f76f6b04100c0d2c7fd1c34942cf
    • Opcode Fuzzy Hash: 11c62ada9a8221c4bbbbc44d46ea302a526bbffaa33909e8a56b8878bd430247
    • Instruction Fuzzy Hash: 81711C36609B86C5EB61EB55E4403AEB7A0FB88B84FA04136EA8D43768DF7DD444CB50
    Function 00007FF78E41DDD0 Relevance: 1.6, APIs: 1, Instructions: 90COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: ClearVariant
    • String ID:
    • API String ID: 1473721057-0
    • Opcode ID: 6591676397270a4e3217357eda89af4b9744021b9baa0fe6884c5ea28a42c5a8
    • Instruction ID: a1ce1fc66c5e92602c1a67a97e589ce9d15867b426e29f1eeef5797d8fb3f65e
    • Opcode Fuzzy Hash: 6591676397270a4e3217357eda89af4b9744021b9baa0fe6884c5ea28a42c5a8
    • Instruction Fuzzy Hash: E4318CA3B04B5681EF18AF5AC48866D6765FB54B99FA64132EE2C033D0DF39D881C350
    Function 00007FF78E41E630 Relevance: 1.6, APIs: 1, Instructions: 87COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: _setjmp
    • String ID:
    • API String ID: 3051281561-0
    • Opcode ID: 0985e1f2feb46b6cf15dadd3a91707ceedb4e0726fb7f37f1a927fe6a31959d7
    • Instruction ID: 770d48b6ca13092f6c6b30002ff2e5e7bf6071e25327d33bc332ee60c6106759
    • Opcode Fuzzy Hash: 0985e1f2feb46b6cf15dadd3a91707ceedb4e0726fb7f37f1a927fe6a31959d7
    • Instruction Fuzzy Hash: 3F41E07A609F8780EB65AB55E0543AEB3A1FB84B84FA08036EE9D47754DF3CD045C750
    Function 00007FFD9B8905A5 Relevance: 1.5, Strings: 1, Instructions: 284COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956849577.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ffd9b890000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID: Z
    • API String ID: 0-1505515367
    • Opcode ID: d7fb815c03b26ab561ef70f1b47ff6446063583d243e95421a91a2cb188588d1
    • Instruction ID: 3d1d50c73bf31908616d2a3df448022f816ea274751ea23e93d379c28f2131dc
    • Opcode Fuzzy Hash: d7fb815c03b26ab561ef70f1b47ff6446063583d243e95421a91a2cb188588d1
    • Instruction Fuzzy Hash: A0711A61B1E9491FE76867BC286A6B97BC1DF89720B1942FEE44DC32DBDC1C6C024281
    Function 00007FFD9B8908D9 Relevance: 1.4, Strings: 1, Instructions: 199COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956849577.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ffd9b890000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID: 5N_H
    • API String ID: 0-3650223996
    • Opcode ID: 24fc7132ebc8583fabe3854f3f904bcd1fc99e5d30954e5d455ef76c8482345f
    • Instruction ID: 552ec588c404c3f9729f6dcc53ed706ae86664d06d1d3970f46f88c097205a74
    • Opcode Fuzzy Hash: 24fc7132ebc8583fabe3854f3f904bcd1fc99e5d30954e5d455ef76c8482345f
    • Instruction Fuzzy Hash: 2751C571B19E4D4FDF98EF6888A4AA977E1FF6830070505BAD41DC7296DE34EC028740
    Function 00007FF78E412EA0 Relevance: 1.4, APIs: 1, Instructions: 161memoryCOMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: f2edbc15cdf84d54289b1ee0bea3483cdf8f1befdda1efe5bcdab0cd9a36917b
    • Instruction ID: 841d8a4e56efba2a20908af527caa53683d1a7d78ea7bae205ba7dc56b416f6b
    • Opcode Fuzzy Hash: f2edbc15cdf84d54289b1ee0bea3483cdf8f1befdda1efe5bcdab0cd9a36917b
    • Instruction Fuzzy Hash: 6761DF62A05B8290EE15AF59D4043ADA3A0FF04B84FB88239EE5D47794EF38E5D0D320
    Function 00007FF78E416370 Relevance: 1.4, APIs: 1, Instructions: 103COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: memcpy
    • String ID:
    • API String ID: 3510742995-0
    • Opcode ID: 233dc74edd6d16f76b361879b0056e042be489a83ed074eb344440320959ce30
    • Instruction ID: 25ca94b73cc140557d0e13f2d3156785a2c6574e5c5fb57972430ae4b21a12c7
    • Opcode Fuzzy Hash: 233dc74edd6d16f76b361879b0056e042be489a83ed074eb344440320959ce30
    • Instruction Fuzzy Hash: 75414EB6604F4690EE00EF96D5402BCB365FB48B94FE04672EA2D83791DF38E495C360
    Function 00007FF78E413F10 Relevance: 1.3, APIs: 1, Instructions: 91COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: memset
    • String ID:
    • API String ID: 2221118986-0
    • Opcode ID: 8b02143593e92ac2916d54e6260cb3ac124fb366926f2417c8424ac6dc95cb66
    • Instruction ID: 5ce4dc47f646ee33e25e52102a50ab4fc41f0187592ab00e67a9974fab4ef264
    • Opcode Fuzzy Hash: 8b02143593e92ac2916d54e6260cb3ac124fb366926f2417c8424ac6dc95cb66
    • Instruction Fuzzy Hash: B5410DA6A08B87A0EA10EF95D4502BCB374F748BA4FE54277EA2D43790DF38D495C360
    Function 00007FFD9B890508 Relevance: 1.3, Strings: 1, Instructions: 69COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956849577.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ffd9b890000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID: N_H
    • API String ID: 0-1668069477
    • Opcode ID: 83217b59779640013bd42a6f5a5d3f3a8dc5a5467019e38d199077c3d10989f5
    • Instruction ID: 79fe78468e4a6309136e1ad97b5877300e89996629cd428c38e74ceb497afc1d
    • Opcode Fuzzy Hash: 83217b59779640013bd42a6f5a5d3f3a8dc5a5467019e38d199077c3d10989f5
    • Instruction Fuzzy Hash: D6119831F29E094BDB6CB77454659B6B2D1EF68344B4044B9D01FC31DAFC39E4424341
    Function 00007FFD9B89454D Relevance: 1.3, Strings: 1, Instructions: 42COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956849577.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ffd9b890000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID: #@
    • API String ID: 0-742695533
    • Opcode ID: 25a251a0bb0606a923219f2a18edb3393cd47a0ebdc5ba3b9e9a2ccdb8e79f44
    • Instruction ID: 10c56cb25f84646c407bde072f5bc52f0acfae2cef191ec8be733126115ea2ad
    • Opcode Fuzzy Hash: 25a251a0bb0606a923219f2a18edb3393cd47a0ebdc5ba3b9e9a2ccdb8e79f44
    • Instruction Fuzzy Hash: 58F0597180E28C6FDF21DBB848164E97FB0FF05310B0442DBE418D7062D528A6458742
    Function 00007FFD9B8905D0 Relevance: 1.3, Strings: 1, Instructions: 25COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956849577.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ffd9b890000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID: #@
    • API String ID: 0-742695533
    • Opcode ID: a72add07acd7c17cbb4b15244cca5a697043826b81d75447ae7c9d11cec6a295
    • Instruction ID: ff2f79abf4fd4e28af4ae2a751007fc0e4a12497175ea8fa29af8ae3955db757
    • Opcode Fuzzy Hash: a72add07acd7c17cbb4b15244cca5a697043826b81d75447ae7c9d11cec6a295
    • Instruction Fuzzy Hash: D8E0DF3081AA4C6FDF51EBB488054EEBFA4FF04204F0045AAE42DE3011D638A6448B42
    Function 00007FFD9B891378 Relevance: .9, Instructions: 870COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000002.00000002.2956849577.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ffd9b890000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4c3c3cb499cfe8f098a9155befefa5856a92ae4b4e0f3e3b69fc6433ec0d348f
    • Instruction ID: 8f8a74470568e2413350fe160440462710bec8f3695f9d9d3e18ea527cf5528b
    • Opcode Fuzzy Hash: 4c3c3cb499cfe8f098a9155befefa5856a92ae4b4e0f3e3b69fc6433ec0d348f
    • Instruction Fuzzy Hash: 1E42D331B1DA4E4FEB6CDF9894656B97BE1FF98300B11017AD44EC32A6DE24F9428781
    Function 00007FFD9B894172 Relevance: .3, Instructions: 342COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000002.00000002.2956849577.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ffd9b890000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 69a48e89cbad6328bad03512f330dceb84ad35845881e8191c7862e36bbc1e2e
    • Instruction ID: d6e56265fce78d5924087e706eb4a085635ea256bf5ae40bc5a0b7b1562df00b
    • Opcode Fuzzy Hash: 69a48e89cbad6328bad03512f330dceb84ad35845881e8191c7862e36bbc1e2e
    • Instruction Fuzzy Hash: A8813961B1EA891FF769A7BC1C665B97BC1DF89620B1941FEE449C31DBDC1C6C028382
    Function 00007FFD9B894E90 Relevance: .3, Instructions: 298COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000002.00000002.2956849577.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ffd9b890000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 6956c2f9412f0c4701d465acc6e5b75caa7ee3d90233fd619f548f6ee04a03af
    • Instruction ID: 6c70c06da27c7faf48d395edfc219e8f6fe7c22e72288f1ef3c3bee9a5e6f0b8
    • Opcode Fuzzy Hash: 6956c2f9412f0c4701d465acc6e5b75caa7ee3d90233fd619f548f6ee04a03af
    • Instruction Fuzzy Hash: B6A10630A09A8D4FEB95EF78C425AE97BE0FF59314B0404FDD45ACB2E2DA28AC05C740
    Function 00007FFD9B891E9D Relevance: .3, Instructions: 251COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000002.00000002.2956849577.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ffd9b890000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b63bdd4684716adda0d4666eca53dfe767f879abf669c217249c8de8377f3227
    • Instruction ID: cc21229fde784b59ae6f4bab0fc06f09c73f1c751f0a1e93651f4a2ceee9ddaa
    • Opcode Fuzzy Hash: b63bdd4684716adda0d4666eca53dfe767f879abf669c217249c8de8377f3227
    • Instruction Fuzzy Hash: FE61E863F0F7DA1FE762AB695C754943FA0EF5722470A02FBC488CB0A3ED1959068355
    Function 00007FFD9B894AF2 Relevance: .1, Instructions: 122COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000002.00000002.2956849577.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ffd9b890000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 6af3d45b565703bd174622b68af37553fa045373f62d555b2e358f1b136e87ae
    • Instruction ID: 35b97e2db146a73c9db30def31150b85938efc2ffebb5c26720ec66e590d0805
    • Opcode Fuzzy Hash: 6af3d45b565703bd174622b68af37553fa045373f62d555b2e358f1b136e87ae
    • Instruction Fuzzy Hash: 1F213717B1B52E0BE635B3ADB8B15E8BF80DFC6133B1503BBC204D7092DC4A144B82A4
    Function 00007FFD9B894626 Relevance: .1, Instructions: 117COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000002.00000002.2956849577.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ffd9b890000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e00ade8d36df4b2f3375ae0536e5c02078f3a7e30a93f190510ef5220aa3133a
    • Instruction ID: c866bf7fc77c8ce3fcd94812cb2fce61a1522460d0cc16cd81e3fbe2f604ff77
    • Opcode Fuzzy Hash: e00ade8d36df4b2f3375ae0536e5c02078f3a7e30a93f190510ef5220aa3133a
    • Instruction Fuzzy Hash: FD31C561B0994D4FEFA5FBB884296FD7BE1EF49355B0504FAE44DC71A3DE2899008381
    Function 00007FFD9B892265 Relevance: .1, Instructions: 105COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000002.00000002.2956849577.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ffd9b890000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f18a85f92760fdafb6359c4a5b481245b96f57fbbe29f56064e337e75096cc1d
    • Instruction ID: 47d6d9ef4c0411e5ef9e923cc64b7c13731e372f797217790a9ba026a631261c
    • Opcode Fuzzy Hash: f18a85f92760fdafb6359c4a5b481245b96f57fbbe29f56064e337e75096cc1d
    • Instruction Fuzzy Hash: EE313A21B0EB890FEB599BB844655797FD1EF99290B4900BEE08EC72E7DD1C99438341
    Function 00007FFD9B894BD5 Relevance: .1, Instructions: 62COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000002.00000002.2956849577.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ffd9b890000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 309246325ea9c84349279e8c7939cbcb8e509be269fe13b77132d1e05832d358
    • Instruction ID: e7ea728f68f845b79b440765cda1864de5c772ca479cb20b937444bdabcd4489
    • Opcode Fuzzy Hash: 309246325ea9c84349279e8c7939cbcb8e509be269fe13b77132d1e05832d358
    • Instruction Fuzzy Hash: 57010851B1F64A4BEB7567A408766B93F809F4A221F4A41FDC409CB2E3DC0D29478256
    Function 00007FFD9B891101 Relevance: .1, Instructions: 59COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000002.00000002.2956849577.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ffd9b890000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c34249108ab9ea9fbfb1650259b00dd903c824235d8568c777178d04a71700a1
    • Instruction ID: e555721dc022a1f17f48529a3a9bf6b6faf7cd9276b8ced5487498b6bc7e56d2
    • Opcode Fuzzy Hash: c34249108ab9ea9fbfb1650259b00dd903c824235d8568c777178d04a71700a1
    • Instruction Fuzzy Hash: AF112B2194E6CD1FDB4297A08C689E9BFE0DF8B200F0901F7E088C71A3DC6C59468351
    Function 00007FFD9B890A90 Relevance: .0, Instructions: 39COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000002.00000002.2956849577.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ffd9b890000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 897a7ed43c93749b57a7e4e4b6771efb9712d40ca6baa9f350a1a15adce850fe
    • Instruction ID: a0d1c4d650b3dc6206452c231b46926c73d3fe87d79bbb92d0e81d5e9496ae3e
    • Opcode Fuzzy Hash: 897a7ed43c93749b57a7e4e4b6771efb9712d40ca6baa9f350a1a15adce850fe
    • Instruction Fuzzy Hash: 25F09035B15A0E8FDBA8DF68C491AB673D2FF98308B620478D01DC3195CE35E8428780
    Function 00007FFD9B8910BB Relevance: .0, Instructions: 29COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000002.00000002.2956849577.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ffd9b890000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 6d1faff235b80f88e12d398f7a0030b229419da520a85662d5e118f6ec50f4c0
    • Instruction ID: 3a7b295cc054285c9cac71ccdade7b0de4ecebcf50f24ca6365f7238301f60a1
    • Opcode Fuzzy Hash: 6d1faff235b80f88e12d398f7a0030b229419da520a85662d5e118f6ec50f4c0
    • Instruction Fuzzy Hash: D8F0ED3061160C8FD748EF68C844A9537A0FF09308F5000AAE80CC7392DA3AE9E1CB81
    Function 00007FFD9B894710 Relevance: .0, Instructions: 28COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000002.00000002.2956849577.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ffd9b890000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b65be6e4c9ad10a2b7cc1c74d958da3caa69f7c0a7cafbf2e4337f4d75a14743
    • Instruction ID: 87f4dbd7f201d646158bf5edf37d6d4006da01e568c93a52dc8ff6ee93b21881
    • Opcode Fuzzy Hash: b65be6e4c9ad10a2b7cc1c74d958da3caa69f7c0a7cafbf2e4337f4d75a14743
    • Instruction Fuzzy Hash: 44E0263195EA5D9BCF64AB98BC102E57BA5FF4D308F05056EE05CC31A1E7365A90C741
    Function 00007FFD9B895160 Relevance: .0, Instructions: 9COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000002.00000002.2956849577.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ffd9b890000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 95c6bbff73cb9be06479fc33827f9d00d78ccf679ef85903d7d62c5a9129f58e
    • Instruction ID: e039d595f7baaba64c953c70fc194d8b398e427f181d78e1058c186771f07b17
    • Opcode Fuzzy Hash: 95c6bbff73cb9be06479fc33827f9d00d78ccf679ef85903d7d62c5a9129f58e
    • Instruction Fuzzy Hash: DDB01204E5680A01C90C31B60C9206830919B89004FC404209818C01CDE84D18944342
    Function 00007FFD9B894C50 Relevance: .0, Instructions: 8COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000002.00000002.2956849577.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ffd9b890000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d2dfd365486cc3850c98de051ec8f31c9fc1fb72c22ff7c69fd3432053135f94
    • Instruction ID: 84dddcbb82b4e708f684993eef82a79956ccc3942a655eafa85bb13305133723
    • Opcode Fuzzy Hash: d2dfd365486cc3850c98de051ec8f31c9fc1fb72c22ff7c69fd3432053135f94
    • Instruction Fuzzy Hash: 62B01211C2903912EB047BC8BD534F833508B843D1B420469EC098D193D81D53E251A5

    Non-executed Functions

    Function 00007FF78E4199F0 Relevance: 31.9, APIs: 10, Strings: 8, Instructions: 373COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: String$CopyFreeInitializeVariant_setjmp
    • String ID: hander:$VariantConversionError$com.nim$d except$de event$ion insi$newVariant$uncatche
    • API String ID: 1008739868-602244300
    • Opcode ID: 11ce26baa4aa0d701453141a9494270b61a522db57f4edc48ce201d80866295f
    • Instruction ID: 2ba8fb2addd619392d8cffb5ec1eeca72bfb0cd129fed75f66ac4dfbc90f260f
    • Opcode Fuzzy Hash: 11ce26baa4aa0d701453141a9494270b61a522db57f4edc48ce201d80866295f
    • Instruction Fuzzy Hash: E8025B72A09B4781EE10AF95E4443BEB7A0FB84B84FA44436EA4D477A5EF3CE544C360
    Function 00007FF78E4183F0 Relevance: 31.7, APIs: 3, Strings: 15, Instructions: 224COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: CommandLine
    • String ID: contain$ not in $ not in $ not in $0 ..$0 ..$IndexDefect$er is em$inde$index ou$nds, the$os.nim$paramStr$pty$t of bou
    • API String ID: 3253501508-475797482
    • Opcode ID: ae8af6ebdb65100db110cd49cbf6243cfd4987e597e8c8f6b34ff7532a8fb47d
    • Instruction ID: a6bcfb1466f2dab1c76cb7ffc9b2556ec278cf85d7f1c6f7d6a478a0d9093e82
    • Opcode Fuzzy Hash: ae8af6ebdb65100db110cd49cbf6243cfd4987e597e8c8f6b34ff7532a8fb47d
    • Instruction Fuzzy Hash: 98A19832A09B4381EB10AF95E54436DB7A4FF48B84FA58036EA5D07395EF3CE555C3A0
    Function 00007FF78E415110 Relevance: 27.5, APIs: 8, Strings: 10, Instructions: 466stringCOMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: memcpystrlen
    • String ID: excepti$Error: u$ReraiseDefect$[[rerais$]]$ed from:$fatal.nim$nhandled$on: $sysFatal
    • API String ID: 3412268980-331123295
    • Opcode ID: 8f4dde3022c81423b768480ceda97c10880ad535dc9c362d3ef7fb7deb79978a
    • Instruction ID: 3d92837f47a596a548beb0c9ec962529e091b0e91b485dec1d6c9230f5e06b1f
    • Opcode Fuzzy Hash: 8f4dde3022c81423b768480ceda97c10880ad535dc9c362d3ef7fb7deb79978a
    • Instruction Fuzzy Hash: C622BA72A08B8381EE10AB85E4047AEA7A5FB45B94FF48136EE5C07795EF3CE444C760
    Function 00007FF78E419280 Relevance: 16.7, APIs: 3, Strings: 8, Instructions: 193COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: memcpy
    • String ID: H$VED|$VT_ARRAY$VT_ARRAY$VT_ARRAY$VT_BYREF$VT_RESER$VT_VECTO
    • API String ID: 3510742995-1705348919
    • Opcode ID: 337739e223be188f628012b87c5b85072a9b5b8a4ef4e15056e466ec34cbc926
    • Instruction ID: 0394d53ea68b9e01ecad5f1f473c053b6488cee964b29edc2f0c097a8636dee7
    • Opcode Fuzzy Hash: 337739e223be188f628012b87c5b85072a9b5b8a4ef4e15056e466ec34cbc926
    • Instruction Fuzzy Hash: FC816972A08B4685EA10AB55E4443ADA3A4FB54BC4FE98536EF4D073A1EF7CE444C360
    Function 00007FF78E422790 Relevance: 16.7, APIs: 2, Strings: 9, Instructions: 167COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: memcpy
    • String ID: CLRError$ValueError$annot pa$format s$invalid $parseStandardFormatSpecifier$rse:$strformat.nim$tring, c
    • API String ID: 3510742995-153200016
    • Opcode ID: 216522f65f7b7ecf525798e0b75d0ca7fecc0448bf14dbf4ae37d6973f2ee7d0
    • Instruction ID: 6efe1864fa7a6a074c78c5a4dc3df341d8e96e85da45b4b7a1325c97eea4e09a
    • Opcode Fuzzy Hash: 216522f65f7b7ecf525798e0b75d0ca7fecc0448bf14dbf4ae37d6973f2ee7d0
    • Instruction Fuzzy Hash: 33716C72B09B4381EB10EF95E9443ADA3A0FB45B94FA48536EA9C0B785EF7CD154C360
    Function 00007FF78E41D1F0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 187COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: _setjmpmemcpy
    • String ID: ValueError$gfffffff$integer:$invalid $parseInt$strutils.nim
    • API String ID: 2721286225-831327929
    • Opcode ID: d42cb93ac16e04f855ba17adc5a1d2855ebe73bfd532347f31365ef0ddec713f
    • Instruction ID: 08f521a08165ef2b064f48470d39177bad80b911264dc3b604861a0a7a823591
    • Opcode Fuzzy Hash: d42cb93ac16e04f855ba17adc5a1d2855ebe73bfd532347f31365ef0ddec713f
    • Instruction Fuzzy Hash: 2D919072A09B5B81EE20AB85E4443ADB3A0FB44B94FE44232EA5D473D5DF7DE544C350
    Function 00007FF78E416150 Relevance: 14.0, APIs: 2, Strings: 6, Instructions: 28stringCOMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: exitstrlen
    • String ID: SIGABRT: Abnormal termination.$SIGFPE: Arithmetic error.$SIGILL: Illegal operation.$SIGINT: Interrupted by Ctrl-C.$SIGSEGV: Illegal storage access. (Attempt to read from nil?)$unknown signal
    • API String ID: 4213389737-3987738871
    • Opcode ID: e106d0bf56c6f6c14220b101e35efae5d1955080e8f0331f6d695c16fe7ff00b
    • Instruction ID: 4b9aa30f1e36849e5996802262eda8b97dd365016906507905818b389e652d7b
    • Opcode Fuzzy Hash: e106d0bf56c6f6c14220b101e35efae5d1955080e8f0331f6d695c16fe7ff00b
    • Instruction Fuzzy Hash: 11F0F920A0844350FE29B7D068559BCA251BF42385FF90539F52D57A63CF7CB445C230
    Function 00007FF78E418FD0 Relevance: 13.6, APIs: 2, Strings: 7, Instructions: 142COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: memcpy
    • String ID: to $convert $convert $convert $convert $convert $from
    • API String ID: 3510742995-1950068461
    • Opcode ID: fd36f46ad0ae37d4b4bddbbc41cb48c1798a24c9597a1145c937eb4c79994910
    • Instruction ID: 8ab5dbf57a82094de69ebebef4bb8f08efef6b9029e97869554b571a40b32302
    • Opcode Fuzzy Hash: fd36f46ad0ae37d4b4bddbbc41cb48c1798a24c9597a1145c937eb4c79994910
    • Instruction Fuzzy Hash: 5C617D72A05B4781EF05EF81D44839DBBA1FB58B84FA9803AEA0D47395EF78D941C391
    Function 00007FF78E4116F0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 40libraryloaderCOMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: b2bd19885756fac5e715177d44c2c246ee0f40da9efa5fc0257f11007989734f
    • Instruction ID: b573451d84250467d8f14ca29960e22e9338769570c2261941bd53c03e20ccf6
    • Opcode Fuzzy Hash: b2bd19885756fac5e715177d44c2c246ee0f40da9efa5fc0257f11007989734f
    • Instruction Fuzzy Hash: 3101F324B0AA0791EE11BB91BC505B9A364BF48788FE80932FC5E03324EF3CA505C320
    Function 00007FF78E414F70 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 69COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: exitlongjmp
    • String ID: 5$ReraiseDefect$fatal.nim$sysFatal
    • API String ID: 2266059207-1761478562
    • Opcode ID: 6dba0bab8b8842a3087f969b2d79c435c3b861759359c708d2e6c07f5b605d46
    • Instruction ID: cb4d428d96a436475439c00ea4b68c60cdd1248caf4e57951c0ad014fc7c906c
    • Opcode Fuzzy Hash: 6dba0bab8b8842a3087f969b2d79c435c3b861759359c708d2e6c07f5b605d46
    • Instruction Fuzzy Hash: F9310565A08A0791EE00BB94E4486BEA3A4FB44B84FF40436EA1C47392EF3CE544C3A0
    Function 00007FF78E41E170 Relevance: 9.3, APIs: 2, Strings: 4, Instructions: 257stringCOMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: strlen
    • String ID: JDF7$MZ$HYk$HYk
    • API String ID: 39653677-2708922670
    • Opcode ID: 94c6417f10c9750efabe6c0aa8dad0cc91598c17a4138bae4fbfefadc9b2a79d
    • Instruction ID: c731aec84acf981aa83f151ac0d20596c72dcd71dbcb269af49889b7d77a5e47
    • Opcode Fuzzy Hash: 94c6417f10c9750efabe6c0aa8dad0cc91598c17a4138bae4fbfefadc9b2a79d
    • Instruction Fuzzy Hash: B9C1CF25B0958792EA20BF95D4502BEA3A1FF84788FF08135FA8D07A99DF3CE545C760
    Function 00007FF78E41B080 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 191COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: CopyInitializeVariant
    • String ID: VariantConversionError$com.nim$toVariant
    • API String ID: 633353902-3035603046
    • Opcode ID: 6476d55cf4dd1f5fe45e3bf9ef567c15420c12c968b5b0298e89105b166aa263
    • Instruction ID: 2bf82175c42c7c5240fa460812525899e012ac1bafa74a8f2cd5b3a4358a7d50
    • Opcode Fuzzy Hash: 6476d55cf4dd1f5fe45e3bf9ef567c15420c12c968b5b0298e89105b166aa263
    • Instruction Fuzzy Hash: 50911632A19A4781EA10AB95E8543BEA3A4FF85784FF4443AFA4D47795DF7CE008C360
    Function 00007FF78E426F20 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID:
    • String ID: CCG
    • API String ID: 0-1584390748
    • Opcode ID: 08d7eed76709450e368a73cb412f1c952c93ae8a5c57bb94bda8ef868f485690
    • Instruction ID: 38c8a0991f51f51b664e4f85ef93a6339d21c67a61a4bd59c2c2e163e9e67f6e
    • Opcode Fuzzy Hash: 08d7eed76709450e368a73cb412f1c952c93ae8a5c57bb94bda8ef868f485690
    • Instruction Fuzzy Hash: FF415471A086178AF720ABA4C8483BC6261BF45358FB04A35EE2D877E5CF3CE541D320
    Function 00007FF78E411E40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117fileCOMMON
    Download Yara Rule
    APIs
    Strings
    • [GC] cannot register global variable; too many global variables, xrefs: 00007FF78E411E5C
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: exitfflushfwrite
    • String ID: [GC] cannot register global variable; too many global variables
    • API String ID: 3476253079-2146260042
    • Opcode ID: b7571dad61ca20dee86a2af1c9d979772e7033c268770b4022c9546089bfcbf8
    • Instruction ID: 774ebc558379c4c0275d012d178ad591ebe06d901a760018fa4f953e256d57bb
    • Opcode Fuzzy Hash: b7571dad61ca20dee86a2af1c9d979772e7033c268770b4022c9546089bfcbf8
    • Instruction Fuzzy Hash: 2B4190B2B05A4281EE04EB58D0543BCA761FB94BC4FB18A35DA0E47351EF7EE545C320
    Function 00007FF78E4120F0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 92libraryloaderCOMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: AddressProcexit
    • String ID: @$could not import:
    • API String ID: 2129014486-260091680
    • Opcode ID: 69dd1521f8cfb840d2ca3ee137f161da04b393e1b82e55d6114af6ee7714bfbc
    • Instruction ID: 4b4db1a5a71561f5d3b38fd0cd4376752e53103dfd6fe7ef3cf905c831ef23c3
    • Opcode Fuzzy Hash: 69dd1521f8cfb840d2ca3ee137f161da04b393e1b82e55d6114af6ee7714bfbc
    • Instruction Fuzzy Hash: F731F562F0918355EE29E7A9E9047BD9A52BB457C4FA84235EE0E07386EF7CE005C364
    Function 00007FF78E415970 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 85COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: exitlongjmp
    • String ID: fatal.nim$sysFatal
    • API String ID: 2266059207-2644091575
    • Opcode ID: 46b2c20323a3814dd39974bb7dba7c9da256c0f213f5ca93764d1b22c13c85d6
    • Instruction ID: e853e1f4bc0960c851606a2f0892c778f1910ac33ea2c81d4357bceb0d897b48
    • Opcode Fuzzy Hash: 46b2c20323a3814dd39974bb7dba7c9da256c0f213f5ca93764d1b22c13c85d6
    • Instruction Fuzzy Hash: 98415662B15B0792EE10AB99D8887BDB3A4FB48BC4FB44536EA5C07355EF38D445C360
    Function 00007FF78E412050 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: ErrorLastexitfwritestrlen
    • String ID: (bad format; library may be wrong architecture)$could not load:
    • API String ID: 671075621-2754783905
    • Opcode ID: 80ccbc06463d05bc2b5888fd3e508f9d5f8e55bf2f70a7f2de8dd596c3c45509
    • Instruction ID: d9b5be997cc9a4f7612310fe7d860138b9838117a874f2798b978e77edbd0841
    • Opcode Fuzzy Hash: 80ccbc06463d05bc2b5888fd3e508f9d5f8e55bf2f70a7f2de8dd596c3c45509
    • Instruction Fuzzy Hash: 2C011A20A0951351FE44B7E1A819BB89665BF45780FF44139FE0E47396EF3CA801C235
    Function 00007FF78E411DF0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 17fileCOMMON
    Download Yara Rule
    APIs
    Strings
    • [GC] cannot register thread local variable; too many thread local variables, xrefs: 00007FF78E411E0C
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: exitfflushfwrite
    • String ID: [GC] cannot register thread local variable; too many thread local variables
    • API String ID: 3476253079-685140759
    • Opcode ID: d644f526e3d56218455da416d993ee9c210ffd2179d7a09f73680639e114c0dc
    • Instruction ID: f97038bd30869c6c78a023f01e9689e6d7fc4f40e1ef21219bedba93bcb8e00e
    • Opcode Fuzzy Hash: d644f526e3d56218455da416d993ee9c210ffd2179d7a09f73680639e114c0dc
    • Instruction Fuzzy Hash: E2E0EC20E045438AF60477D2A4157F8A660FF87B85FE05438EA1E5B392DF7EA806C365
    Function 00007FF78E41A3E0 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 196COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: memcpy$memset
    • String ID: CLRError$clr.nim$clrError
    • API String ID: 438689982-2830349459
    • Opcode ID: 77f3dd17192c832a47128c647c90bb103ff66cefc69fe6e175ad23bf75e257b3
    • Instruction ID: 8a8196bd9ae1b4f10881c6e3fa745fe7a3ffc2f6446044f70495ded53e07f488
    • Opcode Fuzzy Hash: 77f3dd17192c832a47128c647c90bb103ff66cefc69fe6e175ad23bf75e257b3
    • Instruction Fuzzy Hash: FA91B262A18B8385EA11AB4598002BDA761FB547A4FA50231FF6D0B3D2DF7CE554D360
    Function 00007FF78E41A080 Relevance: 6.1, APIs: 4, Instructions: 128memoryCOMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: ByteCharMultiWide$AllocInitializeString
    • String ID:
    • API String ID: 1889743751-0
    • Opcode ID: 65b687b48c692aee826a9be4b8a57595faa841ef06bbf31540a48bb328041d11
    • Instruction ID: 9027796017c039f925c97fd35c3d25ee1052f0696c8750305c0df39b43d09cbd
    • Opcode Fuzzy Hash: 65b687b48c692aee826a9be4b8a57595faa841ef06bbf31540a48bb328041d11
    • Instruction Fuzzy Hash: 3C516962B0AA4781EE15AF95A80437EA3A0BF44B84FF44535EE0D47395EF7CE445D360
    Function 00007FF78E413170 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: FreeVirtualexit
    • String ID: virtualFree failing!
    • API String ID: 1212090140-3108117800
    • Opcode ID: c68e12f655a03d91ba896f2f687b174e3f78ce3526b737a923ed8198372fbc25
    • Instruction ID: 4dbe25d93a57e4827d5891b3b2c3d607ff8c84b7c6a8a7e2ce7fc36fec180f47
    • Opcode Fuzzy Hash: c68e12f655a03d91ba896f2f687b174e3f78ce3526b737a923ed8198372fbc25
    • Instruction Fuzzy Hash: 8951CDB2B05B4680EE04EB55C458BAC73A5FB04B80FB2C235EA5D47398EF7AD984C350
    Function 00007FF78E426540 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: fprintf
    • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-3474627141
    • Opcode ID: a9984ae661c6ac48f04b27f6ff2a17c140177e5de2a6c16ce8aaa602cf112a1e
    • Instruction ID: 6d45a739406bca77e55b1c0bf29aa8e6ea982bff0b83095a6e9a7a6f54d3c9a6
    • Opcode Fuzzy Hash: a9984ae661c6ac48f04b27f6ff2a17c140177e5de2a6c16ce8aaa602cf112a1e
    • Instruction Fuzzy Hash: 5B214926A04F858AD7119FA8E8413EAB371FF59799F944622FE8C17764EF78D245C300
    Function 00007FF78E42658C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: fprintf
    • String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-2713391170
    • Opcode ID: fa2246ec60d3f2d2c8e860e0b899dddbbb1b0a01b347715d37e67942b8b6f4d3
    • Instruction ID: 19ab70fae6f3ada45faa9f87204a68471ea50a4906df6a92ea4f050132045ab4
    • Opcode Fuzzy Hash: fa2246ec60d3f2d2c8e860e0b899dddbbb1b0a01b347715d37e67942b8b6f4d3
    • Instruction Fuzzy Hash: DA015E26A04F858AD7019F69D8402AA7771FF4D799F544722EF8D27724DF38C145C310
    Function 00007FF78E4265B3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: fprintf
    • String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-4283191376
    • Opcode ID: 100d4e92daa1d8cb9e2847d07ef5ff8e49b239cca73fcd96e7544013f80db1bf
    • Instruction ID: 781677d5110813843ace821e37e4b524d64b24556166a680f68f73c4fc8bd08d
    • Opcode Fuzzy Hash: 100d4e92daa1d8cb9e2847d07ef5ff8e49b239cca73fcd96e7544013f80db1bf
    • Instruction Fuzzy Hash: 9B015E26A04F858AD7019F69D8402AA7771FF4D799F554722EF8D27725DF38C145C310
    Function 00007FF78E426599 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: fprintf
    • String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-2468659920
    • Opcode ID: ff2584cf3f57ae6350a126f8e35093b32cbe0b374b796bb6d5cdb4394ffb26a0
    • Instruction ID: 737a6fe8d29f4238c17d2f04d70d6e8272d536b90bde8901f7bd3437ec06e659
    • Opcode Fuzzy Hash: ff2584cf3f57ae6350a126f8e35093b32cbe0b374b796bb6d5cdb4394ffb26a0
    • Instruction Fuzzy Hash: F4019E26A04F858AD7019F68D8402AA7371FF4D798F544722EF8D27728DF38C145C310
    Function 00007FF78E4265A6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: fprintf
    • String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-4064033741
    • Opcode ID: 9e894c05ad2901ed1daa551ccda28ddea90dc3bd28c1571126fd109856676168
    • Instruction ID: 71816b8532b4be82482f21dbdf39c09ede487547dfe12b292252ab7af301881a
    • Opcode Fuzzy Hash: 9e894c05ad2901ed1daa551ccda28ddea90dc3bd28c1571126fd109856676168
    • Instruction Fuzzy Hash: D7015E26A04F898AD7019F69D8402AAB771FF4D799F554722EF8D27764DF38C145C310
    Function 00007FF78E4265CD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: fprintf
    • String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-2187435201
    • Opcode ID: 431faf95ef2588800d0d27bfca1691eee4811e92dd30b5b8fce71afe1fc2f45c
    • Instruction ID: 789ec758ec0d233eb4b0e85130f9f8a3f8b0b6677d95edb0325516b28e0a0be9
    • Opcode Fuzzy Hash: 431faf95ef2588800d0d27bfca1691eee4811e92dd30b5b8fce71afe1fc2f45c
    • Instruction Fuzzy Hash: F8015E26A04F858AD7019F69D8402AA7771FF4D799F554722EF8D27724DF38C145C310
    Function 00007FF78E4265C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2956305689.00007FF78E411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E410000, based on PE: true
    • Associated: 00000002.00000002.2956292410.00007FF78E410000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956326512.00007FF78E433000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956340099.00007FF78E434000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956356665.00007FF78E446000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E448000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E455000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956410392.00007FF78E458000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2956459077.00007FF78E461000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_7ff78e410000_66WXq58R0I.jbxd
    Similarity
    • API ID: fprintf
    • String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-4273532761
    • Opcode ID: f2129813e4aca10fd5bf26985deab3776ad89d1813962d43f4c18ca8cbf0e0d2
    • Instruction ID: 4ecd1637e6635a752ff5c6dc24c1bca5849e86b7f094329d74bc10f006a3626d
    • Opcode Fuzzy Hash: f2129813e4aca10fd5bf26985deab3776ad89d1813962d43f4c18ca8cbf0e0d2
    • Instruction Fuzzy Hash: 1C014C26A04F858AD7019F69D8402AA7761FB4D799F554622EE8D27724DF38C185C310