
Windows Analysis Report
clip64.dll

Overview

General Information

Sample name: clip64.dll
Analysis ID: 1423302
MD5: 8ee29b714ba490ec4a0828816f15ed4f
SHA1: 0556df48a668c35c6611ffce1425f1d9e89d0cd7
SHA256: fff252c139b136ba131fab2db7880c79856d39fce2e9d0d15cd19de8f4b52bc5

Detection

Amadey
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Amadey's Clipper DLL
Yara detected Amadey's stealer DLL
Found potential dummy code loops (likely to delay analysis)
Sample uses string decryption to hide its real strings
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 3508 cmdline: loaddll32.exe "C:\Users\user\Desktop\clip64.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 3504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5476 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\clip64.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 4460 cmdline: rundll32.exe "C:\Users\user\Desktop\clip64.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2144 cmdline: rundll32.exe C:\Users\user\Desktop\clip64.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6968 cmdline: rundll32.exe C:\Users\user\Desktop\clip64.dll,??4CClipperDLL@@QAEAAV0@ABV0@@Z MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5276 cmdline: rundll32.exe C:\Users\user\Desktop\clip64.dll,Main MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2304 cmdline: rundll32.exe "C:\Users\user\Desktop\clip64.dll",??4CClipperDLL@@QAEAAV0@$$QAV0@@Z MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4036 cmdline: rundll32.exe "C:\Users\user\Desktop\clip64.dll",??4CClipperDLL@@QAEAAV0@ABV0@@Z MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4560 cmdline: rundll32.exe "C:\Users\user\Desktop\clip64.dll",Main MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Amadey | Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
{"Wallet Addresses": ["bc1q5geckylyfl4952lsex43u56p9c46eptlds05fj", "0x091451c16090f09214C57cB2D15c0cf7967E04d8", "ltc1q2rmqlk85xegdvh3f36smqf2rrfgwsyy26j6lel", "DPtXND8WRCBwX8WHPBLiCt8Lm6xsD3Mbr2", "48dSg7aiVzoAiDwaNHW316Gitnr1VCe2W1yCMNJqEWMe1M15vU1bVnUPZ8NQBSagnq74r57dEuvkC1Hd3gzvKaVZPjAdVSc"]}
Source | Rule | Description | Author | Strings
clip64.dll | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
clip64.dll | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security |

Source | Rule | Description | Author | Strings
00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
0000000A.00000002.4622302958.00000000738F1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |

Source | Rule | Description | Author | Strings
7.2.rundll32.exe.738f0000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
7.2.rundll32.exe.738f0000.0.unpack | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security |
10.2.rundll32.exe.738f0000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
10.2.rundll32.exe.738f0000.0.unpack | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security |

No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: clip64.dll | Avira: detected
Source: clip64.dll | Malware Configuration Extractor: Amadey {"Wallet Addresses": ["bc1q5geckylyfl4952lsex43u56p9c46eptlds05fj", "0x091451c16090f09214C57cB2D15c0cf7967E04d8", "ltc1q2rmqlk85xegdvh3f36smqf2rrfgwsyy26j6lel", "DPtXND8WRCBwX8WHPBLiCt8Lm6xsD3Mbr2", "48dSg7aiVzoAiDwaNHW316Gitnr1VCe2W1yCMNJqEWMe1M15vU1bVnUPZ8NQBSagnq74r57dEuvkC1Hd3gzvKaVZPjAdVSc"]}
Source: clip64.dll | ReversingLabs: Detection: 83%
Source: 7.2.rundll32.exe.738f0000.0.unpack | String decryptor: bc1q5geckylyfl4952lsex43u56p9c46eptlds05fj
Source: 7.2.rundll32.exe.738f0000.0.unpack | String decryptor: 0x091451c16090f09214C57cB2D15c0cf7967E04d8
Source: 7.2.rundll32.exe.738f0000.0.unpack | String decryptor: ltc1q2rmqlk85xegdvh3f36smqf2rrfgwsyy26j6lel
Source: 7.2.rundll32.exe.738f0000.0.unpack | String decryptor: DPtXND8WRCBwX8WHPBLiCt8Lm6xsD3Mbr2
Source: 7.2.rundll32.exe.738f0000.0.unpack | String decryptor: 48dSg7aiVzoAiDwaNHW316Gitnr1VCe2W1yCMNJqEWMe1M15vU1bVnUPZ8NQBSagnq74r57dEuvkC1Hd3gzvKaVZPjAdVSc
Source: clip64.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: clip64.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\Mktmp\Amadey\ClipperDLL\Release\CLIPPERDLL.pdb source: rundll32.exe, 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.4622328387.00000000738FF000.00000002.00000001.01000000.00000003.sdmp, clip64.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_738F7D7E FindFirstFileExW
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_738F15E0 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard,Sleep
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_738FDB01
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: classification engine | Classification label: mal88.spyw.evad.winDLL@18/0@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3504:120:WilError_03
Source: clip64.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\clip64.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\clip64.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\clip64.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\clip64.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\clip64.dll,??4CClipperDLL@@QAEAAV0@ABV0@@Z
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\clip64.dll,Main
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\clip64.dll",??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\clip64.dll",??4CClipperDLL@@QAEAAV0@ABV0@@Z
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\clip64.dll",Main
Source: clip64.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: clip64.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: clip64.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: clip64.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: clip64.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: clip64.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: clip64.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: clip64.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: clip64.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: clip64.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: clip64.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_738F4196 push ecx; ret 7_2_738F41A9
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 2574
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 7425
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 2900
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 7099
Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 7.3 %
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5072 | Thread sleep count: 2574 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5072 | Thread sleep time: -2574000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5072 | Thread sleep count: 7425 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5072 | Thread sleep time: -7425000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2760 | Thread sleep count: 2900 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2760 | Thread sleep time: -2900000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2760 | Thread sleep count: 7099 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2760 | Thread sleep time: -7099000s >= -30000s
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000

Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe | Process Stats: CPU usage > 42% for more than 60s
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_738F5BB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_738F62E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_738F7885 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_738F92A5 GetProcessHeap
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_738F42F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_738F4025 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_738F3E45 cpuid
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_738F41AC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter

Stealing of Sensitive Information

Source: Yara match | File source: clip64.dll, type: SAMPLE
Source: Yara match | File source: 7.2.rundll32.exe.738f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.738f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.4622302958.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Mitre Att&ck Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 112 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Process Injection | LSASS Memory | 12 Security Software Discovery | Remote Desktop Protocol | 3 Clipboard Data | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 112 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Rundll32 | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Behavior Graph (rendered graph not preserved; recoverable information only)

Behavior Graph ID: 1423302, Sample: clip64.dll, Startdate: 09/04/2024, Architecture: WINDOWS, Score: 88
Top-level signatures: Found malware configuration; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures
Process edges: loaddll32.exe started cmd.exe, conhost.exe, rundll32.exe and 5 other processes; cmd.exe started rundll32.exe, which matched: Found potential dummy code loops (likely to delay analysis)

Source | Detection | Scanner | Label | Link
clip64.dll | 83% | ReversingLabs | Win32.Trojan.Amadey |
clip64.dll | 100% | Avira | HEUR/AGEN.1301048 |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1423302
Start date and time: 2024-04-09 21:57:51 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: clip64.dll
Detection: MAL
Classification: mal88.spyw.evad.winDLL@18/0@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 5
• Number of non-executed functions: 25
Cookbook Comments:
• Found application associated with file extension: .dll
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• VT rate limit hit for: clip64.dll
Time | Type | Description
21:58:55 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
21:59:26 | API Interceptor | 11694429x Sleep call for process: rundll32.exe modified
No context
No created / dropped files found
File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.3473860804256095
TrID:
• Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
• Generic Win/DOS Executable (2004/3) 0.20%
• DOS Executable Generic (2002/1) 0.20%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: clip64.dll
File size: 91'136 bytes
MD5: 8ee29b714ba490ec4a0828816f15ed4f
SHA1: 0556df48a668c35c6611ffce1425f1d9e89d0cd7
SHA256: fff252c139b136ba131fab2db7880c79856d39fce2e9d0d15cd19de8f4b52bc5
SHA512: df90bb9497ff20f13c4d19324af91ec9f6bbf3f9b5055e24e3bae0f77c7df6db58384bff8dbdd88104c05e7c586c489968bcb6b3ef86436704aa4cd2f5c8acc8
SSDEEP: 1536:tgYNPCKLbqoYkbpplW9YoUsxXbbcouNh72ZszsWuKcdJUgzaB89p:tg0CWbBNpplToUsNuNh725LJUmaB89p
TLSH: 5E935B1030D2C071D97E55351878EAB68B7CB914CFE08EEF27551A7A8E702D1AE36D3A
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........,Cy..Cy..Cy.....~Iy.....~.y.....~Qy.....~Ly.....~Ry.....~by.....~Fy..Cy...y.....~@y.....~By......By.....~By..RichCy.........
Icon Hash: 7ae282899bbab082
Entrypoint: 0x10003e00
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x10000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x63BC2D74 [Mon Jan 9 15:06:28 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 52982bbab8b9d5eafbb4ec438626f86a
Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F0D08E2EEA7h
call 00007F0D08E2F290h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F0D08E2ED58h
add esp, 0Ch
pop ebp
retn 000Ch
jmp 00007F0D08E31EB3h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F0D08E2E667h
push 10014590h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F0D08E2F4F8h
int3
push ebp
mov ebp, esp
and dword ptr [10016A48h], 00000000h
sub esp, 24h
or dword ptr [10016004h], 01h
push 0000000Ah
call 00007F0D08E3910Ch
test eax, eax
je 00007F0D08E2F04Fh
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-1Ch]
mov dword ptr [ebp-0Ch], eax
xor edi, 6C65746Eh
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp-20h]
xor eax, 756E6547h
mov dword ptr [ebp-04h], eax
xor eax, eax
inc eax
push ebx
cpuid
mov esi, ebx
pop ebx
lea ebx, dword ptr [ebp-24h]
mov dword ptr [ebx], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebx+04h], esi
or eax, edi
or eax, dword ptr [ebp-08h]
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x14aa0 | 0x9c | .rdata
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14b3c | 0x3c | .rdata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18000 | 0xf8 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x19000 | 0x1054 | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x13f20 | 0x70 | .rdata
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x13f90 | 0x40 | .rdata
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0xf000 | 0x12c | .rdata
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x1000 | 0xdd56 | 0xde00 | 774a7ce91e30ef3e3d7da140db35dc34 | False | 0.5611099380630631 | data | 6.65624829160936 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .rdata | 0xf000 | 0x61ee | 0x6200 | e4ee272fe0863b0d859bd6ef543ae195 | False | 0.4253029336734694 | data | 4.998521354979746 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .data | 0x16000 | 0x1444 | 0xc00 | 7b35d9606a8db5f8a5e5b03ea0fcbcf3 | False | 0.1494140625 | DOS executable (block device driver @\273) | 2.05558001204947 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rsrc | 0x18000 | 0xf8 | 0x200 | d455d3af38ec99962a36d1f49a978aee | False | 0.3359375 | data | 2.5195793504807127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0x19000 | 0x1054 | 0x1200 | 04bba41d6da9e277608bbfbbab660375 | False | 0.712890625 | data | 6.26182229426962 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                  RT_MANIFEST | 0x18060 | 0x91 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.8689655172413793
                  DLL | Import
                  KERNEL32.dll | GlobalAlloc, GlobalLock, GlobalUnlock, WideCharToMultiByte, Sleep, WriteConsoleW, CloseHandle, CreateFileW, SetFilePointerEx, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetCurrentProcess, TerminateProcess, RaiseException, InterlockedFlushSList, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, RtlUnwind, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetProcessHeap, GetStdHandle, GetFileType, GetStringTypeW, HeapSize, HeapReAlloc, SetStdHandle, FlushFileBuffers, WriteFile, GetConsoleCP, GetConsoleMode, DecodePointer
                  USER32.dll | SetClipboardData, EmptyClipboard, OpenClipboard, CloseClipboard, GetClipboardData
                  Name | Ordinal | Address
                  ??4CClipperDLL@@QAEAAV0@$$QAV0@@Z | 1 | 0x10001120
                  ??4CClipperDLL@@QAEAAV0@ABV0@@Z | 2 | 0x10001120
                  Main | 3 | 0x10003040
                  Language of compilation system | Country where language is spoken | Map
                  English | United States |
                  No network behavior found

                  Target ID:1
                  Start time:21:58:45
                  Start date:09/04/2024
                  Path:C:\Windows\System32\loaddll32.exe
                  Wow64 process (32bit):true
                  Commandline:loaddll32.exe "C:\Users\user\Desktop\clip64.dll"
                  Imagebase:0xee0000
                  File size:126'464 bytes
                  MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:2
                  Start time:21:58:45
                  Start date:09/04/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff66e660000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:3
                  Start time:21:58:46
                  Start date:09/04/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\clip64.dll",#1
                  Imagebase:0x1c0000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:4
                  Start time:21:58:46
                  Start date:09/04/2024
                  Path:C:\Windows\SysWOW64\rundll32.exe
                  Wow64 process (32bit):true
                  Commandline:rundll32.exe "C:\Users\user\Desktop\clip64.dll",#1
                  Imagebase:0xb40000
                  File size:61'440 bytes
                  MD5 hash:889B99C52A60DD49227C5E485A016679
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:5
                  Start time:21:58:46
                  Start date:09/04/2024
                  Path:C:\Windows\SysWOW64\rundll32.exe
                  Wow64 process (32bit):true
                  Commandline:rundll32.exe C:\Users\user\Desktop\clip64.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
                  Imagebase:0xb40000
                  File size:61'440 bytes
                  MD5 hash:889B99C52A60DD49227C5E485A016679
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:6
                  Start time:21:58:49
                  Start date:09/04/2024
                  Path:C:\Windows\SysWOW64\rundll32.exe
                  Wow64 process (32bit):true
                  Commandline:rundll32.exe C:\Users\user\Desktop\clip64.dll,??4CClipperDLL@@QAEAAV0@ABV0@@Z
                  Imagebase:0xb40000
                  File size:61'440 bytes
                  MD5 hash:889B99C52A60DD49227C5E485A016679
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:7
                  Start time:21:58:52
                  Start date:09/04/2024
                  Path:C:\Windows\SysWOW64\rundll32.exe
                  Wow64 process (32bit):true
                  Commandline:rundll32.exe C:\Users\user\Desktop\clip64.dll,Main
                  Imagebase:0xb40000
                  File size:61'440 bytes
                  MD5 hash:889B99C52A60DD49227C5E485A016679
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                  Reputation:high
                  Has exited:false

                  Target ID:8
                  Start time:21:58:55
                  Start date:09/04/2024
                  Path:C:\Windows\SysWOW64\rundll32.exe
                  Wow64 process (32bit):true
                  Commandline:rundll32.exe "C:\Users\user\Desktop\clip64.dll",??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
                  Imagebase:0xb40000
                  File size:61'440 bytes
                  MD5 hash:889B99C52A60DD49227C5E485A016679
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:9
                  Start time:21:58:55
                  Start date:09/04/2024
                  Path:C:\Windows\SysWOW64\rundll32.exe
                  Wow64 process (32bit):true
                  Commandline:rundll32.exe "C:\Users\user\Desktop\clip64.dll",??4CClipperDLL@@QAEAAV0@ABV0@@Z
                  Imagebase:0xb40000
                  File size:61'440 bytes
                  MD5 hash:889B99C52A60DD49227C5E485A016679
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:10
                  Start time:21:58:55
                  Start date:09/04/2024
                  Path:C:\Windows\SysWOW64\rundll32.exe
                  Wow64 process (32bit):true
                  Commandline:rundll32.exe "C:\Users\user\Desktop\clip64.dll",Main
                  Imagebase:0xb40000
                  File size:61'440 bytes
                  MD5 hash:889B99C52A60DD49227C5E485A016679
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 0000000A.00000002.4622302958.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                  Reputation:high
                  Has exited:false

                    Execution Graph

                    Execution Coverage:3.9%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:2.6%
                    Total number of Nodes:1686
                    Total number of Limit Nodes:36
                    execution_graph 7434 738f7b8f 7435 738f7b9f 7434->7435 7444 738f7bb3 7434->7444 7436 738f792f _free 14 API calls 7435->7436 7437 738f7ba4 7436->7437 7438 738f5d60 ___std_exception_copy 25 API calls 7437->7438 7440 738f7bae 7438->7440 7441 738f7c2a 7441->7441 7473 738f66a0 7441->7473 7443 738f7c98 7445 738f799f _free 14 API calls 7443->7445 7444->7441 7450 738f7ca3 7444->7450 7455 738f7d7e 7444->7455 7445->7450 7446 738f7c8f 7446->7443 7451 738f7d73 7446->7451 7479 738faa97 7446->7479 7448 738f7d5f 7449 738f799f _free 14 API calls 7448->7449 7449->7440 7450->7448 7452 738f799f _free 14 API calls 7450->7452 7453 738f5d8d ___std_exception_copy 11 API calls 7451->7453 7452->7450 7454 738f7d7d 7453->7454 7456 738f7d8a 7455->7456 7456->7456 7457 738f7942 _free 14 API calls 7456->7457 7458 738f7db8 7457->7458 7459 738faa97 25 API calls 7458->7459 7460 738f7de4 7459->7460 7461 738f5d8d ___std_exception_copy 11 API calls 7460->7461 7462 738f7e2e 7461->7462 7488 738f8087 7462->7488 7467 738f7f45 7468 738f8087 37 API calls 7467->7468 7469 738f7f82 7468->7469 7496 738f7aa3 7469->7496 7472 738f7d7e 43 API calls 7474 738f66b1 7473->7474 7478 738f66e3 7473->7478 7475 738f7942 _free 14 API calls 7474->7475 7474->7478 7476 738f66da 7475->7476 7477 738f799f _free 14 API calls 7476->7477 7477->7478 7478->7446 7482 738fa9e4 7479->7482 7480 738fa9fc 7481 738f792f _free 14 API calls 7480->7481 7483 738faa10 7480->7483 7487 738faa06 7481->7487 7482->7480 7482->7483 7485 738faa34 7482->7485 7483->7446 7484 738f5d60 ___std_exception_copy 25 API calls 7484->7483 7485->7483 7486 738f792f _free 14 API calls 7485->7486 7486->7487 7487->7484 7519 738f5dc1 7488->7519 7492 738f7ef7 7493 738f7b72 7492->7493 7676 738f79f1 7493->7676 7497 738f7acd 7496->7497 7498 738f7ab1 7496->7498 7499 738f7af4 7497->7499 7500 738f7ad4 7497->7500 7501 738f80c6 14 API calls 7498->7501 7729 738f8ca0 7499->7729 7514 738f7abb 7500->7514 7724 738f80e0 7500->7724 7501->7514 7504 738f7b04 7505 
738f7b0b GetLastError 7504->7505 7506 738f7b21 7504->7506 7507 738f78f9 __dosmaperr 14 API calls 7505->7507 7508 738f7b32 7506->7508 7511 738f80e0 15 API calls 7506->7511 7510 738f7b17 7507->7510 7509 738f8ca0 ___scrt_uninitialize_crt WideCharToMultiByte 7508->7509 7508->7514 7512 738f7b4a 7509->7512 7513 738f792f _free 14 API calls 7510->7513 7511->7508 7512->7514 7515 738f7b51 GetLastError 7512->7515 7513->7514 7514->7472 7516 738f78f9 __dosmaperr 14 API calls 7515->7516 7517 738f7b5d 7516->7517 7518 738f792f _free 14 API calls 7517->7518 7518->7514 7520 738f5dd8 7519->7520 7521 738f5de1 7519->7521 7520->7492 7527 738f904d 7520->7527 7521->7520 7530 738f735c GetLastError 7521->7530 7673 738f8e75 7527->7673 7531 738f7373 7530->7531 7534 738f7379 7530->7534 7533 738f90ea _free 6 API calls 7531->7533 7532 738f9129 _free 6 API calls 7535 738f7397 7532->7535 7533->7534 7534->7532 7555 738f737f SetLastError 7534->7555 7536 738f7942 _free 14 API calls 7535->7536 7535->7555 7538 738f73a7 7536->7538 7539 738f73af 7538->7539 7540 738f73c6 7538->7540 7544 738f9129 _free 6 API calls 7539->7544 7543 738f9129 _free 6 API calls 7540->7543 7541 738f5e01 7557 738f769d 7541->7557 7542 738f7413 7565 738f6ee7 7542->7565 7547 738f73d2 7543->7547 7548 738f73bd 7544->7548 7549 738f73e7 7547->7549 7550 738f73d6 7547->7550 7553 738f799f _free 14 API calls 7548->7553 7552 738f715e _free 14 API calls 7549->7552 7551 738f9129 _free 6 API calls 7550->7551 7551->7548 7554 738f73f2 7552->7554 7553->7555 7556 738f799f _free 14 API calls 7554->7556 7555->7541 7555->7542 7556->7555 7558 738f76b0 7557->7558 7560 738f5e17 7557->7560 7558->7560 7630 738fa0da 7558->7630 7561 738f76ca 7560->7561 7562 738f76f2 7561->7562 7563 738f76dd 7561->7563 7562->7520 7563->7562 7652 738f8915 7563->7652 7576 738f961d 7565->7576 7569 738f6f20 7606 738f63d6 7569->7606 7570 738f6f01 IsProcessorFeaturePresent 7572 738f6f0d 7570->7572 7571 738f6ef7 7571->7569 7571->7570 7574 738f5bb4 __fassign 8 API calls 7572->7574 
7574->7569 7609 738f954f 7576->7609 7579 738f966b 7580 738f9677 ___scrt_is_nonwritable_in_current_image 7579->7580 7581 738f74b3 _free 14 API calls 7580->7581 7585 738f96a4 __fassign 7580->7585 7587 738f969e __fassign 7580->7587 7581->7587 7582 738f96e9 7584 738f792f _free 14 API calls 7582->7584 7583 738f96d3 7583->7571 7586 738f96ee 7584->7586 7590 738f9715 7585->7590 7620 738f77d8 EnterCriticalSection 7585->7620 7588 738f5d60 ___std_exception_copy 25 API calls 7586->7588 7587->7582 7587->7583 7587->7585 7588->7583 7592 738f975d 7590->7592 7593 738f9852 7590->7593 7603 738f9788 7590->7603 7592->7603 7621 738f9662 7592->7621 7594 738f985d 7593->7594 7628 738f7820 LeaveCriticalSection 7593->7628 7597 738f63d6 __fassign 23 API calls 7594->7597 7598 738f9865 7597->7598 7601 738f735c __fassign 37 API calls 7604 738f97dc 7601->7604 7602 738f9662 __fassign 37 API calls 7602->7603 7624 738f97fe 7603->7624 7604->7583 7605 738f735c __fassign 37 API calls 7604->7605 7605->7583 7607 738f627c __fassign 23 API calls 7606->7607 7608 738f63e7 7607->7608 7610 738f955b ___scrt_is_nonwritable_in_current_image 7609->7610 7615 738f77d8 EnterCriticalSection 7610->7615 7612 738f9569 7616 738f95a7 7612->7616 7615->7612 7619 738f7820 LeaveCriticalSection 7616->7619 7618 738f6eec 7618->7571 7618->7579 7619->7618 7620->7590 7622 738f735c __fassign 37 API calls 7621->7622 7623 738f9667 7622->7623 7623->7602 7625 738f97cd 7624->7625 7626 738f9804 7624->7626 7625->7583 7625->7601 7625->7604 7629 738f7820 LeaveCriticalSection 7626->7629 7628->7594 7629->7625 7631 738fa0e6 ___scrt_is_nonwritable_in_current_image 7630->7631 7632 738f735c __fassign 37 API calls 7631->7632 7633 738fa0ef 7632->7633 7634 738fa135 7633->7634 7643 738f77d8 EnterCriticalSection 7633->7643 7634->7560 7636 738fa10d 7644 738fa15b 7636->7644 7641 738f6ee7 __fassign 37 API calls 7642 738fa15a 7641->7642 7643->7636 7645 738fa169 __fassign 7644->7645 7647 738fa11e 7644->7647 7646 738f9e8e __fassign 14 API calls 7645->7646 
7645->7647 7646->7647 7648 738fa13a 7647->7648 7651 738f7820 LeaveCriticalSection 7648->7651 7650 738fa131 7650->7634 7650->7641 7651->7650 7653 738f735c __fassign 37 API calls 7652->7653 7654 738f891f 7653->7654 7657 738f882d 7654->7657 7658 738f8839 ___scrt_is_nonwritable_in_current_image 7657->7658 7665 738f8853 7658->7665 7668 738f77d8 EnterCriticalSection 7658->7668 7661 738f6ee7 __fassign 37 API calls 7666 738f88cc 7661->7666 7662 738f885a 7662->7562 7663 738f8863 7664 738f888f 7663->7664 7667 738f799f _free 14 API calls 7663->7667 7669 738f88ac 7664->7669 7665->7661 7665->7662 7667->7664 7668->7663 7672 738f7820 LeaveCriticalSection 7669->7672 7671 738f88b3 7671->7665 7672->7671 7674 738f8f8a _free 5 API calls 7673->7674 7675 738f8e8b 7674->7675 7675->7492 7677 738f79ff 7676->7677 7678 738f7a19 7676->7678 7694 738f80c6 7677->7694 7679 738f7a3f 7678->7679 7680 738f7a20 7678->7680 7703 738f8c24 7679->7703 7693 738f7a09 FindFirstFileExW 7680->7693 7698 738f811c 7680->7698 7684 738f7a4e 7685 738f7a55 GetLastError 7684->7685 7687 738f811c 15 API calls 7684->7687 7690 738f7a7b 7684->7690 7706 738f78f9 7685->7706 7687->7690 7688 738f8c24 __fassign MultiByteToWideChar 7691 738f7a92 7688->7691 7690->7688 7690->7693 7691->7685 7691->7693 7692 738f792f _free 14 API calls 7692->7693 7693->7467 7695 738f80d9 7694->7695 7696 738f80d1 7694->7696 7695->7693 7697 738f799f _free 14 API calls 7696->7697 7697->7695 7699 738f80c6 14 API calls 7698->7699 7700 738f812a 7699->7700 7711 738f815b 7700->7711 7704 738f8c35 MultiByteToWideChar 7703->7704 7704->7684 7721 738f791c 7706->7721 7708 738f7904 _free 7709 738f792f _free 14 API calls 7708->7709 7710 738f7917 7709->7710 7710->7692 7714 738f7837 7711->7714 7715 738f7875 7714->7715 7719 738f7845 _free 7714->7719 7717 738f792f _free 14 API calls 7715->7717 7716 738f7860 HeapAlloc 7718 738f7873 7716->7718 7716->7719 7717->7718 7718->7693 7719->7715 7719->7716 7720 738f5f36 _free 2 API calls 7719->7720 7720->7719 7722 738f74b3 _free 
14 API calls 7721->7722 7723 738f7921 7722->7723 7723->7708 7725 738f80c6 14 API calls 7724->7725 7726 738f80ee 7725->7726 7727 738f815b 15 API calls 7726->7727 7728 738f80fc 7727->7728 7728->7514 7730 738f8cb9 WideCharToMultiByte 7729->7730 7730->7504 8430 738f8c0b GetCommandLineA GetCommandLineW 7732 738f948a 7733 738f948f 7732->7733 7734 738f94b2 7733->7734 7736 738faf69 7733->7736 7737 738faf76 7736->7737 7741 738faf98 7736->7741 7738 738faf84 DeleteCriticalSection 7737->7738 7739 738faf92 7737->7739 7738->7738 7738->7739 7740 738f799f _free 14 API calls 7739->7740 7740->7741 7741->7733 7742 738f6c88 7745 738f68ab 7742->7745 7746 738f68ba 7745->7746 7751 738f681d 7746->7751 7749 738f681d 14 API calls 7750 738f68df 7749->7750 7752 738f682a 7751->7752 7753 738f6847 7751->7753 7754 738f6841 7752->7754 7755 738f799f _free 14 API calls 7752->7755 7753->7749 7756 738f799f _free 14 API calls 7754->7756 7755->7752 7756->7753 7757 738f1280 7760 738f31b0 7757->7760 7759 738f1293 7761 738f31eb 7760->7761 7762 738f31d0 ___scrt_fastfail 7760->7762 7763 738f3279 7761->7763 7764 738f31f7 7761->7764 7762->7759 7790 738f35e0 7763->7790 7767 738f3241 7764->7767 7768 738f3220 7764->7768 7766 738f327e 7793 738f11e0 7766->7793 7774 738f3772 26 API calls 7767->7774 7776 738f3236 ___scrt_fastfail 7767->7776 7768->7766 7770 738f3227 7768->7770 7777 738f3772 7770->7777 7771 738f322d 7771->7776 7799 738f5d70 7771->7799 7774->7776 7776->7759 7778 738f3777 ___std_exception_copy 7777->7778 7779 738f3791 7778->7779 7780 738f5f36 _free 2 API calls 7778->7780 7781 738f3793 7778->7781 7779->7771 7780->7778 7782 738f11e0 Concurrency::cancel_current_task 7781->7782 7783 738f379d 7781->7783 7804 738f4497 7782->7804 7785 738f4497 Concurrency::cancel_current_task RaiseException 7783->7785 7787 738f3e44 7785->7787 7786 738f11fc 7807 738f4415 7786->7807 7822 738f3701 7790->7822 7794 738f11ee Concurrency::cancel_current_task 7793->7794 7795 738f4497 Concurrency::cancel_current_task RaiseException 
7794->7795 7796 738f11fc 7795->7796 7797 738f4415 ___std_exception_copy 25 API calls 7796->7797 7798 738f1223 7797->7798 7798->7771 7800 738f5cfc ___std_exception_copy 25 API calls 7799->7800 7801 738f5d7f 7800->7801 7802 738f5d8d ___std_exception_copy 11 API calls 7801->7802 7803 738f5d8c 7802->7803 7805 738f44e1 RaiseException 7804->7805 7806 738f44b1 7804->7806 7805->7786 7806->7805 7808 738f4422 ___std_exception_copy 7807->7808 7812 738f1223 7807->7812 7809 738f444f 7808->7809 7808->7812 7813 738f6e8d 7808->7813 7811 738f6e36 ___std_exception_destroy 14 API calls 7809->7811 7811->7812 7812->7771 7814 738f6e9a 7813->7814 7816 738f6ea8 7813->7816 7814->7816 7820 738f6ebf 7814->7820 7815 738f792f _free 14 API calls 7817 738f6eb0 7815->7817 7816->7815 7818 738f5d60 ___std_exception_copy 25 API calls 7817->7818 7819 738f6eba 7818->7819 7819->7809 7820->7819 7821 738f792f _free 14 API calls 7820->7821 7821->7817 7827 738f3660 7822->7827 7825 738f4497 Concurrency::cancel_current_task RaiseException 7826 738f3720 7825->7826 7830 738f3610 7827->7830 7831 738f4415 ___std_exception_copy 25 API calls 7830->7831 7832 738f363c 7831->7832 7832->7825 7425 738f3e00 7426 738f3e0e dllmain_dispatch 7425->7426 7427 738f3e09 7425->7427 7429 738f41f9 7427->7429 7430 738f420f 7429->7430 7432 738f4218 7430->7432 7433 738f41ac GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 7430->7433 7432->7426 7433->7432 7833 738f1080 7838 738f3350 7833->7838 7835 738f1091 7853 738f3aa7 7835->7853 7841 738f3366 7838->7841 7843 738f338e 7838->7843 7839 738f346c 7840 738f35e0 26 API calls 7839->7840 7842 738f3471 7840->7842 7841->7835 7846 738f11e0 Concurrency::cancel_current_task 26 API calls 7842->7846 7843->7839 7844 738f33fb 7843->7844 7845 738f33d6 7843->7845 7849 738f3772 26 API calls 7844->7849 7851 738f33e7 ___scrt_uninitialize_crt 7844->7851 7845->7842 7848 738f3772 26 API calls 7845->7848 7847 738f3476 7846->7847 7848->7851 7849->7851 7850 738f5d70 25 API 
calls 7850->7839 7851->7850 7852 738f344e 7851->7852 7852->7835 7856 738f3a7a 7853->7856 7857 738f3a89 7856->7857 7858 738f3a90 7856->7858 7862 738f6bbf 7857->7862 7865 738f6c2b 7858->7865 7861 738f109b 7863 738f6c2b 28 API calls 7862->7863 7864 738f6bd1 7863->7864 7864->7861 7868 738f6942 7865->7868 7869 738f694e ___scrt_is_nonwritable_in_current_image 7868->7869 7876 738f77d8 EnterCriticalSection 7869->7876 7871 738f695c 7877 738f69bc 7871->7877 7873 738f6969 7887 738f6991 7873->7887 7876->7871 7878 738f69d8 7877->7878 7886 738f6a4f _free 7877->7886 7885 738f6a2f 7878->7885 7878->7886 7890 738f8e08 7878->7890 7879 738f8e08 28 API calls 7881 738f6a45 7879->7881 7883 738f799f _free 14 API calls 7881->7883 7882 738f6a25 7884 738f799f _free 14 API calls 7882->7884 7883->7886 7884->7885 7885->7879 7885->7886 7886->7873 7886->7886 7918 738f7820 LeaveCriticalSection 7887->7918 7889 738f697a 7889->7861 7891 738f8e15 7890->7891 7892 738f8e30 7890->7892 7891->7892 7893 738f8e21 7891->7893 7894 738f8e3f 7892->7894 7899 738fadd6 7892->7899 7895 738f792f _free 14 API calls 7893->7895 7906 738fae09 7894->7906 7898 738f8e26 ___scrt_fastfail 7895->7898 7898->7882 7900 738fadf6 HeapSize 7899->7900 7901 738fade1 7899->7901 7900->7894 7902 738f792f _free 14 API calls 7901->7902 7903 738fade6 7902->7903 7904 738f5d60 ___std_exception_copy 25 API calls 7903->7904 7905 738fadf1 7904->7905 7905->7894 7907 738fae16 7906->7907 7908 738fae21 7906->7908 7909 738f7837 15 API calls 7907->7909 7910 738fae29 7908->7910 7917 738fae32 _free 7908->7917 7914 738fae1e 7909->7914 7911 738f799f _free 14 API calls 7910->7911 7911->7914 7912 738fae5c HeapReAlloc 7912->7914 7912->7917 7913 738fae37 7915 738f792f _free 14 API calls 7913->7915 7914->7898 7915->7914 7916 738f5f36 _free 2 API calls 7916->7917 7917->7912 7917->7913 7917->7916 7918->7889 8431 738f1000 8432 738f3350 26 API calls 8431->8432 8433 738f1011 8432->8433 8434 738f3aa7 28 API calls 8433->8434 8435 738f101b 8434->8435 8441 738f1300 
8442 738f31b0 26 API calls 8441->8442 8445 738f131d 8442->8445 8443 738f1454 8445->8443 8446 738f5ef3 8445->8446 8447 738f5f0f __fassign 8446->8447 8448 738f5f01 8446->8448 8447->8445 8451 738f5e66 8448->8451 8452 738f5dc1 __fassign 37 API calls 8451->8452 8453 738f5e79 8452->8453 8456 738f5e9f 8453->8456 8455 738f5e8a 8455->8445 8457 738f5edc 8456->8457 8458 738f5eac 8456->8458 8469 738f75ae 8457->8469 8461 738f5ebb __fassign 8458->8461 8462 738f75d2 8458->8462 8461->8455 8463 738f5dc1 __fassign 37 API calls 8462->8463 8464 738f75ef 8463->8464 8465 738fa1ab 40 API calls 8464->8465 8466 738f75ff 8464->8466 8465->8466 8467 738f42e3 _ValidateLocalCookies 5 API calls 8466->8467 8468 738f769b 8467->8468 8468->8461 8470 738f735c __fassign 37 API calls 8469->8470 8471 738f75b9 8470->8471 8472 738f769d __fassign 37 API calls 8471->8472 8473 738f75c9 8472->8473 8473->8461 8474 738fc41f 8475 738fc428 8474->8475 8476 738fc4ce 8475->8476 8480 738fc44f 8475->8480 8477 738fd1b7 20 API calls 8476->8477 8479 738fc4de 8477->8479 8478 738fd0e0 8480->8478 8481 738fd1b7 20 API calls 8480->8481 8482 738fd0de 8481->8482 7919 738f369a 7922 738f1130 7919->7922 7923 738f4415 ___std_exception_copy 25 API calls 7922->7923 7924 738f1153 7923->7924 8483 738f9c1a 8484 738f9b49 ___scrt_uninitialize_crt 66 API calls 8483->8484 8485 738f9c22 8484->8485 8493 738fbce9 8485->8493 8487 738f9c27 8503 738fbd94 8487->8503 8490 738f9c51 8491 738f799f _free 14 API calls 8490->8491 8492 738f9c5c 8491->8492 8494 738fbcf5 ___scrt_is_nonwritable_in_current_image 8493->8494 8507 738f77d8 EnterCriticalSection 8494->8507 8496 738fbd6c 8521 738fbd8b 8496->8521 8497 738fbd00 8497->8496 8499 738fbd40 DeleteCriticalSection 8497->8499 8508 738fc19b 8497->8508 8502 738f799f _free 14 API calls 8499->8502 8502->8497 8504 738fbdab 8503->8504 8505 738f9c36 DeleteCriticalSection 8503->8505 8504->8505 8506 738f799f _free 14 API calls 8504->8506 8505->8487 8505->8490 8506->8505 8507->8497 8509 738fc1a7 
___scrt_is_nonwritable_in_current_image 8508->8509 8510 738fc1c6 8509->8510 8511 738fc1b1 8509->8511 8517 738fc1c1 8510->8517 8524 738f9c66 EnterCriticalSection 8510->8524 8512 738f792f _free 14 API calls 8511->8512 8514 738fc1b6 8512->8514 8516 738f5d60 ___std_exception_copy 25 API calls 8514->8516 8515 738fc1e3 8525 738fc124 8515->8525 8516->8517 8517->8497 8519 738fc1ee 8541 738fc215 8519->8541 8613 738f7820 LeaveCriticalSection 8521->8613 8523 738fbd78 8523->8487 8524->8515 8526 738fc146 8525->8526 8527 738fc131 8525->8527 8529 738f9a9c ___scrt_uninitialize_crt 62 API calls 8526->8529 8534 738fc141 8526->8534 8528 738f792f _free 14 API calls 8527->8528 8530 738fc136 8528->8530 8531 738fc15b 8529->8531 8532 738f5d60 ___std_exception_copy 25 API calls 8530->8532 8533 738fbd94 14 API calls 8531->8533 8532->8534 8535 738fc163 8533->8535 8534->8519 8536 738f9dea ___scrt_uninitialize_crt 25 API calls 8535->8536 8537 738fc169 8536->8537 8544 738fc797 8537->8544 8540 738f799f _free 14 API calls 8540->8534 8612 738f9c7a LeaveCriticalSection 8541->8612 8543 738fc21d 8543->8517 8545 738fc7bd 8544->8545 8546 738fc7a8 8544->8546 8548 738fc806 8545->8548 8552 738fc7e4 8545->8552 8547 738f791c __dosmaperr 14 API calls 8546->8547 8549 738fc7ad 8547->8549 8550 738f791c __dosmaperr 14 API calls 8548->8550 8551 738f792f _free 14 API calls 8549->8551 8553 738fc80b 8550->8553 8554 738fc16f 8551->8554 8559 738fc70b 8552->8559 8556 738f792f _free 14 API calls 8553->8556 8554->8534 8554->8540 8557 738fc813 8556->8557 8558 738f5d60 ___std_exception_copy 25 API calls 8557->8558 8558->8554 8560 738fc717 ___scrt_is_nonwritable_in_current_image 8559->8560 8570 738fb03c EnterCriticalSection 8560->8570 8562 738fc725 8563 738fc74c 8562->8563 8564 738fc757 8562->8564 8571 738fc824 8563->8571 8566 738f792f _free 14 API calls 8564->8566 8567 738fc752 8566->8567 8586 738fc78b 8567->8586 8570->8562 8589 738fb113 8571->8589 8573 738fc83a 8602 738fb082 8573->8602 8575 738fc834 8575->8573 8576 
Execution Graph (clip64.dll, control-flow nodes at 738f11a0-738fdebe): the node/edge listing of the interactive graph does not survive as text; only the recoverable content is kept below.

Node labels in this part of the graph are MSVC CRT / VCRuntime symbols: dllmain_raw, dllmain_crt_dispatch, ___scrt_dllmain_exception_filter, ___scrt_is_nonwritable_in_current_image, ___scrt_release_startup_lock, ___scrt_uninitialize_crt, ___scrt_fastfail, _ValidateLocalCookies, __RTC_Initialize, __dosmaperr, __fassign, __freea, _free, ___std_exception_copy, ___std_exception_destroy, ___vcrt_FlsFree, ___vcrt_FlsGetValue, ___vcrt_FlsSetValue, ___vcrt_uninitialize_ptd, ___vcrt_uninitialize_locks, __raise_exc, __startOneArgErrorHandling, @_EH4_CallFilterFunc@8, Concurrency::cancel_current_task.

Windows APIs reached from those nodes: CloseHandle, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeSListHead, InterlockedFlushSList, SetStdHandle, GetStdHandle, GetStartupInfoW, GetFileType, FlushFileBuffers, GetProcessHeap, RtlAllocateHeap, HeapFree, RtlUnwind, RaiseException, DecodePointer, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, ExitProcess, GetPEB (sandbox label for a PEB read), GetOEMCP, GetACP, IsValidCodePage, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetStringTypeW, LCMapStringW, LoadLibraryExW, FreeLibrary, GetProcAddress, GetModuleHandleW, GetModuleHandleExW, GetModuleFileNameW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetEnvironmentStringsW, FreeEnvironmentStringsW.

Reading the graph: both IsDebuggerPresent call sites (738f40e5 and 738f5bfc) sit between nodes labelled ___scrt_fastfail and are each followed by SetUnhandledExceptionFilter, UnhandledExceptionFilter and GetCurrentProcess/TerminateProcess. That is the VCRuntime __scrt_fastfail fallback (used when IsProcessorFeaturePresent reports no __fastfail support) that the compiler's statically linked startup code places in every MSVC-built image. GetProcessHeap (738f92a5) and the GetPEB nodes (738f7885 and 738f62ef, the latter leading to GetCurrentProcess/TerminateProcess and ExitProcess) are on the same runtime startup and exit paths. Graph-derived hits on these APIs therefore carry little weight on their own for this sample; anti-debug behaviour should be attributed to the sample only from call sites outside the CRT.
738fab15 8416->8418 8419 738fab43 8417->8419 8420 738fab31 8417->8420 8421 738f792f _free 14 API calls 8418->8421 8423 738fab41 8419->8423 8426 738f5dc1 __fassign 37 API calls 8419->8426 8422 738f792f _free 14 API calls 8420->8422 8424 738fab1a 8421->8424 8425 738fab36 8422->8425 8423->8415 8427 738f5d60 ___std_exception_copy 25 API calls 8424->8427 8428 738f5d60 ___std_exception_copy 25 API calls 8425->8428 8426->8423 8429 738fab25 8427->8429 8428->8423 8429->8415 8755 738f7770 8758 738f76f7 8755->8758 8759 738f7703 ___scrt_is_nonwritable_in_current_image 8758->8759 8766 738f77d8 EnterCriticalSection 8759->8766 8761 738f770d 8762 738f773b 8761->8762 8765 738fa15b __fassign 14 API calls 8761->8765 8767 738f7759 8762->8767 8765->8761 8766->8761 8770 738f7820 LeaveCriticalSection 8767->8770 8769 738f7747 8770->8769 8771 738f1170 8772 738f4478 ___std_exception_destroy 14 API calls 8771->8772 8773 738f1185 8772->8773
                    Strings
                    • abcdefghijklmnopqrstuvwxyz0123456789, xrefs: 738F189A
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: abcdefghijklmnopqrstuvwxyz0123456789
                    • API String ID: 0-3754357371
                    • Opcode ID: 4b1ca98479daa09b1226a8ea459cd899f71a1821cd555d2bc5ebbeac1fdd53d5
                    • Instruction ID: 8a2b5ce9807ad139f4a6d29fdcf355e71951e3bf2db8f670ff7008c5d9b121f1
                    • Opcode Fuzzy Hash: 4b1ca98479daa09b1226a8ea459cd899f71a1821cd555d2bc5ebbeac1fdd53d5
                    • Instruction Fuzzy Hash: A0E2DF716043468BE305DFACC88175EBBA3EFC5314F648A1CE4968B2D5D772E981CB92
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    • __RTC_Initialize.LIBCMT ref: 738F3C66
                    • ___scrt_uninitialize_crt.LIBCMT ref: 738F3C80
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID: Initialize___scrt_uninitialize_crt
                    • String ID:
                    • API String ID: 2442719207-0
                    • Opcode ID: 571f3068d4a7eafa9ec08feaa38b0d2d3bd685ce0d8423c96f67336646b21a3b
                    • Instruction ID: 1f7f7f77ce27dd581b82e536f0500b42001105d2d50503ef90618942917ba7e7
                    • Opcode Fuzzy Hash: 571f3068d4a7eafa9ec08feaa38b0d2d3bd685ce0d8423c96f67336646b21a3b
                    • Instruction Fuzzy Hash: E8419672A0472BAFEB11AFEDCC01B9E7A7BEF84794F148119F81567280D7B24D018B90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    • __RTC_Initialize.LIBCMT ref: 738F3B65
                      • Part of subcall function 738F4244: InitializeSListHead.KERNEL32(73906A58,738F3B6F,73904660,00000010,738F3B00,?,?,?,738F3D28,?,00000001,?,?,00000001,?,739046A8), ref: 738F4249
                    • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 738F3BCF
                    • ___scrt_fastfail.LIBCMT ref: 738F3C19
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID: Initialize$HeadList___scrt_fastfail___scrt_is_nonwritable_in_current_image
                    • String ID:
                    • API String ID: 2097537958-0
                    • Opcode ID: eb46ac121697d4bc380a022261e0e43e905776c47fccffb1d07fea7c790af5c0
                    • Instruction ID: cdb44d053cf4ac4821ecec2cbcf5262b71f3daaf93c5666d512726ef52892da0
                    • Opcode Fuzzy Hash: eb46ac121697d4bc380a022261e0e43e905776c47fccffb1d07fea7c790af5c0
                    • Instruction Fuzzy Hash: FC219F323493575FEB017FF8D411B8C3B639B05325F18812AD9926B2C1DBB241848A65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 709 738faeee-738faefb call 738f7942 711 738faf00-738faf0b 709->711 712 738faf0d-738faf0f 711->712 713 738faf11-738faf19 711->713 714 738faf5c-738faf68 call 738f799f 712->714 713->714 715 738faf1b-738faf1f 713->715 717 738faf21-738faf56 call 738f916b 715->717 721 738faf58-738faf5b 717->721 721->714
                    APIs
                      • Part of subcall function 738F7942: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,738F74FE,00000001,00000364,00000006,000000FF,?,00000001,738F7934,738F79C5,?,?,738F6B9D), ref: 738F7983
                    • _free.LIBCMT ref: 738FAF5D
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocateHeap_free
                    • String ID:
                    • API String ID: 614378929-0
                    • Opcode ID: a196c6ce620c801bb0f50d97cecf6e5b5d15b8c15d5bd770e9089454c7477d4e
                    • Instruction ID: ab405c7c9b883f051abe00cf539466df1d286d83ff72626e5d3d84eaa5b055a7
                    • Opcode Fuzzy Hash: a196c6ce620c801bb0f50d97cecf6e5b5d15b8c15d5bd770e9089454c7477d4e
                    • Instruction Fuzzy Hash: 8901DBB26043175BD3218F98D885A8AFBA9EF053B0F150669F546AB5C0E7745811CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 722 738f7942-738f794d 723 738f794f-738f7959 722->723 724 738f795b-738f7961 722->724 723->724 725 738f798f-738f799a call 738f792f 723->725 726 738f797a-738f798b RtlAllocateHeap 724->726 727 738f7963-738f7964 724->727 732 738f799c-738f799e 725->732 728 738f798d 726->728 729 738f7966-738f796d call 738fa551 726->729 727->726 728->732 729->725 735 738f796f-738f7978 call 738f5f36 729->735 735->725 735->726
                    APIs
                    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,738F74FE,00000001,00000364,00000006,000000FF,?,00000001,738F7934,738F79C5,?,?,738F6B9D), ref: 738F7983
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocateHeap
                    • String ID:
                    • API String ID: 1279760036-0
                    • Opcode ID: 03f2891d7464a7684c744af95bafe1a59b568e8bb71a70d8ddc488eeb3825a09
                    • Instruction ID: a382e234cf36a8ee1c3df69e27795993874d93de738cc71215bb5056be9b7e63
                    • Opcode Fuzzy Hash: 03f2891d7464a7684c744af95bafe1a59b568e8bb71a70d8ddc488eeb3825a09
                    • Instruction Fuzzy Hash: C9F0E9323046275BFB126AEACC01F6B776BDF416F0F149111FC0ADA1C4DA38D80186A0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 738F5CAC
                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 738F5CB6
                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 738F5CC3
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                    • String ID:
                    • API String ID: 3906539128-0
                    • Opcode ID: 776348513db563239602849c9e2f2a9872a218563d9df001d085ee32650d5d99
                    • Instruction ID: f37ddab88d9cd522f25d483ff38f567ec8a1a6c5c8f59545f7b4e100d79ff182
                    • Opcode Fuzzy Hash: 776348513db563239602849c9e2f2a9872a218563d9df001d085ee32650d5d99
                    • Instruction Fuzzy Hash: 9B31E5759113299BCB21DF69D888B8CBBB9BF08310F5081EAE40DA7290E7309B858F54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetCurrentProcess.KERNEL32(?,?,738F62DF,?,00000001,?,?), ref: 738F6302
                    • TerminateProcess.KERNEL32(00000000,?,738F62DF,?,00000001,?,?), ref: 738F6309
                    • ExitProcess.KERNEL32 ref: 738F631B
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID: Process$CurrentExitTerminate
                    • String ID:
                    • API String ID: 1703294689-0
                    • Opcode ID: e9a67794abeea712ce1bf6de270e89ea28dcb491e29d75a40cda0c7b0de69734
                    • Instruction ID: b6772fa126583b2b03247d6e6deb949b0bd4a2af38e827855050dfb753f19df4
                    • Opcode Fuzzy Hash: e9a67794abeea712ce1bf6de270e89ea28dcb491e29d75a40cda0c7b0de69734
                    • Instruction Fuzzy Hash: 45E0EC32001A0AAFDB127FE5C959F5D3B7AFBC4751F244518F90A86220DB75D986CB44
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,738FDAFC,?,?,00000008,?,?,738FD794,00000000), ref: 738FDD2E
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionRaise
                    • String ID:
                    • API String ID: 3997070919-0
                    • Opcode ID: fa2e7bb1ede22e328cf7d2996d5973d925076b4469e302d7ea501cd8261af7e9
                    • Instruction ID: 172ddae2703abf95dfd479a33cda6ac27ddb1add214e77368316a292d69537e6
                    • Opcode Fuzzy Hash: fa2e7bb1ede22e328cf7d2996d5973d925076b4469e302d7ea501cd8261af7e9
                    • Instruction Fuzzy Hash: BBB15E3221060ACFD705CF68C486B557BB2FF45364F198658EA9ACF2E9C335E996CB40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 738F3E5B
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID: FeaturePresentProcessor
                    • String ID:
                    • API String ID: 2325560087-0
                    • Opcode ID: d6e42094da1d325f8b9788feb567d6f71f24df06e85de9599ae3b99fe310332b
                    • Instruction ID: 105f94931ce673ebd25956d3272616d190fd7f400a66d60abd3d53337eb376da
                    • Opcode Fuzzy Hash: d6e42094da1d325f8b9788feb567d6f71f24df06e85de9599ae3b99fe310332b
                    • Instruction Fuzzy Hash: 905162B2B05216CBEB15DF9AC98179ABBF5FB84314F24846AD50AEB280D375D940CB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0820e088b6c9a45ddc007c8af7128d4716f4d9ba7b01750b10c8992fd44c69a0
                    • Instruction ID: c78943352116d003da414b2b321f13d6e14324eca771980449e2e2b95d8e0d37
                    • Opcode Fuzzy Hash: 0820e088b6c9a45ddc007c8af7128d4716f4d9ba7b01750b10c8992fd44c69a0
                    • Instruction Fuzzy Hash: 4141A57580421AAFEB10DFA9CC89BAABBBAEF45344F1442D9F45DD3240D6359E848F10
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID: HeapProcess
                    • String ID:
                    • API String ID: 54951025-0
                    • Opcode ID: 24820062235cae49ccc6e65326082071da258248180ff5707f2c78611043715c
                    • Instruction ID: 42be5ed3d6bd3904929a89af7aa54888ac6369f27275507611d5d768bfbaeb4d
                    • Opcode Fuzzy Hash: 24820062235cae49ccc6e65326082071da258248180ff5707f2c78611043715c
                    • Instruction Fuzzy Hash: D3A00471505503CFD7405F37C54571D35D5F5455F5735D075540DC5150D734C5505F05
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5507de7d6159badeca35d953fc3413e00c20d4a341e50c046b19f343d44c49b2
                    • Instruction ID: 110800173096ce938e74236104205af309b5177376d9d4c08096c9bbfe5f3ec7
                    • Opcode Fuzzy Hash: 5507de7d6159badeca35d953fc3413e00c20d4a341e50c046b19f343d44c49b2
                    • Instruction Fuzzy Hash: 2DE08C32921228EBDB11DBCCC900E8AF3FDEB44A40F114496B502D3210C270DE00CBD0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 844 738f9e8e-738f9ea2 845 738f9ea4-738f9ea9 844->845 846 738f9f10-738f9f18 844->846 845->846 849 738f9eab-738f9eb0 845->849 847 738f9f5f-738f9f77 call 738f9fff 846->847 848 738f9f1a-738f9f1d 846->848 857 738f9f7a-738f9f81 847->857 848->847 850 738f9f1f-738f9f5c call 738f799f * 4 848->850 849->846 852 738f9eb2-738f9eb5 849->852 850->847 852->846 855 738f9eb7-738f9ebf 852->855 858 738f9ed9-738f9ee1 855->858 859 738f9ec1-738f9ec4 855->859 863 738f9f83-738f9f87 857->863 864 738f9fa0-738f9fa4 857->864 861 738f9efb-738f9f0f call 738f799f * 2 858->861 862 738f9ee3-738f9ee6 858->862 859->858 865 738f9ec6-738f9ed8 call 738f799f call 738fa2ce 859->865 861->846 862->861 867 738f9ee8-738f9efa call 738f799f call 738fa3cc 862->867 871 738f9f9d 863->871 872 738f9f89-738f9f8c 863->872 868 738f9fbc-738f9fc8 864->868 869 738f9fa6-738f9fab 864->869 865->858 867->861 868->857 881 738f9fca-738f9fd5 call 738f799f 868->881 878 738f9fad-738f9fb0 869->878 879 738f9fb9 869->879 871->864 872->871 874 738f9f8e-738f9f9c call 738f799f * 2 872->874 874->871 878->879 886 738f9fb2-738f9fb8 call 738f799f 878->886 879->868 886->879
                    APIs
                    • ___free_lconv_mon.LIBCMT ref: 738F9ED2
                      • Part of subcall function 738FA2CE: _free.LIBCMT ref: 738FA2EB
                      • Part of subcall function 738FA2CE: _free.LIBCMT ref: 738FA2FD
                      • Part of subcall function 738FA2CE: _free.LIBCMT ref: 738FA30F
                      • Part of subcall function 738FA2CE: _free.LIBCMT ref: 738FA321
                      • Part of subcall function 738FA2CE: _free.LIBCMT ref: 738FA333
                      • Part of subcall function 738FA2CE: _free.LIBCMT ref: 738FA345
                      • Part of subcall function 738FA2CE: _free.LIBCMT ref: 738FA357
                      • Part of subcall function 738FA2CE: _free.LIBCMT ref: 738FA369
                      • Part of subcall function 738FA2CE: _free.LIBCMT ref: 738FA37B
                      • Part of subcall function 738FA2CE: _free.LIBCMT ref: 738FA38D
                      • Part of subcall function 738FA2CE: _free.LIBCMT ref: 738FA39F
                      • Part of subcall function 738FA2CE: _free.LIBCMT ref: 738FA3B1
                      • Part of subcall function 738FA2CE: _free.LIBCMT ref: 738FA3C3
                    • _free.LIBCMT ref: 738F9EC7
                      • Part of subcall function 738F799F: HeapFree.KERNEL32(00000000,00000000,?,738F6B9D), ref: 738F79B5
                      • Part of subcall function 738F799F: GetLastError.KERNEL32(?,?,738F6B9D), ref: 738F79C7
                    • _free.LIBCMT ref: 738F9EE9
                    • _free.LIBCMT ref: 738F9EFE
                    • _free.LIBCMT ref: 738F9F09
                    • _free.LIBCMT ref: 738F9F2B
                    • _free.LIBCMT ref: 738F9F3E
                    • _free.LIBCMT ref: 738F9F4C
                    • _free.LIBCMT ref: 738F9F57
                    • _free.LIBCMT ref: 738F9F8F
                    • _free.LIBCMT ref: 738F9F96
                    • _free.LIBCMT ref: 738F9FB3
                    • _free.LIBCMT ref: 738F9FCB
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                    • String ID:
                    • API String ID: 161543041-0
                    • Opcode ID: 165e1eebdb4aadbcddfd9635e5565d6a54cc81b7af1c9b33c118fbe2942b9e2c
                    • Instruction ID: a9524b7ce64c62ee1054af6f96c55ee54eb326a8fa6bc087edeff8a5cc696299
                    • Opcode Fuzzy Hash: 165e1eebdb4aadbcddfd9635e5565d6a54cc81b7af1c9b33c118fbe2942b9e2c
                    • Instruction Fuzzy Hash: 3731E7316047079FFB219BB9D945B5AB3FBEB00264F289829F45AD7190DF75E8808A60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: d67c07ec389db9910022473c2253f2d83629d0fbf65f97f6fbcd63bf9d5588c5
                    • Instruction ID: a6ab4649ce0cac5805ab9944dae3eae1a7f8b9a8d585fbeaaf8ad610035c7b61
                    • Opcode Fuzzy Hash: d67c07ec389db9910022473c2253f2d83629d0fbf65f97f6fbcd63bf9d5588c5
                    • Instruction Fuzzy Hash: D621AB76904209AFEB41EFD8C880EDD7BBBBF08380F0095A5F5559B161DB35EA54CB80
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    Control-flow graph (rendered graph not extracted): function 738f45a0-738f479e; internal calls to 738fe987, 738f4560 (_ValidateLocalCookies, per the API refs below), 738f4ca7 (___except_validate_context_record), 738f4c90, 738f4c40, 738f4c74, 738fe120 (__IsNonwritableInCurrentImage), 738f4c58, 738f4150 and 738f479f.
                    APIs
                    • _ValidateLocalCookies.LIBCMT ref: 738F45D7
                    • ___except_validate_context_record.LIBVCRUNTIME ref: 738F45DF
                    • _ValidateLocalCookies.LIBCMT ref: 738F4668
                    • __IsNonwritableInCurrentImage.LIBCMT ref: 738F4693
                    • _ValidateLocalCookies.LIBCMT ref: 738F46E8
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                    • String ID: csm$csm
                    • API String ID: 1170836740-3733052814
                    • Opcode ID: 188a81cb03a3fb38e3e9904664782e5ce96dd6a726ca2492d23d27e94f23d379
                    • Instruction ID: 5f98a72740570f2c76286aebb839254d83d6f0a2baa23927b0fc347c66880408
                    • Opcode Fuzzy Hash: 188a81cb03a3fb38e3e9904664782e5ce96dd6a726ca2492d23d27e94f23d379
                    • Instruction Fuzzy Hash: 6851B134A0022A9FDF00DFA9C840FAD7BBBEF45314F2C815AD8169B2A1D735DA41CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    Control-flow graph (rendered graph not extracted): function 738f8ec3-738f8f88; calls LoadLibraryExW at two sites (blocks 738f8ef2 and 738f8f40), GetLastError after the first, FreeLibrary on the exit path, and internal routine 738f6fb8 twice between the GetLastError check and the second LoadLibraryExW.
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: api-ms-$ext-ms-
                    • API String ID: 0-537541572
                    • Opcode ID: ac6b49988043b47a5a00d575a969fa9976b012367c50979433170aadab76415a
                    • Instruction ID: 7b0ff13c452dfdd1e58c763c85a3b52974e28988e913014d56d2b22a1be5d2ee
                    • Opcode Fuzzy Hash: ac6b49988043b47a5a00d575a969fa9976b012367c50979433170aadab76415a
                    • Instruction Fuzzy Hash: 3E21A532A06627AFDB1256A5CC45F4A377BDB41764F290221ED1ABB2C0E730DD00C6E1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 738FA435: _free.LIBCMT ref: 738FA45A
                    • _free.LIBCMT ref: 738FA4BB
                      • Part of subcall function 738F799F: HeapFree.KERNEL32(00000000,00000000,?,738F6B9D), ref: 738F79B5
                      • Part of subcall function 738F799F: GetLastError.KERNEL32(?,?,738F6B9D), ref: 738F79C7
                    • _free.LIBCMT ref: 738FA4C6
                    • _free.LIBCMT ref: 738FA4D1
                    • _free.LIBCMT ref: 738FA525
                    • _free.LIBCMT ref: 738FA530
                    • _free.LIBCMT ref: 738FA53B
                    • _free.LIBCMT ref: 738FA546
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 594bc71536ac1a9de237e6d71aefe758ed8c3ffb7343d6ed820c9bf440261df1
                    • Instruction ID: 8a2c4637dbfcded72fa78a76145d3438238224c663e558044be6a3ef959a5f23
                    • Opcode Fuzzy Hash: 594bc71536ac1a9de237e6d71aefe758ed8c3ffb7343d6ed820c9bf440261df1
                    • Instruction Fuzzy Hash: E2114F71640B09AFF520AFF4CC09FCBB7AF6F14750F809815B2AD6A094DA7DB6045A91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetConsoleCP.KERNEL32(00000000,00000001,00000000), ref: 738FB2E4
                    • __fassign.LIBCMT ref: 738FB4C3
                    • __fassign.LIBCMT ref: 738FB4E0
                    • WriteFile.KERNEL32(?,738F99C5,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 738FB528
                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 738FB568
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 738FB614
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID: FileWrite__fassign$ConsoleErrorLast
                    • String ID:
                    • API String ID: 4031098158-0
                    • Opcode ID: b1fe690b3a89ac493843e7f9f2a445f5c9caba7f2c4ae761b1d447f28384a405
                    • Instruction ID: 590116d14fbcfaecf51380e59023c75e8880768031e8e7407a37e9bd81a1e293
                    • Opcode Fuzzy Hash: b1fe690b3a89ac493843e7f9f2a445f5c9caba7f2c4ae761b1d447f28384a405
                    • Instruction Fuzzy Hash: 03D16E75D0025A9FDF06CFE8C990AEDBBB6FF48314F28416AE456BB341D6309A46CB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetLastError.KERNEL32(00000001,?,738F4527,738F3856,738F3AF0,?,738F3D28,?,00000001,?,?,00000001,?,739046A8,0000000C,738F3E1C), ref: 738F49FB
                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 738F4A09
                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 738F4A22
                    • SetLastError.KERNEL32(00000000,738F3D28,?,00000001,?,?,00000001,?,739046A8,0000000C,738F3E1C,?,00000001,?), ref: 738F4A74
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLastValue___vcrt_
                    • String ID:
                    • API String ID: 3852720340-0
                    • Opcode ID: 9e764df76ef54e9084f86275cb758552f10e8bf6978ada462a22cd1edeb29204
                    • Instruction ID: cf10901fac7f29b5f12df41ae4003487034edbc3fcd0dbfdcd09441b84fa64f4
                    • Opcode Fuzzy Hash: 9e764df76ef54e9084f86275cb758552f10e8bf6978ada462a22cd1edeb29204
                    • Instruction Fuzzy Hash: F6019E3374D7335FF71129FAAC86F162AABEB45678F38032BE11A460E4FB7148019258
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    • C:\Windows\SysWOW64\rundll32.exe, xrefs: 738F8211
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: C:\Windows\SysWOW64\rundll32.exe
                    • API String ID: 0-2837366778
                    • Opcode ID: 766040d2f2cdc3a00791134da35db055f12c83c1676780b40c7bc592be101eb1
                    • Instruction ID: 42007166a8569651ab1114fcef3f90eca927ef30b23587bbd3d127a6c40e00ce
                    • Opcode Fuzzy Hash: 766040d2f2cdc3a00791134da35db055f12c83c1676780b40c7bc592be101eb1
                    • Instruction Fuzzy Hash: 33213D71604A0BAFE7119EF9DC85B6B77AFAB412B4F148514F915E6190EB70FC008660
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: api-ms-
                    • API String ID: 0-2084034818
                    • Opcode ID: c6d9277fa77cc1b4e532909127bd0d651ee2f246b84effcd8a563567ddcf7308
                    • Instruction ID: 82aaa806365df6658c3b2efce2c77ec72c21fb409f22d43d8538d38790d17fcd
                    • Opcode Fuzzy Hash: c6d9277fa77cc1b4e532909127bd0d651ee2f246b84effcd8a563567ddcf7308
                    • Instruction Fuzzy Hash: 27116A72A01637ABD7126AE58845F4A377ADF456A4F2E0522ED16E72D4D730D900C5E0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,738F6317,?,?,738F62DF,?,00000001,?), ref: 738F637A
                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 738F638D
                    • FreeLibrary.KERNEL32(00000000,?,?,738F6317,?,?,738F62DF,?,00000001,?), ref: 738F63B0
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressFreeHandleLibraryModuleProc
                    • String ID: CorExitProcess$mscoree.dll
                    • API String ID: 4061214504-1276376045
                    • Opcode ID: dc28a0358e2624d85c543a6dc262d703b16cf63642768584d7071fbd985a61cc
                    • Instruction ID: ef4c0c0583d649144febd9de1719b0a3f09cebe0ca7021aae38ad0a434b14bb8
                    • Opcode Fuzzy Hash: dc28a0358e2624d85c543a6dc262d703b16cf63642768584d7071fbd985a61cc
                    • Instruction Fuzzy Hash: 1BF0123690251AFFDB21ABA1CD09F9D7B79EF85755F244150F906E1291DB308A00EA90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • _free.LIBCMT ref: 738FA3E4
                      • Part of subcall function 738F799F: HeapFree.KERNEL32(00000000,00000000,?,738F6B9D), ref: 738F79B5
                      • Part of subcall function 738F799F: GetLastError.KERNEL32(?,?,738F6B9D), ref: 738F79C7
                    • _free.LIBCMT ref: 738FA3F6
                    • _free.LIBCMT ref: 738FA408
                    • _free.LIBCMT ref: 738FA41A
                    • _free.LIBCMT ref: 738FA42C
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 1c34733789ba2c3bc445f8e6ba767abaa27b2f269f3ca810df6d8be6c4b544c7
                    • Instruction ID: f7101638145bbd691ecd47883a4c7bbd0a8d9308e88f532445df130b0d4b060a
                    • Opcode Fuzzy Hash: 1c34733789ba2c3bc445f8e6ba767abaa27b2f269f3ca810df6d8be6c4b544c7
                    • Instruction Fuzzy Hash: 51F04F326047039BE600EBADE086F1A73FBEA14360B64B815F00ADB580CB38F8804A60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID: *?
                    • API String ID: 269201875-2564092906
                    • Opcode ID: 2ac16678b16e0a25b780da8791ccbb249bc7102ea72d03631edb619c25b3a17a
                    • Instruction ID: bdef6c86e8e12c3355d28831168858ed4a93a517d977b08e4badf07943ee2bdd
                    • Opcode Fuzzy Hash: 2ac16678b16e0a25b780da8791ccbb249bc7102ea72d03631edb619c25b3a17a
                    • Instruction Fuzzy Hash: DC612D75D0021A9FEB15CFA8C8816ADFBFAEF48350F288169F805E7344D6759A418B90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 738F80C6: _free.LIBCMT ref: 738F80D4
                      • Part of subcall function 738F8CA0: WideCharToMultiByte.KERNEL32(?,00000000,738F9A36,00000000,00000001,738F99C5,738FBC2C,?,738F9A36,?,00000000,?,738FB99B,0000FDE9,00000000,?), ref: 738F8D42
                    • GetLastError.KERNEL32 ref: 738F7B0B
                    • __dosmaperr.LIBCMT ref: 738F7B12
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 738F7B51
                    • __dosmaperr.LIBCMT ref: 738F7B58
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                    • String ID:
                    • API String ID: 167067550-0
                    • Opcode ID: 8b751c4985a50878dfb59eff1565977310d61342b222ddc128815f860ff49382
                    • Instruction ID: e86342fe733acbdb82dccc715fdfe4061f3d1c17789cd1a35e8591ebae8c3ae1
                    • Opcode Fuzzy Hash: 8b751c4985a50878dfb59eff1565977310d61342b222ddc128815f860ff49382
                    • Instruction Fuzzy Hash: B6217F7160430BAFFB119EE99C80E5BB7AFEF412A4F148528F52597280E731DD008760
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetLastError.KERNEL32(?,?,?,738FB6E2,00000000,00000001,738F9A36,?,738FBBA1,00000001,?,?,?,738F99C5,?,00000000), ref: 738F7361
                    • _free.LIBCMT ref: 738F73BE
                    • _free.LIBCMT ref: 738F73F4
                    • SetLastError.KERNEL32(00000000,00000006,000000FF,?,738FBBA1,00000001,?,?,?,738F99C5,?,00000000,00000000,73904908,0000002C,738F9A36), ref: 738F73FF
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast_free
                    • String ID:
                    • API String ID: 2283115069-0
                    • Opcode ID: 72a3ab4167278a8323c3505a7fc63affe1f1b34f75a988396d088b810077d667
                    • Instruction ID: a97df98a20148399800692295e76abefe4f635c80971d50f57d8765966d99a9f
                    • Opcode Fuzzy Hash: 72a3ab4167278a8323c3505a7fc63affe1f1b34f75a988396d088b810077d667
                    • Instruction Fuzzy Hash: F8114F333447077BF7023AEE8D85F1B266BEBC16E4F754234FA168A1D0EB7588054120
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetLastError.KERNEL32(?,?,00000001,738F7934,738F79C5,?,?,738F6B9D), ref: 738F74B8
                    • _free.LIBCMT ref: 738F7515
                    • _free.LIBCMT ref: 738F754B
                    • SetLastError.KERNEL32(00000000,00000006,000000FF,?,00000001,738F7934,738F79C5,?,?,738F6B9D), ref: 738F7556
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast_free
                    • String ID:
                    • API String ID: 2283115069-0
                    • Opcode ID: 6abd4aee884351073f55b4068b1fc2af4bd587b31c369e46074801d39d9483e2
                    • Instruction ID: 20c25c4516fbef9f393eb23c5bb0ad361a0d338d1f0a9e3b933bd9cb7622a77c
                    • Opcode Fuzzy Hash: 6abd4aee884351073f55b4068b1fc2af4bd587b31c369e46074801d39d9483e2
                    • Instruction Fuzzy Hash: D61173323447072BF6013AFE4D85F2B266BD7C57F8F244234F229861D0EF3588418120
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WriteConsoleW.KERNEL32(?,?,738F9A36,00000000,?,?,738FC110,?,00000001,?,00000001,?,738FB671,00000000,00000000,00000001), ref: 738FC6CD
                    • GetLastError.KERNEL32(?,738FC110,?,00000001,?,00000001,?,738FB671,00000000,00000000,00000001,00000000,00000001,?,738FBBC5,738F99C5), ref: 738FC6D9
                      • Part of subcall function 738FC69F: CloseHandle.KERNEL32(FFFFFFFE,738FC6E9,?,738FC110,?,00000001,?,00000001,?,738FB671,00000000,00000000,00000001,00000000,00000001), ref: 738FC6AF
                    • ___initconout.LIBCMT ref: 738FC6E9
                      • Part of subcall function 738FC661: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,738FC690,738FC0FD,00000001,?,738FB671,00000000,00000000,00000001,00000000), ref: 738FC674
                    • WriteConsoleW.KERNEL32(?,?,738F9A36,00000000,?,738FC110,?,00000001,?,00000001,?,738FB671,00000000,00000000,00000001,00000000), ref: 738FC6FE
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                    • String ID:
                    • API String ID: 2744216297-0
                    • Opcode ID: f0fe5f95a5f4dda7152a3e8fb7a821112f8c0e973eff5e46384c14bf762401a6
                    • Instruction ID: d85e7e83366adf96b53538d97461ac27ad69d93927c81785aaa744a6ad46d132
                    • Opcode Fuzzy Hash: f0fe5f95a5f4dda7152a3e8fb7a821112f8c0e973eff5e46384c14bf762401a6
                    • Instruction Fuzzy Hash: 55F0F83714111ABBCB222FD6CC44F8A3F76EB492A0F145414FE1989120D7328920ABA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • _free.LIBCMT ref: 738F6CE7
                      • Part of subcall function 738F799F: HeapFree.KERNEL32(00000000,00000000,?,738F6B9D), ref: 738F79B5
                      • Part of subcall function 738F799F: GetLastError.KERNEL32(?,?,738F6B9D), ref: 738F79C7
                    • _free.LIBCMT ref: 738F6CFA
                    • _free.LIBCMT ref: 738F6D0B
                    • _free.LIBCMT ref: 738F6D1C
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 07f59e1416d9a166b5404b3004ba68ad596d4c6cddf9d14c0d8e810b334f93f7
                    • Instruction ID: 2dcc4e4915b2b4604b5bf931b3e57b3bb3bdd1a70ef6613349ac78c4fff4fa63
                    • Opcode Fuzzy Hash: 07f59e1416d9a166b5404b3004ba68ad596d4c6cddf9d14c0d8e810b334f93f7
                    • Instruction Fuzzy Hash: 15E046738083639BF6023F6A8A00B3A7E37F7046687207666F41C0E221E739C0129AC1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.4622283675.00000000738F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 738F0000, based on PE: true
                    • Associated: 00000007.00000002.4622263770.00000000738F0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622303884.00000000738FF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622327689.0000000073906000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000007.00000002.4622345441.0000000073908000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_738f0000_rundll32.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: C:\Windows\SysWOW64\rundll32.exe
                    • API String ID: 0-2837366778
                    • Opcode ID: a0e892e090c0ee1787b18d619332daf1c2332732f7a63953bc803962a3a33410
                    • Instruction ID: a6e8bc223495a9fc3fa7c8dad052cd215e1680bf823065ffb40fc996814465b6
                    • Opcode Fuzzy Hash: a0e892e090c0ee1787b18d619332daf1c2332732f7a63953bc803962a3a33410
                    • Instruction Fuzzy Hash: A0417571A0071AABD712EFD9C981B9EBBBEEB99310F144266E505E7240D7719A40CB60
                    Uniqueness

                    Uniqueness Score: -1.00%