
Windows Analysis Report
install_numarkidjliveii+(1).exe

Overview

General Information

Sample name: install_numarkidjliveii+(1).exe
Analysis ID: 1427202
MD5: 049a333248120d695c0b344f9698de4e
SHA1: 422f821ddbb9c70edd991f8f9d40f3b1e31b49db
SHA256: 92cd9486c31b528a0dd4a3b83aa165454143bf8439ecfc65191a99ed2a4e34f7

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior
Sample may offer command line options; run it with the 'Execute binary with arguments' cookbook (the switches may need prefix characters such as "-", "/" or "--")
Sample reads itself and does not show any behavior; likely it performs host environment checks that are compared against an embedded key

Startup
  • System is w10x64
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures; the full list of signature hits follows.

Source: install_numarkidjliveii+(1).exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: install_numarkidjliveii+(1).exe | Static PE information: certificate valid
Source: install_numarkidjliveii+(1).exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: install_numarkidjliveii+(1).exe | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: install_numarkidjliveii+(1).exe | String found in binary or memory: http://ocsp.thawte.com0
Source: install_numarkidjliveii+(1).exe | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: install_numarkidjliveii+(1).exe | String found in binary or memory: http://s2.symcb.com0
Source: install_numarkidjliveii+(1).exe | String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: install_numarkidjliveii+(1).exe | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: install_numarkidjliveii+(1).exe | String found in binary or memory: http://sv.symcd.com0&
Source: install_numarkidjliveii+(1).exe | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: install_numarkidjliveii+(1).exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: install_numarkidjliveii+(1).exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: install_numarkidjliveii+(1).exe | String found in binary or memory: http://www.symauth.com/cps0(
Source: install_numarkidjliveii+(1).exe | String found in binary or memory: http://www.symauth.com/rpa00
Source: install_numarkidjliveii+(1).exe | String found in binary or memory: http://www.virtualdj.com/0/
Source: install_numarkidjliveii+(1).exe | String found in binary or memory: http://www.winimage.com/zLibDll
Source: install_numarkidjliveii+(1).exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: install_numarkidjliveii+(1).exe | String found in binary or memory: https://d.symcb.com/rpa0
(The characters trailing most of these URLs, such as "0", "0(", "00", "07" and "0&", are the DER length and tag bytes that follow each URL inside the embedded certificate chain; the string scanner included them, but they are not part of the URLs. The CRL, OCSP and timestamping URLs come from the Authenticode signature, not from the installer's own network code; the report records no network activity.)
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Code function: 0_2_008D7080
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Code function: 0_2_008E541E
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Code function: 0_2_008D5C29
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Code function: 0_2_008DB02A
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Code function: 0_2_008D7C70
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Code function: 0_2_008D6D90
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Code function: 0_2_008D5160
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Code function: 0_2_008E8A9F
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Code function: 0_2_008D2A43
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Code function: 0_2_008E4F70
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Code function: String function: 008D40B0 appears 34 times
Source: install_numarkidjliveii+(1).exe, 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename installaddon.exeB vs install_numarkidjliveii+(1).exe
Source: install_numarkidjliveii+(1).exe | Binary or memory string: OriginalFilename installaddon.exeB vs install_numarkidjliveii+(1).exe
Source: classification engine | Classification label: clean5.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Command line argument: %s\%s (0_2_008D321A)
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Command line argument: %s\%s%s (0_2_008D321A)
Source: install_numarkidjliveii+(1).exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | File read: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Section loaded: wintypes.dll (three load events)
Source: install_numarkidjliveii+(1).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: install_numarkidjliveii+(1).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: install_numarkidjliveii+(1).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: install_numarkidjliveii+(1).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: install_numarkidjliveii+(1).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: install_numarkidjliveii+(1).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: install_numarkidjliveii+(1).exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: install_numarkidjliveii+(1).exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: install_numarkidjliveii+(1).exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: install_numarkidjliveii+(1).exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: install_numarkidjliveii+(1).exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Code function: 0_2_008D40F6 push ecx; ret (0_2_008D4109)
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | API coverage: 9.7 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Code function: 0_2_008DD428 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Code function: 0_2_008DC6A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Code function: 0_2_008E33B1 GetProcessHeap
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Code function: 0_2_008D38C3 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Code function: 0_2_008D3E66 IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Code function: 0_2_008D3FF9 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Code function: 0_2_008D410B cpuid
Source: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe | Code function: 0_2_008D3D58 GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter
MITRE ATT&CK matrix (techniques with matching signatures; the number in parentheses is the count of matching signatures)
  • Execution: Command and Scripting Interpreter (2)
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: DLL Side-Loading (1)
  • Defense Evasion: DLL Side-Loading (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2)
  • Discovery: System Time Discovery (1); Security Software Discovery (2); System Information Discovery (13)
  • Collection: Archive Collected Data (1)
  • Command and Control: Encrypted Channel (1)
No signature mapped to Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact.
Source | Detection | Scanner | Label
install_numarkidjliveii+(1).exe | 3% | ReversingLabs |
install_numarkidjliveii+(1).exe | 0% | Virustotal |
No Antivirus matches
Source | Detection | Scanner | Label
http://ocsp.thawte.com0 | 0% | URL Reputation | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.virtualdj.com/0/ | install_numarkidjliveii+(1).exe | false | | high
http://www.winimage.com/zLibDll | install_numarkidjliveii+(1).exe | false | | high
http://crl.thawte.com/ThawteTimestampingCA.crl0 | install_numarkidjliveii+(1).exe | false | | high
http://www.symauth.com/cps0( | install_numarkidjliveii+(1).exe | false | | high
http://www.symauth.com/rpa00 | install_numarkidjliveii+(1).exe | false | | high
http://ocsp.thawte.com0 | install_numarkidjliveii+(1).exe | false | URL Reputation: safe | unknown
            No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1427202
Start date and time: 2024-04-17 08:53:02 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 5s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: install_numarkidjliveii+(1).exe
Detection: CLEAN
Classification: clean5.winEXE@1/0@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 4
• Number of non-executed functions: 35
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
            No simulations
            No context
            No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.864060199493046
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: install_numarkidjliveii+(1).exe
File size: 940'952 bytes
MD5: 049a333248120d695c0b344f9698de4e
SHA1: 422f821ddbb9c70edd991f8f9d40f3b1e31b49db
SHA256: 92cd9486c31b528a0dd4a3b83aa165454143bf8439ecfc65191a99ed2a4e34f7
SHA512: 1682f18ca6a2ce8cd8b2715fb981b70e794631b71fe4555535ef923400b2a0d700514f609a2cf465fca7d2c42b2e9aef5d6bfba76c7ede459a612ead6ee4c6ce
SSDEEP: 12288:N/d78kkTQDmiS97LwWU5SWtAvBqqSjJrK8w0KxNOQjVDcATASPvBLwjR45QtMYQ7:Fd785TQDmzQltekPj8iZ2BccmtWTt5r
TLSH: 0A152303318085B0D577493896F9EE389A2CB9301E65DDEF725823BA8F255D099349FF
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}...9.~.9.~.9.~..8..4.~..8....~..8..!.~.x.z.1.~.k.}.*.~.k.{...~.k.z.+.~.0...0.~.9...f.~.U.v.:.~.U...8.~.9...8.~.U.|.8.~.Rich9.~
Icon Hash: 8e1f4c4f4f1d0f06
Entrypoint: 0x4038b9
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x5BD72BAE [Mon Oct 29 15:47:58 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 251ebb044beda80d7d482044d8a442fa
Signature Valid: true
Signature Issuer: CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before: 22/06/2016 01:00:00
Not After: 23/07/2019 00:59:59
Subject Chain:
• CN=Atomix Productions Inc., O=Atomix Productions Inc., L=Los Angeles, S=California, C=US
Version: 3
Thumbprint MD5: E5897BDAE0607CCFB3B5DE0B8CBE95A8
Thumbprint SHA-1: CB8429E919FA35C08A073CF7B92629896D021F99
Thumbprint SHA-256: AB2B1018F39AC64F6BDD21CB42A96F86036A3C25DBC28ED3ADD07B4964148240
Serial: 59E035CD9FB3F4AE7656CF5892A9112E
Note on the signature: the signing certificate's validity ended on 23/07/2019, almost five years before this analysis (2024-04-17), yet the signature still verifies. Authenticode accepts a signature after the signer certificate has expired when the signature carries a trusted timestamp countersignature made while the certificate was valid; the Thawte/Symantec timestamping CRL and OCSP URLs among the extracted strings are consistent with such a countersignature. "Signature Valid: true" therefore establishes that the file is unmodified since Atomix Productions Inc. (VirtualDJ's publisher; the file also embeds www.virtualdj.com) signed it. It says nothing about what the installer does when run.
Instruction (disassembly from the entry point, 0x4038b9). The annotations identify the MSVC CRT routines these bytes correspond to; they are the compiler's /GS stack-cookie runtime, not logic specific to this sample. The same CRT start-up code accounts for the IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter chains and for the GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter sequence (__security_init_cookie) that the anti-debugging signatures above point at.
call 00007F4DB08F856Ch                  ; __security_init_cookie
jmp 00007F4DB08F7EFFh                   ; __scrt_common_main_seh: CRT initialisation, then the program's own entry
; __raise_securityfailure(EXCEPTION_POINTERS*): report through the unhandled-exception filter, then terminate
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0041A048h]              ; SetUnhandledExceptionFilter(NULL)
push dword ptr [ebp+08h]
call dword ptr [0041A044h]              ; UnhandledExceptionFilter(ep)
push C0000409h                          ; STATUS_STACK_BUFFER_OVERRUN, the exit code passed to TerminateProcess
call dword ptr [0041A04Ch]              ; GetCurrentProcess()
push eax
call dword ptr [0041A050h]              ; TerminateProcess(hProcess, 0xC0000409)
pop ebp
ret
; __report_gsfailure: use __fastfail where the OS supports it, otherwise record the register state
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h                          ; PF_FASTFAIL_AVAILABLE
call 00007F4DB08FC840h                  ; IsProcessorFeaturePresent
test eax, eax
je 00007F4DB08F8087h
push 00000002h
pop ecx                                 ; FAST_FAIL_STACK_COOKIE_CHECK_FAILURE
int 29h                                 ; __fastfail
; fallback: fill the static CONTEXT GS_ContextRecord at 0x424928 (field offsets match the x86 CONTEXT layout)
mov dword ptr [004249D8h], eax          ; Eax
mov dword ptr [004249D4h], ecx          ; Ecx
mov dword ptr [004249D0h], edx          ; Edx
mov dword ptr [004249CCh], ebx          ; Ebx
mov dword ptr [004249C8h], esi          ; Esi
mov dword ptr [004249C4h], edi          ; Edi
mov word ptr [004249F0h], ss            ; SegSs
mov word ptr [004249E4h], cs            ; SegCs
mov word ptr [004249C0h], ds            ; SegDs
mov word ptr [004249BCh], es            ; SegEs
mov word ptr [004249B8h], fs            ; SegFs
mov word ptr [004249B4h], gs            ; SegGs
pushfd
pop dword ptr [004249E8h]               ; EFlags
mov eax, dword ptr [ebp+00h]
mov dword ptr [004249DCh], eax          ; Ebp (the failing function's frame pointer)
mov eax, dword ptr [ebp+04h]
mov dword ptr [004249E0h], eax          ; Eip (return address into the failing function)
lea eax, dword ptr [ebp+08h]
mov dword ptr [004249ECh], eax          ; Esp (the failing function's stack pointer)
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00424928h], 00010001h    ; ContextFlags = CONTEXT_CONTROL
Programming Language:
• [IMP] VS2008 SP1 build 30729
The [IMP] tag marks a guess derived from the import hash. The fast-fail path above (IsProcessorFeaturePresent(PF_FASTFAIL_AVAILABLE) followed by int 29h) is emitted only by the /GS runtime of Visual Studio 2012 and later, and the CRT names recovered in the execution graph (pre_c_initialization, ___scrt_initialize_default_local_stdio_options, _ValidateLocalCookies) belong to the CRT shipped with Visual Studio 2015 and later, so the toolchain is newer than that guess.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2361c | 0x64 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x26000 | 0x8450 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xe3ea0 | 0x1cf8 | (none: for this entry the value is a raw file offset, not an RVA, and the certificate table lies outside every section)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2f000 | 0x11dc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x22dc0 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x22df8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1a000 | 0x138 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1885b | 0x18a00 | 74c44e468a41564a545bf8045f72018a | False | 0.5900618654822335 | COM executable for DOS | 6.657681839908799 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1a000 | 0x9d22 | 0x9e00 | decefa83b3104212e92e9634494844a6 | False | 0.5813637262658228 | data | 6.016711848151997 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x24000 | 0x13f8 | 0xa00 | e30004c77286a14ea7706cb733dc6237 | False | 0.146875 | data | 1.924625714805442 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x26000 | 0x8450 | 0x8600 | 2ad58a9491a82c9415bfc6aad62fc9b8 | False | 0.4777285447761194 | data | 4.831322386922661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2f000 | 0x11dc | 0x1200 | 3d564330567fa755c932abbed26ec763 | False | 0.8053385416666666 | data | 6.551172943745427 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
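The section table and the data directory together show where most of this file lives. The five sections' raw sizes add up to 0x2ca00 (182,784 bytes), while the IMAGE_DIRECTORY_ENTRY_SECURITY entry places the Authenticode blob at file offset 0xe3ea0 (933,536) with size 0x1cf8 (7,416), ending at exactly 940,952, the file size. Roughly 750,000 bytes therefore sit between the last section and the signature, outside any section: an overlay. That is why the whole-file entropy (7.86) exceeds every section's (at most 6.66), and it fits the rest of the report: the process reads its own file, and the binary references winimage.com/zLibDll, which is consistent with an installer stub that inflates an appended compressed payload. The script below is an added example, not part of the Joe Sandbox report or of the analysed installer: with the standard library only, it parses a PE32 header, names the DllCharacteristics flags the way the report prints them, measures per-section entropy, and computes the overlay between the last section's raw bytes and the certificate table. The PE it analyses is constructed inside the script (a uniform-byte .text, an all-zero .data, 1 KiB of filler standing in for a payload, and a dummy certificate table); its offsets, sizes and the SecurityCheck names are invented for the demo, and the real sample's bytes are not reproduced.

```python
"""Added example: reproduce the report's static PE fields (DllCharacteristics,
entry-point section, per-section entropy, 'digitally signed') and measure the
overlay between the last section and the Authenticode blob. Standard library
only; the PE analysed in the demo is constructed in build_sample_pe()."""
import math
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # data directory slot of the certificate table
DLL_CHARACTERISTICS = {                     # bits named as the report prints them
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits/byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Parse a PE32 image held in memory; raises ValueError for anything that is not PE32."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not PE32 (PE32+ uses different optional-header offsets)")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    # Data directories start 96 bytes into the PE32 optional header, 8 bytes each.
    # SECURITY is the odd one out: its 'VirtualAddress' is a raw file offset.
    sec_off, sec_size = struct.unpack_from("<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)

    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_ptr": rawptr, "raw_size": rawsize,
            "characteristics": flags,
            "entropy": shannon_entropy(data[rawptr:rawptr + rawsize]),
        })
    entry_section = next((s["name"] for s in sections
                          if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"])), None)

    # Overlay: bytes after the last section's raw data, up to the certificate
    # table (signed file) or the end of the file (unsigned file).
    last_raw_end = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0)
    overlay = data[last_raw_end:sec_off if sec_off else len(data)]
    return {
        "machine": machine, "timestamp": timestamp, "characteristics": characteristics,
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit],
        "entry_point": entry_rva, "entry_section": entry_section, "sections": sections,
        "signed": bool(sec_off and sec_size), "security_dir": (sec_off, sec_size),
        "overlay": {"offset": last_raw_end, "size": len(overlay), "entropy": shannon_entropy(overlay)},
        "file_entropy": shannon_entropy(data),
    }


def build_sample_pe() -> bytes:
    """Constructed PE32 for the demo (not the analysed sample): 0x200 bytes of headers, a
    uniform-byte .text, an all-zero .data, 1 KiB of filler standing in for an appended
    compressed payload, then a dummy 0x100-byte certificate table."""
    text = bytes(range(256)) * 2          # 512 bytes, each value twice -> entropy 8.0
    dat = b"\0" * 0x200                   # 512 zero bytes -> entropy 0.0
    payload = bytes(range(256)) * 4       # the overlay
    hdr, text_ptr = 0x200, 0x200
    data_ptr = text_ptr + len(text)
    cert_ptr, cert_size = data_ptr + len(dat) + len(payload), 0x100
    # WIN_CERTIFICATE header: dwLength, wRevision 0x0200, wCertificateType 2 (PKCS#7 SignedData)
    cert = struct.pack("<IHH", cert_size, 0x0200, 2).ljust(cert_size, b"\0")
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x5BD72BAE, 0, 0, 0xE0, 0x0102)  # i386, 2 sections, EXECUTABLE_IMAGE|32BIT_MACHINE
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (cert_ptr, cert_size)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 14, 0, len(text), len(dat), 0,
                      0x1010, 0x1000, 0x2000,            # entry RVA (inside .text), BaseOfCode, BaseOfData
                      0x400000, 0x1000, 0x200,           # ImageBase, SectionAlignment, FileAlignment
                      5, 1, 0, 0, 5, 1, 0, 0x3000, hdr, 0,
                      2,                                 # IMAGE_SUBSYSTEM_WINDOWS_GUI
                      0x0040 | 0x0100 | 0x8000,          # DYNAMIC_BASE | NX_COMPAT | TERMINAL_SERVER_AWARE
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    secs = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), text_ptr, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".data", len(dat), 0x2000, len(dat), data_ptr, 0, 0, 0, 0, 0xC0000040)
    headers = (dos + b"PE\0\0" + coff + opt + secs).ljust(hdr, b"\0")
    return headers + text + dat + payload + cert


if __name__ == "__main__":
    r = parse_pe(build_sample_pe())
    print("DLL characteristics:", ", ".join(r["dll_characteristics"]))
    print("Entry point: %#x in %s" % (r["entry_point"], r["entry_section"]))
    for s in r["sections"]:
        print("%-6s raw %#06x+%#06x entropy %.3f" % (s["name"], s["raw_ptr"], s["raw_size"], s["entropy"]))
    print("Signed: %s, certificate table at %#x (%#x bytes)" % ((r["signed"],) + r["security_dir"]))
    print("Overlay: %#x bytes at %#x, entropy %.3f" % (r["overlay"]["size"], r["overlay"]["offset"], r["overlay"]["entropy"]))
```

To apply this to a real file, pass `open(path, "rb").read()` to `parse_pe`. A large, high-entropy overlay on a signed self-extracting installer is the expected shape; the same shape on a binary whose version info and signer do not match its purpose is the cue to carve the overlay and inspect it. Note also why the SECURITY entry has no section in the table above: it is the one directory entry whose value is a raw offset into the file rather than an RVA, so the certificate table is never mapped by the loader.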
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x264c8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.4456188001889466
RT_ICON | 0x2a6f0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5252074688796681
RT_ICON | 0x2cc98 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.5347091932457786
RT_ICON | 0x2dd40 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6595744680851063
RT_GROUP_ICON | 0x2e1a8 | 0x3e | data | English | United States | 0.8225806451612904
RT_VERSION | 0x261c0 | 0x304 | data | English | United States | 0.42357512953367876
RT_MANIFEST | 0x2e1e8 | 0x261 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (549), with CRLF line terminators | English | United States | 0.5451559934318555
DLL | Imports
USER32.dll | MessageBoxW, wsprintfW
ADVAPI32.dll | RegCloseKey, RegOpenKeyW, RegQueryValueExW
SHELL32.dll | SHCreateDirectoryExW
KERNEL32.dll | HeapSize, SetEndOfFile, GetStdHandle, WriteConsoleW, FlushFileBuffers, ReadFile, GetCommandLineW, WriteFile, SetFilePointer, CreateFileW, MultiByteToWideChar, CloseHandle, GetFileSize, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, RaiseException, DecodePointer, GetModuleFileNameW, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, SetFilePointerEx, GetConsoleMode, ReadConsoleW, GetFileType, HeapFree, GetConsoleCP, HeapAlloc, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetStringTypeW, GetProcessHeap
Language of compilation system | Country where language is spoken
English | United States
            No network behavior found

Target ID: 0
Start time: 08:53:48
Start date: 17/04/2024
Path: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\install_numarkidjliveii+(1).exe"
Imagebase: 0x8d0000
File size: 940'952 bytes
MD5 hash: 049A333248120D695C0B344F9698DE4E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Execution Graph

Execution Coverage: 1.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 9.5%
Total number of Nodes: 1373
Total number of Limit Nodes: 37
execution_graph: node dump omitted (1373 nodes of the form "node address [label] edge"). The routines it names are all C runtime internals rather than application code: __fread_nolock, __dosmaperr, _free, HeapReAlloc, RtlAllocateHeap, ___DestructExceptionObject, EnterCriticalSection / LeaveCriticalSection, GetStartupInfoW, GetFileType, GetStdHandle, __wsopen_s, _strncpy, _strlen, ___scrt_initialize_default_local_stdio_options, _ValidateLocalCookies, pre_c_initialization, __cftof and _abort.
12315->12131 12317 8daea8 12316->12317 12317->12131 12319 8daec8 12318->12319 12320 8daee2 12318->12320 12324 8db0ae 12319->12324 12325 8db042 12319->12325 12338 8daf12 12319->12338 12321 8dd6ae _free 20 API calls 12320->12321 12320->12338 12322 8daefe 12321->12322 12326 8dd5f2 pre_c_initialization 26 API calls 12322->12326 12323 8db086 12344 8db06b 12323->12344 12346 8db07f 12323->12346 12443 8db52d 12323->12443 12324->12323 12327 8db0b5 12324->12327 12328 8db0f4 12324->12328 12325->12323 12335 8db04f 12325->12335 12331 8daf09 12326->12331 12329 8db05d 12327->12329 12330 8db0ba 12327->12330 12457 8db70a 12328->12457 12329->12344 12329->12346 12449 8db343 12329->12449 12330->12323 12334 8db0bf 12330->12334 12331->12131 12333 8db095 12333->12346 12429 8db49d 12333->12429 12339 8db0c4 12334->12339 12340 8db0d2 12334->12340 12335->12329 12335->12333 12335->12344 12338->12131 12339->12346 12433 8db6eb 12339->12433 12437 8db677 12340->12437 12344->12346 12460 8db7f2 12344->12460 12346->12131 12348 8db0ae 12347->12348 12349 8db042 12347->12349 12350 8db0b5 12348->12350 12351 8db0f4 12348->12351 12356 8db086 12348->12356 12349->12356 12357 8db04f 12349->12357 12352 8db05d 12350->12352 12353 8db0ba 12350->12353 12354 8db70a 26 API calls 12351->12354 12359 8db343 48 API calls 12352->12359 12366 8db06b 12352->12366 12368 8db07f 12352->12368 12353->12356 12360 8db0bf 12353->12360 12354->12366 12355 8db095 12364 8db49d 40 API calls 12355->12364 12355->12368 12358 8db52d 26 API calls 12356->12358 12356->12366 12356->12368 12357->12352 12357->12355 12357->12366 12358->12366 12359->12366 12361 8db0c4 12360->12361 12362 8db0d2 12360->12362 12365 8db6eb 26 API calls 12361->12365 12361->12368 12363 8db677 26 API calls 12362->12363 12363->12366 12364->12366 12365->12366 12367 8db7f2 40 API calls 12366->12367 12366->12368 12367->12368 12368->12131 12372 8dae38 12369->12372 12371 8dae1a 12371->12302 12373 8dae8e 12372->12373 12374 8dae5a 12372->12374 12373->12371 12374->12373 12375 
8dd6ae _free 20 API calls 12374->12375 12376 8dae83 12375->12376 12377 8dd5f2 pre_c_initialization 26 API calls 12376->12377 12377->12373 12381 8dfc43 12378->12381 12382 8dfc5e 12381->12382 12385 8dd0fb 12382->12385 12386 8db795 26 API calls 12385->12386 12389 8dd10d 12386->12389 12387 8dac61 12387->12131 12388 8dd148 12391 8daa94 __cftof 38 API calls 12388->12391 12389->12387 12389->12388 12390 8dd122 12389->12390 12392 8dd6ae _free 20 API calls 12390->12392 12396 8dd154 12391->12396 12393 8dd127 12392->12393 12395 8dd5f2 pre_c_initialization 26 API calls 12393->12395 12395->12387 12397 8dd183 12396->12397 12403 8dd375 12396->12403 12400 8dd1ef 12397->12400 12410 8dd323 12397->12410 12398 8dd323 26 API calls 12401 8dd2b6 12398->12401 12400->12398 12401->12387 12402 8dd6ae _free 20 API calls 12401->12402 12402->12387 12404 8dd397 12403->12404 12405 8dd381 12403->12405 12425 8dd34b 12404->12425 12405->12404 12406 8dd389 12405->12406 12416 8e3db9 12406->12416 12409 8dd395 12409->12396 12411 8dd347 12410->12411 12412 8dd333 12410->12412 12411->12400 12412->12411 12413 8dd6ae _free 20 API calls 12412->12413 12414 8dd33c 12413->12414 12415 8dd5f2 pre_c_initialization 26 API calls 12414->12415 12415->12411 12417 8daa94 __cftof 38 API calls 12416->12417 12418 8e3dda 12417->12418 12419 8e4be9 __fassign 38 API calls 12418->12419 12424 8e3de4 12418->12424 12420 8e3e04 12419->12420 12423 8e2e6b 42 API calls 12420->12423 12421 8d3667 _ValidateLocalCookies 5 API calls 12422 8e3e87 12421->12422 12422->12409 12423->12424 12424->12421 12426 8dd364 12425->12426 12427 8dd357 12425->12427 12428 8e2b79 __wsopen_s 38 API calls 12426->12428 12427->12409 12428->12427 12431 8db4b5 12429->12431 12430 8db4ea 12430->12344 12431->12430 12466 8dfea4 12431->12466 12434 8db6f7 12433->12434 12435 8db52d 26 API calls 12434->12435 12436 8db709 12435->12436 12436->12344 12442 8db68c 12437->12442 12438 8dd6ae _free 20 API calls 12439 8db695 12438->12439 12440 8dd5f2 pre_c_initialization 26 API calls 
12439->12440 12441 8db6a0 12440->12441 12441->12344 12442->12438 12442->12441 12444 8db53e 12443->12444 12445 8dd6ae _free 20 API calls 12444->12445 12448 8db568 12444->12448 12446 8db55d 12445->12446 12447 8dd5f2 pre_c_initialization 26 API calls 12446->12447 12447->12448 12448->12344 12450 8db359 12449->12450 12488 8da7cf 12450->12488 12452 8db3a0 12498 8e0f85 12452->12498 12456 8db439 12456->12344 12456->12456 12458 8db52d 26 API calls 12457->12458 12459 8db721 12458->12459 12459->12344 12464 8db864 12460->12464 12465 8db80f 12460->12465 12461 8dfea4 __cftof 40 API calls 12461->12465 12462 8d3667 _ValidateLocalCookies 5 API calls 12463 8db893 12462->12463 12463->12346 12464->12462 12465->12461 12465->12464 12469 8dfd83 12466->12469 12470 8dfd97 12469->12470 12471 8dfdcd 12470->12471 12472 8dfdbc 12470->12472 12481 8dfd9b 12470->12481 12474 8daa94 __cftof 38 API calls 12471->12474 12473 8dd6ae _free 20 API calls 12472->12473 12476 8dfdc1 12473->12476 12475 8dfdd8 12474->12475 12477 8dfde5 12475->12477 12478 8dfe42 WideCharToMultiByte 12475->12478 12479 8dd5f2 pre_c_initialization 26 API calls 12476->12479 12483 8dfdf3 ___scrt_fastfail 12477->12483 12485 8dfe29 ___scrt_fastfail 12477->12485 12480 8dfe72 GetLastError 12478->12480 12478->12483 12479->12481 12480->12483 12480->12485 12481->12430 12482 8dd6ae _free 20 API calls 12482->12481 12483->12481 12483->12482 12484 8dd6ae _free 20 API calls 12486 8dfe95 12484->12486 12485->12481 12485->12484 12487 8dd5f2 pre_c_initialization 26 API calls 12486->12487 12487->12481 12489 8da7eb 12488->12489 12491 8da7fa 12488->12491 12490 8dd6ae _free 20 API calls 12489->12490 12492 8da7f0 12490->12492 12491->12492 12493 8dfbda __wsopen_s 21 API calls 12491->12493 12492->12452 12494 8da821 12493->12494 12495 8da838 12494->12495 12530 8dab31 12494->12530 12497 8dea9c _free 20 API calls 12495->12497 12497->12492 12499 8e0fab 12498->12499 12500 8e0f95 12498->12500 12501 8e0fbf 12499->12501 12509 8e0fd5 12499->12509 12502 8dd6ae 
_free 20 API calls 12500->12502 12503 8dd6ae _free 20 API calls 12501->12503 12504 8e0f9a 12502->12504 12505 8e0fc4 12503->12505 12506 8dd5f2 pre_c_initialization 26 API calls 12504->12506 12508 8dd5f2 pre_c_initialization 26 API calls 12505->12508 12507 8db41a 12506->12507 12507->12456 12523 8dabde 12507->12523 12508->12507 12510 8e1031 12509->12510 12512 8e100f 12509->12512 12511 8e104f 12510->12511 12513 8e1054 12510->12513 12514 8e10ae 12511->12514 12515 8e1078 12511->12515 12533 8e0e59 12512->12533 12543 8e0744 12513->12543 12571 8e0a47 12514->12571 12517 8e107d 12515->12517 12518 8e1096 12515->12518 12554 8e0d91 12517->12554 12564 8e0c2d 12518->12564 12699 8dfbaa 12523->12699 12525 8dac04 12527 8dfbaa 46 API calls 12525->12527 12529 8dac0d 12527->12529 12528 8dabf0 12528->12525 12703 8df9fc 12528->12703 12529->12456 12531 8dea9c _free 20 API calls 12530->12531 12532 8dab40 12531->12532 12532->12495 12534 8e0e7f 12533->12534 12537 8e0e94 12533->12537 12535 8d3667 _ValidateLocalCookies 5 API calls 12534->12535 12536 8e0e90 12535->12536 12536->12507 12578 8dcff1 12537->12578 12540 8e0f44 12541 8dd602 pre_c_initialization 11 API calls 12540->12541 12542 8e0f50 12541->12542 12544 8e0758 12543->12544 12545 8daa94 __cftof 38 API calls 12544->12545 12546 8e076a 12545->12546 12547 8e0786 12546->12547 12548 8e0772 12546->12548 12552 8e0a47 40 API calls 12547->12552 12553 8e0781 __alldvrm ___scrt_fastfail _strrchr 12547->12553 12549 8dd6ae _free 20 API calls 12548->12549 12550 8e0777 12549->12550 12551 8dd5f2 pre_c_initialization 26 API calls 12550->12551 12551->12553 12552->12553 12553->12507 12587 8e541e 12554->12587 12558 8e0df1 12559 8e0df8 12558->12559 12560 8e0e36 12558->12560 12562 8e0e10 12558->12562 12559->12507 12641 8e0ae2 12560->12641 12638 8e0cba 12562->12638 12565 8e541e 28 API calls 12564->12565 12566 8e0c5a 12565->12566 12567 8e4e8a 26 API calls 12566->12567 12568 8e0c92 12567->12568 12569 8e0c99 12568->12569 12570 8e0cba 38 API calls 12568->12570 
12569->12507 12570->12569 12572 8e541e 28 API calls 12571->12572 12573 8e0a6f 12572->12573 12574 8e4e8a 26 API calls 12573->12574 12575 8e0ab4 12574->12575 12576 8e0abb 12575->12576 12577 8e0ae2 38 API calls 12575->12577 12576->12507 12577->12576 12579 8dd00c 12578->12579 12580 8dcffe 12578->12580 12581 8dd6ae _free 20 API calls 12579->12581 12580->12579 12582 8dd023 12580->12582 12586 8dd014 12581->12586 12584 8dd01e 12582->12584 12585 8dd6ae _free 20 API calls 12582->12585 12583 8dd5f2 pre_c_initialization 26 API calls 12583->12584 12584->12534 12584->12540 12585->12586 12586->12583 12590 8e5453 12587->12590 12588 8e548f 12589 8dcff1 26 API calls 12588->12589 12591 8e677f 12589->12591 12590->12588 12597 8e54e2 12590->12597 12592 8e67ad 12591->12592 12622 8e6757 12591->12622 12593 8dd602 pre_c_initialization 11 API calls 12592->12593 12595 8e67b9 12593->12595 12594 8d3667 _ValidateLocalCookies 5 API calls 12596 8e0dbf 12594->12596 12629 8e4e8a 12596->12629 12655 8e72d0 12597->12655 12599 8e555f 12663 8e73e0 12599->12663 12601 8e5569 12603 8e57d0 12601->12603 12605 8e55ee 12601->12605 12610 8e5869 12601->12610 12602 8dbbd1 __fread_nolock 26 API calls 12611 8e59e7 ___scrt_fastfail 12602->12611 12604 8dbbd1 __fread_nolock 26 API calls 12603->12604 12603->12610 12604->12610 12612 8e5682 12605->12612 12671 8dbbd1 12605->12671 12607 8dbbd1 __fread_nolock 26 API calls 12608 8e57c8 12607->12608 12626 8e60a8 __fread_nolock ___scrt_fastfail 12608->12626 12628 8e5c45 __fread_nolock ___scrt_fastfail 12608->12628 12609 8dbbd1 __fread_nolock 26 API calls 12609->12608 12610->12602 12610->12611 12611->12607 12612->12609 12613 8e653f 12685 8e4f70 12613->12685 12615 8e5fc8 12616 8e6096 12615->12616 12617 8dbbd1 __fread_nolock 26 API calls 12615->12617 12616->12613 12618 8dbbd1 __fread_nolock 26 API calls 12616->12618 12617->12616 12618->12613 12619 8dbbd1 26 API calls __fread_nolock 12619->12626 12620 8e658b 12623 8dbbd1 __fread_nolock 26 API calls 12620->12623 12625 8e65f2 
12620->12625 12621 8dbbd1 26 API calls __fread_nolock 12621->12628 12622->12594 12623->12625 12624 8e4f70 26 API calls 12624->12625 12625->12622 12625->12624 12627 8dbbd1 __fread_nolock 26 API calls 12625->12627 12626->12615 12626->12619 12627->12625 12628->12615 12628->12621 12630 8e4e97 12629->12630 12633 8e4ead 12629->12633 12631 8dd6ae _free 20 API calls 12630->12631 12637 8e4ea6 12630->12637 12632 8e4e9c 12631->12632 12634 8dd5f2 pre_c_initialization 26 API calls 12632->12634 12633->12630 12635 8e4ec9 12633->12635 12634->12637 12636 8dd6ae _free 20 API calls 12635->12636 12636->12632 12637->12558 12639 8daa94 __cftof 38 API calls 12638->12639 12640 8e0cd0 ___scrt_fastfail 12639->12640 12640->12559 12642 8e0af3 12641->12642 12643 8e0b18 12642->12643 12644 8e0b01 12642->12644 12646 8daa94 __cftof 38 API calls 12643->12646 12645 8dd6ae _free 20 API calls 12644->12645 12647 8e0b06 12645->12647 12650 8e0b24 12646->12650 12648 8dd5f2 pre_c_initialization 26 API calls 12647->12648 12649 8e0b10 12648->12649 12649->12559 12651 8dcff1 26 API calls 12650->12651 12654 8e0ba2 12651->12654 12652 8dd602 pre_c_initialization 11 API calls 12653 8e0c2c 12652->12653 12654->12652 12656 8e730b 12655->12656 12657 8e72d9 12655->12657 12659 8e7328 21 API calls 12656->12659 12657->12656 12658 8e7306 12657->12658 12661 8e79be 21 API calls 12658->12661 12660 8e731b 12659->12660 12660->12599 12662 8e79b6 12661->12662 12662->12599 12664 8e73ed 12663->12664 12666 8e842b __floor_pentium4 12663->12666 12665 8e741e 12664->12665 12664->12666 12668 8e8213 __floor_pentium4 21 API calls 12665->12668 12670 8e7468 12665->12670 12667 8e87ce __floor_pentium4 21 API calls 12666->12667 12669 8e846d __floor_pentium4 12666->12669 12667->12669 12668->12670 12669->12601 12670->12601 12672 8dbbe2 12671->12672 12681 8dbbde __fread_nolock 12671->12681 12673 8dbbe9 12672->12673 12676 8dbbfc ___scrt_fastfail 12672->12676 12674 8dd6ae _free 20 API calls 12673->12674 12675 8dbbee 12674->12675 12677 8dd5f2 
pre_c_initialization 26 API calls 12675->12677 12678 8dbc2a 12676->12678 12679 8dbc33 12676->12679 12676->12681 12677->12681 12680 8dd6ae _free 20 API calls 12678->12680 12679->12681 12683 8dd6ae _free 20 API calls 12679->12683 12682 8dbc2f 12680->12682 12681->12612 12684 8dd5f2 pre_c_initialization 26 API calls 12682->12684 12683->12682 12684->12681 12686 8e4f8c 12685->12686 12687 8e4f85 12685->12687 12688 8e4fec 12686->12688 12689 8e4fbd 12686->12689 12698 8e4f96 __aulldvrm 12686->12698 12687->12620 12691 8e4ff0 12688->12691 12697 8e5039 __aulldvrm 12688->12697 12690 8dbbd1 __fread_nolock 26 API calls 12689->12690 12692 8e4fde 12690->12692 12693 8dbbd1 __fread_nolock 26 API calls 12691->12693 12692->12620 12695 8e501a 12693->12695 12694 8dbbd1 __fread_nolock 26 API calls 12696 8e50bc 12694->12696 12695->12620 12696->12620 12697->12694 12698->12620 12700 8dfbc2 12699->12700 12701 8dfbb8 12699->12701 12700->12528 12708 8dfb90 12701->12708 12704 8dfa18 12703->12704 12705 8dfa0a 12703->12705 12704->12528 12723 8df9c4 12705->12723 12711 8dfa29 12708->12711 12712 8daa94 __cftof 38 API calls 12711->12712 12713 8dfa3d 12712->12713 12714 8dfa48 12713->12714 12715 8dfa93 12713->12715 12716 8dfb73 42 API calls 12714->12716 12717 8dfaba 12715->12717 12718 8e4be9 __fassign 38 API calls 12715->12718 12722 8dfa52 12716->12722 12719 8dd6ae _free 20 API calls 12717->12719 12720 8dfac0 12717->12720 12718->12717 12719->12720 12721 8e4e3f 43 API calls 12720->12721 12721->12722 12722->12700 12724 8daa94 __cftof 38 API calls 12723->12724 12725 8df9d7 12724->12725 12726 8dd375 42 API calls 12725->12726 12727 8df9e5 12726->12727 12727->12528 12731 8d9d45 12728->12731 12730 8d9e18 12730->12091 12734 8d9d51 ___DestructExceptionObject 12731->12734 12732 8d9d5f 12733 8dd6ae _free 20 API calls 12732->12733 12735 8d9d64 12733->12735 12734->12732 12736 8d9d8c 12734->12736 12737 8dd5f2 pre_c_initialization 26 API calls 12735->12737 12738 8d9d9e 12736->12738 12739 8d9d91 12736->12739 12746 
8d9d6f __wsopen_s 12737->12746 12748 8de58a 12738->12748 12740 8dd6ae _free 20 API calls 12739->12740 12740->12746 12742 8d9da7 12743 8d9dae 12742->12743 12744 8d9dbb 12742->12744 12745 8dd6ae _free 20 API calls 12743->12745 12756 8d9def 12744->12756 12745->12746 12746->12730 12749 8de596 ___DestructExceptionObject 12748->12749 12760 8e2203 EnterCriticalSection 12749->12760 12751 8de5a4 12761 8de624 12751->12761 12755 8de5d5 __wsopen_s 12755->12742 12757 8d9df3 12756->12757 12788 8dd9d8 LeaveCriticalSection 12757->12788 12759 8d9e04 12759->12746 12760->12751 12769 8de647 12761->12769 12762 8de6a0 12763 8e1415 __dosmaperr 20 API calls 12762->12763 12764 8de6a9 12763->12764 12766 8dea9c _free 20 API calls 12764->12766 12767 8de6b2 12766->12767 12770 8de5b1 12767->12770 12779 8e2522 12767->12779 12769->12762 12769->12770 12777 8dd9c4 EnterCriticalSection 12769->12777 12778 8dd9d8 LeaveCriticalSection 12769->12778 12774 8de5e0 12770->12774 12787 8e224b LeaveCriticalSection 12774->12787 12776 8de5e7 12776->12755 12777->12769 12778->12769 12780 8e2262 __dosmaperr 5 API calls 12779->12780 12781 8e2549 12780->12781 12782 8e2567 InitializeCriticalSectionAndSpinCount 12781->12782 12783 8e2552 12781->12783 12782->12783 12784 8d3667 _ValidateLocalCookies 5 API calls 12783->12784 12785 8de6d1 12784->12785 12786 8dd9c4 EnterCriticalSection 12785->12786 12786->12770 12787->12776 12788->12759 12793 8e6c80 12796 8e1e71 12793->12796 12797 8e1e7a 12796->12797 12798 8e1e83 12796->12798 12797->12798 12800 8e1d70 12797->12800 12801 8e0511 pre_c_initialization 38 API calls 12800->12801 12802 8e1d7d 12801->12802 12803 8e1e8f __cftof 38 API calls 12802->12803 12804 8e1d85 12803->12804 12820 8e1b04 12804->12820 12807 8dfbda __wsopen_s 21 API calls 12808 8e1dad 12807->12808 12809 8e1ddf 12808->12809 12827 8e1f31 12808->12827 12812 8dea9c _free 20 API calls 12809->12812 12814 8e1d9c 12812->12814 12813 8e1dda 12815 8dd6ae _free 20 API calls 12813->12815 12814->12798 12815->12809 12816 8e1e23 
12816->12809 12837 8e19da 12816->12837 12817 8e1df7 12817->12816 12818 8dea9c _free 20 API calls 12817->12818 12818->12816 12821 8daa94 __cftof 38 API calls 12820->12821 12822 8e1b16 12821->12822 12823 8e1b37 12822->12823 12824 8e1b25 GetOEMCP 12822->12824 12825 8e1b4e 12823->12825 12826 8e1b3c GetACP 12823->12826 12824->12825 12825->12807 12825->12814 12826->12825 12828 8e1b04 40 API calls 12827->12828 12829 8e1f50 12828->12829 12832 8e1fa1 IsValidCodePage 12829->12832 12834 8e1f57 12829->12834 12836 8e1fc6 ___scrt_fastfail 12829->12836 12830 8d3667 _ValidateLocalCookies 5 API calls 12831 8e1dd2 12830->12831 12831->12813 12831->12817 12833 8e1fb3 GetCPInfo 12832->12833 12832->12834 12833->12834 12833->12836 12834->12830 12840 8e1bdc GetCPInfo 12836->12840 12913 8e1997 12837->12913 12839 8e19fe 12839->12809 12846 8e1c16 12840->12846 12849 8e1cc0 12840->12849 12843 8d3667 _ValidateLocalCookies 5 API calls 12845 8e1d6c 12843->12845 12845->12834 12850 8e2e6b 12846->12850 12848 8e4e3f 43 API calls 12848->12849 12849->12843 12851 8daa94 __cftof 38 API calls 12850->12851 12853 8e2e8b MultiByteToWideChar 12851->12853 12854 8e2ec9 12853->12854 12855 8e2f61 12853->12855 12858 8dfbda __wsopen_s 21 API calls 12854->12858 12861 8e2eea ___scrt_fastfail 12854->12861 12856 8d3667 _ValidateLocalCookies 5 API calls 12855->12856 12859 8e1c77 12856->12859 12857 8e2f5b 12869 8e2f88 12857->12869 12858->12861 12864 8e4e3f 12859->12864 12861->12857 12862 8e2f2f MultiByteToWideChar 12861->12862 12862->12857 12863 8e2f4b GetStringTypeW 12862->12863 12863->12857 12865 8daa94 __cftof 38 API calls 12864->12865 12866 8e4e52 12865->12866 12873 8e4c22 12866->12873 12870 8e2fa5 12869->12870 12871 8e2f94 12869->12871 12870->12855 12871->12870 12872 8dea9c _free 20 API calls 12871->12872 12872->12870 12874 8e4c3d 12873->12874 12875 8e4c63 MultiByteToWideChar 12874->12875 12879 8e4c8d 12875->12879 12887 8e4e17 12875->12887 12876 8d3667 _ValidateLocalCookies 5 API calls 12878 8e1c98 12876->12878 
12877 8e4cae 12881 8e4d63 12877->12881 12882 8e4cf7 MultiByteToWideChar 12877->12882 12878->12848 12879->12877 12880 8dfbda __wsopen_s 21 API calls 12879->12880 12880->12877 12885 8e2f88 __freea 20 API calls 12881->12885 12882->12881 12883 8e4d10 12882->12883 12900 8e2584 12883->12900 12885->12887 12887->12876 12888 8e4d3a 12888->12881 12890 8e2584 11 API calls 12888->12890 12889 8e4d72 12892 8dfbda __wsopen_s 21 API calls 12889->12892 12895 8e4d93 12889->12895 12890->12881 12891 8e4e08 12894 8e2f88 __freea 20 API calls 12891->12894 12892->12895 12893 8e2584 11 API calls 12896 8e4de7 12893->12896 12894->12881 12895->12891 12895->12893 12896->12891 12897 8e4df6 WideCharToMultiByte 12896->12897 12897->12891 12898 8e4e36 12897->12898 12899 8e2f88 __freea 20 API calls 12898->12899 12899->12881 12901 8e2262 __dosmaperr 5 API calls 12900->12901 12902 8e25ab 12901->12902 12905 8e25b4 12902->12905 12908 8e260c 12902->12908 12906 8d3667 _ValidateLocalCookies 5 API calls 12905->12906 12907 8e2606 12906->12907 12907->12881 12907->12888 12907->12889 12909 8e2262 __dosmaperr 5 API calls 12908->12909 12910 8e2633 12909->12910 12911 8d3667 _ValidateLocalCookies 5 API calls 12910->12911 12912 8e25f4 LCMapStringW 12911->12912 12912->12905 12914 8e19a3 ___DestructExceptionObject 12913->12914 12921 8e2203 EnterCriticalSection 12914->12921 12916 8e19ad 12922 8e1a02 12916->12922 12920 8e19c6 __wsopen_s 12920->12839 12921->12916 12923 8dbbd1 __fread_nolock 26 API calls 12922->12923 12924 8e1a50 12923->12924 12925 8dbbd1 __fread_nolock 26 API calls 12924->12925 12926 8e1a6c 12925->12926 12927 8dbbd1 __fread_nolock 26 API calls 12926->12927 12928 8e1a8a 12927->12928 12929 8e19ba 12928->12929 12930 8dea9c _free 20 API calls 12928->12930 12931 8e19ce 12929->12931 12930->12929 12934 8e224b LeaveCriticalSection 12931->12934 12933 8e19d8 12933->12920 12934->12933 11498 8d373d 11499 8d3749 ___DestructExceptionObject 11498->11499 11528 8d3b51 11499->11528 11501 8d3750 11502 8d38a3 11501->11502 
11507 8d377a 11501->11507 11613 8d3e66 IsProcessorFeaturePresent 11502->11613 11504 8d38aa 11505 8d38b0 11504->11505 11585 8dc810 11504->11585 11617 8dc7c2 11505->11617 11517 8d37b9 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 11507->11517 11588 8dc535 11507->11588 11512 8d3799 11514 8d381a 11539 8d3f80 11514->11539 11516 8d3820 11543 8d321a 11516->11543 11517->11514 11596 8dc7d8 11517->11596 11523 8d3840 11524 8d3849 11523->11524 11604 8dc7b3 11523->11604 11607 8d3ce0 11524->11607 11529 8d3b5a 11528->11529 11620 8d410b IsProcessorFeaturePresent 11529->11620 11533 8d3b6b 11534 8d3b6f 11533->11534 11631 8dcf32 11533->11631 11534->11501 11537 8d3b86 11537->11501 11713 8d8640 11539->11713 11542 8d3fa6 11542->11516 11715 8e9310 11543->11715 11546 8d3260 CreateFileW 11547 8d3289 GetFileSize 11546->11547 11548 8d327c 11546->11548 11547->11548 11549 8d32a1 SetFilePointer 11547->11549 11724 8d3071 wsprintfW MessageBoxW 11548->11724 11549->11548 11551 8d32b4 11549->11551 11554 8d32c4 ReadFile FindCloseChangeNotification 11551->11554 11552 8d324b _wcschr 11552->11546 11553 8d3284 11555 8d3667 _ValidateLocalCookies 5 API calls 11553->11555 11717 8d30b6 RegOpenKeyW 11554->11717 11557 8d3661 11555->11557 11602 8d3fb6 GetModuleHandleW 11557->11602 11558 8d3648 MessageBoxW 11558->11553 11560 8d3350 MultiByteToWideChar 11560->11548 11561 8d337f wsprintfW 11560->11561 11563 8d33a8 _strlen 11561->11563 11562 8d35bd _wcsrchr 11565 8d35d4 SHCreateDirectoryExW 11562->11565 11566 8d35f0 CreateFileW 11562->11566 11563->11562 11564 8d33d2 SHCreateDirectoryExW 11563->11564 11567 8d33f9 11564->11567 11565->11566 11568 8d3619 WriteFile CloseHandle 11566->11568 11569 8d3612 11566->11569 11727 8d18ab 11567->11727 11570 8d32f0 11568->11570 11569->11568 11570->11558 11575 8d3463 MultiByteToWideChar 11576 8d3495 wsprintfW 11575->11576 11582 8d35a1 11575->11582 11578 8d341d _strlen 11576->11578 11577 8d34e9 SHCreateDirectoryExW 11577->11578 11578->11570 11578->11575 
11578->11577 11578->11582 11584 8d3513 11578->11584 11735 8d22fe 11578->11735 11742 8d2fe2 11578->11742 11581 8d353d CreateFileW 11581->11582 11583 8d355d WriteFile CloseHandle 11581->11583 11582->11562 11583->11584 11584->11578 11584->11581 11584->11582 11738 8d2a43 11584->11738 11755 8dc58d 11585->11755 11590 8dc54c 11588->11590 11589 8d3667 _ValidateLocalCookies 5 API calls 11591 8d3793 11589->11591 11590->11589 11591->11512 11592 8dc4d9 11591->11592 11593 8dc508 11592->11593 11594 8d3667 _ValidateLocalCookies 5 API calls 11593->11594 11595 8dc531 11594->11595 11595->11517 11597 8dc800 pre_c_initialization _abort 11596->11597 11597->11514 11904 8e0511 GetLastError 11597->11904 11601 8dcfc6 11924 8dd04b 11601->11924 11603 8d383c 11602->11603 11603->11504 11603->11523 11605 8dc58d _abort 28 API calls 11604->11605 11606 8dc7be 11605->11606 11606->11524 11608 8d3cec 11607->11608 11612 8d3851 11608->11612 12013 8dcf44 11608->12013 11611 8d8ad0 ___vcrt_uninitialize 8 API calls 11611->11612 11612->11512 11614 8d3e7b ___scrt_fastfail 11613->11614 11615 8d3f26 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 11614->11615 11616 8d3f71 ___scrt_fastfail 11615->11616 11616->11504 11618 8dc58d _abort 28 API calls 11617->11618 11619 8d38b8 11618->11619 11621 8d3b66 11620->11621 11622 8d8aa7 11621->11622 11623 8d8aac ___vcrt_initialize_winapi_thunks 11622->11623 11642 8d8d1e 11623->11642 11626 8d8aba 11626->11533 11628 8d8ac2 11629 8d8acd 11628->11629 11656 8d8d5a 11628->11656 11629->11533 11697 8e33cc 11631->11697 11634 8d8ad0 11635 8d8ad9 11634->11635 11636 8d8aea 11634->11636 11637 8d8d03 ___vcrt_uninitialize_ptd 6 API calls 11635->11637 11636->11534 11638 8d8ade 11637->11638 11639 8d8d5a ___vcrt_uninitialize_locks DeleteCriticalSection 11638->11639 11640 8d8ae3 11639->11640 11709 8d8fe3 11640->11709 11643 8d8d27 11642->11643 11645 8d8d50 11643->11645 11647 8d8ab6 11643->11647 11660 8d8f70 11643->11660 11646 8d8d5a ___vcrt_uninitialize_locks 
DeleteCriticalSection 11645->11646 11646->11647 11647->11626 11648 8d8cd0 11647->11648 11678 8d8ebc 11648->11678 11651 8d8ce5 11651->11628 11654 8d8d00 11654->11628 11657 8d8d84 11656->11657 11658 8d8d65 11656->11658 11657->11626 11659 8d8d6f DeleteCriticalSection 11658->11659 11659->11657 11659->11659 11665 8d8e4d 11660->11665 11662 8d8f8a 11663 8d8fa8 InitializeCriticalSectionAndSpinCount 11662->11663 11664 8d8f93 11662->11664 11663->11664 11664->11643 11666 8d8e75 11665->11666 11670 8d8e71 __crt_fast_encode_pointer 11665->11670 11666->11670 11671 8d8d89 11666->11671 11669 8d8e8f GetProcAddress 11669->11670 11670->11662 11672 8d8d98 try_get_first_available_module 11671->11672 11673 8d8db5 LoadLibraryExW 11672->11673 11675 8d8e2b FreeLibrary 11672->11675 11676 8d8e42 11672->11676 11677 8d8e03 LoadLibraryExW 11672->11677 11673->11672 11674 8d8dd0 GetLastError 11673->11674 11674->11672 11675->11672 11676->11669 11676->11670 11677->11672 11679 8d8e4d try_get_function 5 API calls 11678->11679 11680 8d8ed6 11679->11680 11681 8d8eef TlsAlloc 11680->11681 11682 8d8cda 11680->11682 11682->11651 11683 8d8f32 11682->11683 11684 8d8e4d try_get_function 5 API calls 11683->11684 11685 8d8f4c 11684->11685 11686 8d8f67 TlsSetValue 11685->11686 11687 8d8cf3 11685->11687 11686->11687 11687->11654 11688 8d8d03 11687->11688 11689 8d8d0d 11688->11689 11690 8d8d13 11688->11690 11692 8d8ef7 11689->11692 11690->11651 11693 8d8e4d try_get_function 5 API calls 11692->11693 11694 8d8f11 11693->11694 11695 8d8f29 TlsFree 11694->11695 11696 8d8f1d 11694->11696 11695->11696 11696->11690 11698 8e33e5 11697->11698 11701 8d3667 11698->11701 11700 8d3b78 11700->11537 11700->11634 11702 8d3670 11701->11702 11703 8d3672 IsProcessorFeaturePresent 11701->11703 11702->11700 11705 8d38ff 11703->11705 11708 8d38c3 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 11705->11708 11707 8d39e2 11707->11700 11708->11707 11710 8d9012 11709->11710 11711 8d8fec 11709->11711 
11710->11636 11711->11710 11712 8d8ffc FreeLibrary 11711->11712 11712->11711 11714 8d3f93 GetStartupInfoW 11713->11714 11714->11542 11716 8d322a GetCommandLineW 11715->11716 11716->11546 11716->11552 11718 8d30dc 11717->11718 11719 8d30e0 RegQueryValueExW 11717->11719 11718->11548 11718->11560 11718->11570 11720 8d30ff 11719->11720 11723 8d312b RegCloseKey 11719->11723 11721 8d3110 RegQueryValueExW 11720->11721 11720->11723 11721->11723 11723->11718 11725 8d3667 _ValidateLocalCookies 5 API calls 11724->11725 11726 8d30b4 11725->11726 11726->11553 11730 8d18d2 11727->11730 11728 8d2f91 5 API calls 11729 8d1c97 11728->11729 11731 8d2f91 11729->11731 11730->11728 11730->11729 11732 8d2f9e 11731->11732 11733 8d2f99 11731->11733 11747 8d1e5d 11732->11747 11733->11578 11736 8d1e5d 5 API calls 11735->11736 11737 8d2322 11736->11737 11737->11578 11739 8d2a7e 11738->11739 11741 8d2a6c __fread_nolock 11738->11741 11739->11584 11741->11739 11751 8d42b0 11741->11751 11743 8d2fe9 11742->11743 11744 8d2fee 11742->11744 11743->11578 11745 8d1e5d 5 API calls 11744->11745 11746 8d3059 11744->11746 11745->11746 11746->11578 11750 8d1e98 11747->11750 11748 8d3667 _ValidateLocalCookies 5 API calls 11749 8d22fa 11748->11749 11749->11733 11750->11748 11752 8d42c1 __fread_nolock 11751->11752 11753 8d4fb4 11751->11753 11752->11753 11754 8d7080 6 API calls 11752->11754 11753->11741 11754->11752 11756 8dc599 _abort 11755->11756 11757 8dc5a0 11756->11757 11758 8dc5b2 11756->11758 11791 8dc6e7 GetModuleHandleW 11757->11791 11779 8e2203 EnterCriticalSection 11758->11779 11762 8dc657 11780 8dc697 11762->11780 11766 8dc5b9 11766->11762 11768 8dc62e 11766->11768 11801 8dcdc3 11766->11801 11769 8dc646 11768->11769 11773 8dc4d9 _abort 5 API calls 11768->11773 11774 8dc4d9 _abort 5 API calls 11769->11774 11770 8dc674 11783 8dc6a6 11770->11783 11771 8dc6a0 11804 8e9389 11771->11804 11773->11769 11774->11762 11779->11766 11807 8e224b LeaveCriticalSection 11780->11807 11782 8dc670 11782->11770 

              Control-flow Graph

              APIs
              • GetCommandLineW.KERNEL32 ref: 008D323B
              • _wcschr.LIBVCRUNTIME ref: 008D3250
              • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008D326F
              • GetFileSize.KERNEL32(00000000,00000000), ref: 008D328B
              • SetFilePointer.KERNELBASE(00000000,0002CE00,00000000,00000000), ref: 008D32A5
              • ReadFile.KERNELBASE(00000000,00000000,?,?,00000000), ref: 008D32D3
              • FindCloseChangeNotification.KERNELBASE(00000000), ref: 008D32DA
              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000800), ref: 008D3367
              • wsprintfW.USER32 ref: 008D339C
              • _strlen.LIBCMT ref: 008D33A3
              • SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 008D33DE
              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000800), ref: 008D3480
              • wsprintfW.USER32 ref: 008D34BA
              • _strlen.LIBCMT ref: 008D34D5
              • SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 008D34F3
              • MessageBoxW.USER32(00000000,Installation successfull,VirtualDJ Addons Installer,00000000), ref: 008D3648
              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID: File$Create$ByteCharDirectoryMultiWide_strlenwsprintf$ChangeCloseCommandFindLineMessageNotificationPointerReadSize_wcschr
              • String ID: %s\%s$%s\%s%s$Installation successfull$VirtualDJ Addons Installer$VirtualDJ not found
              • API String ID: 261716316-320160432
              • Opcode ID: d12cb304d8bc1d3ea53139e0d76cfddc1bb0dea8a76e4c2ebce77ca96e6cf470
              • Instruction ID: 7841961fded17131bc77b0fc7f7fdeb737c6e5405f5c906a096509e7328666b4
              • Opcode Fuzzy Hash: d12cb304d8bc1d3ea53139e0d76cfddc1bb0dea8a76e4c2ebce77ca96e6cf470
              • Instruction Fuzzy Hash: 18B1E171508344AAE724AB249C49F7F77E8FB84B20F14461BF645D63C1EF349A488763
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • GetCurrentProcess.KERNEL32(00000003,?,008DC67C,00000003,008F3270,0000000C,008DC7D3,00000003,00000002,00000000,?,008DD08D,00000003), ref: 008DC6C7
              • TerminateProcess.KERNEL32(00000000,?,008DC67C,00000003,008F3270,0000000C,008DC7D3,00000003,00000002,00000000,?,008DD08D,00000003), ref: 008DC6CE
              • ExitProcess.KERNEL32 ref: 008DC6E0
              Similarity
              • API ID: Process$CurrentExitTerminate
              • String ID:
              • API String ID: 1703294689-0
              • Opcode ID: 05567ba23cc0b9d523ebf483a21a27ae6257fdd3c78bd72ca953ee233d5d2597
              • Instruction ID: 8ef121d8c7e51c6cdc6b80354d521be3ede0cb75555d15d7348ffe8c63f7d902
              • Opcode Fuzzy Hash: 05567ba23cc0b9d523ebf483a21a27ae6257fdd3c78bd72ca953ee233d5d2597
              • Instruction Fuzzy Hash: F7E04631000588EFCF156F58DC48A583B69FB60B81B010118F8058A231CB35ED42CB41
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • RegOpenKeyW.ADVAPI32(80000001,Software\VirtualDJ,?), ref: 008D30D2
              • RegQueryValueExW.ADVAPI32(?,HomeFolder,00000000,?,00000000,?), ref: 008D30F5
              • RegQueryValueExW.ADVAPI32(?,HomeFolder,00000000,00000000,?,00000400), ref: 008D3121
              • RegCloseKey.ADVAPI32(?), ref: 008D3139
              Similarity
              • API ID: QueryValue$CloseOpen
              • String ID: HomeFolder$Software\VirtualDJ
              • API String ID: 1586453840-3986070691
              • Opcode ID: 17029408be9027d09e44cb42f2a8bacdec41da39e4078d3d4aa337109584ede3
              • Instruction ID: 0d2bc58b1973e1d17258c025d2a7740feb1bdeae08f1f479d5003400f26fcedf
              • Opcode Fuzzy Hash: 17029408be9027d09e44cb42f2a8bacdec41da39e4078d3d4aa337109584ede3
              • Instruction Fuzzy Hash: 1B015770A41249FEEF10ABA0DC859BE77BDFB05744F10056BB902E2250E6709F499A22
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,008E2F0F,00000000,?,008DD17C,?,00000008,?,008DFC68,?,?,?), ref: 008DFC0C
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: 0fbe39e2f8082dacef507291bfe93e6882b6f39a553805d52cd1c70f0557080e
              • Instruction ID: 098b2572b88a71d60494062e69748e74de02ebb25449770fb50bc4471415e1e1
              • Opcode Fuzzy Hash: 0fbe39e2f8082dacef507291bfe93e6882b6f39a553805d52cd1c70f0557080e
              • Instruction Fuzzy Hash: 57E0A02125467D6A9B31276AAC00B5B3748FF517A5B014333FF06D63C2CA10CC61A1E2
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID: __floor_pentium4
              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
              • API String ID: 4168288129-2761157908
              • Opcode ID: d3be9652b63335017e6c51444c46c283f2eab9637eaa3896117d60a968016aa5
              • Instruction ID: 9057143f4a712f09316b4539fa9f72116fa6fa0cfbdc2bf543aa9ef51478e3f8
              • Opcode Fuzzy Hash: d3be9652b63335017e6c51444c46c283f2eab9637eaa3896117d60a968016aa5
              • Instruction Fuzzy Hash: 21C28B71E086688FDB25CE29DD407EAB3B5FB96359F1441EAD80DE7240E774AE818F40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 008DD520
              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 008DD52A
              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 008DD537
              Similarity
              • API ID: ExceptionFilterUnhandled$DebuggerPresent
              • String ID:
              • API String ID: 3906539128-0
              • Opcode ID: 141f97c34426baab7715b3933f33df5b3a193812278652d476b2d9e87b2201ce
              • Instruction ID: fc55f7574ddb4ddbe634926ef8863477e6e1c87d40d8e7199aaa3a3f0420c139
              • Opcode Fuzzy Hash: 141f97c34426baab7715b3933f33df5b3a193812278652d476b2d9e87b2201ce
              • Instruction Fuzzy Hash: FA31D3749012289BCB61DF28DC88B8CBBB8FF08710F5042DAE40CA7251EB349F858F45
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 78925b750365db1a32b7e4cf676e42cc126356a11ec8d58d82cae34f46637a44
              • Instruction ID: e8ef4e6a05ed8978fed75dc4325552e198cca2a0728c4fa7be889ef32574345c
              • Opcode Fuzzy Hash: 78925b750365db1a32b7e4cf676e42cc126356a11ec8d58d82cae34f46637a44
              • Instruction Fuzzy Hash: E7023C71E006599BDF14CFA9C8806ADB7F1FF89328F25426AD919EB384D771AD418B80
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID: F?
              • API String ID: 0-1369233217
              • Opcode ID: 867ef7da61d40fc491219a19016a1acc295bd8629e4debac72cf331af81072fb
              • Instruction ID: ff8506cb9fd089996542f528cae26943bc9307c0de4fd9ddb9c0e6c5524ca43c
              • Opcode Fuzzy Hash: 867ef7da61d40fc491219a19016a1acc295bd8629e4debac72cf331af81072fb
              • Instruction Fuzzy Hash: A2825A71E006199FCB08CF99C4945ADBBF2FF88314B2482AED855EB341D735AA56CF90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,008E8A9A,?,?,00000008,?,?,008E873A,00000000), ref: 008E8CCC
              Similarity
              • API ID: ExceptionRaise
              • String ID:
              • API String ID: 3997070919-0
              • Opcode ID: ed962714485ec663a72bfc1257f5339c0af55cad4a84117a0d3f1e34550410cf
              • Instruction ID: f9d0d856de6817a0557212740ee1c15ef3162eb838cf3ecad39a0b6277d3fc82
              • Opcode Fuzzy Hash: ed962714485ec663a72bfc1257f5339c0af55cad4a84117a0d3f1e34550410cf
              • Instruction Fuzzy Hash: DEB15C71210648DFD715CF29C48AB687BE0FF46368F298658E899CF2E1C735E992CB40
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID:
              • String ID: @
              • API String ID: 0-2766056989
              • Opcode ID: c5d52a5cededb353c32e2631ea98e9ab454f1b71921f461313e5f5e25b992ee6
              • Instruction ID: 09aeaa2b8d6039cfe7037b54fe2f7c6f58a12295290746419da5aaaa6467a87e
              • Opcode Fuzzy Hash: c5d52a5cededb353c32e2631ea98e9ab454f1b71921f461313e5f5e25b992ee6
              • Instruction Fuzzy Hash: 50F16C35E042588FCF24CFA8C5906ADBBB2FF59314F24826AD81AEB391E7319D45CB41
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetUnhandledExceptionFilter.KERNEL32(Function_00004005,008D3730), ref: 008D3FFE
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: 19ec51da27ae9f70206137cc2cc65c6410fb16c16d54e8fa0b6e7c503b8a75e5
              • Instruction ID: 30fafce3fc8829363aee110dc1b32485fe51044cb446927e4f04f4f08c747898
              • Opcode Fuzzy Hash: 19ec51da27ae9f70206137cc2cc65c6410fb16c16d54e8fa0b6e7c503b8a75e5
              • Instruction Fuzzy Hash:
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID:
              • String ID: 0
              • API String ID: 0-4108050209
              • Opcode ID: f8a09bf90652abba03e4c4632af07912c1671ed9223366bd2e24022b032d3914
              • Instruction ID: 87cca0820e08083330320aad6fe6d37b105f424b2791fa042497e659147db1e4
              • Opcode Fuzzy Hash: f8a09bf90652abba03e4c4632af07912c1671ed9223366bd2e24022b032d3914
              • Instruction Fuzzy Hash: 94516861600A48D7DF38496C89A6BBF73D5FF61348F1A0B1BE8A2C7382C715DE458392
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID: HeapProcess
              • String ID:
              • API String ID: 54951025-0
              • Opcode ID: 6599c370f2bcc6a78b5ab630852c50ab88672c8611d5349b2ba12433142288ba
              • Instruction ID: 868e4fbc4873eaf236975959467d1152eba43547639c6b64b0f53eb1f12a504a
              • Opcode Fuzzy Hash: 6599c370f2bcc6a78b5ab630852c50ab88672c8611d5349b2ba12433142288ba
              • Instruction Fuzzy Hash: BFA02230202300CF8380CF3AAE8A30CBEE8BA03EC0B028028A002C8330EB308080CB02
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 596ee9fa62655505517c6b7ae0fa77dd5944a8562f41b88bd58bb2ed7dd52b33
              • Instruction ID: 3c4157d1ac88ba1072d167108071629da8c24477ff4d244d5cc69de054546a2a
              • Opcode Fuzzy Hash: 596ee9fa62655505517c6b7ae0fa77dd5944a8562f41b88bd58bb2ed7dd52b33
              • Instruction Fuzzy Hash: 31626DB0E016099BDB14CF59D5806ADBBB1FF44318F2882AFD818EB342D775DA56CB90
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2306200850c581002163288ffb516e111bf9a11ce1db3d96b53d584ffe79dd74
              • Instruction ID: 69cbb36cb1ece988d9136b094ecff188740e5115101664636c6e82a1f213d6d6
              • Opcode Fuzzy Hash: 2306200850c581002163288ffb516e111bf9a11ce1db3d96b53d584ffe79dd74
              • Instruction Fuzzy Hash: D7F19031A046599FCB04CF68C5906ACBBF2FF89314F2482AED895DB346D735EA46CB50
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e12afa0294e1a20503a5aa9e60ff949d18333c846e0f15a4e430caf2af8c0604
              • Instruction ID: b85ff988e2bd5fa1d5cb8d38f3236870be3c25fe1e979907459119043f6b4442
              • Opcode Fuzzy Hash: e12afa0294e1a20503a5aa9e60ff949d18333c846e0f15a4e430caf2af8c0604
              • Instruction Fuzzy Hash: D9E10771A04B12AFC718CF29C880A5AF7E1FF98714F144B2AE868D7741D770A8A5CBD1
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8329af39f88002c8ceb45a87e96089768bc9a4493f9d97ca4b690f39ed16bee2
              • Instruction ID: d13bd7fe69a93cebc5a808b9bc9bf5e9b27367484c026455b6a6379d5f1095c2
              • Opcode Fuzzy Hash: 8329af39f88002c8ceb45a87e96089768bc9a4493f9d97ca4b690f39ed16bee2
              • Instruction Fuzzy Hash: 867176316201A98FDB14CF2AFCD147A33A1F789385346862AEA41CF395D635E525DBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph
              (In the original report this is a rendered graph with executed and not-executed blocks distinguished by colour; only the node and edge list survived extraction, and it is summarised here.)
              • Blocks: 27, spanning 8e3025-8e316e; entry 8e3025-8e3039, single exit 8e3161-8e316e
              • Direct Win32 calls: none
              • Internal calls: 8dea9c (_free, 12 call sites, matching the twelve _free refs listed under APIs), 8e2b9f (___free_lconv_mon, ref 008E3069), 8e2c9d, 8e3198
              APIs
              • ___free_lconv_mon.LIBCMT ref: 008E3069
                • Part of subcall function 008E2B9F: _free.LIBCMT ref: 008E2BBC
                • Part of subcall function 008E2B9F: _free.LIBCMT ref: 008E2BCE
                • Part of subcall function 008E2B9F: _free.LIBCMT ref: 008E2BE0
                • Part of subcall function 008E2B9F: _free.LIBCMT ref: 008E2BF2
                • Part of subcall function 008E2B9F: _free.LIBCMT ref: 008E2C04
                • Part of subcall function 008E2B9F: _free.LIBCMT ref: 008E2C16
                • Part of subcall function 008E2B9F: _free.LIBCMT ref: 008E2C28
                • Part of subcall function 008E2B9F: _free.LIBCMT ref: 008E2C3A
                • Part of subcall function 008E2B9F: _free.LIBCMT ref: 008E2C4C
                • Part of subcall function 008E2B9F: _free.LIBCMT ref: 008E2C5E
                • Part of subcall function 008E2B9F: _free.LIBCMT ref: 008E2C70
                • Part of subcall function 008E2B9F: _free.LIBCMT ref: 008E2C82
                • Part of subcall function 008E2B9F: _free.LIBCMT ref: 008E2C94
              • _free.LIBCMT ref: 008E305E
                • Part of subcall function 008DEA9C: HeapFree.KERNEL32(00000000,00000000,?,008E2D34,?,00000000,?,00000000,?,008E2D5B,?,00000007,?,?,008E31BD,?), ref: 008DEAB2
                • Part of subcall function 008DEA9C: GetLastError.KERNEL32(?,?,008E2D34,?,00000000,?,00000000,?,008E2D5B,?,00000007,?,?,008E31BD,?,?), ref: 008DEAC4
              • _free.LIBCMT ref: 008E3080
              • _free.LIBCMT ref: 008E3095
              • _free.LIBCMT ref: 008E30A0
              • _free.LIBCMT ref: 008E30C2
              • _free.LIBCMT ref: 008E30D5
              • _free.LIBCMT ref: 008E30E3
              • _free.LIBCMT ref: 008E30EE
              • _free.LIBCMT ref: 008E3126
              • _free.LIBCMT ref: 008E312D
              • _free.LIBCMT ref: 008E314A
              • _free.LIBCMT ref: 008E3162
              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
              • String ID:
              • API String ID: 161543041-0
              • Opcode ID: faee6554195e8c75a08e5ab364f709e15cd41a4c8dc84e2329fc2fac1428953a
              • Instruction ID: 4fef7737c045480e71fb359b29d42434ae51ac8237db9be32919a2815c953180
              • Opcode Fuzzy Hash: faee6554195e8c75a08e5ab364f709e15cd41a4c8dc84e2329fc2fac1428953a
              • Instruction Fuzzy Hash: 7B315E31604B469FEB21AA7ADC49B5AB7E8FF11310F51452AF458DB251DF31EE40C711
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph
              (In the original report this is a rendered graph with executed and not-executed blocks distinguished by colour; only the node and edge list survived extraction, and it is summarised here. This entry has no APIs section, so the block labels below are the only record of the imports this routine reaches.)
              • Blocks: 62, spanning 8ddfe7-8de39b; entry 8ddfe7-8ddff7, single exit 8de396-8de39b
              • Direct Win32 calls: GetConsoleMode (8de26e-8de27d), ReadConsoleW (8de285-8de29f), ReadFile (8de2cf-8de2e7), GetLastError (8de2a1 and 8de343-8de34e)
              • Internal calls: 8dd5f2, 8dd678 (__dosmaperr, per the 8e46ef entry below), 8dd69b, 8dd6ae, 8dd85f, 8ddb43, 8ddd03, 8dde53, 8dea9c (_free), 8dfbda (allocation wrapper around RtlAllocateHeap, per the 8e4c7c entry below), 8e3f2b
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3907804496
              • Opcode ID: 4849a4540b687f611245a832c40f3d4e0c93216c699c9aca91b3dd453cef7fe1
              • Instruction ID: 9a005da913eab114c8008cf7e7a36908ed836f9feb3b4f2e25fa4b4ed5d0d2bb
              • Opcode Fuzzy Hash: 4849a4540b687f611245a832c40f3d4e0c93216c699c9aca91b3dd453cef7fe1
              • Instruction Fuzzy Hash: 7DC1C174A042499FDB15EFACD881BAEBBB4FF59314F084296F444EB392C7709941CB61
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph
              (In the original report this is a rendered graph with executed and not-executed blocks distinguished by colour; only the node and edge list survived extraction, and it is summarised here.)
              • Blocks: 32, spanning 8e46ef-8e4a17; entry 8e46ef-8e471f, single exit 8e4a11-8e4a17
              • Direct Win32 calls: GetLastError followed by __dosmaperr (8e47ea-8e4810, 8e4820-8e4851, 8e49c5-8e49f1), GetFileType (8e4815-8e481e), CloseHandle (8e4820-8e4851 on the GetFileType failure path, and 8e4990-8e49c3)
              • Internal calls: 8e43bd (CreateFileW wrapper, called from 8e475f-8e47a8, 8e47bb-8e47e8 and 8e4990-8e49c3), 8dd678 (__dosmaperr), 8dd69b, 8dd6ae, 8debff, 8e2a7e, 8e28b5, 8e296c, 8e4170, 8e4452, 8e45ce
              APIs
                • Part of subcall function 008E43BD: CreateFileW.KERNEL32(00000000,00000000,?,008E4798,?,?,00000000,?,008E4798,00000000,0000000C), ref: 008E43DA
              • GetLastError.KERNEL32 ref: 008E4803
              • __dosmaperr.LIBCMT ref: 008E480A
              • GetFileType.KERNEL32(00000000), ref: 008E4816
              • GetLastError.KERNEL32 ref: 008E4820
              • __dosmaperr.LIBCMT ref: 008E4829
              • CloseHandle.KERNEL32(00000000), ref: 008E4849
              • CloseHandle.KERNEL32(?), ref: 008E4993
              • GetLastError.KERNEL32 ref: 008E49C5
              • __dosmaperr.LIBCMT ref: 008E49CC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
              • String ID: H
              • API String ID: 4237864984-2852464175
              • Opcode ID: f3b430b43876817c17d6d6f4c0be791b4c8f3b498a59558fd486fc7cf9f131ee
              • Instruction ID: d24f07805ce808f771964d636b4d3237987b29b8ddeab7dfb0ad12b190d217ab
              • Opcode Fuzzy Hash: f3b430b43876817c17d6d6f4c0be791b4c8f3b498a59558fd486fc7cf9f131ee
              • Instruction Fuzzy Hash: 39A1E631A101989FDF19AF68D851BAE7BA0FB07324F14115AF819EB3A1DB359C12C792
              Uniqueness

              Uniqueness Score: -1.00%
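              Added example (not part of the Joe Sandbox report): a triage helper for the APIs bullets in these function entries. The report lists a routine's own calls as top-level bullets and marks imports that are only reached through a statically linked CRT routine as "Part of subcall function ..." lines; the module suffix tells the two apart (.LIBCMT and .LIBVCRUNTIME are the CRT, .KERNEL32 is a Win32 import). The helper parses those lines and reports whether a routine touches the OS itself or only through CRT wrappers, which is the difference between the 8e3025 entry (everything goes through _free) and the 8e46ef entry (GetFileType and CloseHandle called directly). The two embedded inputs are bullets copied from those two entries; the function names and the CRT module list are the example's own.

```python
"""Triage helper for the 'APIs' bullets of a Joe Sandbox function listing:
separate statically linked CRT routines (.LIBCMT / .LIBVCRUNTIME) from Win32
imports, and record whether each import is reached directly by the listed
routine or only inside a 'Part of subcall function ...' line."""
from __future__ import annotations

import re
from collections import defaultdict

# Both inputs are copied from entries on this page, bullet text as the report prints it.
SAMPLE_FREE_ROUTINE = """
• ___free_lconv_mon.LIBCMT ref: 008E3069
  • Part of subcall function 008E2B9F: _free.LIBCMT ref: 008E2BBC
• _free.LIBCMT ref: 008E305E
  • Part of subcall function 008DEA9C: HeapFree.KERNEL32(00000000,00000000,?,008E2D34,?,00000000,?,00000000,?,008E2D5B,?,00000007,?,?,008E31BD,?), ref: 008DEAB2
  • Part of subcall function 008DEA9C: GetLastError.KERNEL32(?,?,008E2D34,?,00000000,?,00000000,?,008E2D5B,?,00000007,?,?,008E31BD,?,?), ref: 008DEAC4
• _free.LIBCMT ref: 008E3080
"""
SAMPLE_OPEN_ROUTINE = """
  • Part of subcall function 008E43BD: CreateFileW.KERNEL32(00000000,00000000,?,008E4798,?,?,00000000,?,008E4798,00000000,0000000C), ref: 008E43DA
• GetLastError.KERNEL32 ref: 008E4803
• __dosmaperr.LIBCMT ref: 008E480A
• GetFileType.KERNEL32(00000000), ref: 008E4816
• GetLastError.KERNEL32 ref: 008E4820
• __dosmaperr.LIBCMT ref: 008E4829
• CloseHandle.KERNEL32(00000000), ref: 008E4849
"""

# Module suffixes the report uses for the statically linked runtime (assumption:
# only the two seen on this page are listed).
CRT_MODULES = {"LIBCMT", "LIBVCRUNTIME"}

# "• Name.MODULE(args), ref: ADDR" or "• Part of subcall function ADDR: Name.MODULE ref: ADDR"
_API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<via>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)


def parse_api_lines(text: str) -> list[dict]:
    """One record per bullet; 'via' is the CRT routine issuing the call, None when direct."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _API_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised API line: {line!r}")
        args = m["args"]
        calls.append({
            "name": m["name"],
            "module": m["module"],
            "ref": m["ref"],
            "via": m["via"],
            "argc": 0 if args is None else len(args.split(",")),
            "is_crt": m["module"] in CRT_MODULES,
        })
    return calls


def win32_reachability(calls: list[dict]) -> dict[str, dict[str, list[str]]]:
    """For each non-CRT import: refs where the listed routine calls it itself
    ('direct') and refs where it is only reached inside a CRT subcall ('via_crt')."""
    out: dict[str, dict[str, list[str]]] = defaultdict(lambda: {"direct": [], "via_crt": []})
    for c in calls:
        if not c["is_crt"]:
            out[c["name"]]["direct" if c["via"] is None else "via_crt"].append(c["ref"])
    return dict(out)


def crt_only(calls: list[dict]) -> bool:
    """True when the routine never calls the OS itself: every import it reaches
    sits behind a CRT wrapper, so the routine is runtime boilerplate."""
    return all(c["is_crt"] or c["via"] is not None for c in calls)


def summarize(text: str) -> dict:
    calls = parse_api_lines(text)
    return {
        "crt_routines": sorted({c["name"] for c in calls if c["is_crt"]}),
        "imports": win32_reachability(calls),
        "crt_only": crt_only(calls),
    }


if __name__ == "__main__":
    for label, sample in (("8e3025", SAMPLE_FREE_ROUTINE), ("8e46ef", SAMPLE_OPEN_ROUTINE)):
        print(label, summarize(sample))
```

Run over a whole report, the crt_only flag sorts the many _free/__dosmaperr/_ValidateLocalCookies entries away from the handful of routines whose own bodies call CreateFileW, ReadFile or WriteFile; those few are where an analyst's time goes.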

              Control-flow Graph
              (In the original report this is a rendered graph with executed and not-executed blocks distinguished by colour; only the node and edge list survived extraction, and it is summarised here.)
              • Blocks: 3, spanning 8e041d-8e04c5; entry 8e041d-8e042e, single exit 8e043a-8e04c5
              • Direct Win32 calls: none
              • Internal calls: 8dea9c (_free, 10 call sites: one in 8e0430-8e0439, nine consecutive in 8e043a-8e04c5, matching the ten _free refs listed under APIs), 8e02e3, 8e0333
              APIs
              • _free.LIBCMT ref: 008E0431
                • Part of subcall function 008DEA9C: HeapFree.KERNEL32(00000000,00000000,?,008E2D34,?,00000000,?,00000000,?,008E2D5B,?,00000007,?,?,008E31BD,?), ref: 008DEAB2
                • Part of subcall function 008DEA9C: GetLastError.KERNEL32(?,?,008E2D34,?,00000000,?,00000000,?,008E2D5B,?,00000007,?,?,008E31BD,?,?), ref: 008DEAC4
              • _free.LIBCMT ref: 008E043D
              • _free.LIBCMT ref: 008E0448
              • _free.LIBCMT ref: 008E0453
              • _free.LIBCMT ref: 008E045E
              • _free.LIBCMT ref: 008E0469
              • _free.LIBCMT ref: 008E0474
              • _free.LIBCMT ref: 008E047F
              • _free.LIBCMT ref: 008E048A
              • _free.LIBCMT ref: 008E0498
              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              • Opcode ID: 94bfa12d6e014cc3854ff4bdc8f478e290144a80ca083632f0a3827a1d2757d0
              • Instruction ID: c018849bd8bc1147545ed725a43bfce980b02275284963c8819cfffd33dfdbf1
              • Opcode Fuzzy Hash: 94bfa12d6e014cc3854ff4bdc8f478e290144a80ca083632f0a3827a1d2757d0
              • Instruction Fuzzy Hash: FD11777650051AAFCB01FF59CD42CD93FA5FF14350B9285A6BA088F222D771EA509B85
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph
              (In the original report this is a rendered graph with executed and not-executed blocks distinguished by colour; only the node and edge list survived extraction, and it is summarised here.)
              • Blocks: 21, spanning 8dee67-8df019; entry 8dee67-8deec4, single exit 8df007-8df019
              • Direct Win32 calls: GetConsoleCP (8dee67-8deec4), WideCharToMultiByte (8def50-8def70), WriteFile (8def76-8def8c and 8defa7-8defc5), GetLastError (8defff-8df005)
              • Internal calls: 8dfd69 (__fassign, 2 call sites), 8e2b79, 8d3667
              APIs
              • GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,008DF5DC,?,?,?,?,?,?), ref: 008DEEA9
              • __fassign.LIBCMT ref: 008DEF24
              • __fassign.LIBCMT ref: 008DEF3F
              • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 008DEF65
              • WriteFile.KERNEL32(?,?,00000000,008DF5DC,00000000,?,?,?,?,?,?,?,?,?,008DF5DC,?), ref: 008DEF84
              • WriteFile.KERNEL32(?,?,00000001,008DF5DC,00000000,?,?,?,?,?,?,?,?,?,008DF5DC,?), ref: 008DEFBD
              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
              • String ID:
              • API String ID: 1324828854-0
              • Opcode ID: 46aba663ba08da5adc3901787d1d18ea361286660a206cb72c3a9e23c78d94af
              • Instruction ID: 8cace9714d69d64167568275546845bae6911fea49b28022ed58cdde3ec5fd4c
              • Opcode Fuzzy Hash: 46aba663ba08da5adc3901787d1d18ea361286660a206cb72c3a9e23c78d94af
              • Instruction Fuzzy Hash: EA5171719006499FDB10CFA8D885EEEBBB5FF09304F14426BE956E7392DB30A941CB61
              Uniqueness

              Uniqueness Score: -1.00%
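              Added example (not part of the Joe Sandbox report): a parser for the flattened control_flow_graph text that these entries degrade to once the graph image is gone. The node and edge dump is worth parsing rather than skipping: for the routine at 8ddfe7 above it is the only place the report names ReadFile, GetConsoleMode and ReadConsoleW, because that entry has no APIs section. The parser recovers per-block API call sites, internal call targets (expanding the "call X * N" shorthand into N calls) and the entry and exit blocks. The embedded inputs are the control_flow_graph text of the routine at 8dee67 directly above and the short one of the routine at 8e041d, both copied from this page; class and function names are the example's own.

```python
"""Parse the flattened 'control_flow_graph' text of a Joe Sandbox function
listing (what is left once the rendered graph image is lost) and recover the
per-block API call sites, internal call targets and entry/exit blocks."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Input copied from this report: the control_flow_graph text of the routine at
# 8dee67 (console write path: GetConsoleCP, WideCharToMultiByte, WriteFile).
SAMPLE_CFG = (
    "511 8dee67-8deec4 GetConsoleCP 512 8deeca-8deee6 511->512 513 8df007-8df019 "
    "call 8d3667 511->513 515 8deee8-8deeff 512->515 516 8def01-8def12 call 8e2b79 "
    "512->516 518 8def3b-8def4a call 8dfd69 515->518 523 8def38-8def3a 516->523 "
    "524 8def14-8def17 516->524 518->513 525 8def50-8def70 WideCharToMultiByte "
    "518->525 523->518 526 8def1d-8def2f call 8dfd69 524->526 527 8defde-8deffd "
    "524->527 525->513 529 8def76-8def8c WriteFile 525->529 526->513 533 8def35-8def36 "
    "526->533 527->513 531 8defff-8df005 GetLastError 529->531 532 8def8e-8def9f "
    "529->532 531->513 532->513 534 8defa1-8defa5 532->534 533->525 535 8defa7-8defc5 "
    "WriteFile 534->535 536 8defd3-8defd6 534->536 535->531 537 8defc7-8defcb "
    "535->537 536->512 538 8defdc 536->538 537->513 539 8defcd-8defd0 537->539 "
    "538->513 539->536"
)
# Second input copied from this report (routine at 8e041d); it uses the
# "call X * N" shorthand for N consecutive calls to the same target.
SAMPLE_CFG_FREE = (
    "484 8e041d-8e042e 485 8e043a-8e04c5 call 8dea9c * 9 call 8e02e3 call 8e0333 "
    "484->485 486 8e0430-8e0439 call 8dea9c 484->486 486->485"
)


@dataclass
class Block:
    node_id: int
    start: str                # hex address of the block's first instruction
    end: str | None           # hex address of its last instruction; None for one-address blocks
    calls: list[str] = field(default_factory=list)  # internal call targets, one entry per call
    apis: list[str] = field(default_factory=list)   # imports the sandbox resolved inside the block

    @property
    def span(self) -> str:
        return self.start if self.end is None else f"{self.start}-{self.end}"


# One alternative per token kind; "A->B" is tried before the node form because both start with an id.
_TOKEN = re.compile(
    r"(?P<src>\d+)->(?P<dst>\d+)"
    r"|(?P<nid>\d+) (?P<start>[0-9a-f]{4,})(?:-(?P<end>[0-9a-f]+))?"
    r"|call (?P<call>[0-9a-f]+)"
    r"|\* (?P<mult>\d+)"
    r"|(?P<api>[A-Z][A-Za-z0-9]+)"
)


def parse_cfg(text: str) -> tuple[dict[int, Block], list[tuple[int, int]]]:
    """Call/API tokens belong to the most recent node definition; edges may precede their target."""
    blocks: dict[int, Block] = {}
    edges: list[tuple[int, int]] = []
    current: Block | None = None
    for m in _TOKEN.finditer(text):
        if m.group("src"):
            edges.append((int(m.group("src")), int(m.group("dst"))))
        elif m.group("nid"):
            current = Block(int(m.group("nid")), m.group("start"), m.group("end"))
            blocks[current.node_id] = current
        elif current is None:
            raise ValueError(f"annotation {m.group(0)!r} before any node definition")
        elif m.group("call"):
            current.calls.append(m.group("call"))
        elif m.group("mult"):
            if not current.calls:
                raise ValueError(f"'* N' without a preceding call in block {current.span}")
            current.calls.extend([current.calls[-1]] * (int(m.group("mult")) - 1))
        else:
            current.apis.append(m.group("api"))
    dangling = {n for edge in edges for n in edge} - set(blocks)
    if dangling:
        raise ValueError(f"edges reference undefined blocks: {sorted(dangling)}")
    return blocks, edges


def api_call_sites(blocks: dict[int, Block]) -> dict[str, list[str]]:
    """Import name -> spans of the blocks that call it, in address order."""
    sites: dict[str, list[str]] = {}
    for block in sorted(blocks.values(), key=lambda b: int(b.start, 16)):
        for api in block.apis:
            sites.setdefault(api, []).append(block.span)
    return sites


def entry_and_exit(blocks: dict[int, Block], edges: list[tuple[int, int]]) -> tuple[list[int], list[int]]:
    """Entry blocks have no predecessor, exit blocks no successor (node ids, sorted)."""
    targets = {dst for _, dst in edges}
    sources = {src for src, _ in edges}
    return sorted(n for n in blocks if n not in targets), sorted(n for n in blocks if n not in sources)


def summarize(text: str) -> dict:
    blocks, edges = parse_cfg(text)
    entries, exits = entry_and_exit(blocks, edges)
    return {
        "blocks": len(blocks),
        "edges": len(edges),
        "entry": [blocks[n].span for n in entries],
        "exit": [blocks[n].span for n in exits],
        "apis": api_call_sites(blocks),
        "internal_calls": sorted({c for b in blocks.values() for c in b.calls}),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_CFG))
```

Feed it the 8ddfe7 dump and the apis map comes back with ReadFile, GetConsoleMode, ReadConsoleW and GetLastError against their block spans, which is the information the missing APIs section would have carried. Internal call targets are returned as raw addresses; naming them (8dea9c as _free, 8dd678 as __dosmaperr) still needs the refs in another entry's APIs list.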

              Control-flow Graph
              (In the original report this is a rendered graph with executed and not-executed blocks distinguished by colour; only the node and edge list survived extraction, and it is summarised here.)
              • Blocks: 24, spanning 8d8950-8d8aa6; entry 8d8950-8d8995, two exits 8d8a19-8d8a22 and 8d8a8a-8d8aa6
              • Direct Win32 calls: none
              • Internal calls: 8d8910 (_ValidateLocalCookies, 3 call sites), 8d8c57 (___except_validate_context_record), 8e9170 (__IsNonwritableInCurrentImage), 8d8bf0, 8d8c08, 8d8c24, 8d8c40 (2 call sites); every target is a LIBCMT/LIBVCRUNTIME routine per the APIs list
              APIs
              • _ValidateLocalCookies.LIBCMT ref: 008D897B
              • ___except_validate_context_record.LIBVCRUNTIME ref: 008D8983
              • _ValidateLocalCookies.LIBCMT ref: 008D8A11
              • __IsNonwritableInCurrentImage.LIBCMT ref: 008D8A3C
              • _ValidateLocalCookies.LIBCMT ref: 008D8A91
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
              • String ID: csm
              • API String ID: 1170836740-1018135373
              • Opcode ID: b46c87f0bf60328b38d86a2ea82f8f3481f0266b9900c7a94036b6ef6c48bc25
              • Instruction ID: ad0a8321d9e4cb78a10cfd032b79bba56645d4e2f0995e1893f07be22b5b7143
              • Opcode Fuzzy Hash: b46c87f0bf60328b38d86a2ea82f8f3481f0266b9900c7a94036b6ef6c48bc25
              • Instruction Fuzzy Hash: E941C434A00218EBCB10DF6CC885AAE7BA4FF45324F148257E815EB352DB31EA41CB92
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2d127c20d4e831c9ef6f0ddcca4dedcf82a698e73f0173ffa8af5426ae3a3ebe
              • Instruction ID: c0a0b53725d99adc546c4a0fbf00732ed14e869510017758c76e3ec09d097900
              • Opcode Fuzzy Hash: 2d127c20d4e831c9ef6f0ddcca4dedcf82a698e73f0173ffa8af5426ae3a3ebe
              • Instruction Fuzzy Hash: 2611E772504259BFDB206F7BBC44D6B3B6CFBA27B4B100225F815CA251EE30C81086A2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 008E2D06: _free.LIBCMT ref: 008E2D2F
              • _free.LIBCMT ref: 008E2D90
                • Part of subcall function 008DEA9C: HeapFree.KERNEL32(00000000,00000000,?,008E2D34,?,00000000,?,00000000,?,008E2D5B,?,00000007,?,?,008E31BD,?), ref: 008DEAB2
                • Part of subcall function 008DEA9C: GetLastError.KERNEL32(?,?,008E2D34,?,00000000,?,00000000,?,008E2D5B,?,00000007,?,?,008E31BD,?,?), ref: 008DEAC4
              • _free.LIBCMT ref: 008E2D9B
              • _free.LIBCMT ref: 008E2DA6
              • _free.LIBCMT ref: 008E2DFA
              • _free.LIBCMT ref: 008E2E05
              • _free.LIBCMT ref: 008E2E10
              • _free.LIBCMT ref: 008E2E1B
              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              • Opcode ID: 563ebe20eca168fa2aad3ee1928db5ce48dfd6128f12bf5416359286e80c54b2
              • Instruction ID: c2c8ba5954c0e5fd71ada257afe6cf175454d123c557a837e424c9eba38549fa
              • Opcode Fuzzy Hash: 563ebe20eca168fa2aad3ee1928db5ce48dfd6128f12bf5416359286e80c54b2
              • Instruction Fuzzy Hash: 46119031600B4AA6D520BB75CC07FCB7BAEFF03310F404915B299EA162D734B5049682
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008DB439,008DB439,?,?,?,008E4E73,00000001,00000001,FDE85006), ref: 008E4C7C
              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,008E4E73,00000001,00000001,FDE85006,?,?,?), ref: 008E4D02
              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,FDE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008E4DFC
              • __freea.LIBCMT ref: 008E4E09
                • Part of subcall function 008DFBDA: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,008E2F0F,00000000,?,008DD17C,?,00000008,?,008DFC68,?,?,?), ref: 008DFC0C
              • __freea.LIBCMT ref: 008E4E12
              • __freea.LIBCMT ref: 008E4E37
              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID: ByteCharMultiWide__freea$AllocateHeap
              • String ID:
              • API String ID: 1414292761-0
              • Opcode ID: 1289d23bcd5459c88ca099f6a670a0cef8b24a0b64e04421ce8b7f834176a062
              • Instruction ID: dbe78a722311551f24623ef2cbc33bd4b3636866ce51c3256abe17406d1943f7
              • Opcode Fuzzy Hash: 1289d23bcd5459c88ca099f6a670a0cef8b24a0b64e04421ce8b7f834176a062
              • Instruction Fuzzy Hash: B851247260029BABDB298F66CC41EBF77A9FB46760F250229FD18D7140DB74DC50C6A0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID: ErrorLast$_free$_abort
              • String ID:
              • API String ID: 3160817290-0
              • Opcode ID: 532a84aab81c4cdce3203be90e9551914930620a30db3120ea598db8f207a941
              • Instruction ID: a15579c58ae179111156ba3fa561bcbc6e9cd3f194fd36a7154ae0bd211579da
              • Opcode Fuzzy Hash: 532a84aab81c4cdce3203be90e9551914930620a30db3120ea598db8f207a941
              • Instruction Fuzzy Hash: 23F0F932140A8167C601733E7C0AF3B2B29FFD3B21B210525F924E62D1EFB48A419D76
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,008DC6DC,00000003,?,008DC67C,00000003,008F3270,0000000C,008DC7D3,00000003,00000002), ref: 008DC74B
              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 008DC75E
              • FreeLibrary.KERNEL32(00000000,?,?,?,008DC6DC,00000003,?,008DC67C,00000003,008F3270,0000000C,008DC7D3,00000003,00000002,00000000), ref: 008DC781
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID: AddressFreeHandleLibraryModuleProc
              • String ID: CorExitProcess$mscoree.dll
              • API String ID: 4061214504-1276376045
              • Opcode ID: 8ab5dd66cb0b2d49f1a4bf0fe84cf86fb72da40eda1dcfa6c7a41d6fa3ce856d
              • Instruction ID: 3eb8c8ed522b82152561be9a3f747b1ac574ec474049e3ac749127c6dee9da94
              • Opcode Fuzzy Hash: 8ab5dd66cb0b2d49f1a4bf0fe84cf86fb72da40eda1dcfa6c7a41d6fa3ce856d
              • Instruction Fuzzy Hash: 8FF04430600548FBCB159F65DC49BAD7FB8FF05B12F000265F905E6290DB759E84CA51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID: _free
              • String ID:
              • API String ID: 269201875-0
              • Opcode ID: 3abe85f8d80c0f4a13e561e8822f3202ea706edd9d7fff178cdbfcb7c021ee85
              • Instruction ID: ebcc045a7076580d3239aaf1b030fea7b3fe249a289153d15ee9c378a3f74314
              • Opcode Fuzzy Hash: 3abe85f8d80c0f4a13e561e8822f3202ea706edd9d7fff178cdbfcb7c021ee85
              • Instruction Fuzzy Hash: 8941D232A006159FCB20DF78C981A5AB7A6FF89714F25466AE615EB341EB31AD01CB81
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetLastError.KERNEL32(?,?,?,008DD6B3,008E1467,?,008E053F,00000001,00000364,?,008DAAD2,?,?,?,008DA693,?), ref: 008E059A
              • _free.LIBCMT ref: 008E05CF
              • _free.LIBCMT ref: 008E05F6
              • SetLastError.KERNEL32(00000000), ref: 008E0603
              • SetLastError.KERNEL32(00000000), ref: 008E060C
              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID: ErrorLast$_free
              • String ID:
              • API String ID: 3170660625-0
              • Opcode ID: 7d89bdfb743a4519c5811dce37b1a8d4a6450b5edf0dacbc2d6bba2e083b1ed3
              • Instruction ID: 5cd09448a772e489c96e50827dae1d09c7f05c39f4dbca2fd5b788e06bb15934
              • Opcode Fuzzy Hash: 7d89bdfb743a4519c5811dce37b1a8d4a6450b5edf0dacbc2d6bba2e083b1ed3
              • Instruction Fuzzy Hash: 4D014932144B81B7C212773A6C85E3B272DFFE37657310925F815E62A1EFB089414836
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _free.LIBCMT ref: 008E2CB5
                • Part of subcall function 008DEA9C: HeapFree.KERNEL32(00000000,00000000,?,008E2D34,?,00000000,?,00000000,?,008E2D5B,?,00000007,?,?,008E31BD,?), ref: 008DEAB2
                • Part of subcall function 008DEA9C: GetLastError.KERNEL32(?,?,008E2D34,?,00000000,?,00000000,?,008E2D5B,?,00000007,?,?,008E31BD,?,?), ref: 008DEAC4
              • _free.LIBCMT ref: 008E2CC7
              • _free.LIBCMT ref: 008E2CD9
              • _free.LIBCMT ref: 008E2CEB
              • _free.LIBCMT ref: 008E2CFD
              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              • Opcode ID: a043f64c768c434a87806fdd4b25e298dd2af7217005b0a252755006a9b5ca53
              • Instruction ID: 8bfcc0151d1d073cb89558ef8b308dff2b088b313153061f1a25a5c467f7662d
              • Opcode Fuzzy Hash: a043f64c768c434a87806fdd4b25e298dd2af7217005b0a252755006a9b5ca53
              • Instruction Fuzzy Hash: EFF01D32514692AB8620FB69FD86C2B77EDFB057607A5191BF408DB620CB30FC80CA64
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _free.LIBCMT ref: 008DCED9
                • Part of subcall function 008DEA9C: HeapFree.KERNEL32(00000000,00000000,?,008E2D34,?,00000000,?,00000000,?,008E2D5B,?,00000007,?,?,008E31BD,?), ref: 008DEAB2
                • Part of subcall function 008DEA9C: GetLastError.KERNEL32(?,?,008E2D34,?,00000000,?,00000000,?,008E2D5B,?,00000007,?,?,008E31BD,?,?), ref: 008DEAC4
              • _free.LIBCMT ref: 008DCEEB
              • _free.LIBCMT ref: 008DCEFE
              • _free.LIBCMT ref: 008DCF0F
              • _free.LIBCMT ref: 008DCF20
              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              • Opcode ID: 9e1f10ab278d43f32865096f4239d4a8c627d79dc08d93222cae0ab956c3a01b
              • Instruction ID: 66181d2862a1b2492b7105685b2e64dac40eea5ff0244a12efcb24e8ccd57ef2
              • Opcode Fuzzy Hash: 9e1f10ab278d43f32865096f4239d4a8c627d79dc08d93222cae0ab956c3a01b
              • Instruction Fuzzy Hash: 2DF017B0811E229BC721BF38EC02D2A3FA4F7157247921217F214DA371DB312991DAD2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\install_numarkidjliveii+(1).exe,00000104), ref: 008DBF9A
              • _free.LIBCMT ref: 008DC065
              • _free.LIBCMT ref: 008DC06F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID: _free$FileModuleName
              • String ID: C:\Users\user\Desktop\install_numarkidjliveii+(1).exe
              • API String ID: 2506810119-2219621482
              • Opcode ID: 6df442fc5ddd8aedbd07c95f8583d6833b560b3e27af3a47c526205b71dcef52
              • Instruction ID: 3992e5f09124604c1e620dba706d3e70bfd3e9536ff28dcf44928ce2244180ea
              • Opcode Fuzzy Hash: 6df442fc5ddd8aedbd07c95f8583d6833b560b3e27af3a47c526205b71dcef52
              • Instruction Fuzzy Hash: 69317C71A00619EFCB21DFA9DC81DAEBBB8FB95710B104267E504D7311DBB09E40CB91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • wsprintfW.USER32 ref: 008D308B
              • MessageBoxW.USER32(00000000,?,VirtualDJ Addons Installer,00000010), ref: 008D30A1
              Strings
              • VirtualDJ Addons Installer, xrefs: 008D3099
              • Installation error %i, xrefs: 008D3085
              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID: Messagewsprintf
              • String ID: Installation error %i$VirtualDJ Addons Installer
              • API String ID: 300413163-227196857
              • Opcode ID: 10a90d38367356d6fd73cdbe1f6ebc9f9eadf1782d3fc34a0f7fbb3db0e72123
              • Instruction ID: 74328524ae3cf0c1f00df2cfeda364d24775b4c3f7ea38ba8dc794f7997a6404
              • Opcode Fuzzy Hash: 10a90d38367356d6fd73cdbe1f6ebc9f9eadf1782d3fc34a0f7fbb3db0e72123
              • Instruction Fuzzy Hash: 06E0127065020CABD704DBB8DD46F6E77A8FB04704F500159BA12E62C1D660FB049A5A
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID: __alldvrm$_strrchr
              • String ID:
              • API String ID: 1036877536-0
              • Opcode ID: 83d04518bf0ef92ce44114796b77fbdc83d101adb180938118fe2ce886ac70b4
              • Instruction ID: c35481dd957f906e67f83fdbfbd2b9c8260c519a3fb7084942b50103baa86b95
              • Opcode Fuzzy Hash: 83d04518bf0ef92ce44114796b77fbdc83d101adb180938118fe2ce886ac70b4
              • Instruction Fuzzy Hash: 80A134719043DA9FEB21DE1AC8817AEBFA4FF12310F184969D484DB283C6B49981CB51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID: _free
              • String ID:
              • API String ID: 269201875-0
              • Opcode ID: 15cc362db32fb1decc200f5f50eefc8380887b6e3b728c414eaa1e4b39dc5fe3
              • Instruction ID: 9ac563deaf07b228600992d39d155c7fa066b922a297e2491118ca71efb14ed8
              • Opcode Fuzzy Hash: 15cc362db32fb1decc200f5f50eefc8380887b6e3b728c414eaa1e4b39dc5fe3
              • Instruction Fuzzy Hash: E7411D31704784ABDB25BBBE9C85A6E3765FF57330F140326F418D6292DA34894056E3
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,008DFC68,?,00000000,?,00000001,?,?,00000001,008DFC68,?), ref: 008E2EB8
              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008E2F41
              • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,008DD17C,?), ref: 008E2F53
              • __freea.LIBCMT ref: 008E2F5C
                • Part of subcall function 008DFBDA: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,008E2F0F,00000000,?,008DD17C,?,00000008,?,008DFC68,?,?,?), ref: 008DFC0C
              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
              • String ID:
              • API String ID: 2652629310-0
              • Opcode ID: 64df73c31387f51b735d7374963219d16c33d636f8434c483bcc78d0e1b7231f
              • Instruction ID: 9f35e10a227e2b9c3eab3daf6e1d4fbf61d1679020a8df0a9af654e27f86bf37
              • Opcode Fuzzy Hash: 64df73c31387f51b735d7374963219d16c33d636f8434c483bcc78d0e1b7231f
              • Instruction Fuzzy Hash: C631F032A0025AABCF258F6ADC85DAE7BB8FB01710F040269FC09DB250EB35DD55CB91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008DA693,00000000,00000000,?,008E22A5,008DA693,00000000,00000000,00000000,?,008E24F0,00000006,FlsSetValue), ref: 008E2330
              • GetLastError.KERNEL32(?,008E22A5,008DA693,00000000,00000000,00000000,?,008E24F0,00000006,FlsSetValue,008EEEC4,FlsSetValue,00000000,00000364,?,008E05E3), ref: 008E233C
              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,008E22A5,008DA693,00000000,00000000,00000000,?,008E24F0,00000006,FlsSetValue,008EEEC4,FlsSetValue,00000000), ref: 008E234A
              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID: LibraryLoad$ErrorLast
              • String ID:
              • API String ID: 3177248105-0
              • Opcode ID: 86993ca23a26da0aa5d28080fc141cc8568eb8e72d44876b3ce0024a0a9464e9
              • Instruction ID: 0756b200d40dfef9909fc07db69e03a2ef774339b837cbe67daaae846337cd7b
              • Opcode Fuzzy Hash: 86993ca23a26da0aa5d28080fc141cc8568eb8e72d44876b3ce0024a0a9464e9
              • Instruction Fuzzy Hash: A601FC326016A6DBCB258A7AAC849577B9CFF06BA47210620FE05D7350D734E801CEE0
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1675608255.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true
              • Associated: 00000000.00000002.1675591922.00000000008D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675630855.00000000008EA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675657126.00000000008F4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1675673425.00000000008F6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_8d0000_install_numarkidjliveii+(1).jbxd
              Similarity
              • API ID:
              • String ID: r+b
              • API String ID: 0-2113443889
              • Opcode ID: 309239fb8f670160530669ef56da222a4f27fe49fb36dda4a3675442633757f8
              • Instruction ID: 1b9662ea0a4975208d8a9ecea53985bcc23a2c6026c9221eb050d628e30206fe
              • Opcode Fuzzy Hash: 309239fb8f670160530669ef56da222a4f27fe49fb36dda4a3675442633757f8
              • Instruction Fuzzy Hash: C611A171214259BBDF055AAC9C49BAA37D8FF49314B10872BFB09CA342DB30CD1087A1
              Uniqueness

              Uniqueness Score: -1.00%