Windows Analysis Report
ENDIDEV.exe

Overview

General Information

Sample name: ENDIDEV.exe
Analysis ID: 1427668
MD5: 4b4106cbe0cbf4ca771a185abaf54362
SHA1: b0e595390c77b313a08a81df366a2ba3f8e683b4
SHA256: 5d529ebadf935d071cd64d97ab459aa12766af1063cb2fc067cff5c118dff2fa
Tags: exe, Kamrui, redline

Detection

PureLog Stealer, RedLine
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected PureLog Stealer
Yara detected RedLine Stealer
.NET source code contains method to dynamically call methods (often used by packers)
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • ENDIDEV.exe (PID: 7304 cmdline: "C:\Users\user\Desktop\ENDIDEV.exe" MD5: 4B4106CBE0CBF4CA771A185ABAF54362)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is malware sold on underground forums, apparently either as a standalone product ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and the malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
No configs have been found
Source | Rule | Description | Author | Strings
ENDIDEV.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
ENDIDEV.exe | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
Matched strings:
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 6B 88 44 24 2B 88 44 24 2F B0 46 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
Source | Rule | Description | Author | Strings
00000000.00000002.1742459576.0000000003575000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.1741733788.0000000002500000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000003.1694021851.0000000000689000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.1742786574.00000000049F0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.1741390309.00000000020D0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

Source | Rule | Description | Author | Strings
0.2.ENDIDEV.exe.49f0000.8.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.ENDIDEV.exe.358d590.7.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.ENDIDEV.exe.2110f8e.2.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.ENDIDEV.exe.49f0000.8.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.ENDIDEV.exe.2110086.1.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
(5 of 17 unpacked PE entries shown)
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: ENDIDEV.exe | ReversingLabs: Detection: 50%
Source: ENDIDEV.exe | Joe Sandbox ML: detected
Source: ENDIDEV.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: ENDIDEV.exe, 00000000.00000003.1697566514.00000000006F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: ENDIDEV.exe, 00000000.00000003.1740565281.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1741300902.00000000006B6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ENDEV.pdb source: ENDIDEV.exe, 00000000.00000002.1742459576.0000000003575000.00000004.00000800.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1741733788.0000000002500000.00000004.08000000.00040000.00000000.sdmp, ENDIDEV.exe, 00000000.00000003.1694021851.0000000000689000.00000004.00000020.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1742786574.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1741390309.00000000020D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: _.pdb source: ENDIDEV.exe, 00000000.00000002.1742459576.0000000003575000.00000004.00000800.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000003.1696604578.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1741733788.0000000002500000.00000004.08000000.00040000.00000000.sdmp, ENDIDEV.exe, 00000000.00000003.1694021851.0000000000689000.00000004.00000020.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1741390309.00000000020D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb{b source: ENDIDEV.exe, 00000000.00000003.1697566514.00000000006F0000.00000004.00000020.00020000.00000000.sdmp

System Summary

Source: ENDIDEV.exe, type: SAMPLE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.0.ENDIDEV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.ENDIDEV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_00408C60
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_0040DC11
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_00407C3F
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_00418CCC
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_00406CA0
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_004028B0
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_0041A4BE
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_00408C60
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_00418244
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_00401650
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_00402F20
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_004193C4
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_00418788
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_00402F89
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_00402B90
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_004073A0
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_023614B5
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_02361493
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_02360DA0
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_02360D91
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_05590470
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_05590480
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: String function: 0040E1D8 appears 43 times
Source: ENDIDEV.exe, 00000000.00000003.1693799935.00000000006D8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMsMpLics.dllj% vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000002.1742459576.0000000003575000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameENDEV.exe" vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000002.1742459576.0000000003575000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000003.1693601906.00000000006D3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMsMpLics.dllj% vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000003.1696604578.00000000006A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000002.1741733788.0000000002500000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameENDEV.exe" vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000002.1741733788.0000000002500000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameENDEV.exe" vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000003.1694021851.0000000000689000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameENDEV.exe" vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000003.1694021851.0000000000689000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000000.1692701756.0000000000426000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameENDEV.exe" vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000002.1742786574.00000000049F0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameENDEV.exe" vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000002.1741390309.00000000020D0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameENDEV.exe" vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000002.1741390309.00000000020D0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000002.1741812100.00000000025E2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclrjit.dllT vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000002.1741812100.00000000025E2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000002.1741812100.00000000025E2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $kq,\\StringFileInfo\\040904B0\\OriginalFilename vs ENDIDEV.exe
Source: ENDIDEV.exe | Binary or memory string: OriginalFilenameENDEV.exe" vs ENDIDEV.exe
Source: ENDIDEV.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: ENDIDEV.exe, type: SAMPLE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.ENDIDEV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.ENDIDEV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.ENDIDEV.exe.3576478.5.raw.unpack, gBMthepoZSL1ZVKpeA.cs | Cryptographic APIs: 'CreateDecryptor' (3 occurrences)
Source: 0.2.ENDIDEV.exe.2500f08.3.raw.unpack, gBMthepoZSL1ZVKpeA.cs | Cryptographic APIs: 'CreateDecryptor' (3 occurrences)
Source: 0.2.ENDIDEV.exe.49f0000.8.raw.unpack, gBMthepoZSL1ZVKpeA.cs | Cryptographic APIs: 'CreateDecryptor' (3 occurrences)
Source: 0.3.ENDIDEV.exe.689b38.0.raw.unpack, gBMthepoZSL1ZVKpeA.cs | Cryptographic APIs: 'CreateDecryptor' (3 occurrences)
Source: classification engine | Classification label: mal80.troj.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
Source: C:\Users\user\Desktop\ENDIDEV.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ENDIDEV.exe.log
Source: C:\Users\user\Desktop\ENDIDEV.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\ENDIDEV.exe | Command line argument: 08A (0_2_00413780)
Source: ENDIDEV.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ENDIDEV.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ENDIDEV.exe | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\ENDIDEV.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ENDIDEV.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ENDIDEV.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ENDIDEV.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\ENDIDEV.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\ENDIDEV.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ENDIDEV.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ENDIDEV.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\ENDIDEV.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ENDIDEV.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ENDIDEV.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\ENDIDEV.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\ENDIDEV.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\ENDIDEV.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ENDIDEV.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ENDIDEV.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ENDIDEV.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ENDIDEV.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\ENDIDEV.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\ENDIDEV.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\ENDIDEV.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\ENDIDEV.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ENDIDEV.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\ENDIDEV.exe | Section loaded: wintypes.dll (loaded 3 times)
Source: C:\Users\user\Desktop\ENDIDEV.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: ENDIDEV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: ENDIDEV.exe, 00000000.00000003.1697566514.00000000006F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: ENDIDEV.exe, 00000000.00000003.1740565281.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1741300902.00000000006B6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ENDEV.pdb source: ENDIDEV.exe, 00000000.00000002.1742459576.0000000003575000.00000004.00000800.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1741733788.0000000002500000.00000004.08000000.00040000.00000000.sdmp, ENDIDEV.exe, 00000000.00000003.1694021851.0000000000689000.00000004.00000020.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1742786574.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1741390309.00000000020D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: _.pdb source: ENDIDEV.exe, 00000000.00000002.1742459576.0000000003575000.00000004.00000800.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000003.1696604578.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1741733788.0000000002500000.00000004.08000000.00040000.00000000.sdmp, ENDIDEV.exe, 00000000.00000003.1694021851.0000000000689000.00000004.00000020.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1741390309.00000000020D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb{b source: ENDIDEV.exe, 00000000.00000003.1697566514.00000000006F0000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: 0.2.ENDIDEV.exe.3576478.5.raw.unpack, gBMthepoZSL1ZVKpeA.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.ENDIDEV.exe.2500f08.3.raw.unpack, gBMthepoZSL1ZVKpeA.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.ENDIDEV.exe.49f0000.8.raw.unpack, gBMthepoZSL1ZVKpeA.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.3.ENDIDEV.exe.689b38.0.raw.unpack, gBMthepoZSL1ZVKpeA.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.ENDIDEV.exe.2110f8e.2.raw.unpack, gBMthepoZSL1ZVKpeA.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.ENDIDEV.exe.358d590.7.raw.unpack, gBMthepoZSL1ZVKpeA.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
Source: ENDIDEV.exe | Static PE information: real checksum: 0x23bfb should be: 0x37016
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_0040E21D push ecx; ret 0_2_0040E230
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_0040BB97 push dword ptr [ecx-75h]; iretd 0_2_0040BBA3
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_023644EB push edi; iretd 0_2_023644EE
Source: C:\Users\user\Desktop\ENDIDEV.exe | Code function: 0_2_023650DF push esp; ret 0_2_023650F1
Source: 0.2.ENDIDEV.exe.3576478.5.raw.unpack, gBMthepoZSL1ZVKpeA.cs | High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'uUcoG0Tc8', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
Source: 0.2.ENDIDEV.exe.2500f08.3.raw.unpack, gBMthepoZSL1ZVKpeA.cs | High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'uUcoG0Tc8', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
Source: 0.2.ENDIDEV.exe.49f0000.8.raw.unpack, gBMthepoZSL1ZVKpeA.cs | High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'uUcoG0Tc8', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
Source: 0.3.ENDIDEV.exe.689b38.0.raw.unpack, gBMthepoZSL1ZVKpeA.cs | High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'uUcoG0Tc8', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
Source: 0.2.ENDIDEV.exe.2110f8e.2.raw.unpack, gBMthepoZSL1ZVKpeA.cs | High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'uUcoG0Tc8', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
Source: 0.2.ENDIDEV.exe.358d590.7.raw.unpack, gBMthepoZSL1ZVKpeA.cs | High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'uUcoG0Tc8', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
Source: C:\Users\user\Desktop\ENDIDEV.exe | Process information set: NOOPENFILEERRORBOX (31 times)
Source: C:\Users\user\Desktop\ENDIDEV.exe Memory allocated: 2270000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ENDIDEV.exe Memory allocated: 2570000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ENDIDEV.exe Memory allocated: 22C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear (listed under several signatures in the report)
Source: C:\Users\user\Desktop\ENDIDEV.exe Thread delayed: delay time: 922337203685477 (listed twice)
Source: C:\Users\user\Desktop\ENDIDEV.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep (graph_0-14605)
Source: C:\Users\user\Desktop\ENDIDEV.exe TID: 7324 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess (listed twice)
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_0040ADB0 GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\ENDIDEV.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_004123F1 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\ENDIDEV.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_00417A20 GetLocaleInfoA
Source: C:\Users\user\Desktop\ENDIDEV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\ENDIDEV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
Source: C:\Users\user\Desktop\ENDIDEV.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Notes on these entries: 922337203685477 ms equals 2^63 / 10^4, the largest relative timeout expressible in 100 ns units, so the thread delay is an indefinite sleep rather than a timed one. The memory reservations with a write watch are how the .NET garbage collector reserves its heap segments, so in a process that goes on to query System.Windows.Forms.dll and System.Drawing.dll they are more plausibly CLR housekeeping than sandbox detection. The IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess sequences at 0x40CE09 and 0x40E61C are the fatal-error path of the statically linked VS2008 CRT (the execution graph labels 0x40E61C __invoke_watson), and the GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter sequence at 0x412A15 is the CRT's security-cookie seeding; neither is evidence of deliberate anti-debugging on its own. The chain at 0x4019F0 is the one to look at: it snapshots the process's own modules, locates, sizes and copies a resource, resolves further imports at run time with LoadLibraryA and GetProcAddress, and then marshals data through OLE SAFEARRAY and VARIANT structures. Together with the absence of a CLR header in the image, the later volume queries against .NET assemblies and the PureLog Stealer Yara hits on unpacked memory regions, this is consistent with a native loader that hands a managed payload to the CLR in-process; the exact hosting interface is not visible in the report.
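The evidence lines above can be turned into behaviour tags mechanically, which is how a triage script separates the CRT noise from the loader chain. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses the "Code function" and "Thread delayed" lines copied from this page, matches each API chain against ordered subsequences, and flags sleeps at the three-minute threshold the report's long-sleep signature uses. The pattern names, the subsequence rule and the INT64_MAX interpretation of the delay are the example's own assumptions.

```python
"""Turn Joe Sandbox 'Code function' / 'Thread delayed' evidence lines into behaviour tags."""
import re

# Evidence lines copied from this report (link text and the repeated function id removed).
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_004019F0 "
    "OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,"
    "CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,"
    "FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,"
    "_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,"
    "LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,"
    "SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,"
    "VariantClear,VariantClear,VariantClear,",
    r"Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_0040CE09 "
    "IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,"
    "GetCurrentProcess,TerminateProcess,",
    r"Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_00412A15 "
    "GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,"
    "QueryPerformanceCounter,",
    r"Source: C:\Users\user\Desktop\ENDIDEV.exe Thread delayed: delay time: 922337203685477",
]

# Ordered API subsequences (assumed names) and the behaviour each one evidences.
# Order matters: a resource is found, loaded, locked and sized before it can be copied.
PATTERNS = {
    "resource_payload": ["FindResourceA", "LoadResource", "LockResource", "SizeofResource"],
    "dynamic_api_resolution": ["LoadLibraryA", "GetProcAddress"],
    "module_enumeration": ["CreateToolhelp32Snapshot", "Module32First", "Module32Next"],
    "safearray_marshalling": ["SafeArrayCreate", "SafeArrayAccessData", "SafeArrayUnaccessData"],
    # The MSVC CRT fatal-error path (the report's graph names 0x40e61c __invoke_watson);
    # it contains IsDebuggerPresent but is not deliberate anti-debugging.
    "crt_failure_report": ["IsDebuggerPresent", "SetUnhandledExceptionFilter",
                           "UnhandledExceptionFilter", "GetCurrentProcess", "TerminateProcess"],
    "crt_security_cookie_seed": ["GetSystemTimeAsFileTime", "GetCurrentProcessId",
                                 "GetCurrentThreadId", "GetTickCount", "QueryPerformanceCounter"],
}
LONG_SLEEP_MS = 3 * 60 * 1000        # threshold of the report's "long sleeps (>= 3 min)" signature
INDEFINITE_MS = (1 << 63) // 10_000  # INT64_MAX in 100 ns units, expressed in milliseconds

CODE_RE = re.compile(r"Code function: \d+_\d+_([0-9A-Fa-f]+) (\S+)")
DELAY_RE = re.compile(r"delay time: (\d+)")


def is_subsequence(needle, haystack):
    """True when every name in needle occurs in haystack in the same relative order
    (the shared iterator advances past each match, which is what enforces the order)."""
    it = iter(haystack)
    return all(name in it for name in needle)


def parse_line(line):
    """Return a record for a code-chain or delay line, or None for anything else."""
    m = CODE_RE.search(line)
    if m:
        return {"kind": "code", "addr": m.group(1).upper(),
                "apis": [a for a in m.group(2).split(",") if a]}
    m = DELAY_RE.search(line)
    if m:
        return {"kind": "sleep", "ms": int(m.group(1))}
    return None


def describe_delay(ms):
    """Human-readable delay; values at INT64_MAX/10^4 ms are an indefinite wait."""
    if ms >= INDEFINITE_MS:
        return "indefinite (INT64_MAX 100 ns timeout)"
    return f"{ms / 1000:.0f} s"


def classify(lines):
    """Map each function address to its matched behaviour tags and list the sleeps."""
    findings = {"functions": {}, "sleeps": []}
    for rec in filter(None, map(parse_line, lines)):
        if rec["kind"] == "code":
            findings["functions"][rec["addr"]] = sorted(
                tag for tag, seq in PATTERNS.items() if is_subsequence(seq, rec["apis"]))
        else:
            findings["sleeps"].append({"ms": rec["ms"], "long": rec["ms"] >= LONG_SLEEP_MS,
                                       "note": describe_delay(rec["ms"])})
    return findings


if __name__ == "__main__":
    for addr, tags in classify(REPORT_LINES)["functions"].items():
        print(addr, ", ".join(tags) or "-")
```

Run against the four lines, 0x4019F0 collects the loader tags while 0x40CE09 and 0x412A15 receive only the CRT tags, which is the distinction the report's signature list does not make.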

Stealing of Sensitive Information

Source: Yara match, File source: 0.2.ENDIDEV.exe.49f0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.358d590.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.2110f8e.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.49f0000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.2110086.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.2110f8e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.2110086.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.358d590.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.3576478.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.2500000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.3575570.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.3575570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.2500000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.3.ENDIDEV.exe.689b38.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.2500f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.3576478.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.2500f08.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.3.ENDIDEV.exe.689b38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.1742459576.0000000003575000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1741733788.0000000002500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.1694021851.0000000000689000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1742786574.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1741390309.00000000020D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: ENDIDEV.exe, type: SAMPLE
Source: Yara match, File source: 0.0.ENDIDEV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality

Source: Yara match, File source: 0.2.ENDIDEV.exe.49f0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.358d590.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.2110f8e.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.49f0000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.2110086.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.2110f8e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.2110086.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.358d590.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.3576478.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.2500000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.3575570.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.3575570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.2500000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.3.ENDIDEV.exe.689b38.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.2500f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.3576478.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.2500f08.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.3.ENDIDEV.exe.689b38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.1742459576.0000000003575000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1741733788.0000000002500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.1694021851.0000000000689000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1742786574.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1741390309.00000000020D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: ENDIDEV.exe, type: SAMPLE
Source: Yara match, File source: 0.0.ENDIDEV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDIDEV.exe.400000.0.unpack, type: UNPACKEDPE
MITRE ATT&CK matrix, techniques with at least one matching signature (number of matching signatures in parentheses):

Execution: Command and Scripting Interpreter (2), Native API (2)
Persistence: DLL Side-Loading (1)
Privilege Escalation: DLL Side-Loading (1)
Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (2), Software Packing (1), DLL Side-Loading (1)
Discovery: System Time Discovery (1), Security Software Discovery (3), Virtualization/Sandbox Evasion (31), Process Discovery (1), System Information Discovery (23)
Collection: Archive Collected Data (11)
Command and Control: Encrypted Channel (1)
Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact: no matching signatures; the remaining cells of the matrix are the unmatched placeholder techniques.
Antivirus detection
Source | Detection | Scanner | Label
ENDIDEV.exe | 50% | ReversingLabs | Win32.Spyware.RedLine
ENDIDEV.exe | 100% | Joe Sandbox ML |
No Antivirus matches (reported four times, once for each of the remaining AV tables)
No contacted domains info
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1427668
Start date and time: 2024-04-17 23:12:11 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 38s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ENDIDEV.exe
Detection: MAL
Classification: mal80.troj.evad.winEXE@1/1@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 20
• Number of non-executed functions: 31
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• VT rate limit hit for: ENDIDEV.exe
No simulations
No context
Process: C:\Users\user\Desktop\ENDIDEV.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 410
Entropy (8bit): 5.361827289088002
Encrypted: false
SSDEEP: 12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M6:MLUE4K5E4KH1qE4j
MD5: 64A2247B3C640AB3571D192DF2079FCF
SHA1: A17AFDABC1A16A20A733D1FDC5DA116657AAB561
SHA-256: 87239BAD85A89EB90322C658DFD589B40229E57F05B181357FF834FCBABCB7E2
SHA-512: CF71FE05075C7CAE036BD1B7192B8571C6F97A32209293B54FAEC79BAE0B6C3369946B277CE2E1F0BF455BF60FA0E8BB890E7E9AAE9137C79AB44C9C3D406D35
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
The preview matches the format of the CLR's per-process assembly usage log, one record per bound assembly (System.Windows.Forms, System resolved to its native image System.ni.dll, and System.Drawing). The file is benign in itself, but it is a by-product of the .NET runtime executing inside a process whose own image carries no CLR header, which is the behaviour to explain when reading the rest of this report.
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.202929389670869
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: ENDIDEV.exe
File size: 189'440 bytes
MD5: 4b4106cbe0cbf4ca771a185abaf54362
SHA1: b0e595390c77b313a08a81df366a2ba3f8e683b4
SHA256: 5d529ebadf935d071cd64d97ab459aa12766af1063cb2fc067cff5c118dff2fa
SHA512: c268a4419b178bebc57bf9814e01c276b3c3f52115273a0a2921c8fcc9da07806fe85c14590f56b4729dd06a028d4ba59dc100a1b1aeb7f62f5abf3e832516e6
SSDEEP: 3072:fDKW1LgppLRHMY0TBfJvjcTp5XGGnH/K+Q9jCL:fDKW1Lgbdl0TBBvjc/L9Q5y
TLSH: 4304AD2171C0C1B3C4BB113444E6CA799A7A70714B7A95DBB6DD2BBA6F103E1A3362CD
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h..-,q.~,q.~,q.~2#.~?q.~...~+q.~,q.~\q.~2#n~.q.~2#i~.q.~2#{~-q.~Rich,q.~................@@......PE..L...t..P..........#........
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x40cd2f
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x5000A574 [Fri Jul 13 22:47:16 2012 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: bf5a4aa99e5b160f8521cadd6bfe73b8

Two of these header facts matter for reading the dynamic behaviour: RELOCS_STRIPPED together with a DLL Characteristics field that lacks DYNAMIC_BASE and NX_COMPAT means the image always loads at 0x400000 without ASLR or DEP opt-in, and the empty CLR version field means the binary is a plain native executable even though the process later binds .NET assemblies. The 2012 link timestamp is consistent with the VS2008 toolchain marks below but, like any timestamp, is trivially forged and should not be used as a dating artefact.
                        Instruction
                        call 00007F3EC926FF96h
                        jmp 00007F3EC926A159h
                        mov edi, edi
                        push ebp
                        mov ebp, esp
                        sub esp, 20h
                        mov eax, dword ptr [ebp+08h]
                        push esi
                        push edi
                        push 00000008h
                        pop ecx
                        mov esi, 0041F058h
                        lea edi, dword ptr [ebp-20h]
                        rep movsd
                        mov dword ptr [ebp-08h], eax
                        mov eax, dword ptr [ebp+0Ch]
                        pop edi
                        mov dword ptr [ebp-04h], eax
                        pop esi
                        test eax, eax
                        je 00007F3EC926A2BEh
                        test byte ptr [eax], 00000008h
                        je 00007F3EC926A2B9h
                        mov dword ptr [ebp-0Ch], 01994000h
                        lea eax, dword ptr [ebp-0Ch]
                        push eax
                        push dword ptr [ebp-10h]
                        push dword ptr [ebp-1Ch]
                        push dword ptr [ebp-20h]
                        call dword ptr [0041B000h]
                        leave
                        retn 0008h
                        ret
                        mov eax, 00413563h
                        mov dword ptr [004228E4h], eax
                        mov dword ptr [004228E8h], 00412C4Ah
                        mov dword ptr [004228ECh], 00412BFEh
                        mov dword ptr [004228F0h], 00412C37h
                        mov dword ptr [004228F4h], 00412BA0h
                        mov dword ptr [004228F8h], eax
                        mov dword ptr [004228FCh], 004134DBh
                        mov dword ptr [00422900h], 00412BBCh
                        mov dword ptr [00422904h], 00412B1Eh
                        mov dword ptr [00422908h], 00412AABh
                        ret
                        mov edi, edi
                        push ebp
                        mov ebp, esp
                        call 00007F3EC926A24Bh
                        call 00007F3EC9270AD0h
                        cmp dword ptr [ebp+00h], 00000000h
                        Programming Language:
                        • [ASM] VS2008 build 21022
                        • [IMP] VS2005 build 50727
                        • [C++] VS2008 build 21022
                        • [ C ] VS2008 build 21022
                        • [LNK] VS2008 build 21022
Data directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x215b4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x26000 | 0xc3d4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1b1c0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x20da0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1b000 | 0x184 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x19718 | 0x19800 | f4b6343c60c0999f3ed02db451989ddb | False | 0.5789388020833334 | data | 6.748541276302234 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1b000 | 0x6db4 | 0x6e00 | 5826801f33fc1b607aa8e942aa92e9fa | False | 0.5467329545454546 | data | 6.442956247632331 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x22000 | 0x30c0 | 0x1600 | 2fe51a72ede820cd7cf55a77ba59b1f4 | False | 0.3126775568181818 | data | 3.2625868398009703 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x26000 | 0xc3d4 | 0xc400 | c7b1b55dbee35268a85dbcda224e6b7a | False | 0.9874242665816326 | data | 7.977892137480352 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_RCDATA | 0x26124 | 0xbdb6 | data | | | 1.000432401268377
RT_RCDATA | 0x31edc | 0x20 | data | | | 1.34375
RT_VERSION | 0x31efc | 0x2ec | data | | | 0.4358288770053476
RT_MANIFEST | 0x321e8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

The 0xbdb6-byte RT_RCDATA blob accounts for almost all of .rsrc; its ZLIB complexity above 1.0 (zlib cannot shrink it) and the section entropy of 7.98 mark it as compressed or encrypted rather than ordinary resource data, and it is the only resource large enough to be the payload that the FindResourceA/LoadResource/SizeofResource chain at 0x4019F0 copies out.

Imports
DLL | Import
KERNEL32.dll | RaiseException, GetLastError, MultiByteToWideChar, lstrlenA, InterlockedDecrement, GetProcAddress, LoadLibraryA, FreeResource, SizeofResource, LockResource, LoadResource, FindResourceA, GetModuleHandleA, Module32Next, CloseHandle, Module32First, CreateToolhelp32Snapshot, GetCurrentProcessId, SetEndOfFile, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, GetLocaleInfoA, HeapFree, GetProcessHeap, HeapAlloc, GetCommandLineA, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, HeapSize, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, ReadFile, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, FlushFileBuffers, SetFilePointer, SetHandleCount, GetFileType, GetStartupInfoA, RtlUnwind, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CompareStringA, CompareStringW, SetEnvironmentVariableA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA
ole32.dll | OleInitialize
OLEAUT32.dll | SafeArrayCreate, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayDestroy, SafeArrayCreateVector, VariantClear, VariantInit, SysFreeString, SysAllocString

Apart from the CRT's own imports, the import table is small: resource access, Toolhelp module enumeration, LoadLibraryA/GetProcAddress for run-time resolution, and the OLE automation SAFEARRAY/VARIANT/BSTR helpers. Nothing here touches the network, the file system beyond CreateFileA, or the registry; the credential-theft functionality attributed to the sample lives in the unpacked payload, not in this image.
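Three of the static facts in the tables above, whether the stored CheckSum field agrees with the value computed over the file, whether a CLR header is present, and the per-section entropy that exposes the packed .rsrc, can be recomputed from the raw bytes with nothing but struct. The following Python is an added example, not Joe Sandbox code; the image it builds for testing is a constructed minimal PE32, not this sample, and the checksum routine follows the documented ImageHlp algorithm.

```python
"""Static PE32 triage without pefile: stored vs. computed checksum, presence of a
CLR (COM descriptor) header, and per-section entropy over the raw section bytes."""
import math
import struct

PE32_MAGIC = 0x10B
DIR_COM_DESCRIPTOR = 14  # data-directory slot holding the CLR header


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly spread byte values."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c) or 0.0  # 'or 0.0' turns -0.0 into 0.0


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Image checksum as ImageHlp's CheckSumMappedFile computes it: add the file as
    little-endian dwords with end-around carry, skipping the CheckSum field itself,
    fold the sum to 16 bits and add the file length. checksum_offset must be 4-aligned."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def triage(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 images are handled here")
    checksum_off = opt + 64  # IMAGE_OPTIONAL_HEADER32.CheckSum
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    num_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    clr_rva = 0
    if num_dirs > DIR_COM_DESCRIPTOR:
        clr_rva = struct.unpack_from("<I", data, opt + 96 + DIR_COM_DESCRIPTOR * 8)[0]
    sections = []
    for i in range(num_sections):
        hdr = opt + size_of_opt + i * 40
        name = struct.unpack_from("<8s", data, hdr)[0].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        sections.append((name, round(shannon_entropy(data[raw_ptr:raw_ptr + raw_size]), 3)))
    computed = pe_checksum(data, checksum_off)
    return {"stored_checksum": stored, "computed_checksum": computed,
            "checksum_valid": stored == computed, "has_clr_header": clr_rva != 0,
            "sections": sections}


def build_test_pe(sections, fix_checksum=True, clr_rva=0) -> bytes:
    """Constructed minimal PE32 image (not the sample) so triage() can run offline.
    sections: list of (name, body); bodies are padded to FileAlignment."""
    e_lfanew, file_align, sect_align = 0x40, 0x200, 0x1000
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<III", opt, 28, 0x400000, sect_align, file_align)  # ImageBase, alignments
    struct.pack_into("<I", opt, 92, 16)                                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + DIR_COM_DESCRIPTOR * 8, clr_rva, 0x48 if clr_rva else 0)
    headers_len = len(dos) + 4 + len(coff) + len(opt) + 40 * len(sections)
    first_raw = raw_ptr = -(-headers_len // file_align) * file_align
    sect_hdrs, bodies, rva = b"", b"", sect_align
    for name, body in sections:
        raw_size = -(-len(body) // file_align) * file_align
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), len(body), rva, raw_size,
                                 raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies += body.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        rva += -(-len(body) // sect_align) * sect_align
    image = bytearray((dos + b"PE\0\0" + coff + bytes(opt) + sect_hdrs).ljust(first_raw, b"\0") + bodies)
    if fix_checksum:
        off = e_lfanew + 24 + 64
        struct.pack_into("<I", image, off, pe_checksum(bytes(image), off))
    return bytes(image)


if __name__ == "__main__":
    demo = build_test_pe([(".text", b"\x90" * 0x200), (".rsrc", bytes(range(256)) * 2)])
    print(triage(demo))
```

On a real file, call triage(open(path, "rb").read()); a mismatch between stored_checksum and computed_checksum is what an "invalid checksum" finding means, and a section whose entropy sits near 8.0 with the file's CLR slot empty is the combination seen in the tables above.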
                        No network behavior found


Target ID: 0
Start time: 23:13:04
Start date: 17/04/2024
Path: C:\Users\user\Desktop\ENDIDEV.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\ENDIDEV.exe"
Imagebase: 0x400000
File size: 189'440 bytes
MD5 hash: 4B4106CBE0CBF4CA771A185ABAF54362
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1742459576.0000000003575000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1741733788.0000000002500000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1694021851.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1742786574.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1741390309.00000000020D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 6.1%
Dynamic/Decrypted Code Coverage: 3.5%
Signature Coverage: 5%
Total number of Nodes: 1273
Total number of Limit Nodes: 49

execution_graph (interactive node listing; only the recoverable labels are kept): CRT start-up from 0x40cbf7 (HeapCreate at 0x40d534; GetModuleHandleW, GetProcAddress and TlsAlloc at 0x41087e; __RTC_Initialize; GetStartupInfoA at 0x411a21; GetCommandLineA and environment/command-line parsing via GetEnvironmentStringsW, GetModuleFileNameA and _parse_cmdline; __IsNonwritableInCurrentImage and __initterm; __amsg_exit, __invoke_watson at 0x40e61c and __close on the error paths) hands over to 0x4019f0 (OleInitialize, then GetCurrentProcessId and CreateToolhelp32Snapshot at 0x401acd). Dynamically created code regions at 0x236xxxx and 0x559xxxx call GetCurrentThreadId, EnumThreadWindows, MessageBoxW, GetActiveWindow, DuplicateHandle, FindCloseChangeNotification, GetCurrentProcess and GetCurrentThread. (node listing truncated)
Module32First 14717->14718 14748 402467 14717->14748 14719 401dc3 FindCloseChangeNotification GetModuleHandleA 14718->14719 14727 401c55 14718->14727 15689 401650 14719->15689 14721 401e8b FindResourceA LoadResource LockResource SizeofResource 14722 40b84d _malloc 63 API calls 14721->14722 14723 401ebf 14722->14723 15691 40af66 14723->15691 14725 401c9c CloseHandle 14725->14598 14726 401ecb _memset 14728 401efc SizeofResource 14726->14728 14727->14725 14731 401cf9 Module32Next 14727->14731 14729 401f1c 14728->14729 14730 401f5f 14728->14730 14729->14730 15729 401560 14729->15729 14732 401f92 _memset 14730->14732 14734 401560 __VEC_memcpy 14730->14734 14731->14719 14742 401d0f 14731->14742 14735 401fa2 FreeResource 14732->14735 14734->14732 14736 40b84d _malloc 63 API calls 14735->14736 14737 401fbb SizeofResource 14736->14737 14738 401fe5 _memset 14737->14738 14739 4020aa LoadLibraryA 14738->14739 14740 401650 14739->14740 14741 40216c GetProcAddress 14740->14741 14744 4021aa 14741->14744 14741->14748 14742->14725 14743 401dad Module32Next 14742->14743 14743->14719 14743->14742 14744->14748 15703 4018f0 14744->15703 14746 40243f 14747 40b6b5 ___free_lconv_num 63 API calls 14746->14747 14746->14748 14747->14748 14748->14598 14749 4021f1 14749->14746 15715 401870 14749->15715 14751 402269 VariantInit 14752 401870 76 API calls 14751->14752 14753 40228b VariantInit 14752->14753 14754 4022a7 14753->14754 14755 4022d9 SafeArrayCreate SafeArrayAccessData 14754->14755 15720 40b350 14755->15720 14758 40232c 14759 402354 SafeArrayDestroy 14758->14759 14767 40235b 14758->14767 14759->14767 14760 402392 SafeArrayCreateVector 14761 4023a4 14760->14761 14762 4023bc VariantClear VariantClear 14761->14762 15722 4019a0 14762->15722 14765 40242e 14766 4019a0 66 API calls 14765->14766 14766->14746 14767->14760 15986 40e8de 14768->15986 14770 40ea1b 14770->14599 14772 40cbc2 14771->14772 14773 40cbc7 14771->14773 14774 40ec4d __FF_MSGBANNER 63 API calls 14772->14774 14775 40eaa2 
__NMSG_WRITE 63 API calls 14773->14775 14774->14773 14776 40cbcf 14775->14776 14777 40e7ee __mtinitlocknum 4 API calls 14776->14777 14778 40cbd9 14777->14778 14778->14572 14780 40ec4d __FF_MSGBANNER 63 API calls 14779->14780 14781 40e7a4 14780->14781 14782 40eaa2 __NMSG_WRITE 63 API calls 14781->14782 14783 40e7ac 14782->14783 14784 4104e9 __decode_pointer 6 API calls 14783->14784 14785 40cc71 14784->14785 14785->14580 14787 40e8de _doexit 63 API calls 14786->14787 14788 40ea41 14787->14788 14788->14602 14790 40e775 Sleep GetModuleHandleW 14789->14790 14791 40e793 14790->14791 14792 40e797 14790->14792 14791->14790 14791->14792 14792->14607 14854 4104e0 14793->14854 14795 40ea5c __init_pointers __initp_misc_winsig 14857 41393d 14795->14857 14798 41046e __encode_pointer 6 API calls 14799 40ea98 14798->14799 14800 41046e TlsGetValue 14799->14800 14801 4104a7 GetModuleHandleW 14800->14801 14802 410486 14800->14802 14803 4104c2 GetProcAddress 14801->14803 14804 4104b7 14801->14804 14802->14801 14805 410490 TlsGetValue 14802->14805 14807 41049f 14803->14807 14806 40e76a __crt_waiting_on_module_handle 2 API calls 14804->14806 14809 41049b 14805->14809 14808 4104bd 14806->14808 14807->14622 14808->14803 14808->14807 14809->14801 14809->14807 14811 40d56f 14810->14811 14813 40d59d 14811->14813 14860 41389c 14811->14860 14813->14608 14814 4104e9 TlsGetValue 14813->14814 14815 410501 14814->14815 14816 410522 GetModuleHandleW 14814->14816 14815->14816 14819 41050b TlsGetValue 14815->14819 14817 410532 14816->14817 14818 41053d GetProcAddress 14816->14818 14820 40e76a __crt_waiting_on_module_handle 2 API calls 14817->14820 14821 41051a 14818->14821 14823 410516 14819->14823 14822 410538 14820->14822 14821->14608 14824 411cba 14821->14824 14822->14818 14822->14821 14823->14816 14823->14821 14826 411cc3 14824->14826 14827 4109c5 14826->14827 14828 411ce1 Sleep 14826->14828 14865 40e231 14826->14865 14827->14608 14827->14634 14829 411cf6 14828->14829 14829->14826 14829->14827 
15133 40e1d8 14830->15133 14832 4105e1 GetModuleHandleW 14833 4105f1 14832->14833 14834 4105f7 14832->14834 14835 40e76a __crt_waiting_on_module_handle 2 API calls 14833->14835 14836 410633 14834->14836 14837 41060f GetProcAddress GetProcAddress 14834->14837 14835->14834 14838 40d6e0 __lock 59 API calls 14836->14838 14837->14836 14839 410652 InterlockedIncrement 14838->14839 15134 4106aa 14839->15134 14842 40d6e0 __lock 59 API calls 14843 410673 14842->14843 15137 4145d2 InterlockedIncrement 14843->15137 14845 410691 15149 4106b3 14845->15149 14847 41069e __close 14847->14638 14849 4105a2 14848->14849 14853 4105ae 14848->14853 14850 4104e9 __decode_pointer 6 API calls 14849->14850 14850->14853 14851 4105d0 14851->14851 14852 4105c2 TlsFree 14852->14851 14853->14851 14853->14852 14855 41046e __encode_pointer 6 API calls 14854->14855 14856 4104e7 14855->14856 14856->14795 14858 41046e __encode_pointer 6 API calls 14857->14858 14859 40ea8e 14858->14859 14859->14798 14864 40e1d8 14860->14864 14862 4138a8 InitializeCriticalSectionAndSpinCount 14863 4138ec __close 14862->14863 14863->14811 14864->14862 14866 40e23d __close 14865->14866 14867 40e255 14866->14867 14873 40e274 _memset 14866->14873 14878 40bfc1 14867->14878 14871 40e2e6 HeapAlloc 14871->14873 14872 40e26a __close 14872->14826 14873->14871 14873->14872 14884 40d6e0 14873->14884 14891 40def2 14873->14891 14897 40e32d 14873->14897 14900 40d2e3 14873->14900 14903 4106bc GetLastError 14878->14903 14880 40bfc6 14881 40e744 14880->14881 14882 4104e9 __decode_pointer 6 API calls 14881->14882 14883 40e754 __invoke_watson 14882->14883 14885 40d6f5 14884->14885 14886 40d708 EnterCriticalSection 14884->14886 14928 40d61d 14885->14928 14886->14873 14888 40d6fb 14888->14886 14889 40e79a __amsg_exit 62 API calls 14888->14889 14890 40d707 14889->14890 14890->14886 14893 40df20 14891->14893 14892 40dfc2 14892->14873 14893->14892 14896 40dfb9 14893->14896 15121 40da59 14893->15121 14896->14892 15128 40db09 14896->15128 15132 
40d606 LeaveCriticalSection 14897->15132 14899 40e334 14899->14873 14901 4104e9 __decode_pointer 6 API calls 14900->14901 14902 40d2f3 14901->14902 14902->14873 14917 410564 TlsGetValue 14903->14917 14906 410729 SetLastError 14906->14880 14907 411cba __calloc_crt 60 API calls 14908 4106e7 14907->14908 14908->14906 14909 4104e9 __decode_pointer 6 API calls 14908->14909 14910 410701 14909->14910 14911 410720 14910->14911 14912 410708 14910->14912 14922 40b6b5 14911->14922 14913 4105d5 __initptd 60 API calls 14912->14913 14915 410710 GetCurrentThreadId 14913->14915 14915->14906 14916 410726 14916->14906 14918 410594 14917->14918 14919 410579 14917->14919 14918->14906 14918->14907 14920 4104e9 __decode_pointer 6 API calls 14919->14920 14921 410584 TlsSetValue 14920->14921 14921->14918 14923 40b6c1 __close 14922->14923 14924 40b73d __close 14923->14924 14925 40b714 HeapFree 14923->14925 14924->14916 14925->14924 14926 40b727 14925->14926 14927 40bfc1 __chsize_nolock 62 API calls 14926->14927 14927->14924 14929 40d629 __close 14928->14929 14943 40d64f 14929->14943 14954 40ec4d 14929->14954 14936 40d680 14938 40d6e0 __lock 63 API calls 14936->14938 14937 40d671 14940 40bfc1 __chsize_nolock 63 API calls 14937->14940 14942 40d687 14938->14942 14941 40d65f __close 14940->14941 14941->14888 14944 40d6bb 14942->14944 14945 40d68f 14942->14945 14943->14941 15000 411c75 14943->15000 14947 40b6b5 ___free_lconv_num 63 API calls 14944->14947 14946 41389c __mtinitlocknum InitializeCriticalSectionAndSpinCount 14945->14946 14948 40d69a 14946->14948 14949 40d6ac 14947->14949 14948->14949 14951 40b6b5 ___free_lconv_num 63 API calls 14948->14951 15005 40d6d7 14949->15005 14952 40d6a6 14951->14952 14953 40bfc1 __chsize_nolock 63 API calls 14952->14953 14953->14949 15008 413d5b 14954->15008 14957 40ec61 14959 40eaa2 __NMSG_WRITE 63 API calls 14957->14959 14962 40d63e 14957->14962 14958 413d5b __set_error_mode 63 API calls 14958->14957 14960 40ec79 14959->14960 14961 40eaa2 __NMSG_WRITE 63 
API calls 14960->14961 14961->14962 14963 40eaa2 14962->14963 14964 40eab6 14963->14964 14965 413d5b __set_error_mode 60 API calls 14964->14965 14996 40d645 14964->14996 14966 40ead8 14965->14966 14967 40ec16 GetStdHandle 14966->14967 14968 413d5b __set_error_mode 60 API calls 14966->14968 14969 40ec24 _strlen 14967->14969 14967->14996 14970 40eae9 14968->14970 14972 40ec3d WriteFile 14969->14972 14969->14996 14970->14967 14971 40eafb 14970->14971 14971->14996 15014 40ef42 14971->15014 14972->14996 14975 40eb31 GetModuleFileNameA 14977 40eb4f 14975->14977 14981 40eb72 _strlen 14975->14981 14979 40ef42 _strcpy_s 60 API calls 14977->14979 14980 40eb5f 14979->14980 14980->14981 14983 40e61c __invoke_watson 10 API calls 14980->14983 14982 40ebb5 14981->14982 15030 411da6 14981->15030 15039 413ce7 14982->15039 14983->14981 14987 40ebd9 14990 413ce7 _strcat_s 60 API calls 14987->14990 14989 40e61c __invoke_watson 10 API calls 14989->14987 14991 40ebed 14990->14991 14993 40e61c __invoke_watson 10 API calls 14991->14993 14995 40ebfe 14991->14995 14992 40e61c __invoke_watson 10 API calls 14992->14982 14993->14995 15048 413b7e 14995->15048 14997 40e7ee 14996->14997 15086 40e7c3 GetModuleHandleW 14997->15086 15002 411c7e 15000->15002 15003 40d66a 15002->15003 15004 411c95 Sleep 15002->15004 15090 40b84d 15002->15090 15003->14936 15003->14937 15004->15002 15120 40d606 LeaveCriticalSection 15005->15120 15007 40d6de 15007->14941 15009 413d6a 15008->15009 15010 40ec54 15009->15010 15011 40bfc1 __chsize_nolock 63 API calls 15009->15011 15010->14957 15010->14958 15012 413d8d 15011->15012 15013 40e744 __close 6 API calls 15012->15013 15013->15010 15015 40ef53 15014->15015 15016 40ef5a 15014->15016 15015->15016 15019 40ef80 15015->15019 15017 40bfc1 __chsize_nolock 63 API calls 15016->15017 15022 40ef5f 15017->15022 15018 40e744 __close 6 API calls 15020 40eb1d 15018->15020 15019->15020 15021 40bfc1 __chsize_nolock 63 API calls 15019->15021 15020->14975 15023 40e61c 15020->15023 
15021->15022 15022->15018 15075 40ba30 15023->15075 15025 40e649 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 15026 40e725 GetCurrentProcess TerminateProcess 15025->15026 15028 40e719 __invoke_watson 15025->15028 15077 40ce09 15026->15077 15028->15026 15029 40e742 15029->14975 15035 411db8 15030->15035 15031 411dbc 15032 40eba2 15031->15032 15033 40bfc1 __chsize_nolock 63 API calls 15031->15033 15032->14982 15032->14992 15034 411dd8 15033->15034 15036 40e744 __close 6 API calls 15034->15036 15035->15031 15035->15032 15037 411e02 15035->15037 15036->15032 15037->15032 15038 40bfc1 __chsize_nolock 63 API calls 15037->15038 15038->15034 15040 413cff 15039->15040 15042 413cf8 15039->15042 15041 40bfc1 __chsize_nolock 63 API calls 15040->15041 15047 413d04 15041->15047 15042->15040 15044 413d33 15042->15044 15043 40e744 __close 6 API calls 15045 40ebc8 15043->15045 15044->15045 15046 40bfc1 __chsize_nolock 63 API calls 15044->15046 15045->14987 15045->14989 15046->15047 15047->15043 15049 4104e0 _doexit 6 API calls 15048->15049 15050 413b8e 15049->15050 15051 413ba1 LoadLibraryA 15050->15051 15053 413c29 15050->15053 15052 413bb6 GetProcAddress 15051->15052 15064 413ccb 15051->15064 15054 413bcc 15052->15054 15052->15064 15057 4104e9 __decode_pointer 6 API calls 15053->15057 15072 413c53 15053->15072 15058 41046e __encode_pointer 6 API calls 15054->15058 15055 4104e9 __decode_pointer 6 API calls 15055->15064 15056 4104e9 __decode_pointer 6 API calls 15065 413c96 15056->15065 15059 413c46 15057->15059 15060 413bd2 GetProcAddress 15058->15060 15061 4104e9 __decode_pointer 6 API calls 15059->15061 15062 41046e __encode_pointer 6 API calls 15060->15062 15061->15072 15063 413be7 GetProcAddress 15062->15063 15066 41046e __encode_pointer 6 API calls 15063->15066 15064->14996 15069 4104e9 __decode_pointer 6 API calls 15065->15069 15071 413c7e 15065->15071 15067 413bfc GetProcAddress 15066->15067 15068 41046e __encode_pointer 6 API calls 15067->15068 
15070 413c11 15068->15070 15069->15071 15070->15053 15073 413c1b GetProcAddress 15070->15073 15071->15055 15072->15056 15072->15071 15074 41046e __encode_pointer 6 API calls 15073->15074 15074->15053 15076 40ba3c __VEC_memzero 15075->15076 15076->15025 15078 40ce11 15077->15078 15079 40ce13 IsDebuggerPresent 15077->15079 15078->15029 15085 4138fc 15079->15085 15082 413706 SetUnhandledExceptionFilter UnhandledExceptionFilter 15083 413723 __invoke_watson 15082->15083 15084 41372b GetCurrentProcess TerminateProcess 15082->15084 15083->15084 15084->15029 15085->15082 15087 40e7d7 GetProcAddress 15086->15087 15088 40e7ec ExitProcess 15086->15088 15087->15088 15089 40e7e7 CorExitProcess 15087->15089 15089->15088 15091 40b900 15090->15091 15092 40b85f 15090->15092 15093 40d2e3 __calloc_impl 6 API calls 15091->15093 15095 40b870 15092->15095 15100 40b8bc RtlAllocateHeap 15092->15100 15102 40b8f8 15092->15102 15103 40b8ec 15092->15103 15104 40d2e3 __calloc_impl 6 API calls 15092->15104 15106 40b8f1 15092->15106 15108 40b7fe 15092->15108 15094 40b906 15093->15094 15096 40bfc1 __chsize_nolock 62 API calls 15094->15096 15095->15092 15097 40ec4d __FF_MSGBANNER 62 API calls 15095->15097 15098 40eaa2 __NMSG_WRITE 62 API calls 15095->15098 15101 40e7ee __mtinitlocknum 4 API calls 15095->15101 15096->15102 15097->15095 15098->15095 15100->15092 15101->15095 15102->15002 15105 40bfc1 __chsize_nolock 62 API calls 15103->15105 15104->15092 15105->15106 15107 40bfc1 __chsize_nolock 62 API calls 15106->15107 15107->15102 15109 40b80a __close 15108->15109 15110 40b83b __close 15109->15110 15111 40d6e0 __lock 63 API calls 15109->15111 15110->15092 15112 40b820 15111->15112 15113 40def2 ___sbh_alloc_block 5 API calls 15112->15113 15114 40b82b 15113->15114 15116 40b844 15114->15116 15119 40d606 LeaveCriticalSection 15116->15119 15118 40b84b 15118->15110 15119->15118 15120->15007 15122 40daa0 HeapAlloc 15121->15122 15123 40da6c HeapReAlloc 15121->15123 15124 40da8a 15122->15124 15126 40dac3 
VirtualAlloc 15122->15126 15123->15124 15125 40da8e 15123->15125 15124->14896 15125->15122 15126->15124 15127 40dadd HeapFree 15126->15127 15127->15124 15129 40db20 VirtualAlloc 15128->15129 15131 40db67 15129->15131 15131->14892 15132->14899 15133->14832 15152 40d606 LeaveCriticalSection 15134->15152 15136 41066c 15136->14842 15138 4145f0 InterlockedIncrement 15137->15138 15139 4145f3 15137->15139 15138->15139 15140 414600 15139->15140 15141 4145fd InterlockedIncrement 15139->15141 15142 41460a InterlockedIncrement 15140->15142 15143 41460d 15140->15143 15141->15140 15142->15143 15144 414617 InterlockedIncrement 15143->15144 15146 41461a 15143->15146 15144->15146 15145 414633 InterlockedIncrement 15145->15146 15146->15145 15147 414643 InterlockedIncrement 15146->15147 15148 41464e InterlockedIncrement 15146->15148 15147->15146 15148->14845 15153 40d606 LeaveCriticalSection 15149->15153 15151 4106ba 15151->14847 15152->15136 15153->15151 15154->14641 15157 41265c 15155->15157 15159 4126c9 15157->15159 15165 416836 15157->15165 15158 4127c7 15158->14687 15158->14688 15159->15158 15160 416836 73 API calls _parse_cmdline 15159->15160 15160->15159 15162 414474 15161->15162 15163 41447b 15161->15163 15387 4142d1 15162->15387 15163->14681 15168 4167e3 15165->15168 15171 40ec86 15168->15171 15172 40ec99 15171->15172 15178 40ece6 15171->15178 15179 410735 15172->15179 15175 40ecc6 15175->15178 15199 413fcc 15175->15199 15178->15157 15180 4106bc __getptd_noexit 63 API calls 15179->15180 15181 41073d 15180->15181 15182 40e79a __amsg_exit 63 API calls 15181->15182 15183 40ec9e 15181->15183 15182->15183 15183->15175 15184 414738 15183->15184 15185 414744 __close 15184->15185 15186 410735 __getptd 63 API calls 15185->15186 15187 414749 15186->15187 15188 414777 15187->15188 15190 41475b 15187->15190 15189 40d6e0 __lock 63 API calls 15188->15189 15191 41477e 15189->15191 15192 410735 __getptd 63 API calls 15190->15192 15215 4146fa 15191->15215 15196 414760 15192->15196 15197 
41476e __close 15196->15197 15198 40e79a __amsg_exit 63 API calls 15196->15198 15197->15175 15198->15197 15200 413fd8 __close 15199->15200 15201 410735 __getptd 63 API calls 15200->15201 15202 413fdd 15201->15202 15203 40d6e0 __lock 63 API calls 15202->15203 15204 413fef 15202->15204 15205 41400d 15203->15205 15207 413ffd __close 15204->15207 15209 40e79a __amsg_exit 63 API calls 15204->15209 15206 414056 15205->15206 15210 414024 InterlockedDecrement 15205->15210 15211 41403e InterlockedIncrement 15205->15211 15383 414067 15206->15383 15207->15178 15209->15207 15210->15211 15212 41402f 15210->15212 15211->15206 15212->15211 15213 40b6b5 ___free_lconv_num 63 API calls 15212->15213 15214 41403d 15213->15214 15214->15211 15216 414730 15215->15216 15217 4146fe 15215->15217 15223 4147a2 15216->15223 15217->15216 15218 4145d2 ___addlocaleref 8 API calls 15217->15218 15219 414711 15218->15219 15219->15216 15226 414661 15219->15226 15382 40d606 LeaveCriticalSection 15223->15382 15225 4147a9 15225->15196 15227 414672 InterlockedDecrement 15226->15227 15228 4146f5 15226->15228 15229 414687 InterlockedDecrement 15227->15229 15230 41468a 15227->15230 15228->15216 15240 414489 15228->15240 15229->15230 15231 414694 InterlockedDecrement 15230->15231 15232 414697 15230->15232 15231->15232 15233 4146a1 InterlockedDecrement 15232->15233 15234 4146a4 15232->15234 15233->15234 15235 4146ae InterlockedDecrement 15234->15235 15236 4146b1 15234->15236 15235->15236 15237 4146ca InterlockedDecrement 15236->15237 15238 4146da InterlockedDecrement 15236->15238 15239 4146e5 InterlockedDecrement 15236->15239 15237->15236 15238->15236 15239->15228 15241 41450d 15240->15241 15249 4144a0 15240->15249 15242 40b6b5 ___free_lconv_num 63 API calls 15241->15242 15269 41455a 15241->15269 15243 41452e 15242->15243 15246 40b6b5 ___free_lconv_num 63 API calls 15243->15246 15245 4144d4 15247 4144f5 15245->15247 15259 40b6b5 ___free_lconv_num 63 API calls 15245->15259 15253 414541 15246->15253 15255 
40b6b5 ___free_lconv_num 63 API calls 15247->15255 15249->15241 15249->15245 15252 40b6b5 ___free_lconv_num 63 API calls 15249->15252 15250 4145c6 15256 40b6b5 ___free_lconv_num 63 API calls 15250->15256 15251 40b6b5 ___free_lconv_num 63 API calls 15254 414581 15251->15254 15257 4144c9 15252->15257 15258 40b6b5 ___free_lconv_num 63 API calls 15253->15258 15254->15250 15265 40b6b5 63 API calls ___free_lconv_num 15254->15265 15260 414502 15255->15260 15261 4145cc 15256->15261 15270 417841 15257->15270 15263 41454f 15258->15263 15264 4144ea 15259->15264 15266 40b6b5 ___free_lconv_num 63 API calls 15260->15266 15261->15216 15267 40b6b5 ___free_lconv_num 63 API calls 15263->15267 15286 4177fc 15264->15286 15265->15254 15266->15241 15267->15269 15269->15254 15294 417667 15269->15294 15271 4178cb 15270->15271 15272 41784e 15270->15272 15271->15245 15273 41785f 15272->15273 15274 40b6b5 ___free_lconv_num 63 API calls 15272->15274 15275 417871 15273->15275 15276 40b6b5 ___free_lconv_num 63 API calls 15273->15276 15274->15273 15277 417883 15275->15277 15278 40b6b5 ___free_lconv_num 63 API calls 15275->15278 15276->15275 15279 417895 15277->15279 15281 40b6b5 ___free_lconv_num 63 API calls 15277->15281 15278->15277 15280 4178a7 15279->15280 15282 40b6b5 ___free_lconv_num 63 API calls 15279->15282 15283 4178b9 15280->15283 15284 40b6b5 ___free_lconv_num 63 API calls 15280->15284 15281->15279 15282->15280 15283->15271 15285 40b6b5 ___free_lconv_num 63 API calls 15283->15285 15284->15283 15285->15271 15287 41783d 15286->15287 15288 417809 15286->15288 15287->15247 15289 417819 15288->15289 15290 40b6b5 ___free_lconv_num 63 API calls 15288->15290 15291 41782b 15289->15291 15292 40b6b5 ___free_lconv_num 63 API calls 15289->15292 15290->15289 15291->15287 15293 40b6b5 ___free_lconv_num 63 API calls 15291->15293 15292->15291 15293->15287 15295 41457a 15294->15295 15296 417678 15294->15296 15295->15251 15297 40b6b5 ___free_lconv_num 63 API calls 15296->15297 15298 417680 15297->15298 
15299 40b6b5 ___free_lconv_num 63 API calls 15298->15299 15300 417688 15299->15300 15301 40b6b5 ___free_lconv_num 63 API calls 15300->15301 15302 417690 15301->15302 15303 40b6b5 ___free_lconv_num 63 API calls 15302->15303 15304 417698 15303->15304 15305 40b6b5 ___free_lconv_num 63 API calls 15304->15305 15306 4176a0 15305->15306 15307 40b6b5 ___free_lconv_num 63 API calls 15306->15307 15308 4176a8 15307->15308 15309 40b6b5 ___free_lconv_num 63 API calls 15308->15309 15310 4176af 15309->15310 15311 40b6b5 ___free_lconv_num 63 API calls 15310->15311 15312 4176b7 15311->15312 15313 40b6b5 ___free_lconv_num 63 API calls 15312->15313 15314 4176bf 15313->15314 15315 40b6b5 ___free_lconv_num 63 API calls 15314->15315 15316 4176c7 15315->15316 15317 40b6b5 ___free_lconv_num 63 API calls 15316->15317 15318 4176cf 15317->15318 15319 40b6b5 ___free_lconv_num 63 API calls 15318->15319 15320 4176d7 15319->15320 15321 40b6b5 ___free_lconv_num 63 API calls 15320->15321 15322 4176df 15321->15322 15323 40b6b5 ___free_lconv_num 63 API calls 15322->15323 15324 4176e7 15323->15324 15325 40b6b5 ___free_lconv_num 63 API calls 15324->15325 15326 4176ef 15325->15326 15327 40b6b5 ___free_lconv_num 63 API calls 15326->15327 15328 4176f7 15327->15328 15329 40b6b5 ___free_lconv_num 63 API calls 15328->15329 15330 417702 15329->15330 15331 40b6b5 ___free_lconv_num 63 API calls 15330->15331 15332 41770a 15331->15332 15333 40b6b5 ___free_lconv_num 63 API calls 15332->15333 15334 417712 15333->15334 15335 40b6b5 ___free_lconv_num 63 API calls 15334->15335 15336 41771a 15335->15336 15337 40b6b5 ___free_lconv_num 63 API calls 15336->15337 15338 417722 15337->15338 15339 40b6b5 ___free_lconv_num 63 API calls 15338->15339 15340 41772a 15339->15340 15341 40b6b5 ___free_lconv_num 63 API calls 15340->15341 15342 417732 15341->15342 15343 40b6b5 ___free_lconv_num 63 API calls 15342->15343 15344 41773a 15343->15344 15345 40b6b5 ___free_lconv_num 63 API calls 15344->15345 15346 417742 15345->15346 15347 
40b6b5 ___free_lconv_num 63 API calls 15346->15347 15348 41774a 15347->15348 15349 40b6b5 ___free_lconv_num 63 API calls 15348->15349 15350 417752 15349->15350 15351 40b6b5 ___free_lconv_num 63 API calls 15350->15351 15352 41775a 15351->15352 15353 40b6b5 ___free_lconv_num 63 API calls 15352->15353 15354 417762 15353->15354 15355 40b6b5 ___free_lconv_num 63 API calls 15354->15355 15356 41776a 15355->15356 15357 40b6b5 ___free_lconv_num 63 API calls 15356->15357 15358 417772 15357->15358 15359 40b6b5 ___free_lconv_num 63 API calls 15358->15359 15360 41777a 15359->15360 15361 40b6b5 ___free_lconv_num 63 API calls 15360->15361 15362 417788 15361->15362 15363 40b6b5 ___free_lconv_num 63 API calls 15362->15363 15364 417793 15363->15364 15365 40b6b5 ___free_lconv_num 63 API calls 15364->15365 15366 41779e 15365->15366 15367 40b6b5 ___free_lconv_num 63 API calls 15366->15367 15368 4177a9 15367->15368 15369 40b6b5 ___free_lconv_num 63 API calls 15368->15369 15370 4177b4 15369->15370 15371 40b6b5 ___free_lconv_num 63 API calls 15370->15371 15372 4177bf 15371->15372 15373 40b6b5 ___free_lconv_num 63 API calls 15372->15373 15374 4177ca 15373->15374 15375 40b6b5 ___free_lconv_num 63 API calls 15374->15375 15376 4177d5 15375->15376 15377 40b6b5 ___free_lconv_num 63 API calls 15376->15377 15378 4177e0 15377->15378 15379 40b6b5 ___free_lconv_num 63 API calls 15378->15379 15380 4177eb 15379->15380 15381 40b6b5 ___free_lconv_num 63 API calls 15380->15381 15381->15295 15382->15225 15386 40d606 LeaveCriticalSection 15383->15386 15385 41406e 15385->15204 15386->15385 15388 4142dd __close 15387->15388 15389 410735 __getptd 63 API calls 15388->15389 15390 4142e6 15389->15390 15391 413fcc _LocaleUpdate::_LocaleUpdate 65 API calls 15390->15391 15392 4142f0 15391->15392 15418 414070 15392->15418 15395 411c75 __malloc_crt 63 API calls 15396 414311 15395->15396 15397 414430 __close 15396->15397 15425 4140ec 15396->15425 15397->15163 15400 414341 InterlockedDecrement 15402 414351 15400->15402 
15403 414362 InterlockedIncrement 15400->15403 15401 41443d 15401->15397 15405 414450 15401->15405 15408 40b6b5 ___free_lconv_num 63 API calls 15401->15408 15402->15403 15407 40b6b5 ___free_lconv_num 63 API calls 15402->15407 15403->15397 15404 414378 15403->15404 15404->15397 15410 40d6e0 __lock 63 API calls 15404->15410 15406 40bfc1 __chsize_nolock 63 API calls 15405->15406 15406->15397 15409 414361 15407->15409 15408->15405 15409->15403 15412 41438c InterlockedDecrement 15410->15412 15413 414408 15412->15413 15414 41441b InterlockedIncrement 15412->15414 15413->15414 15416 40b6b5 ___free_lconv_num 63 API calls 15413->15416 15435 414432 15414->15435 15417 41441a 15416->15417 15417->15414 15419 40ec86 _LocaleUpdate::_LocaleUpdate 73 API calls 15418->15419 15420 414084 15419->15420 15421 4140ad 15420->15421 15422 41408f GetOEMCP 15420->15422 15423 41409f 15421->15423 15424 4140b2 GetACP 15421->15424 15422->15423 15423->15395 15423->15397 15424->15423 15426 414070 getSystemCP 75 API calls 15425->15426 15427 41410c 15426->15427 15428 414117 setSBCS 15427->15428 15431 41415b IsValidCodePage 15427->15431 15433 414180 _memset __setmbcp_nolock 15427->15433 15429 40ce09 __setmbcp_nolock 5 API calls 15428->15429 15430 4142cf 15429->15430 15430->15400 15430->15401 15431->15428 15432 41416d GetCPInfo 15431->15432 15432->15428 15432->15433 15438 413e39 GetCPInfo 15433->15438 15571 40d606 LeaveCriticalSection 15435->15571 15437 414439 15437->15397 15439 413e6d _memset 15438->15439 15447 413f1f 15438->15447 15448 417625 15439->15448 15443 40ce09 __setmbcp_nolock 5 API calls 15445 413fca 15443->15445 15445->15433 15446 417426 ___crtLCMapStringA 98 API calls 15446->15447 15447->15443 15449 40ec86 _LocaleUpdate::_LocaleUpdate 73 API calls 15448->15449 15450 417638 15449->15450 15458 41746b 15450->15458 15453 417426 15454 40ec86 _LocaleUpdate::_LocaleUpdate 73 API calls 15453->15454 15455 417439 15454->15455 15524 417081 15455->15524 15459 4174b7 15458->15459 15460 41748c 

                          Control-flow Graph
                          APIs
                          • OleInitialize.OLE32(00000000), ref: 004019FD
                          • _getenv.LIBCMT ref: 00401ABA
                          • GetCurrentProcessId.KERNEL32 ref: 00401ACD
                          • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
                          • Module32First.KERNEL32 ref: 00401C48
                          • CloseHandle.KERNEL32(00000000,?,?,00000000,?), ref: 00401C9D
                          • Module32Next.KERNEL32(00000000,?), ref: 00401D02
                          • Module32Next.KERNEL32(00000000,?), ref: 00401DB6
                          • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401DC4
                          • GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
                          • FindResourceA.KERNEL32(00000000,00000000,00000000), ref: 00401E90
                          • LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
                          • LockResource.KERNEL32(00000000), ref: 00401EA7
                          • SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
                          • _malloc.LIBCMT ref: 00401EBA
                          • _memset.LIBCMT ref: 00401EDD
                          • SizeofResource.KERNEL32(00000000,?), ref: 00401F02
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID: Resource$Module32$CloseFindHandleNextSizeof$ChangeCreateCurrentFirstInitializeLoadLockModuleNotificationProcessSnapshotToolhelp32_getenv_malloc_memset
                          • String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
                          • API String ID: 2366190142-2962942730
                          • Opcode ID: 224088bd6fdf40f00aacdd5f7db7c03047c3cc993abb63ba2c7175de51848a6e
                          • Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
                          • Opcode Fuzzy Hash: 224088bd6fdf40f00aacdd5f7db7c03047c3cc993abb63ba2c7175de51848a6e
                          • Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID: __amsg_exit$_fast_error_exit$CommandEnvironmentInitializeLineStrings___crt__cinit__ioinit__mtinit__setargv__setenvp
                          • String ID:
                          • API String ID: 2598563909-0
                          • Opcode ID: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
                          • Instruction ID: 67c2b95978a5c3de314e94e7eee78366e8702871eb07600154e5c77a41a3d030
                          • Opcode Fuzzy Hash: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
                          • Instruction Fuzzy Hash: 5321E770A05304DAFB207BB3E98676932B46F00309F00453FE508B62D2EB7C89918A5C
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph
                          APIs
                          • lstrlenA.KERNEL32(?), ref: 00401906
                          • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
                          • GetLastError.KERNEL32 ref: 00401940
                          • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
                          • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide$ErrorLastlstrlen
                          • String ID:
                          • API String ID: 3322701435-0
                          • Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
                          • Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
                          • Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
                          • Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph
                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 0236F0DE
                          • GetCurrentThread.KERNEL32 ref: 0236F11B
                          • GetCurrentProcess.KERNEL32 ref: 0236F158
                          • GetCurrentThreadId.KERNEL32 ref: 0236F1B1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1741647022.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2360000_ENDIDEV.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          • Opcode ID: 2edde62c20050b1f0299c18b1bfe17da59a5e8431514c0746db1ec305329eb5b
                          • Instruction ID: 60e3b9ca4c439a1a2aa9b00eb14cfabd88668afc9ca25b7dc5a1c5aeee420e3b
                          • Opcode Fuzzy Hash: 2edde62c20050b1f0299c18b1bfe17da59a5e8431514c0746db1ec305329eb5b
                          • Instruction Fuzzy Hash: 305145B49002098FDB54DFAAD548BEEBBF5EB88314F20C05DD019A7360DB38A985CF65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph
                          APIs
                          • _malloc.LIBCMT ref: 0040AF80
                            • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
                            • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
                            • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
                          • std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3
                            • Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08
                          • std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
                          • __CxxThrowException@8.LIBCMT ref: 0040AFC5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                          • String ID:
                          • API String ID: 1411284514-0
                          • Opcode ID: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
                          • Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
                          • Opcode Fuzzy Hash: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
                          • Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 265 236e0c0-236e142 269 236e386-236e3b9 265->269 270 236e148-236e16d 265->270 276 236e3c0-236e3f5 269->276 275 236e173-236e198 270->275 270->276 283 236e19e-236e1ae 275->283 284 236e3fc-236e431 275->284 276->284 289 236e1b4-236e1b8 283->289 290 236e438-236e464 283->290 284->290 291 236e1c6-236e1cb 289->291 292 236e1ba-236e1c0 289->292 295 236e46b-236e4a9 290->295 296 236e1cd-236e1d3 291->296 297 236e1d9-236e1df 291->297 292->291 292->295 298 236e4b0-236e4ee 295->298 296->297 296->298 300 236e1f0-236e204 297->300 301 236e1e1-236e1e9 297->301 334 236e4f5-236e57e 298->334 312 236e206-236e208 300->312 313 236e20a 300->313 301->300 316 236e20f-236e227 312->316 313->316 319 236e231-236e235 316->319 320 236e229-236e22f 316->320 322 236e237-236e263 GetActiveWindow 319->322 323 236e278-236e281 319->323 320->319 321 236e284-236e291 320->321 331 236e293-236e2a9 call 236dc88 321->331 332 236e2d1-236e300 call 236dc94 321->332 326 236e265-236e26b 322->326 327 236e26c-236e276 322->327 323->321 326->327 327->321 343 236e2ab-236e2c2 331->343 344 236e2c8-236e2ce 331->344 345 236e305-236e334 332->345 360 236e580-236e589 334->360 361 236e58b 334->361 343->334 343->344 344->332 345->269 362 236e58d-236e593 360->362 361->362
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1741647022.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2360000_ENDIDEV.jbxd
                          Similarity
                          • API ID: ActiveWindow
                          • String ID: Hoq$Hoq
                          • API String ID: 2558294473-3106737575
                          • Opcode ID: aae9847c787e91f2b6984565065f77a550b02b5b547bffc8ea0d222ab638f80b
                          • Instruction ID: 3888038a94964d23dc071ddf63ec04d5fa0d9e1484d71b5be4b21163472a09d5
                          • Opcode Fuzzy Hash: aae9847c787e91f2b6984565065f77a550b02b5b547bffc8ea0d222ab638f80b
                          • Instruction Fuzzy Hash: 59C18070B002599FCB44AFB4D4587AE7BEBEF88300F148428E406EB799DE349D46CB59
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 363 40e7ee-40e7f6 call 40e7c3 365 40e7fb-40e7ff ExitProcess 363->365
                          APIs
                          • ___crtCorExitProcess.LIBCMT ref: 0040E7F6
                            • Part of subcall function 0040E7C3: GetModuleHandleW.KERNEL32(mscoree.dll,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7CD
                            • Part of subcall function 0040E7C3: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040E7DD
                            • Part of subcall function 0040E7C3: CorExitProcess.MSCOREE(00000001,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7EA
                          • ExitProcess.KERNEL32 ref: 0040E7FF
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID: ExitProcess$AddressHandleModuleProc___crt
                          • String ID:
                          • API String ID: 2427264223-0
                          • Opcode ID: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
                          • Instruction ID: d9ec683f250bcd397ae0bae66fbc2b9097e114182cfe22e5ca4178904d999afd
                          • Opcode Fuzzy Hash: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
                          • Instruction Fuzzy Hash: ADB09B31000108BFDB112F13DC09C493F59DB40750711C435F41805071DF719D5195D5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 470 55912fe-559163b GetCurrentThreadId 474 559163d-5591643 470->474 475 5591644-5591685 call 5591194 470->475 474->475
                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 0559162A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1743069291.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5590000_ENDIDEV.jbxd
                          Similarity
                          • API ID: CurrentThread
                          • String ID:
                          • API String ID: 2882836952-0
                          • Opcode ID: 37ee59c197c3456938d4ca9e2015173dc2b9d4b708eaaa5e69509358eacefe3b
                          • Instruction ID: 6d6798d2d5d9c14457137e2b2c4dce834f55459f059902c54d80208789cd96fe
                          • Opcode Fuzzy Hash: 37ee59c197c3456938d4ca9e2015173dc2b9d4b708eaaa5e69509358eacefe3b
                          • Instruction Fuzzy Hash: A83168B09042898FDB01DF99D850BDEBFF0FF4A314F19859AD445AB252D338A948CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 480 236f6b0-236f744 DuplicateHandle 481 236f746-236f74c 480->481 482 236f74d-236f76a 480->482 481->482
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0236F737
                          Memory Dump Source
                          • Source File: 00000000.00000002.1741647022.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2360000_ENDIDEV.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: e654078b4da5c87c63de8bfbe872076103db6026c5ed47d6516ca901b9d89686
                          • Instruction ID: 2d428213078ecff372c979db537b7b3b4b50b4d6453d48c56363c68fc085f797
                          • Opcode Fuzzy Hash: e654078b4da5c87c63de8bfbe872076103db6026c5ed47d6516ca901b9d89686
                          • Instruction Fuzzy Hash: 4021F5B5900258DFDB10CFAAD584ADEFFF8EB48310F14801AE958A3310C374A944CFA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 485 5591690-55916da 487 55916dc-55916e4 485->487 488 55916e6-5591716 EnumThreadWindows 485->488 487->488 489 5591718-559171e 488->489 490 559171f-559174c 488->490 489->490
                          APIs
                          • EnumThreadWindows.USER32(?,00000000,?), ref: 05591709
                          Memory Dump Source
                          • Source File: 00000000.00000002.1743069291.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5590000_ENDIDEV.jbxd
                          Similarity
                          • API ID: EnumThreadWindows
                          • String ID:
                          • API String ID: 2941952884-0
                          • Opcode ID: e77b37565f16406ab4bc283cb858a3ea5ebd317e53e39def87fca63cfe76ab43
                          • Instruction ID: 409ae52bc1bd17df1693b50ac3eacf69bf1c24322cf931bcaa28fa3cb81d3cc6
                          • Opcode Fuzzy Hash: e77b37565f16406ab4bc283cb858a3ea5ebd317e53e39def87fca63cfe76ab43
                          • Instruction Fuzzy Hash: 962158B1D0021A8FDB14DF9AC944BEEFBF8FB88320F14842AD455A3250D778A945CF64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 494 5591a20-5591a6b 496 5591a6d-5591a70 494->496 497 5591a73-5591a77 494->497 496->497 498 5591a79-5591a7c 497->498 499 5591a7f-5591ab2 MessageBoxW 497->499 498->499 500 5591abb-5591acf 499->500 501 5591ab4-5591aba 499->501 501->500
                          APIs
                          • MessageBoxW.USER32(?,00000000,00000000,?), ref: 05591AA5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1743069291.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5590000_ENDIDEV.jbxd
                          Similarity
                          • API ID: Message
                          • String ID:
                          • API String ID: 2030045667-0
                          • Opcode ID: 8ef10ebc8d07f455abea4d3452b904581b34d474db64155612935faa6553a307
                          • Instruction ID: 62d1aaeb841f342c6dcb2151f8797108043b8de672e8ce9bbcb8603f667558b1
                          • Opcode Fuzzy Hash: 8ef10ebc8d07f455abea4d3452b904581b34d474db64155612935faa6553a307
                          • Instruction Fuzzy Hash: 7F2143B6C003599FCB14CF9AC884ACEFBF5FB48310F10852AD859A7600C375A944CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 503 5591698-55916da 504 55916dc-55916e4 503->504 505 55916e6-5591716 EnumThreadWindows 503->505 504->505 506 5591718-559171e 505->506 507 559171f-559174c 505->507 506->507
                          APIs
                          • EnumThreadWindows.USER32(?,00000000,?), ref: 05591709
                          Memory Dump Source
                          • Source File: 00000000.00000002.1743069291.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5590000_ENDIDEV.jbxd
                          Similarity
                          • API ID: EnumThreadWindows
                          • String ID:
                          • API String ID: 2941952884-0
                          • Opcode ID: 05d88867c123d6dae41c109621e7496e0825e745c524f9e9bf5bded3d07b3c11
                          • Instruction ID: de260f988a10729c2bfe713a9bd8898966175055cd1e1ed0249e768bde9cda5e
                          • Opcode Fuzzy Hash: 05d88867c123d6dae41c109621e7496e0825e745c524f9e9bf5bded3d07b3c11
                          • Instruction Fuzzy Hash: 6C2138B5D0025A8FDB14CF9AC944BEEFBF8FB88320F14842AD455A3250D778A945CF65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 511 5591a28-5591a6b 512 5591a6d-5591a70 511->512 513 5591a73-5591a77 511->513 512->513 514 5591a79-5591a7c 513->514 515 5591a7f-5591ab2 MessageBoxW 513->515 514->515 516 5591abb-5591acf 515->516 517 5591ab4-5591aba 515->517 517->516
                          APIs
                          • MessageBoxW.USER32(?,00000000,00000000,?), ref: 05591AA5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1743069291.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5590000_ENDIDEV.jbxd
                          Similarity
                          • API ID: Message
                          • String ID:
                          • API String ID: 2030045667-0
                          • Opcode ID: d261f6f8eccba89e96775f2982898a600ef76a1f6002dfbda5e2a5fd4b115011
                          • Instruction ID: 6c7691f061e93a3fa95a7aa0f86be674e02b54d120ea996cc0ad2ef4f75679c0
                          • Opcode Fuzzy Hash: d261f6f8eccba89e96775f2982898a600ef76a1f6002dfbda5e2a5fd4b115011
                          • Instruction Fuzzy Hash: 892102B5D003599FCB14CF9AC884ADEFBF5FB88310F14852ED819A7600C379A944CBA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 02369214
                          Memory Dump Source
                          • Source File: 00000000.00000002.1741647022.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2360000_ENDIDEV.jbxd
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          • Opcode ID: 219e5eb9002ab0b64c505c9663076bcdca7469bd8e4d29c92945b4770367a821
                          • Instruction ID: c202123d3eb13a685bb06a641368e60428a4ab38f2610122ed54f4d86aa8a388
                          • Opcode Fuzzy Hash: 219e5eb9002ab0b64c505c9663076bcdca7469bd8e4d29c92945b4770367a821
                          • Instruction Fuzzy Hash: ED1106B1D002499FCB10DFAAC584BEEFBF8EF48320F10842AD559A7254C774A944CFA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • FindCloseChangeNotification.KERNELBASE ref: 023693D2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1741647022.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2360000_ENDIDEV.jbxd
                          Similarity
                          • API ID: ChangeCloseFindNotification
                          • String ID:
                          • API String ID: 2591292051-0
                          • Opcode ID: 7256fea947fb01ca2b56807ceff914d9becf6569d6011823adbda87f91571f21
                          • Instruction ID: be1d6db684d6959b891657bbc422c05966b51c3af1f1121fad675b2b1fcd6ac7
                          • Opcode Fuzzy Hash: 7256fea947fb01ca2b56807ceff914d9becf6569d6011823adbda87f91571f21
                          • Instruction Fuzzy Hash: 0C113AB1D003488FCB10DFAAC5457EEFBF8EB88324F24841AD559A7254C774A944CF94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80
                          • SysAllocString.OLEAUT32 ref: 00401898
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID: AllocString_malloc
                          • String ID:
                          • API String ID: 959018026-0
                          • Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
                          • Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
                          • Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
                          • Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID: CreateHeap
                          • String ID:
                          • API String ID: 10892065-0
                          • Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
                          • Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
                          • Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
                          • Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • _doexit.LIBCMT ref: 0040EA16
                            • Part of subcall function 0040E8DE: __lock.LIBCMT ref: 0040E8EC
                            • Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E923
                            • Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E938
                            • Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E962
                            • Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E978
                            • Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E985
                            • Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9B4
                            • Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9C4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID: __decode_pointer$__initterm$__lock_doexit
                          • String ID:
                          • API String ID: 1597249276-0
                          • Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
                          • Instruction ID: a0257ab8b89ab24c4dda27abc63ac43d0f25756bab2839dd78a8b277d7454467
                          • Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
                          • Instruction Fuzzy Hash: D2B0923298420833EA202643AC03F063B1987C0B64E244031BA0C2E1E1A9A2A9618189
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.1741007907.000000000061D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0061D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_61d000_ENDIDEV.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4284b90ef368dd9586893eb6c63385756d3651330f7a0249a0423da8efeb5a5c
                          • Instruction ID: 5137a4b88aa16b022e65b4a2a99963ad44f8b5205cbe72a41c28fd5ac7cd6242
                          • Opcode Fuzzy Hash: 4284b90ef368dd9586893eb6c63385756d3651330f7a0249a0423da8efeb5a5c
                          • Instruction Fuzzy Hash: BC018C6140E3C09FD7128B258C94B92BFB4EF53224F1DC0CBD9888F2A3C2698849C772
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.1741007907.000000000061D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0061D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_61d000_ENDIDEV.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d634bf500ffd0796879390d3997dcf7a71a8a338f6bad833bc6f2b416ab1cb1b
                          • Instruction ID: edb598eb998b1376df9eaf7440a3cb4a9608f1043077a3547db29d352fac87c9
                          • Opcode Fuzzy Hash: d634bf500ffd0796879390d3997dcf7a71a8a338f6bad833bc6f2b416ab1cb1b
                          • Instruction Fuzzy Hash: 4901A771408340AAE7108E29CD84BE7BFD9EF59325F1CC529ED484A286C279D8C6D6B1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • IsDebuggerPresent.KERNEL32 ref: 004136F4
                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
                          • UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
                          • GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
                          • TerminateProcess.KERNEL32(00000000), ref: 00413737
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                          • String ID:
                          • API String ID: 2579439406-0
                          • Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
                          • Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
                          • Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
                          • Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D
                          Uniqueness

                          Uniqueness Score: -1.00%
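
The function at 004136F4 above calls IsDebuggerPresent, SetUnhandledExceptionFilter(NULL), UnhandledExceptionFilter, GetCurrentProcess and TerminateProcess, with C0000409 (STATUS_STACK_BUFFER_OVERRUN) already on the stack at the GetCurrentProcess call. That exact sequence is the MSVC CRT's /GS cookie-failure handler (__report_gsfailure / _invoke_watson): the debugger check only decides whether to break before terminating, so a generic IsDebuggerPresent signature fires on CRT boilerplate here rather than on anything the sample's author wrote. The same goes for the ExitProcess function at 0040E7EE, whose mscoree.dll / CorExitProcess lookup is the CRT's normal exit path. The Python below is an added example for this page, not Joe Sandbox's or the sample's code: it parses API lines in the format printed in this section and labels those two CRT sequences so a reviewer can set them aside and spend time on any debugger check that remains. The label strings and the constructed anti-debug sample are my own.

```python
"""Classify the per-function API lists printed in this report so that MSVC CRT
boilerplate is not mistaken for attacker tradecraft.

Added example for this page, not Joe Sandbox's own code. Recognises two stock
CRT sequences by the Win32 APIs they call:
  * /GS fail-fast (__report_gsfailure / _invoke_watson): IsDebuggerPresent ->
    SetUnhandledExceptionFilter(NULL) -> UnhandledExceptionFilter ->
    TerminateProcess(GetCurrentProcess(), 0xC0000409 STATUS_STACK_BUFFER_OVERRUN)
  * CRT exit: GetModuleHandleW("mscoree.dll") / GetProcAddress("CorExitProcess")
    attempted before ExitProcess.
The parsed line format is the one on this page; the labels are my own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "• GetCurrentProcess.KERNEL32(C0000409), ref: 00413730"
# "• Part of subcall function 0040E7C3: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040E7DD"
API_LINE_RE = re.compile(
    r"^\W*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w@:~]+)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

STATUS_STACK_BUFFER_OVERRUN = 0xC0000409
GS_FAILFAST_SEQ = ["IsDebuggerPresent", "SetUnhandledExceptionFilter",
                   "UnhandledExceptionFilter", "GetCurrentProcess", "TerminateProcess"]


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int
    subcall: Optional[int]   # callee address when Joe marks "Part of subcall function"


def parse_api_lines(lines) -> List[ApiCall]:
    calls = []
    for line in lines:
        m = API_LINE_RE.match(line.strip())
        if not m:
            continue   # section headers such as "APIs" or "Memory Dump Source"
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls


def _is_subsequence(needle, haystack) -> bool:
    """True if every element of needle appears in haystack in that order."""
    it = iter(haystack)
    return all(any(x == y for y in it) for x in needle)


def classify(calls: List[ApiCall]) -> str:
    direct = [c.api for c in calls if c.subcall is None]          # calls in listing order
    all_args = {a.upper() for c in calls for a in c.args}
    if (_is_subsequence(GS_FAILFAST_SEQ, direct)
            and f"{STATUS_STACK_BUFFER_OVERRUN:08X}" in all_args):
        # Stock __report_gsfailure: IsDebuggerPresent only gates a breakpoint
        # before the process is killed; it is not an anti-analysis check.
        return "crt-failfast"
    if "ExitProcess" in direct and any(c.api == "CorExitProcess" for c in calls):
        return "crt-exit"
    if "IsDebuggerPresent" in direct:
        # A debugger check outside the CRT handler deserves a look in the CFG.
        return "anti-debug?"
    return "other"


# API lines copied from the two CRT functions listed on this page.
GS_FAILFAST_LINES = [
    "• IsDebuggerPresent.KERNEL32 ref: 004136F4",
    "• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709",
    "• UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714",
    "• GetCurrentProcess.KERNEL32(C0000409), ref: 00413730",
    "• TerminateProcess.KERNEL32(00000000), ref: 00413737",
]
CRT_EXIT_LINES = [
    "• ___crtCorExitProcess.LIBCMT ref: 0040E7F6",
    "• Part of subcall function 0040E7C3: GetModuleHandleW.KERNEL32(mscoree.dll,?,0040E7FB,00000001), ref: 0040E7CD",
    "• Part of subcall function 0040E7C3: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040E7DD",
    "• Part of subcall function 0040E7C3: CorExitProcess.MSCOREE(00000001,?,0040E7FB,00000001), ref: 0040E7EA",
    "• ExitProcess.KERNEL32 ref: 0040E7FF",
]
# Constructed (not from the report): a bare debugger check that exits, the
# shape an actual anti-analysis stub takes. Addresses are placeholders.
ANTIDEBUG_LINES_CONSTRUCTED = [
    "• IsDebuggerPresent.KERNEL32 ref: 00401000",
    "• ExitProcess.KERNEL32(00000000), ref: 00401010",
]

if __name__ == "__main__":
    for name, lines in [("004136F4", GS_FAILFAST_LINES), ("0040E7EE", CRT_EXIT_LINES),
                        ("constructed", ANTIDEBUG_LINES_CONSTRUCTED)]:
        print(f"{name}: {classify(parse_api_lines(lines))}")
```

The check insists on both the call order and the 0xC0000409 status before calling something CRT fail-fast; a packer that merely sprinkles IsDebuggerPresent next to TerminateProcess will not match and falls through to the "anti-debug?" label, which is the behaviour a triage filter should have.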

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID:
                          • String ID: @$@$PA
                          • API String ID: 0-3039612711
                          • Opcode ID: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
                          • Instruction ID: 284407f43597d2b1529aa5dbb826e4f49811f0ea4eaa41d9cabafce47d44ff82
                          • Opcode Fuzzy Hash: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
                          • Instruction Fuzzy Hash: 64E159316083418FC724DF28C58066BB7E1AFD9314F14493EE8C5A7391EB79D949CB8A
                           Uniqueness
                           • Uniqueness Score: -1.00%
                          Memory Dump Source
                          • Source File: 00000000.00000002.1741647022.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2360000_ENDIDEV.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'kq$4'kq
                          • API String ID: 0-4171853269
                          • Opcode ID: d8583e1f7e53b41c0b0cfbeced2d55715dcaeea400ee8d1efd75208351f0ab07
                          • Instruction ID: 06a386793c9fde340dd56feb745b2359786a3f701197cee29f01a0e2c273f90d
                          • Opcode Fuzzy Hash: d8583e1f7e53b41c0b0cfbeced2d55715dcaeea400ee8d1efd75208351f0ab07
                          • Instruction Fuzzy Hash: 556195B0E006448FD749EF3AE94069ABBE3BBC9300B14D879C0459B379EB71554AEB54
                           Uniqueness
                           • Uniqueness Score: -1.00%
                          Memory Dump Source
                          • Source File: 00000000.00000002.1741647022.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2360000_ENDIDEV.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'kq$4'kq
                          • API String ID: 0-4171853269
                          • Opcode ID: 5be5141fa822a33c3d62e4911700f31f2d03e95b17de448d8dc04c17dd47753c
                          • Instruction ID: a261928a33a790b942ad3bade16172335f3ecd56ce4a13999c8593ab8f4d8c3f
                          • Opcode Fuzzy Hash: 5be5141fa822a33c3d62e4911700f31f2d03e95b17de448d8dc04c17dd47753c
                          • Instruction Fuzzy Hash: 455175B0E006448FD749EF7AE94068ABBE3BBC9300F14D879D0459B378EB70560AEB54
                           Uniqueness
                           • Uniqueness Score: -1.00%
                          APIs
                          • GetProcessHeap.KERNEL32 ref: 0040ADD0
                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID: Heap$FreeProcess
                          • String ID:
                          • API String ID: 3859560861-0
                          • Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
                          • Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
                          • Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
                          • Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58
                           Uniqueness
                           • Uniqueness Score: -1.00%
                          APIs
                          • SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled
                          • String ID:
                          • API String ID: 3192549508-0
                          • Opcode ID: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
                          • Instruction ID: 17be93bd3878235df00445469c4c747c8dbd7a907b9f456768254b9c32cbcc1b
                          • Opcode Fuzzy Hash: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
                          • Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569
                           Uniqueness
                           • Uniqueness Score: -1.00%
                          Memory Dump Source
                          • Source File: 00000000.00000002.1741647022.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2360000_ENDIDEV.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3bf5ce07eda6f5155be1d35b764d81d3e6e9c3b2d640612da73bb007b3f38094
                          • Instruction ID: 08c548f9a7ae24d5621434bd13c0f2707b98353be509b322048fdebd62c3def4
                          • Opcode Fuzzy Hash: 3bf5ce07eda6f5155be1d35b764d81d3e6e9c3b2d640612da73bb007b3f38094
                          • Instruction Fuzzy Hash: 51829D5254D2C25BD7630B7808FA2E6BFF9DC9762836D45DECDC00A903E10AA96BC749
                           Uniqueness
                           • Uniqueness Score: -1.00%
                          Memory Dump Source
                          • Source File: 00000000.00000002.1741647022.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2360000_ENDIDEV.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f8a3e35c8d33ff60b25802142ee7f27827d643c02fbe1d2328a2e08b07504ef5
                          • Instruction ID: 6daecfa445e0b1e7a7f81e1df08638009abea2e9e1383dced8e1e2c42df577b4
                          • Opcode Fuzzy Hash: f8a3e35c8d33ff60b25802142ee7f27827d643c02fbe1d2328a2e08b07504ef5
                          • Instruction Fuzzy Hash: 71829E5254D2C25BD7630B7808FA2E6BFF9DC9763836D45DECDC00A903E10AA96BC749
                           Uniqueness
                           • Uniqueness Score: -1.00%
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
                          • Instruction ID: d5e3495c9826dce769b252ea72d1bcaf7b5d46a24141b332915225fd3cdae7ad
                          • Opcode Fuzzy Hash: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
                          • Instruction Fuzzy Hash: 9852A471A047129FC708CF29C99066AB7E1FF88304F044A3EE896E7B81D739E955CB95
                           Uniqueness
                           • Uniqueness Score: -1.00%
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
                          • Instruction ID: 17d22deff8d32e931318445bbea846c6b698fa6fcc44f6923348d96d7e24b863
                          • Opcode Fuzzy Hash: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
                          • Instruction Fuzzy Hash: 0A329E70A087029FD318CF29C98472AB7E1BF84304F148A3EE89567781D779E955CBDA
                           Uniqueness
                           • Uniqueness Score: -1.00%
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
                          • Instruction ID: cc67e10771130af0a5279b37c8f7fa75a2653c997645fd1ae8a0b8309c7f2627
                          • Opcode Fuzzy Hash: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
                          • Instruction Fuzzy Hash: 48E1D6306083514FC708CF28C99456ABBE2EFC5304F198A7EE8D68B386D779D94ACB55
                           Uniqueness
                           • Uniqueness Score: -1.00%
                          Memory Dump Source
                          • Source File: 00000000.00000002.1743069291.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5590000_ENDIDEV.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 617f611b1172d44893c77dafc90a5ef68c0e75f14ccfc0cf791ba04316d95eb1
                          • Instruction ID: 49155264d5a53b6a0f58d742e1279a822c1cce739941fdf4d1672bf5ae8b22b0
                          • Opcode Fuzzy Hash: 617f611b1172d44893c77dafc90a5ef68c0e75f14ccfc0cf791ba04316d95eb1
                          • Instruction Fuzzy Hash: 871293F0C817498AD310CF65E94C1893BA1BB49318BD07E19D2616B3E5EBB4166EEF4C
                           Uniqueness
                           • Uniqueness Score: -1.00%
                          Memory Dump Source
                          • Source File: 00000000.00000002.1743069291.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5590000_ENDIDEV.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6be8c8b84ff4e258e2d91fa1236dcddde40e0a6f4b4accd00d1853a92abfffb4
                          • Instruction ID: 2a72158f2dd00c1e2ea912b471ff352666c75283a604a4ec2861a1ee924768e3
                          • Opcode Fuzzy Hash: 6be8c8b84ff4e258e2d91fa1236dcddde40e0a6f4b4accd00d1853a92abfffb4
                          • Instruction Fuzzy Hash: FCC12EB0C807498BD710CF25E9481897BB1BB49318F947E19D1616B3E4FBB416AEEF48
                           Uniqueness
                           • Uniqueness Score: -1.00%
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
                          • Instruction ID: 74c1b90a01db230de662c72faab58802bb742d928f34651097fec506a9751401
                          • Opcode Fuzzy Hash: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
                          • Instruction Fuzzy Hash: 15717072A9155347E39CCF5CECD17763713DBC5351F49C23ACA025B6EAC938A922C688
                           Uniqueness
                           • Uniqueness Score: -1.00%
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
                          • Instruction ID: e93c334361593eb17f37b37ed9e80cdb2c00b1b1e1af3e0e9a736190e966ddef
                          • Opcode Fuzzy Hash: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
                          • Instruction Fuzzy Hash: 4A615E3266055747E391DF6DEEC47663762EBC9351F18C630CA008B6A6CB39B92297CC
                           Uniqueness
                           • Uniqueness Score: -1.00%
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
                          • Instruction ID: 39afabd8a370e1aacf823bb5b0eb141e0e266d105c364ee31248ba7b153c19f0
                          • Opcode Fuzzy Hash: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
                          • Instruction Fuzzy Hash: 2851F94400D7E18EC716873A44E0AA7BFD10FAB115F4E9ACDA5E90B2E3C159C288DB77
                           Uniqueness
                           • Uniqueness Score: -1.00%
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
                          • Instruction ID: cff114a85fcb8f5deb46d81d22c4208fa3965af46b01a687ebeadebabb5a60ab
                          • Opcode Fuzzy Hash: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
                          • Instruction Fuzzy Hash: 9A31D8302052028BE738CE19C954BEBB3B5AFC0349F44883ED986A73C4DABDD945D795
                           Uniqueness
                           • Uniqueness Score: -1.00%
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
                          • Instruction ID: 40597224e526abc728bb10992f322fa75c91b34d76fbbe6bc80328d1c420bfc2
                          • Opcode Fuzzy Hash: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
                          • Instruction Fuzzy Hash: F321923170520247EB68C929C9547ABB3A5ABC0389F48853EC986A73C8DAB9E941D785
                           Uniqueness
                           • Uniqueness Score: -1.00%
                          APIs
                          • LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
                          • GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,005818C0), ref: 004170C5
                          • MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
                          • _malloc.LIBCMT ref: 0041718A
                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
                          • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
                          • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
                          • _malloc.LIBCMT ref: 0041724C
                          • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
                          • __freea.LIBCMT ref: 004172A4
                          • __freea.LIBCMT ref: 004172AD
                          • ___ansicp.LIBCMT ref: 004172DE
                          • ___convertcp.LIBCMT ref: 00417309
                          • LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
                          • _malloc.LIBCMT ref: 00417362
                          • _memset.LIBCMT ref: 00417384
                          • LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
                          • ___convertcp.LIBCMT ref: 004173BA
                          • __freea.LIBCMT ref: 004173CF
                          • LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
                          • String ID:
                          • API String ID: 3809854901-0
                          • Opcode ID: b820e78b463918eed32479816903fc70d8532b7c557c67349a3712e4f0fad1ae
                          • Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
                          • Opcode Fuzzy Hash: b820e78b463918eed32479816903fc70d8532b7c557c67349a3712e4f0fad1ae
                          • Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98
                           Uniqueness
                           • Uniqueness Score: -1.00%
                          APIs
                          • _malloc.LIBCMT ref: 004057DE
                            • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
                            • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
                            • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
                          • _malloc.LIBCMT ref: 00405842
                          • _malloc.LIBCMT ref: 00405906
                          • _malloc.LIBCMT ref: 00405930
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID: _malloc$AllocateHeap
                          • String ID: 1.2.3
                          • API String ID: 680241177-2310465506
                          • Opcode ID: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
                          • Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
                          • Opcode Fuzzy Hash: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
                          • Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                          • String ID:
                          • API String ID: 3886058894-0
                          • Opcode ID: 61b9ef8a6f765c58139a33a573ef994292dae8fcc9e916c915b81b6d9ebba236
                          • Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
                          • Opcode Fuzzy Hash: 61b9ef8a6f765c58139a33a573ef994292dae8fcc9e916c915b81b6d9ebba236
                          • Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __lock_file.LIBCMT ref: 0040C6C8
                          • __fileno.LIBCMT ref: 0040C6D6
                          • __fileno.LIBCMT ref: 0040C6E2
                          • __fileno.LIBCMT ref: 0040C6EE
                          • __fileno.LIBCMT ref: 0040C6FE
                            • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                            • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
                          • String ID: 'B
                          • API String ID: 2805327698-2787509829
                          • Opcode ID: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
                          • Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
                          • Opcode Fuzzy Hash: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
                          • Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __getptd.LIBCMT ref: 00414744
                            • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
                            • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
                          • __getptd.LIBCMT ref: 0041475B
                          • __amsg_exit.LIBCMT ref: 00414769
                          • __lock.LIBCMT ref: 00414779
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                          • String ID: @.B
                          • API String ID: 3521780317-470711618
                          • Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
                          • Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
                          • Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
                          • Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __getptd.LIBCMT ref: 00413FD8
                            • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
                            • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
                          • __amsg_exit.LIBCMT ref: 00413FF8
                          • __lock.LIBCMT ref: 00414008
                          • InterlockedDecrement.KERNEL32(?), ref: 00414025
                          • InterlockedIncrement.KERNEL32(00581660), ref: 00414050
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                          • String ID:
                          • API String ID: 4271482742-0
                          • Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
                          • Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
                          • Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
                          • Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID: __calloc_crt
                          • String ID: P$B$`$B
                          • API String ID: 3494438863-235554963
                          • Opcode ID: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
                          • Instruction ID: 4bdca0f49684ef71ac3198dcc3f656e5d5ce7fed137673697bf40858e87bd1f9
                          • Opcode Fuzzy Hash: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
                          • Instruction Fuzzy Hash: 6011A3327446115BE7348B1DBD50F662391EB84728BA4423BE619EA7E0E77CD8864A4C
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
                          • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: IsProcessorFeaturePresent$KERNEL32
                          • API String ID: 1646373207-3105848591
                          • Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
                          • Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
                          • Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
                          • Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • ___addlocaleref.LIBCMT ref: 0041470C
                            • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(00000001), ref: 004145E4
                            • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145F1
                            • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145FE
                            • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041460B
                            • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414618
                            • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414634
                            • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414644
                            • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041465A
                          • ___removelocaleref.LIBCMT ref: 00414717
                            • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 0041467B
                            • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414688
                            • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414695
                            • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146A2
                            • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146AF
                            • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146CB
                            • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(00000000), ref: 004146DB
                            • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146F1
                          • ___freetlocinfo.LIBCMT ref: 0041472B
                            • Part of subcall function 00414489: ___free_lconv_mon.LIBCMT ref: 004144CF
                            • Part of subcall function 00414489: ___free_lconv_num.LIBCMT ref: 004144F0
                            • Part of subcall function 00414489: ___free_lc_time.LIBCMT ref: 00414575
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
                          • String ID: @.B
                          • API String ID: 467427115-470711618
                          • Opcode ID: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
                          • Instruction ID: 8e9b8205a585dc9325c25650a27042e0212317e7447dcce9b0fe23aa5a8dd77f
                          • Opcode Fuzzy Hash: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
                          • Instruction Fuzzy Hash: BDE0863250192255CE35261D76806EF93A98FD3725B3A017FF864AF7D8EB2C4CC0809D
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __fileno.LIBCMT ref: 0040C77C
                          • __locking.LIBCMT ref: 0040C791
                            • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                            • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID: __decode_pointer__fileno__getptd_noexit__locking
                          • String ID:
                          • API String ID: 2395185920-0
                          • Opcode ID: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
                          • Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
                          • Opcode Fuzzy Hash: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
                          • Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID: _fseek_malloc_memset
                          • String ID:
                          • API String ID: 208892515-0
                          • Opcode ID: 689e5a2a8d0df6628a55ca55f65915ee6a0b33bdec45a2b9390eeacb6c5b01b1
                          • Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
                          • Opcode Fuzzy Hash: 689e5a2a8d0df6628a55ca55f65915ee6a0b33bdec45a2b9390eeacb6c5b01b1
                          • Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
                          • __isleadbyte_l.LIBCMT ref: 00415307
                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,?,?,00000000,?,?,?), ref: 00415338
                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,00000001,?,00000000,?,?,?), ref: 004153A6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                          • String ID:
                          • API String ID: 3058430110-0
                          • Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
                          • Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
                          • Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
                          • Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.1740692412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740729501.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740745337.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_ENDIDEV.jbxd
                          Similarity
                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                          • String ID:
                          • API String ID: 3016257755-0
                          • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                          • Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
                          • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                          • Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89
                          Uniqueness

                          Uniqueness Score: -1.00%
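The per-function records above are Joe Sandbox IDA plugin output for the native code section at 00400000. Nearly every listed callee carries the LIBCMT tag, meaning it is a statically linked MSVC C runtime internal (__getptd, __amsg_exit, ___addlocaleref, _LocaleUpdate, __fileno), and the GetModuleHandleA/GetProcAddress lookup of IsProcessorFeaturePresent at 00413615 sits in the same address range as those helpers, so it is most likely runtime support code rather than the stealer's own dynamic API resolution. What a practitioner wants from this section is the handful of real OS calls (KERNEL32, NTDLL) and the API String IDs that let two reports be matched function by function. The parser below is an added example, not Joe Sandbox code: it assumes the record layout exactly as it appears on this page (APIs, Memory Dump Source, Similarity and Uniqueness Score headers), the CRT_LIBS set is an assumption about which library tags mark CRT code, the SAMPLE_REPORT is two records copied from this section, and OTHER_REPORT is a constructed second report used only to show the matching.

```python
"""Parse Joe Sandbox IDA-plugin function records into dicts and diff them.
Added example; not Joe Sandbox code. Assumes the record layout shown on
this page: 'APIs' opens a record, 'Uniqueness Score:' closes it."""
import re
from dataclasses import dataclass, field
from typing import Optional

# "• Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,...), ref: 0040B8C4"
# "• _malloc.LIBCMT ref: 004057DE"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\S+?)\.(?P<lib>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*?)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}
CRT_LIBS = {"LIBCMT", "LIBCMTD", "MSVCRT"}   # assumption: tags that mark CRT-internal code


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)      # direct calls from this function
    subcalls: list = field(default_factory=list)  # calls made inside its callees
    similarity: dict = field(default_factory=dict)
    source_file: str = ""
    uniqueness: Optional[float] = None


def parse_records(text: str):
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":            # every record starts with its APIs block
                cur = FunctionRecord()
                records.append(cur)
            section = line
            continue
        if cur is None:                   # tail of a record cut off before 'APIs'
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if not m:
                continue
            call = {"api": m["name"], "lib": m["lib"], "ref": m["ref"].upper(),
                    "args": m["args"].split(",") if m["args"] else []}
            if m["sub"]:
                call["subcall_of"] = m["sub"].upper()
                cur.subcalls.append(call)
            else:
                cur.apis.append(call)
        elif section == "Memory Dump Source" and line.startswith("• Source File:"):
            cur.source_file = line.split(":", 1)[1].strip().split(",")[0]
        elif section == "Similarity" and line.startswith("•"):
            key, _, value = line.lstrip("• ").partition(":")
            cur.similarity[key.strip()] = value.strip()
        elif section == "Uniqueness" and line.startswith("Uniqueness Score:"):
            cur.uniqueness = float(line.split(":", 1)[1].strip().rstrip("%"))
            section = None
    return records


def windows_api_calls(records):
    """Direct calls into OS DLLs, i.e. everything that is not a CRT helper."""
    return [(c["api"], c["lib"], c["ref"])
            for r in records for c in r.apis if c["lib"] not in CRT_LIBS]


def shared_functions(a, b):
    """API String IDs present in both reports (Joe Sandbox's similarity key)."""
    ids = lambda rs: {r.similarity.get("API String ID") for r in rs} - {None, ""}
    return sorted(ids(a) & ids(b))


# Two records copied from this report section (Strings / Uniqueness layout kept).
SAMPLE_REPORT = """\
APIs
• __getptd.LIBCMT ref: 00413FD8
  • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
  • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
• __amsg_exit.LIBCMT ref: 00413FF8
• __lock.LIBCMT ref: 00414008
• InterlockedDecrement.KERNEL32(?), ref: 00414025
• InterlockedIncrement.KERNEL32(00581660), ref: 00414050
Memory Dump Source
• Source File: 00000000.00000002.1740704952.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
• String ID:
• API String ID: 4271482742-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
• GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625
Strings
Similarity
• API ID: AddressHandleModuleProc
• String ID: IsProcessorFeaturePresent$KERNEL32
• API String ID: 1646373207-3105848591
Uniqueness

Uniqueness Score: -1.00%
"""

# Constructed second report: one function with the same API String ID at other addresses.
OTHER_REPORT = """\
APIs
• GetModuleHandleA.KERNEL32(KERNEL32,00401234), ref: 00401200
• GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00401210
Similarity
• API String ID: 1646373207-3105848591
Uniqueness
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    print(windows_api_calls(recs))
    print(shared_functions(recs, parse_records(OTHER_REPORT)))
```

Feeding the whole report section through parse_records and printing windows_api_calls is the quickest way to separate the CRT noise from the few OS-level calls worth looking at; shared_functions then tells you which of those functions also appear, by Joe Sandbox's own key, in a second sample's report.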