

Windows Analysis Report
MneP65rGYh.exe

Overview

General Information

Sample name:MneP65rGYh.exe
renamed because original name is a hash value
Original sample name:6e68cb9b06c134b242d25249c90107a63dceb73c.exe
Analysis ID:1466695
MD5:8c6088cd4ff4b8ad208e28f7a860af92
SHA1:6e68cb9b06c134b242d25249c90107a63dceb73c
SHA256:e8570fcecdef82bae672d0ff8bf40119b273f51be6f36f058d46a493b1cd7571

Detection

Score:23
Range:0 - 100
Whitelisted:false
Confidence:40%

Signatures

Contains functionality to inject code into remote processes
Contains functionality to dynamically determine API calls
Detected potential crypto function
Potential time zone aware malware
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification: sus23.evad.winEXE@2/1@0/0

Process Tree

  • System is w10x64
  • MneP65rGYh.exe (PID: 4348 cmdline: "C:\Users\user\Desktop\MneP65rGYh.exe" MD5: 8C6088CD4FF4B8AD208E28F7A860AF92)
    • conhost.exe (PID: 5020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Source: MneP65rGYh.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\MneP65rGYh.exe | Code function 0_2_00404270: _splitpath, FindFirstFileA, _splitpath, _makepath, GetFileAttributesA, ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z, ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z, FindNextFileA, FindClose
Source: MneP65rGYh.exe | String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: MneP65rGYh.exe | String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: MneP65rGYh.exe | String found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: MneP65rGYh.exe | String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: MneP65rGYh.exe, ConDrv.0.dr | String found in binary or memory: http://www.verydoc.com
Source: MneP65rGYh.exe | String found in binary or memory: http://www.verydoc.com)
Source: MneP65rGYh.exe | String found in binary or memory: http://www.verydoc.com)Error
Source: MneP65rGYh.exe | String found in binary or memory: http://www.verydoc.com)b
Source: MneP65rGYh.exe, ConDrv.0.dr | String found in binary or memory: http://www.verypdf.com
Source: MneP65rGYh.exe | String found in binary or memory: http://www.verypdf.com/artprint/ghostscript.exe
Source: MneP65rGYh.exe | String found in binary or memory: http://www.verypdf.com/artprint/ghostscript.exeCan
Source: MneP65rGYh.exe | String found in binary or memory: http://www.verypdf.comCan
Source: MneP65rGYh.exe | String found in binary or memory: http://www.verypdf.comThe
Source: C:\Users\user\Desktop\MneP65rGYh.exe | Code function: 0_2_00409B50
Source: C:\Users\user\Desktop\MneP65rGYh.exe | Code function: 0_2_00404470
Source: C:\Users\user\Desktop\MneP65rGYh.exe | Code function: 0_2_004098C0
Source: C:\Users\user\Desktop\MneP65rGYh.exe | Code function: 0_2_004076C0
Source: C:\Users\user\Desktop\MneP65rGYh.exe | Code function: 0_2_0047C5D0
Source: MneP65rGYh.exe, 00000000.00000003.1652542621.0000000002B44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename VeryDOC XPS to PDF Converter vs MneP65rGYh.exe
Source: MneP65rGYh.exe, 00000000.00000000.1651135848.0000000000860000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename VeryDOC XPS to PDF Converter vs MneP65rGYh.exe
Source: MneP65rGYh.exe | Binary or memory string: OriginalFilename VeryDOC XPS to PDF Converter vs MneP65rGYh.exe
Source: classification engine | Classification label: sus23.evad.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5020:120:WilError_03
Source: MneP65rGYh.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MneP65rGYh.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\MneP65rGYh.exe | File read: C:\Users\user\Desktop\MneP65rGYh.exe
Source: unknown | Process created: C:\Users\user\Desktop\MneP65rGYh.exe "C:\Users\user\Desktop\MneP65rGYh.exe"
Source: C:\Users\user\Desktop\MneP65rGYh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MneP65rGYh.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\MneP65rGYh.exe | Section loaded: msvcp60.dll
Source: MneP65rGYh.exe | Static file information: File size 4587520 > 1048576
Source: MneP65rGYh.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x39d000
Source: C:\Users\user\Desktop\MneP65rGYh.exe | Code function 0_2_00401380: LoadLibraryA, GetProcAddress, FreeLibrary
Source: C:\Users\user\Desktop\MneP65rGYh.exe | Code function 0_2_004ADEB0: push eax; ret (at 0_2_004ADEDE)
Source: C:\Users\user\Desktop\MneP65rGYh.exe | Code function 0_2_004031A0: GetSystemDirectoryA, GetPrivateProfileStringA, _splitpath, printf, WritePrivateProfileStringA, printf, GetProfileIntA, _itoa, WriteProfileStringA, printf, printf, ShellExecuteA, _splitpath, _makepath, strstr, strstr, _fullpath, strstr, _fullpath, strstr, strstr, _fullpath, printf, WritePrivateProfileStringA, followed by a run of further printf calls
Source: C:\Users\user\Desktop\MneP65rGYh.exe | System information queried: CurrentTimeZoneInformation (three separate queries)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\MneP65rGYh.exe | Code function 0_2_00401540: _stricmp, sprintf, VirtualProtectEx, VirtualAllocEx, VirtualAllocEx, WriteProcessMemory, WriteProcessMemory, WriteProcessMemory, SetThreadContext, ResumeThread, CloseHandle, TerminateProcess, CloseHandle, CloseHandle, CloseHandle, TerminateProcess, CloseHandle, CloseHandle, CloseHandle
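The function listing above is the whole basis for the "inject code into remote processes" signature: VirtualProtectEx, VirtualAllocEx, WriteProcessMemory, SetThreadContext and ResumeThread in one routine at 0x401540, with CreateProcessA, GetThreadContext and ReadProcessMemory also in the import table. At run time nothing was injected (thread injection: no activity detected; zero injected processes analysed) and the process only printed its usage text before exiting, so this is a static finding about the converter's own code. Two details are worth checking by hand. First, VirtualAllocEx is named in the function listing but does not appear in the static KERNEL32.dll import table further down, so it has to be resolved at run time; the LoadLibraryA/GetProcAddress routine at 0x401380 is the obvious path. Second, the "Sample file is different than original file name" hit is expected here: the sandbox itself renamed the hash-named sample, and the version resource's OriginalFilename is a product name rather than a file name. The script below is an added example, not Joe Sandbox's signature engine; it re-creates these import-cluster checks over a subset of the report's import table. The cluster definitions and their descriptions are assumptions made for this example, loosely modelled on the report's signature names.

```python
"""Import-table triage for injection capability and name mismatch (added example)."""

# API clusters behind "contains functionality to ..." style signatures.  A cluster fires
# when every API of at least one alternative set is present in the import table.
CLUSTERS = {
    "inject code into remote processes": [
        {"WriteProcessMemory", "SetThreadContext", "ResumeThread"},
        {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
        {"NtWriteVirtualMemory", "NtCreateThreadEx"},
    ],
    "dynamically determine API calls": [
        {"LoadLibraryA", "GetProcAddress"}, {"LoadLibraryW", "GetProcAddress"},
    ],
    "query the local time zone": [{"GetTimeZoneInformation"}],
    "enumerate files": [{"FindFirstFileA", "FindNextFileA"}, {"FindFirstFileW", "FindNextFileW"}],
    "adjust token privileges": [{"OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges"}],
}
# Create a process, rewrite its memory and thread context, resume it: the classic
# process-replacement chain.  Only its presence in the IAT is checked, not how it is used.
SUSPENDED_PROCESS_CHAIN = {
    "CreateProcessA", "GetThreadContext", "SetThreadContext", "WriteProcessMemory", "ResumeThread",
}


def imported_names(imports):
    """Flatten {dll: [api, ...]} into one set of API names."""
    return {api for apis in imports.values() for api in apis}


def match_clusters(imports):
    """{description: sorted matched APIs} for every cluster fully present in the imports."""
    names, hits = imported_names(imports), {}
    for desc, alternatives in CLUSTERS.items():
        for alt in alternatives:
            if alt <= names:
                hits[desc] = sorted(alt)
                break
    return hits


def not_in_import_table(called_apis, imports):
    """APIs a function is seen calling that the static import table lacks: these must be
    reached at run time, typically through GetProcAddress."""
    return sorted(set(called_apis) - imported_names(imports))


def version_name_mismatch(sample_name, original_filename):
    """The 'sample file is different than original file name' check: compare the on-disk
    name with the version resource's OriginalFilename, ignoring extension and case."""
    def stem(n):
        return (n.rsplit(".", 1)[0] if "." in n else n).casefold()
    return stem(sample_name) != stem(original_filename)


def triage(sample_name, original_filename, imports, function_calls):
    """Signature-style findings; function_calls maps a function address to the APIs it calls."""
    findings = [f"Contains functionality to {desc} ({', '.join(apis)})"
                for desc, apis in match_clusters(imports).items()]
    if SUSPENDED_PROCESS_CHAIN <= imported_names(imports):
        findings.append("Imports the full suspended-process replacement chain: "
                        + ", ".join(sorted(SUSPENDED_PROCESS_CHAIN)))
    for addr, apis in function_calls.items():
        missing = not_in_import_table(apis, imports)
        if missing:
            findings.append(f"{addr:#x} calls APIs absent from the import table: {', '.join(missing)}")
    if version_name_mismatch(sample_name, original_filename):
        findings.append(f"Sample name {sample_name!r} differs from OriginalFilename {original_filename!r}")
    return findings


# Constructed input: the relevant subset of the report's import table and the API list
# the report attributes to the function at 0x401540.
IMPORTS = {
    "KERNEL32.dll": ["FindClose", "FindNextFileA", "FindFirstFileA", "CreateProcessA",
                     "GetThreadContext", "ReadProcessMemory", "VirtualQueryEx", "VirtualProtectEx",
                     "WriteProcessMemory", "SetThreadContext", "ResumeThread", "CloseHandle",
                     "TerminateProcess", "VirtualAlloc", "LoadLibraryA", "GetProcAddress",
                     "GetTimeZoneInformation", "FreeLibrary"],
    "MSVCRT.dll": ["_stricmp", "sprintf", "printf"],
    "ADVAPI32.dll": ["OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges"],
}
FUNCTION_CALLS = {
    0x401540: ["_stricmp", "sprintf", "VirtualProtectEx", "VirtualAllocEx", "WriteProcessMemory",
               "SetThreadContext", "ResumeThread", "CloseHandle", "TerminateProcess"],
}
FINDINGS = triage("MneP65rGYh.exe", "VeryDOC XPS to PDF Converter", IMPORTS, FUNCTION_CALLS)

if __name__ == "__main__":
    print(*FINDINGS, sep="\n")
```

On the report's imports the injection, dynamic-API, time-zone and file-enumeration clusters all fire, the suspended-process chain is complete, VirtualAllocEx is reported as the one API reached outside the import table, and the name check fires for the renaming reason given above. A static cluster match is a capability statement only; whether the code path is ever taken is what the dynamic section of the report answers, and here it says no.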
MITRE ATT&CK Matrix (techniques with at least one signature hit; hit count in parentheses)

Execution: Native API (1)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (11), DLL Side-Loading (1)
Defense Evasion: Process Injection (11), DLL Side-Loading (1), Obfuscated Files or Information (1)
Discovery: System Time Discovery (1), File and Directory Discovery (1), System Information Discovery (2)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (1)
No hits: Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact
Behavior Graph (ID 1466695; sample MneP65rGYh.exe; start date 03/07/2024; architecture WINDOWS; score 23). Nodes: MneP65rGYh.exe started, which in turn started conhost.exe. The only signature attached to a graph node is "Contains functionality to inject code into remote processes", on MneP65rGYh.exe. (Graph image and legend omitted.)
Source | Detection | Scanner | Label
MneP65rGYh.exe | 0% | ReversingLabs |
MneP65rGYh.exe | 1% | Virustotal |
Dropped files: no antivirus matches
Unpacked PE files: no antivirus matches
Domains: no antivirus matches
Source | Detection | Scanner | Label
http://www.aiim.org/pdfa/ns/property# | 0% | Avira URL Cloud | safe
http://www.verydoc.com) | 0% | Avira URL Cloud | safe
http://www.aiim.org/pdfa/ns/id/ | 0% | Avira URL Cloud | safe
http://www.verypdf.comCan | 0% | Avira URL Cloud | safe
http://www.verypdf.comThe | 0% | Avira URL Cloud | safe
http://www.verydoc.com)b | 0% | Avira URL Cloud | safe
http://www.aiim.org/pdfa/ns/schema# | 0% | Avira URL Cloud | safe
http://www.verydoc.com | 0% | Avira URL Cloud | safe
http://www.aiim.org/pdfa/ns/extension/ | 0% | Avira URL Cloud | safe
http://www.aiim.org/pdfa/ns/id/ | 0% | Virustotal |
http://www.verypdf.com/artprint/ghostscript.exeCan | 0% | Avira URL Cloud | safe
http://www.aiim.org/pdfa/ns/schema# | 0% | Virustotal |
http://www.aiim.org/pdfa/ns/property# | 0% | Virustotal |
http://www.verypdf.com | 0% | Avira URL Cloud | safe
http://www.verydoc.com | 0% | Virustotal |
http://www.verydoc.com)Error | 0% | Avira URL Cloud | safe
http://www.verypdf.com/artprint/ghostscript.exe | 0% | Avira URL Cloud | safe
http://www.aiim.org/pdfa/ns/extension/ | 0% | Virustotal |
http://www.verypdf.com/artprint/ghostscript.exe | 0% | Virustotal |
http://www.verypdf.com/artprint/ghostscript.exeCan | 0% | Virustotal |
http://www.verypdf.com | 0% | Virustotal |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.aiim.org/pdfa/ns/property# | MneP65rGYh.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
http://www.verypdf.comThe | MneP65rGYh.exe | false | Avira URL Cloud: safe | unknown
http://www.verypdf.comCan | MneP65rGYh.exe | false | Avira URL Cloud: safe | unknown
http://www.verydoc.com) | MneP65rGYh.exe | false | Avira URL Cloud: safe | unknown
http://www.aiim.org/pdfa/ns/id/ | MneP65rGYh.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
http://www.verydoc.com)b | MneP65rGYh.exe | false | Avira URL Cloud: safe | unknown
http://www.aiim.org/pdfa/ns/schema# | MneP65rGYh.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
http://www.verydoc.com | MneP65rGYh.exe, ConDrv.0.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
http://www.aiim.org/pdfa/ns/extension/ | MneP65rGYh.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
http://www.verypdf.com/artprint/ghostscript.exeCan | MneP65rGYh.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
http://www.verypdf.com | MneP65rGYh.exe, ConDrv.0.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
http://www.verydoc.com)Error | MneP65rGYh.exe | false | Avira URL Cloud: safe | unknown
http://www.verypdf.com/artprint/ghostscript.exe | MneP65rGYh.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown

The entries ending in "Can", "The", ")Error" and ")b" are not separate URLs: they are the two vendor URLs with the following message text of the binary run together by the string extractor (the captured console output below shows the same URLs on their own lines). The distinct URLs are the two vendor sites, the ghostscript.exe download path and the four aiim.org URIs, which are the standard PDF/A XMP namespace identifiers rather than network endpoints. No network activity was recorded.
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1466695
Start date and time:2024-07-03 09:42:55 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 54s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:MneP65rGYh.exe
renamed because original name is a hash value
Original Sample Name:6e68cb9b06c134b242d25249c90107a63dceb73c.exe
Detection:SUS
Classification:sus23.evad.winEXE@2/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 98%
  • Number of executed functions: 5
  • Number of non-executed functions: 36
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Not all processes were analyzed, report is missing behavior information
No simulations
No context
Dropped file (ConDrv.0.dr, the captured console output cited as a string source in the signature section; it is the one file counted by the @2/1@0/0 classification label)
Process:C:\Users\user\Desktop\MneP65rGYh.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):3230
Entropy (8bit):4.945502162197307
Encrypted:false
SSDEEP:48:Awi0stmqAXdUFDK3ER8s/UVwn4HfAnFc5F6nZGyXhxFfXpjhthnktkEYEz:vpstM+FW3ER8sMy+24oFv7E
MD5:31F6098ADAC0DAE450AC1457C90EEA48
SHA1:8824D11441168A4BFA0FB50AD105BEA91898EC39
SHA-256:D7DC973D8CA27ED99EDC832E1F8EBF8A67D4FA055767AB92CDC2E879E5BCAD9C
SHA-512:1EDB462C573C5120807A7136437835B609799ADE638CFF8377831AC914D5B265B854C31D79FD33AFC76CC4F5478D31DEB5CFAEF93B92BD84BD61E2B9B7164F78
Malicious:false
Reputation:low
Preview (CRLF line breaks restored; the report truncates the preview after the -permission option):
XPS to PDF Converter Command Line v2.0
XPS to PDF Converter does convert XPS files to PDF, EPS, PS, BMP, TIFF, JPEG, PNG, PCX, etc. formats.
http://www.verypdf.com
http://www.verydoc.com
Email: support@verydoc.com
Release Date: Apr 9 2013
Usage: xps2pdf [options] <xps-file> [<out-file>]
 -producer <string> : Set 'producer' to PDF file
 -creator <string> : Set 'creator' to PDF file
 -subject <string> : Set 'subject' to PDF file
 -title <string> : Set 'title' to PDF file
 -author <string> : Set 'author' to PDF file
 -keywords <string> : Set 'keywords' to PDF file
 -openpwd <string> : Set 'open password' to PDF file
 -ownerpwd <string> : Set 'owner password' to PDF file
 -keylen <int> : Key length (40 or 128 bit)
 -keylen 0: 40 bit RC4 encryption (Acrobat 3 or higher)
 -keylen 1: 128 bit RC4 encryption (Acrobat 5 or higher)
 -keylen 2: 128 bit AES encryption (Acrobat 7 or higher)
 -permission <int>
File type:PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):7.8385672002475
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.42%
  • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
  • Windows Screen Saver (13104/52) 0.13%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
File name:MneP65rGYh.exe
File size:4'587'520 bytes
MD5:8c6088cd4ff4b8ad208e28f7a860af92
SHA1:6e68cb9b06c134b242d25249c90107a63dceb73c
SHA256:e8570fcecdef82bae672d0ff8bf40119b273f51be6f36f058d46a493b1cd7571
SHA512:695b7a7b0b98a1dc8c7bff72488311bb1aec05beda77ba8e1b0c82fbeed4925c066d070f88f2a33056c0d37c22efc488e86a9a7164622736f97f60c630503bb7
SSDEEP:98304:3V4YIKjvZCE9CTXI2hQnleYPCPBVWqbp/DGMESIVhHCJ:pnTZCh4NlHuuU7GMESI
TLSH:F1261202E2C710F0DA06257125A7FB37AA389A795B055B9BE370FD7DB8237B0653214B
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........].`.<.3.<.3.<.3. .3.<.3. .3.<.3~#.3.<.3.#.3.<.3.<.3}<.3~#.3.<.3.:.3.<.3~#.3.<.3Rich.<.3........................PE..L....}cQ...
Icon Hash:90cececece8e8eb0
Entrypoint:0x4adf34
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:0x51637D87 [Tue Apr 9 02:31:35 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:a85e91b05b5a4a224f385a09d1bcd73a
Entrypoint disassembly (0x4adf34). The sequence matches the Visual C++ 6 console CRT startup stub: an SEH frame is set up, then __set_app_type(1), __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm and __getmainargs are reached through the IAT; all of these are in the MSVCRT.dll import list below, so nothing here is specific to the sample:
push ebp
mov ebp, esp
push FFFFFFFFh
push 004BA508h
push 004AE0ACh
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 20h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
and dword ptr [ebp-04h], 00000000h
push 00000001h
call dword ptr [004B425Ch]
pop ecx
or dword ptr [0085F1D8h], FFFFFFFFh
or dword ptr [0085F1DCh], FFFFFFFFh
call dword ptr [004B4258h]
mov ecx, dword ptr [0085F1D0h]
mov dword ptr [eax], ecx
call dword ptr [004B4254h]
mov ecx, dword ptr [0085F1CCh]
mov dword ptr [eax], ecx
mov eax, dword ptr [004B4250h]
mov eax, dword ptr [eax]
mov dword ptr [0085F1D4h], eax
call 00007F390CBC999Eh
cmp dword ptr [0085E4D8h], 00000000h
jne 00007F390CBC989Eh
push 004AE0A8h
call dword ptr [004B424Ch]
pop ecx
call 00007F390CBC996Fh
push 004C2030h
push 004C202Ch
call 00007F390CBC995Ah
mov eax, dword ptr [0085F1C8h]
mov dword ptr [ebp-28h], eax
lea eax, dword ptr [ebp-28h]
push eax
push dword ptr [0085F1C4h]
lea eax, dword ptr [ebp-20h]
push eax
lea eax, dword ptr [ebp-2Ch]
push eax
lea eax, dword ptr [ebp-1Ch]
push eax
call dword ptr [004B4244h]
push 004C2028h
push 004C2000h
call 00007F390CBC9927h
Programming Language:
  • [ C ] VS98 (6.0) build 8168
  • [C++] VS98 (6.0) build 8168
  • [RES] VS98 (6.0) cvtres build 1720
  • [LNK] VS98 (6.0) imp/exp build 8168
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xc1ce0 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc0268 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x460000 | 0x538 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb4000 | 0x344 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb2945 | 0xb3000 | cda8fb8f91795aee61d1582e3112368d | False | 0.47047262351606145 | data | 6.536669535491083 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xb4000 | 0xde5c | 0xe000 | bc4d53f4c390e9c8517ec92ab51aa90d | False | 0.4257114955357143 | data | 5.553352918623029 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xc2000 | 0x39d1e0 | 0x39d000 | 7ae0533c6b029059fa54e1f3a2967794 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x460000 | 0x538 | 0x1000 | fcc804c6e0d5e4664e2235529fa78580 | False | 0.114990234375 | data | 1.3496578629899674 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
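Several of the static signatures earlier in the report (32-bit PE, file size over 1 MiB, .data raw size over 0x100000, section characteristics) and the header fields in this table are plain header reads. Two facts of security interest that the report lists but does not flag: the image has RELOCS_STRIPPED set and an empty DLL Characteristics field, so it cannot be relocated and gets no ASLR, and NX_COMPAT is unset as well, which is what a Visual C++ 6 link produces. The link timestamp (Tue Apr 9 2013) also agrees with the "Release Date: Apr 9 2013" banner in the captured console output, so it has not been tampered with. Note too that the report gives no entropy for .data while the whole-file entropy is 7.84 against 6.5 for .text and 5.6 for .rdata, so the 3.6 MiB .data section is where that entropy must be concentrated. The following is an added example, not Joe Sandbox code: a minimal PE32 header parser that computes per-section 8-bit entropy and reproduces those checks. Its input is a PE constructed inside the script with the report's characteristics bits and a high-entropy .data section, not the analysed binary, and the helper names are the example's own.

```python
"""Static PE32 header triage: characteristics, sections, entropy (added example)."""
import math
import struct
from datetime import datetime, timezone

FILE_CHARACTERISTICS = {  # IMAGE_FILE_HEADER.Characteristics bits the report names
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0100: "32BIT_MACHINE",
}
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT"}  # exploit-mitigation bits
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE", 0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def shannon_entropy(data):
    """8-bit Shannon entropy, 0.0 to 8.0 (the report's 'Entropy (8bit)')."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in range(256)) if c)


def parse_pe(data):
    """Read file-header flags, DllCharacteristics, entrypoint and section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    _, nsec, tstamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24  # optional header follows the 20-byte file header
    magic, _, _, _, _, _, entry, _, _, image_base = struct.unpack_from("<HBBIIIIIII", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 handled; PE32+ lays the optional header out differently")
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va, "vsize": vsize,
            "raw_size": rawsize, "entropy": round(shannon_entropy(data[rawptr:rawptr + rawsize]), 3),
            "flags": [f for bit, f in SECTION_FLAGS.items() if flags & bit],
        })
    return {
        "timestamp": datetime.fromtimestamp(tstamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "characteristics": [f for bit, f in FILE_CHARACTERISTICS.items() if chars & bit],
        "dll_characteristics": [f for bit, f in DLL_CHARACTERISTICS.items() if dllchars & bit],
        "entrypoint": image_base + entry, "sections": sections,
    }


def pe_findings(info, file_size):
    """Signature-style findings: the report's size checks plus missing exploit mitigations."""
    out = ["file size > 1 MiB"] if file_size > 0x100000 else []
    for s in info["sections"]:
        if s["raw_size"] > 0x100000:
            out.append(f"raw size of {s['name']} > 1 MiB")
        if s["entropy"] > 7.0 and "IMAGE_SCN_MEM_EXECUTE" not in s["flags"]:
            out.append(f"{s['name']} entropy {s['entropy']}: compressed or encrypted payload?")
    if "RELOCS_STRIPPED" in info["characteristics"] or "DYNAMIC_BASE" not in info["dll_characteristics"]:
        out.append("no ASLR: relocations stripped or DYNAMIC_BASE unset")
    if "NX_COMPAT" not in info["dll_characteristics"]:
        out.append("NX_COMPAT unset")
    return out


def build_minimal_pe(sections, timestamp, chars, dllchars=0):
    """Constructed test input: a PE32 image from (name, flags, payload) section tuples."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at offset 0x3C
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 224, chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)      # ImageBase
    struct.pack_into("<HH", opt, 68, 3, dllchars)  # Subsystem (CUI), DllCharacteristics
    table, raw, va, ptr = b"", b"", 0x1000, 0x40 + 4 + 20 + 224 + 40 * len(sections)
    for name, flags, payload in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload), va,
                             len(payload), ptr, 0, 0, 0, 0, flags)
        raw, ptr = raw + payload, ptr + len(payload)
        va += max(0x1000, (len(payload) + 0xFFF) & ~0xFFF)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + table + raw


# Constructed sample, not the analysed binary: a small .text, a .data of just over
# 1 MiB of uniformly distributed bytes (entropy 8.0) and the report's header flags.
SAMPLE = build_minimal_pe(
    [(b".text", 0x60000020, b"\x55\x8b\xec\xc3" * 64),
     (b".data", 0xC0000040, bytes(range(256)) * 4097)],
    timestamp=0x51637D87, chars=0x10F)
INFO = parse_pe(SAMPLE)
FINDINGS = pe_findings(INFO, len(SAMPLE))

if __name__ == "__main__":
    print(INFO["timestamp"], INFO["characteristics"], INFO["dll_characteristics"], *FINDINGS, sep="\n")
```

To run it against a real file, pass open(path, "rb").read() to parse_pe and len of the data to pe_findings. The PE32-only guard is deliberate: PE32+ moves ImageBase and DllCharacteristics to different offsets, and silently reading them with PE32 offsets produces confident nonsense.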
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x460060 | 0x4d8 | data | Chinese | China | 0.3379032258064516
DLL | Imports
KERNEL32.dll | DeleteFileA, GetTempFileNameA, GetTempPathA, FindClose, FindNextFileA, FindFirstFileA, WriteProfileStringA, CreatePipe, WritePrivateProfileStringA, GetPrivateProfileStringA, GetFileAttributesA, GetExitCodeProcess, GetStartupInfoA, OutputDebugStringA, CopyFileA, CreateProcessA, GetThreadContext, ReadProcessMemory, VirtualQueryEx, GetModuleHandleA, GetModuleFileNameA, VirtualFree, PeekNamedPipe, ReadFile, WaitForSingleObject, Sleep, VirtualProtectEx, WriteProcessMemory, SetThreadContext, ResumeThread, CloseHandle, GetSystemDirectoryA, TerminateProcess, VirtualAlloc, LoadLibraryA, GetProcAddress, GetProfileIntA, GetFullPathNameA, GetCommandLineA, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSection, MultiByteToWideChar, WideCharToMultiByte, SetEnvironmentVariableA, GetCurrentProcessId, GetTickCount, GetPrivateProfileIntA, GetCurrentProcess, GetTimeZoneInformation, GetLastError, GetEnvironmentVariableA, FreeLibrary
USER32.dll | ReleaseDC, MessageBoxA, GetActiveWindow, MessageBoxW, GetDC
SHELL32.dll | ShellExecuteA
MSVCP60.dll | ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z, ?_Xlen@std@@YAXXZ, ?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB, ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, ?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB, ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z, ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z, ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z, ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z, ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z, ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z, ?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ, ?_Xran@std@@YAXXZ, ?erase@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@II@Z, ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ, ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z, ?max_size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ, ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z, ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z, ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z, ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z, ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ, ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z, ?replace@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PAD0PBD1@Z, ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD0@Z, ?append@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z, ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z, ?replace@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@IIPBDI@Z, ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z, ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z, ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z, ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z, ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z, ?replace@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@IIID@Z, ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z, ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ, ?replace@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@IIABV12@II@Z, ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z, ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z, ?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
MSVCRT.dll | ??1exception@@UAE@XZ, fputc, isalnum, wprintf, fgetc, qsort, _putenv, wcslen, _strlwr, strrchr, isxdigit, isspace, floor, ceil, _CIpow, islower, tolower, isupper, realloc, toupper, _purecall, getenv, strcspn, _CIacos, _CIasin, isalpha, __dllonexit, _onexit, _exit, _XcptFilter, exit, __p___initenv, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3, ??1type_info@@UAE@XZ, _controlfp, strncmp, getc, ungetc, ftell, _iob, fprintf, fputs, fflush, _ftol, fscanf, strtok, sscanf, _tzset, time, localtime, strchr, fseek, fwrite, _fullpath, fopen, _filelength, fclose, malloc, fread, free, _splitpath, strstr, _makepath, sprintf, isdigit, atoi, atof, strncpy, printf, __CxxFrameHandler, ??2@YAPAXI@Z, memmove, _CxxThrowException, _stricmp, _fileno, _itoa, _strupr, _strnicmp, vprintf, _strdup
GDI32.dll | EnumFontFamiliesExA, CreateFontIndirectA, SelectObject, GetFontData, DeleteObject, GetTextCharset, EnumFontFamiliesA
ADVAPI32.dll | RegCloseKey, RegOpenKeyExA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegQueryValueExA, RegEnumKeyA
Exports. Unusually for a console executable, the image carries an export table; the names are decorated C++ __stdcall functions returning int, undecorated in the last column according to the MSVC mangling scheme.

Name | Ordinal | Address | Undecorated
?PDFTools_ClearAllLayerPrintFlag@@YGHXZ | 1 | 0x40b6c0 | int PDFTools_ClearAllLayerPrintFlag(void)
?PDFTools_DemoPDFFile@@YGHPBD00H@Z | 2 | 0x40a120 | int PDFTools_DemoPDFFile(const char *, const char *, const char *, int)
?PDFTools_ExtractPages@@YGHPAD00@Z | 3 | 0x40b250 | int PDFTools_ExtractPages(char *, char *, char *)
?PDFTools_MergePDFFiles@@YGHPAD0@Z | 4 | 0x40b290 | int PDFTools_MergePDFFiles(char *, char *)
?PDFTools_RemoveMetadata@@YGHPBD@Z | 5 | 0x40b5e0 | int PDFTools_RemoveMetadata(const char *)
?PDFTools_RunCmdCode@@YGHPBD0HQAPBD1@Z | 6 | 0x40a140 | int PDFTools_RunCmdCode(const char *, const char *, int, const char *[], const char *[])
?PDFTools_SetLayerPrintFlag@@YGHPBDH@Z | 7 | 0x40b690 | int PDFTools_SetLayerPrintFlag(const char *, int)
Language of compilation system | Country where language is spoken
Chinese | China
No network behavior found


Target ID:0
Start time:03:43:43
Start date:03/07/2024
Path:C:\Users\user\Desktop\MneP65rGYh.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\MneP65rGYh.exe"
Imagebase:0x400000
File size:4'587'520 bytes
MD5 hash:8C6088CD4FF4B8AD208E28F7A860AF92
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:1
Start time:03:43:43
Start date:03/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true


    Execution Graph

    Execution Coverage:5.9%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:10.2%
    Total number of Nodes:842
    Total number of Limit Nodes:8
    [Execution graph node listing omitted; the rendered graph is not recoverable as text. The nodes it lists cover: the file-reading helper at 0x4030a0 (fopen, _fileno, _filelength, malloc, fread, fclose, free); the date-dependent checks at 0x40e400 and 0x40deb0 (_tzset, time, localtime, then GetFileAttributesA and GetActiveWindow/MessageBoxW), reached from the exported PDFTools_* entry points at 0x40a140, 0x40b690 and 0x40b6c0; the same _tzset/time/localtime pattern at 0x405000 and 0x410d40; the directory walk at 0x404270 (_splitpath, FindFirstFileA, _makepath, GetFileAttributesA, FindNextFileA, FindClose), reached from 0x403c90 and 0x403e50; the PDFTools_MergePDFFiles export at 0x40b290 (malloc, strtok, free); and a group of std::basic_string helpers, malloc/free wrappers and _CxxThrowException paths in the 0x45f000 to 0x46d000 range.]
2708->2712 2709 410fa8 GetActiveWindow MessageBoxW 2709->2703 2710->2676 2711->2676 2712->2676 2713->2703 2713->2709 2714->2679 2716 4587b0 2715->2716 2717 45879f 2715->2717 2756 4ade80 free 2716->2756 2717->2716 2741 4617c0 2717->2741 2720 411891 2721 456e50 2720->2721 2722 456e75 2721->2722 2724 456e83 2721->2724 2722->2724 2765 4ade80 free 2722->2765 2725 456eb0 2724->2725 2766 4ade80 free 2724->2766 2729 456edd 2725->2729 2767 4ade80 free 2725->2767 2727 456f57 2769 4ade80 free 2727->2769 2732 456f0a 2729->2732 2768 4ade80 free 2729->2768 2732->2727 2734 461910 free 2732->2734 2733 4118a1 18 API calls 2733->2684 2733->2685 2734->2732 2735->2685 2736->2686 2737->2687 2738->2689 2739->2694 2740->2695 2757 4ade80 free 2741->2757 2743 4617f5 2744 461816 2743->2744 2758 4ade80 free 2743->2758 2745 461863 2744->2745 2759 461910 2744->2759 2762 4ade80 free 2745->2762 2750 46186c 2751 4618dc 2750->2751 2752 461910 free 2750->2752 2763 4ade80 free 2751->2763 2755 46189e ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N 2752->2755 2754 4618e5 2754->2717 2755->2750 2755->2751 2756->2720 2757->2743 2758->2744 2764 4ade80 free 2759->2764 2761 461849 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N 2761->2744 2761->2745 2762->2750 2763->2754 2764->2761 2765->2724 2766->2725 2767->2729 2768->2732 2769->2733 2770 466450 ??2@YAPAXI 2771 46f950 2772 46f978 2771->2772 2777 46bcd0 2772->2777 2774 46f9e0 2775 46bcd0 11 API calls 2774->2775 2776 46f9f1 2775->2776 2778 46bd02 2777->2778 2779 46bcef 2777->2779 2780 46bd39 _CxxThrowException 2778->2780 2785 46bd1f 2778->2785 2779->2774 2781 46bda3 2780->2781 2782 46bd7f 2780->2782 2784 46bddf _CxxThrowException 2781->2784 2789 46bdc0 2781->2789 2783 46bd8d 2782->2783 2792 46be00 2782->2792 2783->2774 2786 46bbe0 2 API calls 2785->2786 
2788 46bd25 2786->2788 2788->2774 2795 46bc50 2789->2795 2791 46bdcb 2791->2774 2793 46be10 2792->2793 2794 46be08 free 2792->2794 2793->2783 2794->2793 2796 46bc90 2795->2796 2797 46bc6d 2795->2797 2800 46bca5 malloc 2796->2800 2801 46bc99 realloc 2796->2801 2798 46bc75 free 2797->2798 2799 46bc7f 2797->2799 2798->2799 2799->2791 2802 46bcae 2800->2802 2801->2802 2802->2799 2803 46bcb2 _CxxThrowException 2802->2803 2808 46bcd0 2803->2808 2804 46bcef 2804->2791 2805 46bd39 _CxxThrowException 2806 46bda3 2805->2806 2807 46bd7f 2805->2807 2810 46bddf _CxxThrowException 2806->2810 2815 46bdc0 2806->2815 2809 46bd8d 2807->2809 2813 46be00 free 2807->2813 2808->2804 2808->2805 2811 46bd1f 2808->2811 2809->2791 2812 46bbe0 2 API calls 2811->2812 2814 46bd25 2812->2814 2813->2809 2814->2791 2816 46bc50 3 API calls 2815->2816 2817 46bdcb 2816->2817 2817->2791 3205 466210 3206 466228 3205->3206 3207 46621b 3205->3207 3209 46623f 3206->3209 3235 477c20 3206->3235 3225 477530 3207->3225 3221 466256 3209->3221 3261 460270 3209->3261 3217 46626d fclose 3219 466277 3217->3219 3220 4665c0 free 3219->3220 3224 46628b 3219->3224 3222 466285 3220->3222 3221->3217 3221->3219 3273 4ade80 free 3222->3273 3230 477537 3225->3230 3233 466222 3225->3233 3228 477563 3228->3233 3286 4742f0 3228->3286 3230->3228 3274 477740 3230->3274 3285 4ade80 free 3230->3285 3234 4ade80 free 3233->3234 3234->3206 3236 477c69 3235->3236 3244 477c2b 3235->3244 3237 45f6a0 2 API calls 3236->3237 3240 477c75 3237->3240 3238 477c57 3239 46be00 free 3238->3239 3241 477c60 3239->3241 3242 45f6a0 2 API calls 3240->3242 3245 46be00 free 3241->3245 3246 477c7d 3242->3246 3244->3238 3301 4791e0 3244->3301 3311 4ade80 free 3244->3311 3245->3236 3249 4665c0 free 3246->3249 3254 477c91 3246->3254 3248 45f6a0 2 API calls 3251 477c9c 3248->3251 3250 477c8b 3249->3250 3312 4ade80 free 3250->3312 3253 45f6a0 2 API calls 3251->3253 3255 477ca4 3253->3255 3254->3248 3256 45f6a0 2 API calls 3255->3256 3257 477cac 3256->3257 
3258 45f6a0 2 API calls 3257->3258 3259 466239 3258->3259 3260 4ade80 free 3259->3260 3260->3209 3262 46be00 free 3261->3262 3263 46027c 3262->3263 3264 45f6a0 2 API calls 3263->3264 3265 460287 3264->3265 3266 46be00 free 3265->3266 3268 460294 3265->3268 3266->3268 3267 4602ab 3272 4ade80 free 3267->3272 3268->3267 3329 4600c0 3268->3329 3272->3221 3273->3224 3290 4778b0 3274->3290 3277 477755 3279 45f6a0 2 API calls 3277->3279 3278 46be00 free 3278->3277 3280 47776d 3279->3280 3281 45f6a0 2 API calls 3280->3281 3282 477775 3281->3282 3283 45f6a0 2 API calls 3282->3283 3284 47777d 3283->3284 3284->3230 3285->3230 3287 46be00 free 3286->3287 3288 4742f8 3287->3288 3289 4ade80 free 3288->3289 3289->3233 3291 477748 3290->3291 3297 4778bb 3290->3297 3291->3277 3291->3278 3292 4778e7 3292->3291 3293 4742f0 free 3292->3293 3294 4778f4 3293->3294 3300 4ade80 free 3294->3300 3295 477740 2 API calls 3295->3297 3297->3292 3297->3295 3299 4ade80 free 3297->3299 3299->3297 3300->3291 3302 4791eb 3301->3302 3310 4791f8 3301->3310 3313 478eb0 3302->3313 3303 45f6a0 2 API calls 3305 479203 3303->3305 3307 45f6a0 2 API calls 3305->3307 3309 47920b 3307->3309 3309->3244 3310->3303 3311->3244 3312->3254 3314 45f6a0 2 API calls 3313->3314 3315 478ebe 3314->3315 3316 45f6a0 2 API calls 3315->3316 3317 478ec9 3316->3317 3318 45f6a0 2 API calls 3317->3318 3319 478ed4 3318->3319 3320 45f6a0 2 API calls 3319->3320 3321 478edf 3320->3321 3322 45f6a0 2 API calls 3321->3322 3323 478eea 3322->3323 3324 45f6a0 2 API calls 3323->3324 3325 478ef5 3324->3325 3326 45f6a0 2 API calls 3325->3326 3327 478f00 3326->3327 3328 4ade80 free 3327->3328 3328->3310 3332 4600ca 3329->3332 3335 4600f8 3329->3335 3330 46be00 free 3331 460105 3330->3331 3337 4ade80 free 3331->3337 3334 45f6a0 2 API calls 3332->3334 3336 4600ee 3332->3336 3334->3332 3335->3330 3338 4ade80 free 3336->3338 3337->3267 3338->3335 2818 473650 2819 473679 2818->2819 2820 47368e ??2@YAPAXI 2819->2820 2827 4736e2 2819->2827 2821 
4736a5 2820->2821 2823 4736bd 2820->2823 2828 46e070 2821->2828 2823->2827 2832 46e130 2823->2832 2829 46e0ac 2828->2829 2831 46e0f7 2828->2831 2830 46bbe0 2 API calls 2829->2830 2829->2831 2830->2831 2831->2823 2833 46be00 free 2832->2833 2834 46e139 2833->2834 2835 4ade80 free 2834->2835 2835->2827 2430 4031a0 GetSystemDirectoryA 2431 4031d8 GetPrivateProfileStringA _splitpath 2430->2431 2462 401ae0 2431->2462 2435 4038fd 2436 403957 6 API calls 2435->2436 2439 402960 6 API calls 2435->2439 2466 401bc0 2436->2466 2438 4036e2 2441 40373c 2438->2441 2477 402960 2438->2477 2444 403923 2439->2444 2442 4037a3 2441->2442 2443 403744 GetProfileIntA 2441->2443 2445 403ac2 2442->2445 2451 4037e4 2442->2451 2452 40383f _splitpath _makepath 2442->2452 2446 403813 printf ShellExecuteA 2443->2446 2447 403764 2443->2447 2444->2436 2448 40392a WritePrivateProfileStringA printf 2444->2448 2447->2446 2450 40376c _itoa WriteProfileStringA printf 2447->2450 2448->2436 2450->2442 2454 40388d strstr 2451->2454 2452->2454 2453 403708 2453->2441 2455 40370f WritePrivateProfileStringA printf 2453->2455 2456 4038c3 strstr 2454->2456 2457 4038a8 strstr 2454->2457 2455->2441 2459 4038d2 strstr 2456->2459 2460 4038ed 2456->2460 2457->2456 2458 4038b7 _fullpath 2457->2458 2458->2456 2459->2460 2461 4038e1 _fullpath 2459->2461 2461->2460 2463 401afe 2462->2463 2464 401b7f 2462->2464 2463->2464 2485 401d40 2463->2485 2464->2435 2464->2438 2467 401bd2 2466->2467 2468 401bec printf 2466->2468 2467->2468 2469 401c14 printf 2468->2469 2470 401c09 printf 2468->2470 2471 401ca0 20 API calls 2469->2471 2472 401c24 printf 2469->2472 2470->2469 2471->2445 2473 401c4d printf 2472->2473 2475 401c81 printf 2473->2475 2476 401c8c printf 2473->2476 2475->2476 2476->2471 2476->2472 2478 402984 atoi atoi 2477->2478 2479 40297c 2477->2479 2480 4029c5 atoi atoi 2478->2480 2481 4029bb 2478->2481 2479->2453 2482 4029f5 2480->2482 2483 4029ff atoi atoi 2480->2483 2481->2453 2482->2453 2484 402a2f 2483->2484 
2484->2453 2486 401d65 2485->2486 2487 401e38 printf 2485->2487 2488 401df9 2486->2488 2489 401d7a 2486->2489 2490 401dbf 2486->2490 2494 401d6c 2486->2494 2487->2494 2491 401e02 strncpy 2488->2491 2488->2494 2489->2494 2499 401e90 2489->2499 2490->2494 2504 401ed0 2490->2504 2491->2494 2494->2463 2494->2494 2496 401dd5 2496->2494 2497 401ddc atof 2496->2497 2497->2494 2498 401d9f atoi 2498->2494 2500 401e9c isdigit 2499->2500 2502 401d94 2500->2502 2503 401eb5 isdigit 2500->2503 2502->2494 2502->2498 2503->2502 2503->2503 2505 401edc isdigit 2504->2505 2507 401f08 isdigit 2505->2507 2508 401ef8 isdigit 2505->2508 2510 401f1c isdigit 2507->2510 2512 401f2c 2507->2512 2508->2507 2508->2508 2510->2510 2510->2512 2511 401f68 2511->2496 2512->2511 2513 401f48 isdigit 2512->2513 2514 401f56 2513->2514 2515 401f59 isdigit 2513->2515 2514->2496 2515->2511 2515->2515 2836 4023e0 _splitpath _stricmp 2837 402477 _stricmp 2836->2837 2841 4024db 2836->2841 2839 402491 _stricmp 2837->2839 2837->2841 2838 4026e3 sprintf 2840 402725 2838->2840 2845 402754 2838->2845 2839->2841 2842 4024ab _stricmp 2839->2842 2843 40272f sprintf 2840->2843 2840->2845 2841->2838 2842->2841 2846 4024c5 _stricmp 2842->2846 2843->2845 2844 40278d 2848 402892 sprintf 2844->2848 2849 40279b _splitpath strstr 2844->2849 2845->2844 2847 402768 sprintf 2845->2847 2846->2841 2850 40251c _stricmp 2846->2850 2847->2844 2854 4028bd sprintf 2848->2854 2852 40283a _makepath sprintf 2849->2852 2853 40280b 2849->2853 2850->2841 2851 402573 _stricmp 2850->2851 2851->2841 2855 4025ca _stricmp 2851->2855 2852->2854 2853->2852 2860 401ff0 2854->2860 2855->2841 2858 4025ee _stricmp 2855->2858 2857 4028ff GetFileAttributesA 2858->2841 2859 402612 _stricmp 2858->2859 2859->2838 2859->2841 2861 401ffa 2860->2861 2862 40200d 2861->2862 2867 406070 2861->2867 2864 402024 2862->2864 2917 401950 2862->2917 2864->2857 2868 4060c4 ??2@YAPAXI 2867->2868 2872 406126 2867->2872 2878 4060e8 2868->2878 2871 4063e4 2875 4068e0 2 API 
calls 2871->2875 2873 406199 ??2@YAPAXI 2872->2873 2874 4061f5 2872->2874 2885 4061b4 2873->2885 2877 4062d8 ??2@YAPAXI 2874->2877 2880 406334 2874->2880 2876 406403 2875->2876 2879 4068e0 2 API calls 2876->2879 2888 4062f3 2877->2888 2933 4ade80 free 2878->2933 2881 406422 2879->2881 2936 4068e0 2880->2936 2883 4068e0 2 API calls 2881->2883 2884 406441 2883->2884 2886 4068e0 2 API calls 2884->2886 2934 4ade80 free 2885->2934 2887 406460 2886->2887 2890 4068e0 2 API calls 2887->2890 2935 4ade80 free 2888->2935 2891 40647f 2890->2891 2893 4068e0 2 API calls 2891->2893 2894 40649e 2893->2894 2895 4068e0 2 API calls 2894->2895 2896 4064bd 2895->2896 2897 4068e0 2 API calls 2896->2897 2898 4064dc 2897->2898 2899 4068e0 2 API calls 2898->2899 2900 4064fb 2899->2900 2901 4068e0 2 API calls 2900->2901 2902 40651a 2901->2902 2903 4068e0 2 API calls 2902->2903 2904 406539 2903->2904 2905 4068e0 2 API calls 2904->2905 2906 406558 2905->2906 2907 4068e0 2 API calls 2906->2907 2908 406577 2907->2908 2909 4068e0 2 API calls 2908->2909 2910 406596 2909->2910 2911 4068e0 2 API calls 2910->2911 2912 4065b5 2911->2912 2943 406630 2912->2943 2914 4065ec 2948 4ade80 free 2914->2948 2916 406609 2916->2862 2951 4010d0 2917->2951 2919 4019b3 2931 401a57 2919->2931 2960 401540 2919->2960 2920 401a77 CloseHandle 2921 401a7a 2920->2921 2923 401a83 CloseHandle 2921->2923 2924 401a86 2921->2924 2923->2924 2926 401a8b CloseHandle 2924->2926 2927 401a8e 2924->2927 2925 4019eb VirtualFree VirtualFree 2928 401a19 2925->2928 2925->2931 2926->2927 2927->2857 2982 4017a0 2928->2982 2931->2920 2931->2921 2933->2872 2934->2874 2935->2880 2937 406907 ??2@YAPAXI 2936->2937 2939 4069e9 2936->2939 2941 406944 2937->2941 2939->2871 2939->2939 2949 4ade80 free 2941->2949 2942 40699e 2942->2871 2946 40664b 2943->2946 2944 4066b3 2944->2914 2945 40673e ??2@YAPAXI 2945->2946 2946->2944 2946->2945 2950 4ade80 free 2946->2950 2948->2916 2949->2942 2950->2946 2952 40125b 2951->2952 2953 4010df 2951->2953 
2952->2919 2953->2952 2954 401146 VirtualAlloc 2953->2954 2955 401251 2954->2955 2958 401166 memmove 2954->2958 2955->2919 2957 4011bd 2957->2955 2959 4011f1 memmove 2957->2959 2958->2957 2959->2957 2996 401270 2960->2996 2962 401571 2963 40157e 2962->2963 3000 4013d0 CreatePipe 2962->3000 2963->2925 2965 4015c4 2966 401785 2965->2966 2969 4015f1 VirtualProtectEx 2965->2969 2973 40160b 2965->2973 3010 4ade80 free 2966->3010 2968 40178b 2968->2925 2970 40167b 2969->2970 2971 401692 WriteProcessMemory WriteProcessMemory 2970->2971 2972 40175c TerminateProcess CloseHandle CloseHandle 2970->2972 2974 4016d0 SetThreadContext ResumeThread CloseHandle 2971->2974 2975 40172d TerminateProcess CloseHandle CloseHandle 2971->2975 2972->2966 2973->2970 3005 401380 LoadLibraryA 2973->3005 2974->2966 2975->2966 2979 40162a VirtualAllocEx 2980 401645 2979->2980 2980->2970 2980->2971 2981 40165a VirtualAllocEx 2980->2981 2981->2970 2981->2972 2983 4017aa 2982->2983 2984 40193d 2983->2984 2985 4017c8 PeekNamedPipe 2983->2985 2984->2931 2995 4ade80 free 2984->2995 2985->2984 2991 401806 2985->2991 2986 4018f3 WaitForSingleObject 2986->2984 2988 401905 Sleep 2986->2988 2987 40181a ReadFile 2987->2984 2987->2991 2990 40190d PeekNamedPipe 2988->2990 2989 401862 ?_Xlen@std@ 2989->2991 2990->2984 2990->2991 2991->2986 2991->2987 2991->2989 2991->2990 2992 40187c ?_Xlen@std@ 2991->2992 2993 4018b0 ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI 2991->2993 2994 4018c0 ?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI 2991->2994 2992->2991 2993->2990 2994->2991 2995->2931 2997 401275 2996->2997 2998 401305 2997->2998 2999 40127d ??2@YAPAXI GetModuleFileNameA 2997->2999 2998->2962 2999->2962 3001 401450 3000->3001 3002 40145c CreateProcessA 3000->3002 3001->2965 3003 40152e 3002->3003 3004 4014ae GetThreadContext ReadProcessMemory VirtualQueryEx 3002->3004 3003->2965 3004->3003 3006 401395 GetProcAddress 3005->3006 3007 4013bf 3005->3007 3008 
4013a5 3006->3008 3009 4013b8 FreeLibrary 3006->3009 3007->2979 3007->2980 3008->3009 3009->3007 3010->2968 3011 40b5e0 3014 411420 20 API calls 3011->3014 3013 40b605 3018 456d10 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N 3014->3018 3016 411690 3017 4116a0 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N ??2@YAPAXI 3016->3017 3017->3013 3019 456de5 ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N 3018->3019 3020 456dc1 3018->3020 3021 456e09 3019->3021 3020->3019 3021->3016 3339 45f4a0 ??2@YAPAXI 3340 45f4d9 3339->3340 3341 4662a0 3343 4662bb 3341->3343 3342 4662e0 strncmp 3342->3343 3344 466300 3342->3344 3343->3342 3349 4662fe 3343->3349 3345 466350 printf 3344->3345 3347 466311 strtok 3344->3347 3346 46635e 3345->3346 3347->3345 3348 466328 atof 3347->3348 3348->3349 3349->3345 3349->3346 2386 405570 _tzset time localtime 2387 405708 2386->2387 2388 4056da 2386->2388 2390 405710 2387->2390 2391 40573e 2387->2391 2389 405850 2388->2389 2392 4056eb GetActiveWindow MessageBoxW 2388->2392 2390->2389 2394 405721 GetActiveWindow MessageBoxW 2390->2394 2393 4057ba 2391->2393 2395 40577c 2391->2395 2396 40574e 2391->2396 2393->2389 2399 40583a GetActiveWindow MessageBoxW 2393->2399 2397 4057b2 2395->2397 2398 405784 2395->2398 2396->2389 2400 40575f GetActiveWindow MessageBoxW 2396->2400 2397->2393 2401 4057d5 2397->2401 2402 4057fb 2397->2402 2398->2389 2403 405795 GetActiveWindow MessageBoxW 2398->2403 2399->2389 2401->2389 2405 4057de GetActiveWindow MessageBoxW 2401->2405 2402->2393 2404 405803 2402->2404 2404->2389 2406 40580c GetActiveWindow MessageBoxW 2404->2406 3022 404470 3023 4044a0 3022->3023 3041 404595 3022->3041 3024 4044aa _splitpath _stricmp 3023->3024 3023->3041 3025 404552 _stricmp 3024->3025 3026 4045b3 3024->3026 3025->3026 3029 404565 3025->3029 3027 4045c0 _splitpath strstr 3026->3027 
3028 404742 GetFileAttributesA 3026->3028 3030 404619 3027->3030 3031 4045f9 sprintf 3027->3031 3033 404752 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N 3028->3033 3034 4047de _splitpath strstr 3028->3034 3032 40458b 3029->3032 3056 407500 3029->3056 3039 404675 _makepath _makepath 3030->3039 3031->3039 3062 4ade80 free 3032->3062 3035 404784 3033->3035 3037 404840 3034->3037 3038 404843 _makepath 3034->3038 3044 4047c3 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N 3035->3044 3037->3038 3042 404270 10 API calls 3038->3042 3043 404270 10 API calls 3039->3043 3045 404738 3042->3045 3043->3045 3044->3045 3045->3032 3046 4048f2 _splitpath _stricmp 3045->3046 3047 4048dc ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N 3045->3047 3048 404931 _stricmp 3046->3048 3053 404944 3046->3053 3047->3047 3049 4048ed 3047->3049 3048->3053 3054 404983 3048->3054 3049->3046 3050 4049cb 3076 4ade80 free 3050->3076 3053->3054 3063 404070 GetFileAttributesA 3053->3063 3054->3050 3075 4ade80 free 3054->3075 3057 407518 3056->3057 3058 40750a 3056->3058 3059 40754a 3057->3059 3078 4ade80 free 3057->3078 3058->3057 3077 4ade80 free 3058->3077 3059->3029 3062->3041 3064 40409a _splitpath 3063->3064 3065 40408d 3063->3065 3079 402a60 3064->3079 3065->3053 3067 4040da DeleteFileA GetModuleFileNameA _splitpath _makepath 3068 40417b 3067->3068 3069 4041c6 sprintf 3068->3069 3071 404257 3068->3071 3083 403f10 3069->3083 3071->3053 3072 404216 GetFileAttributesA 3073 404239 DeleteFileA CopyFileA DeleteFileA 3072->3073 3074 40422c 3072->3074 3073->3071 3074->3053 3075->3054 3076->3041 3077->3057 3078->3059 3080 402a77 GetTempPathA GetTempFileNameA DeleteFileA 3079->3080 3081 402a6e 3079->3081 3082 402ab5 3080->3082 3081->3067 3082->3067 3084 403f23 3083->3084 3085 403f2f OutputDebugStringA OutputDebugStringA GetStartupInfoA 3083->3085 
3084->3072 3086 403f99 CreateProcessA 3085->3086 3088 404000 3086->3088 3089 40400c 3086->3089 3088->3072 3090 404010 3089->3090 3091 40401b WaitForSingleObject 3089->3091 3090->3072 3092 404064 3091->3092 3093 40402c GetExitCodeProcess 3091->3093 3092->3072 3094 404040 3093->3094 3095 40404c CloseHandle CloseHandle 3093->3095 3094->3072 3095->3092 3350 402db0 3351 403087 3350->3351 3352 402dc9 3350->3352 3352->3351 3353 402dd7 _splitpath GetFileAttributesA 3352->3353 3354 402e11 3353->3354 3355 402e38 _makepath 3353->3355 3354->3355 3357 402e15 3354->3357 3355->3357 3356 402f0e _splitpath 3356->3357 3357->3351 3357->3356 3358 402fec ?_Xlen@std@ 3357->3358 3359 40301e ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N 3357->3359 3360 403036 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N 3357->3360 3361 403040 ?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI 3357->3361 3358->3357 3359->3357 3360->3361 3361->3357 3096 466670 3097 466682 ??2@YAPAXI 3096->3097 3101 4666b1 3096->3101 3099 46675d 3097->3099 3100 466707 ??2@YAPAXI 3102 466725 3100->3102 3101->3099 3101->3100 3104 4ade80 free 3102->3104 3104->3099 3105 46f170 3106 46f199 3105->3106 3107 46f1ae ??2@YAPAXI 3106->3107 3110 46f202 3106->3110 3108 46f1c5 3107->3108 3111 46f1dd 3107->3111 3109 46e070 2 API calls 3108->3109 3109->3111 3111->3110 3112 46e130 free 3111->3112 3113 46f1fc 3112->3113 3115 4ade80 free 3113->3115 3115->3110 3362 46c5b0 3363 46c5cf 3362->3363 3364 46c5bb 3362->3364 3363->3364 3370 46c820 2 API calls 3363->3370 3365 45f6a0 2 API calls 3364->3365 3366 46c629 3365->3366 3367 46c64b 3366->3367 3371 46c8a0 3366->3371 3369 46c65d 3370->3364 3373 46c8bf 3371->3373 3372 46c820 2 API calls 3372->3373 3373->3372 3374 46c8f4 3373->3374 3376 46c912 3373->3376 3374->3369 3375 46c820 2 API calls 3375->3376 3376->3375 3377 46cfc3 printf 3376->3377 3380 46cfc1 3376->3380 3377->3380 3378 46be20 2 API calls 3379 46d013 3378->3379 
3379->3369 3380->3378 3380->3379 3381 4adf34 __set_app_type __p__fmode __p__commode 3382 4adfa2 3381->3382 3386 4ae096 _controlfp 3382->3386 3384 4adfbc _initterm __getmainargs _initterm __p___initenv 3385 405860 3384->3385 3386->3384
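    The injection routine's call order is easier to reason about as data than as a graph. The following is an added example, not part of the Joe Sandbox report and not code from the analysed binary or its vendor: it transcribes the call sequences of three routines from the graph above into lists and runs a generic ordered-subsequence matcher for the hollowing pattern over them. Everything in SAMPLE is hand-copied from the report's graph with branches flattened into one path; the NtUnmapViewOfSection alternative in the pattern is an assumption drawn from general knowledge of the technique, not from this sample. Only the 0x401540 routine completes all six steps; 0x403f10, which launches a helper and waits for it, stops after CreateProcessA, which is why the steps are matched in order rather than by counting imports.

```python
"""Ordered-API-sequence check for the process-hollowing pattern.

Added example: not part of the Joe Sandbox report and not code from the
analysed binary. SAMPLE below is a hand transcription (constructed test data)
of the call order shown in the report's control-flow graph for the routine at
0x401540 and its callees, plus two routines from the same graph that launch or
talk to a child process without writing into it, for contrast.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Hollowing, step by step. Each step is the set of API names (A/W suffix
# stripped) that satisfy it; steps must occur in this order, with any number of
# unrelated calls in between. NtUnmapViewOfSection does not appear in the
# report; it is listed as the other common way to make room for the new image
# (assumption, from general knowledge of the technique).
HOLLOWING = (
    {"CreateProcess"},                           # spawn the target, normally suspended
    {"GetThreadContext"},                        # read the main thread's registers
    {"VirtualAllocEx", "NtUnmapViewOfSection"},  # make room in the target
    {"WriteProcessMemory"},                      # write the replacement image
    {"SetThreadContext"},                        # point the thread at the new entry
    {"ResumeThread"},                            # run it
)

# CreateProcessA -> CreateProcess, MessageBoxW -> MessageBox; leaves VirtualAllocEx alone.
_AW_SUFFIX = re.compile(r"(?<=[a-z])[AW]$")


def normalize(api: str) -> str:
    """Fold ANSI/Unicode variants so both spellings satisfy the same step."""
    return _AW_SUFFIX.sub("", api)


@dataclass
class Match:
    steps_hit: int
    total: int
    matched: list[str] = field(default_factory=list)

    @property
    def complete(self) -> bool:
        return self.steps_hit == self.total


def match_ordered(calls: list[str], pattern=HOLLOWING) -> Match:
    """Greedy in-order match; stops at the first step that never shows up."""
    result = Match(0, len(pattern))
    pos = 0
    for step in pattern:
        for i in range(pos, len(calls)):
            if normalize(calls[i]) in step:
                result.matched.append(calls[i])
                result.steps_hit += 1
                pos = i + 1
                break
        else:
            break  # step missing: later steps cannot count without it
    return result


def scan(functions: dict[str, list[str]]) -> dict[str, Match]:
    """Run the pattern over every function's call list."""
    return {addr: match_ordered(seq) for addr, seq in functions.items()}


SAMPLE = {
    # 0x401540 -> 0x401270 -> 0x4013d0 -> 0x401380 -> ..., as drawn in the report
    "0x401540": [
        "GetModuleFileNameA", "CreatePipe", "CreateProcessA",
        "GetThreadContext", "ReadProcessMemory", "VirtualQueryEx",
        "LoadLibraryA", "GetProcAddress", "FreeLibrary", "VirtualProtectEx",
        "VirtualAllocEx", "VirtualAllocEx", "WriteProcessMemory",
        "WriteProcessMemory", "SetThreadContext", "ResumeThread",
        "CloseHandle",
    ],
    # 0x403f10: runs a helper and waits for it; never touches the child's memory
    "0x403f10": [
        "OutputDebugStringA", "OutputDebugStringA", "GetStartupInfoA",
        "CreateProcessA", "WaitForSingleObject", "GetExitCodeProcess",
        "CloseHandle", "CloseHandle",
    ],
    # 0x4017a0: drains the pipe set up by CreatePipe above
    "0x4017a0": ["PeekNamedPipe", "ReadFile", "WaitForSingleObject", "Sleep"],
}


if __name__ == "__main__":
    for addr, m in scan(SAMPLE).items():
        verdict = "HOLLOWING" if m.complete else f"{m.steps_hit}/{m.total} steps"
        print(f"{addr}: {verdict:<12} {' -> '.join(m.matched)}")
```

    The same matcher works on an API trace from a monitor or EDR: feed each process's chronological call list as the dict values. Matching in order, with gaps allowed, is what separates a launcher that happens to import CreateProcessA and CloseHandle from a routine that actually writes and redirects a child.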

    Control-flow Graph

    APIs
    Strings
    • %s C:\in.xps C:\out.png, xrefs: 00403AA9
    • XPS to PDF Converter does convert XPS files to PDF, EPS, PS, BMP, TIFF, JPEG, PNG, PCX, etc. formats., xrefs: 0040395E
    • Email: support@verydoc.com, xrefs: 00403973
    • %s C:\in.xps C:\out.jpg, xrefs: 00403A9A
    • %s -linearize C:\in.xps C:\out.pdf, xrefs: 004039D4
    • Release Date: Apr 9 2013, xrefs: 0040397A
    • %s C:\in.xps C:\out.bmp, xrefs: 00403A7C
    • regcode, xrefs: 00403264, 00403722, 0040393D
    • The trial version has expired, please purchase a full version from http://www.verydoc.com web site., xrefs: 00403813
    • http://www.verypdf.com, xrefs: 00403965
    • %s C:\in.xps C:\out.tif, xrefs: 00403A8B
    • %s -xres 600 -yres 600 -bitcount 1 C:\in.xps C:\out.tif, xrefs: 00403A4F
    • %s -xres 600 -yres 600 C:\in.xps C:\out.jpg, xrefs: 00403A10
    • %s -producer "Test Producer" -creator "Test Creator" -subject "Test Subject" C:\in.xps C:\out.pdf, xrefs: 004039C2
    • \, xrefs: 004031CE
    • xps2pdf.ini, xrefs: 00403214
    • %s C:\in\*.xps C:\out\*.pdf, xrefs: 004039B3
    • Trial, xrefs: 00403745, 00403781
    • %s -width 1024 -height 768 C:\in.xps C:\out-%%04d.jpg, xrefs: 00403A2E
    • %s C:\in.xps C:\out.pcx, xrefs: 00403AB8
    • %s C:\in.xps C:\out.pdf, xrefs: 004039A4
    • %s C:\in.xps C:\out.eps, xrefs: 00403A6D
    • Examples:, xrefs: 00403995
    • open, xrefs: 00403826
    • XPS to PDF Converter Command Line v2.0, xrefs: 00403957
    • %s -xres 600 -yres 600 -bitcount 1 C:\in.xps C:\out-%%04d.tif, xrefs: 00403A3D
    • <xps-file> [<out-file>], xrefs: 00403986
    • for /r D:\test %%F in (*.xps) do "%s" "%%F" "%%~dpnF.pdf", xrefs: 004039F2
    • %s -xres 600 -yres 600 C:\in.xps C:\out-%%04d.jpg, xrefs: 00403A1F
    • %s -ownerpwd 123 -keylen 2 -permission 128 C:\in.xps C:\out.pdf, xrefs: 004039E3
    • for %%F IN (D:\test\*.xps) DO "%s" "%%F" "%%~dpnF.pdf", xrefs: 00403A01
    • Thank you for choosing our product., xrefs: 00403732, 0040394D
    • http://www.verypdf.com, xrefs: 00403821
    • .pdf, xrefs: 0040386A
    • %s C:\in.xps C:\out.ps, xrefs: 00403A5E
    • http://www.verydoc.com, xrefs: 0040396C
    • xps2pdf, xrefs: 00403269, 00403727, 0040374A, 00403786, 00403942, 0040398B
    • You have %d time to evaluate this product, you may purchase a full version from http://www.verydoc.com web site., xrefs: 00403799
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID: printf$Profile$Stringstrstr$PrivateWrite$_fullpath_splitpath$DirectoryExecuteShellSystem_itoa_makepath
    • String ID: %s -linearize C:\in.xps C:\out.pdf$ %s -ownerpwd 123 -keylen 2 -permission 128 C:\in.xps C:\out.pdf$ %s -producer "Test Producer" -creator "Test Creator" -subject "Test Subject" C:\in.xps C:\out.pdf$ %s -width 1024 -height 768 C:\in.xps C:\out-%%04d.jpg$ %s -xres 600 -yres 600 -bitcount 1 C:\in.xps C:\out-%%04d.tif$ %s -xres 600 -yres 600 -bitcount 1 C:\in.xps C:\out.tif$ %s -xres 600 -yres 600 C:\in.xps C:\out-%%04d.jpg$ %s -xres 600 -yres 600 C:\in.xps C:\out.jpg$ %s C:\in.xps C:\out.bmp$ %s C:\in.xps C:\out.eps$ %s C:\in.xps C:\out.jpg$ %s C:\in.xps C:\out.pcx$ %s C:\in.xps C:\out.pdf$ %s C:\in.xps C:\out.png$ %s C:\in.xps C:\out.ps$ %s C:\in.xps C:\out.tif$ %s C:\in\*.xps C:\out\*.pdf$ for %%F IN (D:\test\*.xps) DO "%s" "%%F" "%%~dpnF.pdf"$ for /r D:\test %%F in (*.xps) do "%s" "%%F" "%%~dpnF.pdf"$.pdf$<xps-file> [<out-file>]$Email: support@verydoc.com$Examples:$Release Date: Apr 9 2013$Thank you for choosing our product.$The trial version has expired, please purchase a full version from http://www.verydoc.com web site.$Trial$XPS to PDF Converter Command Line v2.0$XPS to PDF Converter does convert XPS files to PDF, EPS, PS, BMP, TIFF, JPEG, PNG, PCX, etc. formats.$You have %d time to evaluate this product, you may purchase a full version from http://www.verydoc.com web site.$\$http://www.verydoc.com$http://www.verypdf.com$http://www.verypdf.com$open$regcode$xps2pdf$xps2pdf.ini
    • API String ID: 2805151382-3433409666
    • Opcode ID: 31d3900e62bc650ff9b38b101e6d7934c867903dcb353cce8dfff103371366b9
    • Instruction ID: 414524d786352ad04f1279fe909b3fe453781379bc67237a6aed979414bf94f9
    • Opcode Fuzzy Hash: 31d3900e62bc650ff9b38b101e6d7934c867903dcb353cce8dfff103371366b9
    • Instruction Fuzzy Hash: A1223BB15083849FDB34DF64C885AEFBBE9FBC5304F01492EE98997680DBB05608CB56

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID: ActiveMessageWindow$_tzsetlocaltimetime
    • String ID: -$1$9$@$C$I$d$e$f$g$h$i$m$n$o$o$p$p$r$r$t$v
    • API String ID: 1242371391-2262430594
    • Opcode ID: 3d1a9c2b3eb101e9659e879b8003ad0ad45bcfe5bd05ff05f6aff4ea344cff22
    • Instruction ID: a423e8fb22662c803515dcb97eb8befc53bf21a1c66e84a740cdc109ca34cb61
    • Opcode Fuzzy Hash: 3d1a9c2b3eb101e9659e879b8003ad0ad45bcfe5bd05ff05f6aff4ea344cff22
    • Instruction Fuzzy Hash: 96617C30518300D6DB24AB60D948B2F77E5EFE4704F50AD2EF648A76A0E3BD85488B1F

    Control-flow Graph

    [Control-flow graph for 0x405290 rendered as a text dump; omitted. Recoverable structure: blocks 0x405290-0x40542b build a std::string via ?_Tidy, ?_Grow, ?_Eos and ?_Xlen (MSVCP60); 0x40542d calls _tzset, time, localtime; the following blocks compare the result field by field and end either in GetActiveWindow/MessageBoxA at 0x40550a or in the free at 0x4ade80. The executed/not-executed colouring of the blocks is not recoverable from the text.]
    APIs
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 004052BD
    • ?_Xlen@std@@YAXXZ.MSVCP60 ref: 004053ED
    • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000), ref: 00405401
    • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?), ref: 00405421
    • _tzset.MSVCRT ref: 0040542D
    • time.MSVCRT ref: 00405438
    • localtime.MSVCRT ref: 00405443
    • GetActiveWindow.USER32 ref: 0040550F
    • MessageBoxA.USER32(00000000), ref: 00405516
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$ActiveEos@?$basic_string@Grow@?$basic_string@MessageTidy@?$basic_string@WindowXlen@std@@_tzsetlocaltimetime
    • String ID: ($)$b$c$d$e$f$g$h$i$m$t$v
    • API String ID: 2188903234-1125730296

    Control-flow Graph

    Similarity
    • API ID: printf
    • String ID: %s$ %s$ <fp>$ <int>$ <string>$%-*s$: %s$Usage: %s [options]
    • API String ID: 3524737521-1998836345

    Control-flow Graph

    Similarity
    • API ID: _filelength_filenofclosefopen
    • String ID: www.verypdf.com
    • API String ID: 1636337091-232608753

    Control-flow Graph

    APIs
    • _splitpath.MSVCRT ref: 00404537
    • _stricmp.MSVCRT(?,.tif), ref: 00404549
    • _stricmp.MSVCRT(?,.tiff), ref: 0040455C
    • _splitpath.MSVCRT ref: 004045DB
    • strstr.MSVCRT ref: 004045EA
    • sprintf.MSVCRT ref: 0040460B
    • _makepath.MSVCRT ref: 0040469D
    • _makepath.MSVCRT ref: 00404724
    • GetFileAttributesA.KERNEL32(?), ref: 00404743
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 0040475F
    • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 0040477A
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000001,?,?,00000001), ref: 004047D1
    • _splitpath.MSVCRT ref: 004047F9
    • strstr.MSVCRT ref: 00404833
    • _makepath.MSVCRT ref: 00404896
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004048E0
    • _splitpath.MSVCRT ref: 00404912
    • _stricmp.MSVCRT(?,.tiff), ref: 00404928
    • _stricmp.MSVCRT(?,.tif), ref: 0040493B
    Similarity
    • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@_splitpath_stricmp$Tidy@?$basic_string@_makepath$strstr$AttributesFileGrow@?$basic_string@sprintf
    • String ID: .tif$.tiff$_0001
    • API String ID: 1753013735-2571157196

    Control-flow Graph

    APIs
      • Part of subcall function 00401270: ??2@YAPAXI@Z.MSVCRT ref: 00401285
      • Part of subcall function 00401270: GetModuleFileNameA.KERNEL32(00000000,00000001,000003E8,00000000), ref: 004012A8
    • VirtualProtectEx.KERNEL32(?,?,?,00000040,?), ref: 00401603
    • WriteProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004016B4
    • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 004016CA
    • SetThreadContext.KERNEL32(?,?), ref: 0040170B
    • ResumeThread.KERNEL32(?), ref: 00401716
    • CloseHandle.KERNEL32(?), ref: 00401721
    Similarity
    • API ID: MemoryProcessThreadWrite$??2@CloseContextFileHandleModuleNameProtectResumeVirtual
    • String ID:
    • API String ID: 3420630705-0
    APIs
    • _splitpath.MSVCRT ref: 004042B4
    • FindFirstFileA.KERNEL32(?,?), ref: 004042D6
    • _splitpath.MSVCRT ref: 0040431F
    • _makepath.MSVCRT ref: 00404347
    • GetFileAttributesA.KERNEL32(?), ref: 00404355
    • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 00404397
    • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?), ref: 004043BE
    • FindNextFileA.KERNEL32(00000000,?), ref: 0040442B
      • Part of subcall function 004ADE80: free.MSVCRT(?,0040B460,?), ref: 004ADE84
    • FindClose.KERNEL32(00000000), ref: 00404437
    Similarity
    • API ID: FileFind$D@2@@std@@D@std@@U?$char_traits@V?$allocator@_splitpath$AttributesCloseEos@?$basic_string@FirstGrow@?$basic_string@Next_makepathfree
    • String ID:
    • API String ID: 2748218397-0
    APIs
    • LoadLibraryA.KERNEL32(ntdll.dll,?,?,00401623,?,?), ref: 00401389
    • GetProcAddress.KERNEL32(00000000,ZwUnmapViewOfSection), ref: 0040139B
    • FreeLibrary.KERNEL32(00000000), ref: 004013B9
    Similarity
    • API ID: Library$AddressFreeLoadProc
    • String ID: ZwUnmapViewOfSection$ntdll.dll
    • API String ID: 145871493-452462277

    Control-flow Graph

    Similarity
    • API ID: _stricmpsprintf$_splitpath$AttributesFile_makepathstrstr
    • String ID: "%s"$ -g%dx%d$ -r%dx%d$ -sOutputFile="%s"$-sDEVICE=%s -dNOPAUSE$.bmp$.eps$.jpeg$.jpg$.pcx$.pdf$.png$.ps$.tif$.tiff$_%04d$bmp16m$bmp256$bmpmono$epswrite$jpeg$jpeggray$pcx24b$pcx256$pcxmono$pdfwrite$png16m$png256$pngmono$pswrite$tiff12nc$tiff24nc$tiffg32d$tiffg4$tiffgray
    • API String ID: 2961985632-404252592

    Control-flow Graph

    Similarity
    • API ID: ActiveMessageWindow$_tzsetlocaltimetime
    • String ID: -$1$9$@$C$I$d$e$f$g$h$i$m$n$o$o$p$p$r$r$t$v
    • API String ID: 1242371391-2262430594

    Control-flow Graph

    Similarity
    • API ID: ActiveMessageWindow$_tzsetlocaltimetime
    • String ID: -$1$9$@$C$I$d$e$f$g$h$i$m$n$o$o$p$p$r$r$t$v
    • API String ID: 1242371391-2262430594
    • Opcode ID: ffc58dbf5a04bf35ec91219158fd675d4d4fbd49f9ad05992dbda25e61f8a3b0
    • Instruction ID: cb4b5269df0a7fd77329580686c37fdc3fed47c5a98604be0c06c976f5d8d160
    • Opcode Fuzzy Hash: ffc58dbf5a04bf35ec91219158fd675d4d4fbd49f9ad05992dbda25e61f8a3b0
    • Instruction Fuzzy Hash: 08515E3051830096DB24CB60D848B1FB7F5EFE5704F50696EF689972A0E37AC5488B1F

    Control-flow Graph

    [Control-flow graph for the function at 0x40e400: basic blocks 0x40e400-0x40e698; calls _tzset, time, localtime, GetFileAttributesA, GetActiveWindow, MessageBoxW]
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID: ActiveMessageWindow$AttributesFile_tzsetlocaltimetime
    • String ID: -$1$9$@$C$C:\verydoc$I$d$e$f$g$h$i$m$n$o$o$p$p$t$v
    • API String ID: 402509611-1472302704
    • Opcode ID: ad8449b0935989483dd2f6d02d022fb99b5ec95a02896c43d2fadf4a8a574ebb
    • Instruction ID: 28b0a24f277d874af975f2660445b337e57f7df45bebfc2a78c72048754a4a11
    • Opcode Fuzzy Hash: ad8449b0935989483dd2f6d02d022fb99b5ec95a02896c43d2fadf4a8a574ebb
    • Instruction Fuzzy Hash: 5251916052C34096DB24CB51D850B2FA3A5EFF4704F545D2EF288AB6E0E3BE85448B1F

    Control-flow Graph

    [Control-flow graph for the function at 0x40deb0: basic blocks 0x40deb0-0x40e0fd; calls _tzset, time, localtime, GetFileAttributesA, GetActiveWindow, MessageBoxW]
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID: ActiveMessageWindow$AttributesFile_tzsetlocaltimetime
    • String ID: -$1$9$@$C$C:\verypdf$I$d$e$f$g$h$i$m$n$o$o$p$p$t$v
    • API String ID: 402509611-1253292400
    • Opcode ID: 83c8ea0956d8dd75a34149f8dc09497a8bc577a0bb88ca7cd92619dc71f959b6
    • Instruction ID: 3a4a1bb07d97f1a5a9625a7d0934232e6c3390e796b019b8d0e2b608cfd9eca4
    • Opcode Fuzzy Hash: 83c8ea0956d8dd75a34149f8dc09497a8bc577a0bb88ca7cd92619dc71f959b6
    • Instruction Fuzzy Hash: 4351292052C35096DB24CF52C84462FB7A5EFE4714F146D2EF288AB2A0E3F9C558875F

    Control-flow Graph

    APIs
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 0041144E
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00411462
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 0041147B
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411490
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004114A5
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004114BA
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004114D2
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004114EA
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411502
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041151A
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411532
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041154A
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411562
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041157A
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411592
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004115AA
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004115C2
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004115DA
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041162A
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041167A
      • Part of subcall function 00456D10: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,00000001), ref: 00456D54
      • Part of subcall function 00456D10: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00456DB7
      • Part of subcall function 00456D10: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 00456DFF
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004116D0
    • ??2@YAPAXI@Z.MSVCRT ref: 00411714
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$Grow@?$basic_string@$??2@
    • String ID:
    • API String ID: 2603275286-0
    • Opcode ID: 8b2f1962adbda18c9c37a2b88c23a7084c4c78f1675ae875ac3de1924033bfea
    • Instruction ID: 967bfa9340c35f11ad8e09fe879a70fcd403247740a9d172da7da2c95623164c
    • Opcode Fuzzy Hash: 8b2f1962adbda18c9c37a2b88c23a7084c4c78f1675ae875ac3de1924033bfea
    • Instruction Fuzzy Hash: 81C10A7440AB859EC7228F3E84546D6FFE4AF6A708F84499DE0DA43302CA35754DCB6A

    Control-flow Graph

    [Control-flow graph for the function at 0x4117d0: basic blocks 0x4117d0-0x411b22; calls fclose, basic_string::_Tidy (MSVCP60), and internal subroutines at 0x410fd0, 0x410d40, 0x44ae70, 0x4ade80, 0x458790, 0x456e50]
    APIs
    • fclose.MSVCRT ref: 00411803
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?), ref: 0041183C
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00411846
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004118AE
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004118C1
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004118D4
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004118E7
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004118FA
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 0041190D
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00411920
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00411933
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00411946
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00411959
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 0041196C
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 0041197F
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00411992
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004119A5
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004119B8
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004119CB
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004119DE
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004119F1
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID: D@2@@std@@D@std@@Tidy@?$basic_string@U?$char_traits@V?$allocator@$fclose
    • String ID:
    • API String ID: 1785820745-0
    • Opcode ID: 95505bb293e22e6dd73d2ab301ae7b639542eebcc126812f016d9763b86e33ee
    • Instruction ID: 0c3faa5cdb7c2ca7d1e3c8c20623330c6c9f2c4379950a14a28dc588948f675c
    • Opcode Fuzzy Hash: 95505bb293e22e6dd73d2ab301ae7b639542eebcc126812f016d9763b86e33ee
    • Instruction Fuzzy Hash: D9A1C370408B809FD310DF29C498BDAFBE0BF65304F44492EE1DA87392DB796189CB66

    Control-flow Graph

    APIs
    • GetFileAttributesA.KERNEL32(?,00000000,00000000,?,00000001), ref: 00404082
    • _splitpath.MSVCRT ref: 004040BE
    • DeleteFileA.KERNEL32(?), ref: 004040EB
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00404114
    • _splitpath.MSVCRT ref: 0040413F
    • _makepath.MSVCRT ref: 0040415A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID: File$_splitpath$AttributesDeleteModuleName_makepath
    • String ID: "%s\tiffcp.dll" -c %s "%s" "%s"$\$jpeg:r:50$lzw:2$packbits
    • API String ID: 49922033-2234308380
    • Opcode ID: 593052161162cfc3747ba8ed0da0228b76e2fca3f1250d3a30f263b55c6e8e50
    • Instruction ID: 356ff91ab2197189671ce0ec5a26d17c9aa1eb1ece580074e74ae5a2abb10037
    • Opcode Fuzzy Hash: 593052161162cfc3747ba8ed0da0228b76e2fca3f1250d3a30f263b55c6e8e50
    • Instruction Fuzzy Hash: 4A51E5B21183455BE734CB74DC44EEB77E8FBC4324F404A2EF659931D1DA74AA088BA6
    APIs
    • _splitpath.MSVCRT ref: 00402DFC
    • GetFileAttributesA.KERNEL32(?), ref: 00402E06
    • _makepath.MSVCRT ref: 00402E4E
    • _splitpath.MSVCRT ref: 00402F2C
    • ?_Xlen@std@@YAXXZ.MSVCP60 ref: 00402FEC
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00403022
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 0040303A
    • ?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60 ref: 00403043
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@_splitpath$AttributesCopy@?$basic_string@FileXlen@std@@_makepath
    • String ID: .pdf$\
    • API String ID: 632869359-513609365
    • Opcode ID: 9a42a6ae4cfb2224f5e9818f280d71072075f7b0c2d64604579d3a2be6b6eed2
    • Instruction ID: 0a3238c35b13aa641e791d010ee873c95d3e9fe3d2b8827c7afbe1c1901aa95f
    • Opcode Fuzzy Hash: 9a42a6ae4cfb2224f5e9818f280d71072075f7b0c2d64604579d3a2be6b6eed2
    • Instruction Fuzzy Hash: 7D81F5312046044FCB28CE38C9446AFBBD6FBC8321F54472EF96A972D5DAB49E09D785
    APIs
    • OutputDebugStringA.KERNEL32(?,?,packbits,?), ref: 00403F37
    • OutputDebugStringA.KERNEL32(004C20C0), ref: 00403F3E
    • GetStartupInfoA.KERNEL32(?), ref: 00403F45
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 00403FF5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID: DebugOutputString$CreateInfoProcessStartup
    • String ID: packbits
    • API String ID: 1314224435-3494338899
    • Opcode ID: 474489288b3ded77bb960541771ba3c92867713893343b0eb0165c74b647c9f2
    • Instruction ID: bccbe83ec8ad4f64d8e7a228a2dfc2ec35c7d3d8f67ade7a6b4608eb14acbe08
    • Opcode Fuzzy Hash: 474489288b3ded77bb960541771ba3c92867713893343b0eb0165c74b647c9f2
    • Instruction Fuzzy Hash: B641E23251860497D324AA78AC08B6B3BD4EBC0331F14472EB6A5A36D1DEB9D9048389
    APIs
    • GetFileAttributesA.KERNEL32(?,00000000,00000000,00000000,00403DB8,?,?), ref: 00403B75
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: r+b
    • API String ID: 3188754299-2113443889
    • Opcode ID: c2cafe9f4b03cf09bbd31cdbd653ed1035e52b1e9871a9891d05e0c08d934421
    • Instruction ID: ec2d9b01edb907a54698676250e75b3031577df92fcbc2a463223da3a80d976a
    • Opcode Fuzzy Hash: c2cafe9f4b03cf09bbd31cdbd653ed1035e52b1e9871a9891d05e0c08d934421
    • Instruction Fuzzy Hash: 73313A766042006BE7109F68EC44BDB77DCEBC0365F440939FD41E2281D3BDEA4996A5
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID: _initterm$__getmainargs__p___initenv__p__commode__p__fmode__set_app_type
    • String ID: 0 L
    • API String ID: 4012487245-834934171
    • Opcode ID: 0aaebd9f0467ab333afef3e1b317710f4179f77e11e2e26c554b2c70020a855b
    • Instruction ID: eb6e4f4a364a3467163a33b43998b99b21edb9d4d13bfdd7d377d53c08f1214f
    • Opcode Fuzzy Hash: 0aaebd9f0467ab333afef3e1b317710f4179f77e11e2e26c554b2c70020a855b
    • Instruction Fuzzy Hash: D9216D35940708EFCB159FA5DC45F9A7BB4FB49321F10026AF621A32A1CBB85400CB28
    APIs
    • PeekNamedPipe.KERNEL32(?,759A5200,00000001,00401A41,759A5200,00000000,74DEF4C0,00000000,759A5200,00000000,00401A41,?,00000000,?), ref: 004017F8
    • ReadFile.KERNEL32(?,?,00001FFF,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0040182A
    • ?_Xlen@std@@YAXXZ.MSVCP60 ref: 00401862
    • ?_Xlen@std@@YAXXZ.MSVCP60 ref: 0040187C
    • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(00000000), ref: 004018B3
    • ?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60 ref: 004018C3
    • WaitForSingleObject.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,759B6A90,?), ref: 004018FB
    • Sleep.KERNEL32(00000064,?,?,?,?,?,?,?,?,?,?,?,?,759B6A90,?), ref: 00401907
    • PeekNamedPipe.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040192F
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID: D@2@@std@@D@std@@NamedPeekPipeU?$char_traits@V?$allocator@Xlen@std@@$Copy@?$basic_string@Eos@?$basic_string@FileObjectReadSingleSleepWait
    • String ID:
    • API String ID: 3561635000-0
    • Opcode ID: 4eb4d4faf713956c52b486160bd93e22445c1e785a4647d4f1ba4345efd4c8b5
    • Instruction ID: 1d3c05a668f47802fcb9b8a79645857809b7357ec879c37bae5a234d636e540f
    • Opcode Fuzzy Hash: 4eb4d4faf713956c52b486160bd93e22445c1e785a4647d4f1ba4345efd4c8b5
    • Instruction Fuzzy Hash: 184114716043059FCB10DFA4C894AAFB7E9FF84700F04862EF545A72A1D7349A45CB96
    APIs
    • _splitpath.MSVCRT ref: 00403E8B
    • _stricmp.MSVCRT(?,.pdf), ref: 00403EA1
    • _stricmp.MSVCRT(?,.ps), ref: 00403EB4
    • _stricmp.MSVCRT(?,.eps), ref: 00403EC7
      • Part of subcall function 00403C90: _splitpath.MSVCRT ref: 00403CF8
      • Part of subcall function 00403C90: strchr.MSVCRT ref: 00403D05
      • Part of subcall function 00403C90: _makepath.MSVCRT ref: 00403D67
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID: _stricmp$_splitpath$_makepathstrchr
    • String ID: .eps$.pdf$.ps
    • API String ID: 772880148-3027222533
    • Opcode ID: 6582ea2a9fe180f07ead7adfee962810e07fe43d56c928a2b0a9a1230d393311
    • Instruction ID: 3b6a113f01b81ece2e80cc2d0090dc9647a68f2254179d222798134ab969455b
    • Opcode Fuzzy Hash: 6582ea2a9fe180f07ead7adfee962810e07fe43d56c928a2b0a9a1230d393311
    • Instruction Fuzzy Hash: 3A11063660030027D721EB28EC06BEB779C9F84709F49093AF984A22C1F678D708C6E6
    APIs
    • ??2@YAPAXI@Z.MSVCRT ref: 00406F23
    • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00000001), ref: 004070C0
    • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,00000000,?,?,?,?,00000001), ref: 004070D5
    • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00000001), ref: 0040716A
    • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,?,?,?,?,?,00000001), ref: 00407180
    • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00000001), ref: 004071AF
    • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,00000000,?,?,?,?,00000001), ref: 004071C4
      • Part of subcall function 004073A0: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,004AE5BA,000000FF,0040711E,?,?,?,?), ref: 004073EE
      • Part of subcall function 004073A0: ?erase@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@II@Z.MSVCP60(?,?), ref: 00407428
      • Part of subcall function 004073A0: ?erase@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@II@Z.MSVCP60(00000000,00000000), ref: 00407434
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID: V12@$D@2@@std@@D@std@@U?$char_traits@V?$allocator@$?assign@?$basic_string@$?erase@?$basic_string@$??2@
    • String ID:
    • API String ID: 2389209611-0
    • Opcode ID: 1d1474d9c831335c235b8a8de8753684c4198c491523b18e6eb9c5d63691a018
    • Instruction ID: d2c51ccafbb61d0a8d1d41c67ce667427306003095ff011d9c73c6c5a8337875
    • Opcode Fuzzy Hash: 1d1474d9c831335c235b8a8de8753684c4198c491523b18e6eb9c5d63691a018
    • Instruction Fuzzy Hash: 30A1A072A043159BD724CF58D88091AB3E5FBD8348F05463EEC89A7381E635EE45CB9A
    APIs
    • strncmp.MSVCRT(?,%PDF-,00000005,?,?,?,?,00000000,00000000,759A3E40), ref: 004662EC
    • strtok.MSVCRT ref: 0046631B
    • atof.MSVCRT ref: 00466329
    • printf.MSVCRT ref: 00466355
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID: atofprintfstrncmpstrtok
    • String ID: $%PDF-
    • API String ID: 988301235-975034857
    • Opcode ID: e24b6dd4152c6c5bd16ff680cf9dac59880fe4b90f0ce99c8d61b4b8ee396015
    • Instruction ID: 3dd83a93aa736baafe8dacb25730dbac3a57783f161b0a61923b90fc8634ff9b
    • Opcode Fuzzy Hash: e24b6dd4152c6c5bd16ff680cf9dac59880fe4b90f0ce99c8d61b4b8ee396015
    • Instruction Fuzzy Hash: A611547040060197D714AB15DC08756BB65FB81308F06427AED8693381E738D99ACBDF
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID: isdigit
    • String ID:
    • API String ID: 2326231117-0
    • Opcode ID: 60c00e8278ea46490b1d1241db07f47bd5a7746c8de3ff6ea237da61e585b56e
    • Instruction ID: bf1899cb2cbe18935d201863086d121460cc36989dd8b145f8a66d2ed4a54357
    • Opcode Fuzzy Hash: 60c00e8278ea46490b1d1241db07f47bd5a7746c8de3ff6ea237da61e585b56e
    • Instruction Fuzzy Hash: 37110F5460429602D7351E7D5C603FB6BD95F9A384B1D187FDCC6D13B2E728C8834799
    APIs
    Strings
    • Internal error in arg table, xrefs: 00401E38
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID: atofatoiprintfstrncpy
    • String ID: Internal error in arg table
    • API String ID: 1107543075-1247339655
    • Opcode ID: ebcdb0d5adedc88893c59189c203bd0b425cac8923df43c62cd944a51624aadd
    • Instruction ID: 8fb7a7babbdb97d1b008bc4dcf72dc82b9bcd7885594177b92052bab69221686
    • Opcode Fuzzy Hash: ebcdb0d5adedc88893c59189c203bd0b425cac8923df43c62cd944a51624aadd
    • Instruction Fuzzy Hash: 9F4168746042058FD714CF09D884A2AB3E5EF88348F14497EE946AB3A2E735FD15CB9A
    APIs
    • malloc.MSVCRT ref: 0040B2F3
    • strtok.MSVCRT ref: 0040B366
    • free.MSVCRT(00000000), ref: 0040B417
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 0040B48E
    • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 0040B4B0
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Grow@?$basic_string@Tidy@?$basic_string@freemallocstrtok
    • String ID:
    • API String ID: 2176922576-0
    • Opcode ID: 26c5f27b9e6efd413c3a0a88655038eb30d5c8852549a12ed06ed8e485949906
    • Instruction ID: 2e1fd6ab694a47d1cec78fb17f306f405d751c2347367ece4bdf5aa7685c52fb
    • Opcode Fuzzy Hash: 26c5f27b9e6efd413c3a0a88655038eb30d5c8852549a12ed06ed8e485949906
    • Instruction Fuzzy Hash: 0041F6325087505BD724CF28984476BBBD4FB94720F08463EF996A33D2DB399A0587DA
    APIs
    • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,004AE5BA,000000FF,0040711E,?,?,?,?), ref: 004073EE
    • ?erase@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@II@Z.MSVCP60(?,?), ref: 00407428
    • ?erase@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@II@Z.MSVCP60(00000000,00000000), ref: 00407434
    • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 004074AD
    • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?), ref: 004074DC
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V12@$?erase@?$basic_string@$?assign@?$basic_string@Eos@?$basic_string@Grow@?$basic_string@
    • String ID:
    • API String ID: 2637273222-0
    • Opcode ID: d9461b8a90823655f37b6779114df2c26adf9e27c03b66aacf3e699d951c6870
    • Instruction ID: 0e9d29c43e0d07c90d5eae1c50270cf2c8d73e6c7a3ecad1311c950229bc0cd9
    • Opcode Fuzzy Hash: d9461b8a90823655f37b6779114df2c26adf9e27c03b66aacf3e699d951c6870
    • Instruction Fuzzy Hash: 1541FF71A047149FCB10CF19D88462AFBE5FB89B20F54866EE4969B782C739B840CF95
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID: atoi
    • String ID:
    • API String ID: 657269090-0
    • Opcode ID: d2123832f1a8c52c94a62844c1ce174896a0ca6102f15e293967ca181ad8b44e
    • Instruction ID: 0881bd5c8ed529200f3103d333997cffe6f4a0e026c382f75707106a00061f58
    • Opcode Fuzzy Hash: d2123832f1a8c52c94a62844c1ce174896a0ca6102f15e293967ca181ad8b44e
    • Instruction Fuzzy Hash: 7531D42628C3C50AC211EA7C6C504EFBBD099D5124F4C49AEE8C592B52E45ED60D97B3
    APIs
    • CreatePipe.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 00401446
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?,759A5200), ref: 0040149E
    • GetThreadContext.KERNEL32(?,?), ref: 004014E6
    • ReadProcessMemory.KERNEL32(00000000,?,?,00000004,?), ref: 00401508
    • VirtualQueryEx.KERNEL32(?,?,?,0000001C), ref: 0040151B
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID: CreateProcess$ContextMemoryPipeQueryReadThreadVirtual
    • String ID:
    • API String ID: 163994867-0
    • Opcode ID: 81df26d2361b5115e4c8c8f62fdc057eedba5c2a0e7420c9e700fa2f8cd5fd08
    • Instruction ID: 3e561b77f22e1ab68817afa8e29549a213a557ebaa8e953025eb20865e0283dc
    • Opcode Fuzzy Hash: 81df26d2361b5115e4c8c8f62fdc057eedba5c2a0e7420c9e700fa2f8cd5fd08
    • Instruction Fuzzy Hash: A141B3B56083409FD720CF19D884B9BBBE8FFC9714F104A2DF68997250E774A904CB66
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID:
    • String ID: false$null$true
    • API String ID: 0-2913297407
    • Opcode ID: 92f99944cde564c17e3363808e0690481d70207aebc76287d35bdf4d1d0543ff
    • Instruction ID: 868ca1f96c4e96348d174acbc1981e6aa36624554adfd7e32512457824bd0c9a
    • Opcode Fuzzy Hash: 92f99944cde564c17e3363808e0690481d70207aebc76287d35bdf4d1d0543ff
    • Instruction Fuzzy Hash: D451D875F482814BD7305F349890377BBD25F66328F28466BD8D587391F22E9C4A835B
    APIs
    • GetTempPathA.KERNEL32(00000104,00000001,00000000,00000001), ref: 00402A83
    • GetTempFileNameA.KERNEL32(?,pdf,00000000,?), ref: 00402A9D
    • DeleteFileA.KERNEL32(?), ref: 00402AA4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID: FileTemp$DeleteNamePath
    • String ID: pdf
    • API String ID: 4264162788-250665868
    • Opcode ID: 023f2158c969e2e22aa94951f53a5e58ce9e612471d8f8958542ca6d179a31f9
    • Instruction ID: c7f73016603dfe6e43bac4e5a430485eaf113a181f0c37b864235308ba565665
    • Opcode Fuzzy Hash: 023f2158c969e2e22aa94951f53a5e58ce9e612471d8f8958542ca6d179a31f9
    • Instruction Fuzzy Hash: F501D8353042041BD32C963C9D86AAB76D9EBC0730F54072EBA26C32D1EEF99C048258
    APIs
      • Part of subcall function 004010D0: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,?,00000000,?,?,759B6A90,?,?,?,00000000,004AE0C9,000000FF,00402040), ref: 00401152
      • Part of subcall function 004010D0: memmove.MSVCRT ref: 0040118F
    • VirtualFree.KERNEL32(?,?,00004000,?,?,?,?,?,?,?,?,?,?,?,?,759B6A90), ref: 00401A05
    • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,759B6A90), ref: 00401A12
      • Part of subcall function 004017A0: PeekNamedPipe.KERNEL32(?,759A5200,00000001,00401A41,759A5200,00000000,74DEF4C0,00000000,759A5200,00000000,00401A41,?,00000000,?), ref: 004017F8
      • Part of subcall function 004017A0: ReadFile.KERNEL32(?,?,00001FFF,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0040182A
      • Part of subcall function 004017A0: ?_Xlen@std@@YAXXZ.MSVCP60 ref: 00401862
      • Part of subcall function 004017A0: ?_Xlen@std@@YAXXZ.MSVCP60 ref: 0040187C
      • Part of subcall function 004017A0: PeekNamedPipe.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040192F
    • CloseHandle.KERNEL32(?,?,?,?,?,759B6A90,?,?,?,00000000,004AE0C9,000000FF,00402040,00000000,00000000,?), ref: 00401A78
    • CloseHandle.KERNEL32(?,?,?,?,?,759B6A90,?,?,?,00000000,004AE0C9,000000FF,00402040,00000000,00000000,?), ref: 00401A84
    • CloseHandle.KERNEL32(759B6A90,?,?,?,?,759B6A90,?,?,?,00000000,004AE0C9,000000FF,00402040,00000000,00000000,?), ref: 00401A8C
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID: CloseHandleVirtual$FreeNamedPeekPipeXlen@std@@$AllocFileReadmemmove
    • String ID:
    • API String ID: 2271705680-0
    • Opcode ID: 34aeba48f5e238310010526f481e6bd7df2ce2db8c0077093600bceb6d11f079
    • Instruction ID: 2b83a2cacf0b3dae08702ec695c83ff8fc4493fa096e3be888531872321d735c
    • Opcode Fuzzy Hash: 34aeba48f5e238310010526f481e6bd7df2ce2db8c0077093600bceb6d11f079
    • Instruction Fuzzy Hash: 42414EB2509340AFC214DF698C8096BB7E9AFC9724F544B2DF5A9A32E0D234D9058B56
    APIs
      • Part of subcall function 004ADE80: free.MSVCRT(?,0040B460,?), ref: 004ADE84
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00461852
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004618A8
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004618B8
    • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004618CB
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID: D@2@@std@@D@std@@Tidy@?$basic_string@U?$char_traits@V?$allocator@$free
    • String ID:
    • API String ID: 2125866546-0
    • Opcode ID: 6feb9ff44419a107a5fe18d0df87d25f81d790087f4832145791d867ec4504db
    • Instruction ID: 6ef75159af93bae3b41bb84e892ce69b2bff235913e128174daafd5175a86f4a
    • Opcode Fuzzy Hash: 6feb9ff44419a107a5fe18d0df87d25f81d790087f4832145791d867ec4504db
    • Instruction Fuzzy Hash: E8417DB1804B41AFC310DF1AC48464AFBE0BF58714F840B2EE59993B51D739A9A4CBDA
    APIs
    • free.MSVCRT(?,00000000,004B1E98,000000FF,0046BDCB,00000000,00000000,?,?,00000000,004B1ED8,000000FF,?,004BE2D8,00000000,00000000), ref: 0046BC76
    • realloc.MSVCRT ref: 0046BC9A
    • malloc.MSVCRT ref: 0046BCA5
    • _CxxThrowException.MSVCRT(?,004BE2D8), ref: 0046BCC8
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID: ExceptionThrowfreemallocrealloc
    • String ID:
    • API String ID: 3717235083-0
    • Opcode ID: 08d4c4f37fc8607a8446c2040470e6fbd66776beda9e025450079fb1223b7153
    • Instruction ID: c6687472bfaaa110d3c09a4cdb9ed843d53c584a6ae74aec2a3230988e933e15
    • Opcode Fuzzy Hash: 08d4c4f37fc8607a8446c2040470e6fbd66776beda9e025450079fb1223b7153
    • Instruction Fuzzy Hash: BE11C1716487829BC714CF28DD41B2B77E4FB84B10F144A2EF855D3781E728C508C6AB
    APIs
    • ??2@YAPAXI@Z.MSVCRT ref: 00401285
    • GetModuleFileNameA.KERNEL32(00000000,00000001,000003E8,00000000), ref: 004012A8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1653196105.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1653183547.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653245975.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653261617.00000000004C2000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653471724.0000000000858000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653487980.000000000085C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653500386.000000000085E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1653513339.0000000000860000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_MneP65rGYh.jbxd
    Similarity
    • API ID: ??2@FileModuleName
    • String ID: @ L
    • API String ID: 1856688432-1698004427
    • Opcode ID: 8260b90045a4677d557c90c6995dcfbb0b999a30246c8c98ede8c7f4ff3f553f
    • Instruction ID: 516c3719773dbf30858149e0532437f5edbf7bcea64df1e3768bc9dbe486f979
    • Opcode Fuzzy Hash: 8260b90045a4677d557c90c6995dcfbb0b999a30246c8c98ede8c7f4ff3f553f
    • Instruction Fuzzy Hash: 2001F13270080407DB2C847D5C6662B69C7EBD4371F68033EBB2BCB2E5DEA98D098214