Windows Analysis Report
ocs.exe

Overview

General Information

Sample name:ocs.exe
Analysis ID:1559382
MD5:725da9f8ec7b0b8316dae970f35590ef
SHA1:81bc4602c202fc735785e99f338e8e73861b5113
SHA256:c047c39f77e0313414d81b081d2c80efd1295bb2b1a57faa0f911d43e22bc8be

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

AI detected suspicious sample
Machine Learning detection for sample
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

  • System is w10x64
  • ocs.exe (PID: 3200 cmdline: "C:\Users\user\Desktop\ocs.exe" MD5: 725DA9F8EC7B0B8316DAE970F35590EF)
    • cmd.exe (PID: 1196 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\A3BE.tmp\start.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • runasspc.exe (PID: 2924 cmdline: runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"mitro,1916" /quiet MD5: 85848267B79C1BF176EEFF46EA4B3537)
      • runasspc.exe (PID: 2704 cmdline: runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"bk0906!!" /quiet MD5: 85848267B79C1BF176EEFF46EA4B3537)
      • runasspc.exe (PID: 5624 cmdline: runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"Abello" /quiet MD5: 85848267B79C1BF176EEFF46EA4B3537)
      • runasspc.exe (PID: 5508 cmdline: runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"tSyDqvEwA6UL" /quiet MD5: 85848267B79C1BF176EEFF46EA4B3537)
      • runasspc.exe (PID: 320 cmdline: runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"&9brASEt-eYe" /quiet MD5: 85848267B79C1BF176EEFF46EA4B3537)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 92.0% probability
Source: ocs.exe | Joe Sandbox ML: detected
Source: ocs.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exeCode function: 4_2_00405E80 _mbscmp,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,#533,#350,#540,#860,#540,#540,#540,#540,#540,#540,#5194,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,#800,#800,#800,#800,#800,#800,#800,#798,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,#800,#800,#800,#800,#800,#800,#800,#798,#823,#823,#823,#2915,#5448,#5448,#3790,#1997,#3337,#3337,#3337,#3337,time,time,#2818,#860,#940,#4129,#858,#800,#6778,#6663,#6663,#4129,#858,#800,#6648,#6663,#4129,#858,#800,#6648,#6663,#4129,#858,#800,#6648,#6663,#4129,#858,#800,#6648,#6663,#4129,#858,#800,#6648,#6663,#4129,#858,#800,#6648,#6663,#4129,#858,#800,#6648,#6663,#4129,#858,#800,#6648,#6663,#4129,#858,#800,#6648,#6663,#4129,#858,#800,#6648,#6663,#4129,#858,#800,#6648,#6663,#4129,#858,#800,#6648,#6663,#4129,#858,#800,#6648,_mbscmp,_mbscmp,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@P
BD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,#800,#800,#800,#800,#800,#800,#800,#798,#922,#5194,#800,#1997,_mbscmp,#540,#540,GetCurrentDirectoryA,#860,#941,#922,#858,#800,#5194,#1997,#858,#800,#800,_mbscmp,#922,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,#800,#800,#800,#800,#800,#800,#800,#798,GetLogicalDriveStringsA,#860,#860,#858,#6648,#926,#858,#800,#922,#5194,#800,lstrlenA,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$ba4_2_00405E80
Source: ocs.exe, OcsAgentSetup.exe.0.dr | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: OcsAgentSetup.exe.0.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: ocs.exe, OcsAgentSetup.exe.0.dr | String found in binary or memory: http://www.ocsinventory-ng.org
Source: C:\Users\user\Desktop\ocs.exe | Code function: 0_2_00405D3C GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetFocus,GetFocus,GetClassNameA,strncmp,GetFocus,SendMessageA,GetPropA
Source: C:\Users\user\Desktop\ocs.exe | Code function: 0_2_00405B1F GetPropA,DefFrameProcA,SetLastError,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\ocs.exe | Code function: 0_2_00407E1A sprintf,GetPropA,HeapFree,HeapFree,HeapFree,RemovePropA,CallWindowProcA,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\ocs.exe | Code function: 0_2_00404714 GetWindowLongA,CallWindowProcA,RemovePropA,RemovePropA,RemovePropA,RevokeDragDrop,SetWindowLongA,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exeCode function: 4_2_00407190 _mbscmp,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,#540,#540,#926,#922,#924,#924,#922,#858,#800,#800,#800,#800,#800,MessageBoxA,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z,#2915,MultiByteToWideChar,MultiByteToWideChar,_mbscmp,#2915,GetComputerNameA,#5572,#2915,MultiByteToWideChar,#2915,MultiByteToWideChar,#2915,MultiByteToWideChar,_mbscmp,#858,#2915,MultiByteToWideChar,_mbscmp,_mbscmp,_mbscmp,_mbscmp,GetCurrentProcess,OpenProcessToken,CreateEnvironmentBlock,#800,#800,_mbscmp,_mbscmp,_mbscmp,#6663,#6648,#2915,MultiByteToWideChar,#2915,MultiByteToWideChar,_mbscmp,#2514,#656,#641,#2915,MultiByteToWideChar,#656,#641,CreateProcessWithLogonW,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,#540,GetLastError,#2818,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z,#926,#922,#924,#922,#924,#858,#800,#800,#800,#800,#800,#2915,MultiByteToWideChar,CreateProcessWi
thLogonW,#800,#800,#800,WaitForSingleObject,WaitForSingleObject,#2915,TerminateProcess,#800,DestroyEnvironmentBlock,CloseHandle,CloseHandle,CloseHandle,CloseHandle,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV24_2_00407190
Source: C:\Users\user\Desktop\ocs.exe | Code function: 0_2_00406960
Source: C:\Users\user\Desktop\ocs.exe | Code function: 0_2_00423173
Source: C:\Users\user\Desktop\ocs.exe | Code function: 0_2_0040E930
Source: C:\Users\user\Desktop\ocs.exe | Code function: 0_2_0040D9C0
Source: C:\Users\user\Desktop\ocs.exe | Code function: 0_2_0040E240
Source: C:\Users\user\Desktop\ocs.exe | Code function: 0_2_00424A51
Source: C:\Users\user\Desktop\ocs.exe | Code function: 0_2_00406C10
Source: C:\Users\user\Desktop\ocs.exe | Code function: 0_2_0040EC30
Source: C:\Users\user\Desktop\ocs.exe | Code function: 0_2_0040E630
Source: C:\Users\user\Desktop\ocs.exe | Code function: 0_2_0040DE80
Source: C:\Users\user\Desktop\ocs.exe | Code function: 0_2_0040EE90
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | Code function: 4_2_00402410
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | Code function: 4_2_004014A0
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | Code function: 4_2_00401960
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | Code function: 4_2_00402970
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | Code function: 4_2_00402110
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | Code function: 4_2_00401D20
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | Code function: 4_2_00402710
Source: ocs.exe | Binary or memory string: OriginalFilename vs ocs.exe
Source: ocs.exe | Static PE information: Section: UPX1 ZLIB complexity 0.9993838396633768
Source: classification engine | Classification label: mal48.winEXE@15/8@0/0
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exeCode function: 4_2_00402C10 ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,#860,#860,#540,GetLastError,GetLastError,#2818,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z,#926,#922,#939,#800,#800,MessageBoxA,#800,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@st
d@@@1@AAV21@@Z,#926,#924,#922,#939,#800,#800,#800,MessageBoxA,#800,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z,#941,MessageBoxA,#800,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?endl@std@@YAAAV?$basic4_2_00402C10
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | Code function: 4_2_00408990 WaitForSingleObject,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,CreateToolhelp32Snapshot,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,Process32First,CloseHandle,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\ocs.exe | Code function: 0_2_004020C9 FindResourceA,LoadResource,SizeofResource
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6152:120:WilError_03
Source: C:\Users\user\Desktop\ocs.exe | File created: C:\Users\user\AppData\Local\Temp\A3BE.tmp
Source: C:\Users\user\Desktop\ocs.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ocs.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\ocs.exe "C:\Users\user\Desktop\ocs.exe"
Source: C:\Users\user\Desktop\ocs.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\A3BE.tmp\start.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"mitro,1916" /quiet
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"bk0906!!" /quiet
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"Abello" /quiet
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"tSyDqvEwA6UL" /quiet
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"&9brASEt-eYe" /quiet
Source: C:\Users\user\Desktop\ocs.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ocs.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ocs.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ocs.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ocs.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ocs.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ocs.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ocs.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\ocs.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\ocs.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ocs.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\ocs.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ocs.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\ocs.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ocs.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ocs.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\ocs.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\ocs.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\ocs.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ocs.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\ocs.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\ocs.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\ocs.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\ocs.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\ocs.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | Section loaded: mfc42.dll
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | Section loaded: msvcp60.dll
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ocs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: ocs.exe | Static file information: File size 1454592 > 1048576
Source: ocs.exe | Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x162a00
Source: C:\Users\user\Desktop\ocs.exe | Code function: 0_2_00405EB2 GetTempPathA,LoadLibraryA,GetProcAddress,GetLongPathNameA,FreeLibrary
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\ocs.exe | File created: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe
Source: C:\Users\user\Desktop\ocs.exe | File created: C:\Users\user\AppData\Local\Temp\A3BE.tmp\OcsAgentSetup.exe
Source: C:\Users\user\Desktop\ocs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ocs.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\A3BE.tmp\OcsAgentSetup.exe
Source: C:\Users\user\Desktop\ocs.exe TID: 3372 | Thread sleep count: 93 > 30
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | API call chain: ExitProcess graph end node (graph_4-1458)
Source: C:\Users\user\Desktop\ocs.exe | Code function: 0_2_00403B70 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\ocs.exe | Code function: 0_2_00403CC0 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe; Code function: 4_2_00407190 _mbscmp,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,#540,#540,#926,#922,#924,#924,#922,#858,#800,#800,#800,#800,#800,MessageBoxA,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z,#2915,MultiByteToWideChar,MultiByteToWideChar,_mbscmp,#2915,GetComputerNameA,#5572,#2915,MultiByteToWideChar,#2915,MultiByteToWideChar,#2915,MultiByteToWideChar,_mbscmp,#858,#2915,MultiByteToWideChar,_mbscmp,_mbscmp,_mbscmp,_mbscmp,GetCurrentProcess,OpenProcessToken,CreateEnvironmentBlock,#800,#800,_mbscmp,_mbscmp,_mbscmp,#6663,#6648,#2915,MultiByteToWideChar,#2915,MultiByteToWideChar,_mbscmp,#2514,#656,#641,#2915,MultiByteToWideChar,#656,#641,CreateProcessWithLogonW,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,#540,GetLastError,#2818,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z,#926,#922,#924,#922,#924,#858,#800,#800,#800,#800,#800,#2915,MultiByteToWideChar,CreateProcessWithLogonW,#800,#800,#800,WaitForSingleObject,WaitForSingleObject,#2915,TerminateProcess,#800,DestroyEnvironmentBlock,CloseHandle,CloseHandle,CloseHandle,CloseHandle,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z,?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV24_2_00407190
Source: C:\Users\user\Desktop\ocs.exe; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\A3BE.tmp\start.bat" "
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"mitro,1916" /quiet
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"bk0906!!" /quiet
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"Abello" /quiet
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"tSyDqvEwA6UL" /quiet
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"&9brASEt-eYe" /quiet
Source: C:\Users\user\Desktop\ocs.exe; Code function: 0_2_00403CD7 GetVersionExA,GetVersionExA,GetVersionExA,0_2_00403CD7
MITRE ATT&CK matrix (a leading number is the count of matched signatures for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | 1 Valid Accounts | 1 Native API | 1 Valid Accounts | 1 Valid Accounts | 1 Valid Accounts | 1 Input Capture | 1 Virtualization/Sandbox Evasion | Remote Services | 1 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Scripting | 1 Exploitation for Privilege Escalation | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Access Token Manipulation | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 11 Process Injection | 11 Process Injection | NTDS | 2 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 DLL Side-Loading | 1 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Behavior Graph ID: 1559382; Sample: ocs.exe; Start date: 20/11/2024; Architecture: WINDOWS; Score: 48. Signatures on the root node: Machine Learning detection for sample; AI detected suspicious sample. ocs.exe drops C:\Users\user\AppData\Local\...\runasspc.exe (PE32) and C:\Users\user\AppData\...\OcsAgentSetup.exe (PE32) and starts cmd.exe, which in turn starts conhost.exe, runasspc.exe, runasspc.exe and 3 other processes.

Source | Detection | Scanner | Label | Link
ocs.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\A3BE.tmp\OcsAgentSetup.exe | 5% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe | 0% | ReversingLabs | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.ocsinventory-ng.org | 0% | Avira URL Cloud | safe |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://nsis.sf.net/NSIS_Error | ocs.exe, OcsAgentSetup.exe.0.dr | false | | high
http://nsis.sf.net/NSIS_ErrorError | OcsAgentSetup.exe.0.dr | false | | high
http://www.ocsinventory-ng.org | ocs.exe, OcsAgentSetup.exe.0.dr | false | Avira URL Cloud: safe | unknown
      No contacted IP infos
      Joe Sandbox version:41.0.0 Charoite
      Analysis ID:1559382
      Start date and time:2024-11-20 13:17:23 +01:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 5m 4s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:12
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:ocs.exe
      Detection:MAL
      Classification:mal48.winEXE@15/8@0/0
      EGA Information:
      • Successful, ratio: 100%
      HCA Information:
      • Successful, ratio: 98%
      • Number of executed functions: 21
      • Number of non-executed functions: 56
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
      • Excluded IPs from analysis (whitelisted): 20.42.65.92
      • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      • VT rate limit hit for: ocs.exe
      No simulations
      No context
      Process:C:\Users\user\Desktop\ocs.exe
      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
      Category:dropped
      Size (bytes):1411754
      Entropy (8bit):7.992246724895325
      Encrypted:true
      SSDEEP:24576:BTR8/w+ZyocpBfZISwHWSscEsCK7ltJk0J7yOmpSPst4PW+aRVsCUEkSOIT:9Rizc1ISwHEc9CKBtJxA4PXXa3JUv+
      MD5:E80DF9439AB058DB7BFAAF673C4E6F10
      SHA1:58164ECE556FAC3049545D3FD1DF881C9803C495
      SHA-256:02BC0030A5FE05B44A6FFF9760C312F73766B6A04B3527B68F9F3A4BEDFB2DB3
      SHA-512:9382954DEFF028E2EFB8AE2D89C2DDA9484CB0ABB8D58FC6553D87641B21A11805A0C71539ECBF3DF38BFCA1F3A272AB3DDB43D5BC36FAC975E47640EC0FE51F
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 5%
      Reputation:low
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i..iw..iu..i...i..id..i!..i...i...it..iRichu..i........................PE..L.....*J.................\..........<2.......p....@..........................0...............................................s...........6...........................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc....6.......8...v..............@..@................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\ocs.exe
      File Type:PE32 executable (console) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):77824
      Entropy (8bit):5.9545164774404675
      Encrypted:false
      SSDEEP:1536:cMr0X46Cu8QPBHjmyylTN9S4A3eT8npW:cy046Cu8wBHjmXCi8npW
      MD5:85848267B79C1BF176EEFF46EA4B3537
      SHA1:A80E727454A00DFA711D1A4CC9A1DBEE20501147
      SHA-256:524CA04561A0420973E00EB6831C4F33F5FBCC58EF71C1AC0B77C0C0BAD69713
      SHA-512:5FE40B21047527C5F7A96FECBF3BEED4E487790C9CD973A125FAC32FCA255B011092626B2AC411930CF243B2BCC9A3C602445C98A53F0A393FF6B2D2BADAC8DE
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Reputation:low
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E.f.............z...............n.......n.......n.......x.......x................U....................Rich............................PE..L...H..K............................".............@..........................0....................................................... ...............................................................................................................text............................... ..`.rdata...X.......`..................@..@.data...x...........................@....rsrc........ ....... ..............@..@........................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\ocs.exe
      File Type:DOS batch file, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):938
      Entropy (8bit):5.288076112390791
      Encrypted:false
      SSDEEP:12:pyFe6XVAyFe6Xg2NPcyFe6XxFyFe6XWQUcyFe6XtiqR:pMWMrcMfMKQUcMBiq
      MD5:83902E28B0AFAC3F862ECF1CAD0A7709
      SHA1:709DAE951E4E0CF093FB2CC7E7152345F80ECBE9
      SHA-256:30A3302CD829FF93F261D2FF5493881DFAD5D70AB2F508B95924A88A17A71921
      SHA-512:A72F4C1D2320BD7E9BEE38205D3F4852D3CAC883B0271D1C76B3105B4EDEE9B41CFA5FA21DD77D46965E60DAAD5579AA1E2435B0FFBADCC6BE48A42C401BB56D
      Malicious:false
      Reputation:low
      Preview:@echo off..runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"mitro,1916" /quiet..runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"bk0906!!" /quiet..runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"Abello" /quiet..runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"tSyDqvEwA6UL" /quiet..runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"&9brASEt-eYe" /quiet..exit
      Process:C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):349
      Entropy (8bit):4.270993527672736
      Encrypted:false
      SSDEEP:6:IomFL2SKIRv9euB90UQAP9jzbUi1ovdnybX4p9WMq5RQ1:IomFL2STRVhbrQYzlohyz4pP
      MD5:2AB60142E6C1877C88DA6AAF7DDC6F0D
      SHA1:5BFF5488A81E23F86849AFB8CD24A3C8528C4421
      SHA-256:619DDAFEF60FA38F76B7102E821ED60E4FA3DE3BC399DD4819FDDBB08B20E8C3
      SHA-512:6C0B3B2F2BAD93708D13312573D0CB43504BC525CF5EC34D2F933DB4D6237F530F5B96A9269366E9097949440208E2920B9C9220504620363B8EAF0CF71C7C08
      Malicious:false
      Reputation:low
      Preview:.. *************--> RUNASSPC <--**************.. * FOR PRIVATE USE *.. * Commercial use license at: *.. * www.robotronic.de/orderen.php *.. *******************************************....Errorcode: 1326..Logon failure: unknown user name or bad password...username: Administrator..domainname: 536720....
      File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
      Entropy (8bit):7.999673760379866
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.39%
      • UPX compressed Win32 Executable (30571/9) 0.30%
      • Win32 EXE Yoda's Crypter (26571/9) 0.26%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      File name:ocs.exe
      File size:1'454'592 bytes
      MD5:725da9f8ec7b0b8316dae970f35590ef
      SHA1:81bc4602c202fc735785e99f338e8e73861b5113
      SHA256:c047c39f77e0313414d81b081d2c80efd1295bb2b1a57faa0f911d43e22bc8be
      SHA512:ecd54963a9ffa12008d9dbaac11a30b50c3df32e375c1bf9b3601506e2d23bcbdfa603f131ba81c2d063f79b66f1b84d2fcb7785b2eaa6e47fe0dda46f3bd8d6
      SSDEEP:24576:/hypkdgOkBg/7u7JHSIDT5J0//uJvrSwvRgL/bEdxTvehry04Q/lcSNOtYMIuY4k:/h4dOkBgyHhxJkuBSwKL4nwrUQ/lbJF5
      TLSH:7C65333497EB1E82DB1D05BF42A761C887F2A0EC980E158C3FA441634F5F596E2BBD25
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'..L...............2.0.......... .............@........................................................................
      Icon Hash:00928e8e8686b000
      Entrypoint:0x57dd20
      Entrypoint Section:UPX1
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      DLL Characteristics:
      Time Stamp:0x4CD7F727 [Mon Nov 8 13:12:07 2010 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:1d88d597200c0081784c27940d743ec5
      Instruction
      pushad
      mov esi, 0041C015h
      lea edi, dword ptr [esi-0001B015h]
      push edi
      mov ebp, esp
      lea ebx, dword ptr [esp-00003E80h]
      xor eax, eax
      push eax
      cmp esp, ebx
      jne 00007F9820C7F8BDh
      inc esi
      inc esi
      push ebx
      push 00178988h
      push edi
      add ebx, 04h
      push ebx
      push 00161D01h
      push esi
      add ebx, 04h
      push ebx
      push eax
      mov dword ptr [ebx], 00020003h
      nop
      nop
      nop
      nop
      nop
      push ebp
      push edi
      push esi
      push ebx
      sub esp, 7Ch
      mov edx, dword ptr [esp+00000090h]
      mov dword ptr [esp+74h], 00000000h
      mov byte ptr [esp+73h], 00000000h
      mov ebp, dword ptr [esp+0000009Ch]
      lea eax, dword ptr [edx+04h]
      mov dword ptr [esp+78h], eax
      mov eax, 00000001h
      movzx ecx, byte ptr [edx+02h]
      mov ebx, eax
      shl ebx, cl
      mov ecx, ebx
      dec ecx
      mov dword ptr [esp+6Ch], ecx
      movzx ecx, byte ptr [edx+01h]
      shl eax, cl
      dec eax
      mov dword ptr [esp+68h], eax
      mov eax, dword ptr [esp+000000A8h]
      movzx esi, byte ptr [edx]
      mov dword ptr [ebp+00h], 00000000h
      mov dword ptr [esp+60h], 00000000h
      mov dword ptr [eax], 00000000h
      mov eax, 00000300h
      mov dword ptr [esp+64h], esi
      mov dword ptr [esp+5Ch], 00000001h
      mov dword ptr [esp+58h], 00000001h
      mov dword ptr [esp+54h], 00000001h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17f3dc | 0x220 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x17f000 | 0x3dc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x1b000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0x1c000 | 0x163000 | 0x162a00 | 2e95b468fd72927733b79d82a3fbb98e | False | 0.9993838396633768 | data | 7.999818594479577 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x17f000 | 0x1000 | 0x600 | dd3a3fbfb1714752ea2771292be65115 | False | 0.4928385416666667 | data | 4.8603841620156665 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_RCDATA | 0xc174 | 0x3aa | empty | | | 0
RT_RCDATA | 0xc520 | 0x16baaa | empty | | | 0
RT_RCDATA | 0x177fcc | 0x2d | data | | | 1.2444444444444445
RT_RCDATA | 0x177ffc | 0x9 | data | | | 1.8888888888888888
RT_RCDATA | 0x178008 | 0x6 | data | | | 2.3333333333333335
RT_MANIFEST | 0x17f178 | 0x263 | XML 1.0 document, ASCII text | | | 0.5319148936170213
DLL | Import
KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
COMCTL32.dll | InitCommonControls
GDI32.dll | SetBkColor
MSVCRT.dll | memset
OLE32.dll | CoInitialize
SHELL32.dll | ShellExecuteExA
SHLWAPI.dll | PathQuoteSpacesA
USER32.dll | IsChild
      No network behavior found


      Target ID:0
      Start time:07:18:11
      Start date:20/11/2024
      Path:C:\Users\user\Desktop\ocs.exe
      Wow64 process (32bit):true
      Commandline:"C:\Users\user\Desktop\ocs.exe"
      Imagebase:0x400000
      File size:1'454'592 bytes
      MD5 hash:725DA9F8EC7B0B8316DAE970F35590EF
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low
      Has exited:true

      Target ID:2
      Start time:07:18:12
      Start date:20/11/2024
      Path:C:\Windows\SysWOW64\cmd.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\A3BE.tmp\start.bat" "
      Imagebase:0x790000
      File size:236'544 bytes
      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:3
      Start time:07:18:12
      Start date:20/11/2024
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff6d64d0000
      File size:862'208 bytes
      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:4
      Start time:07:18:12
      Start date:20/11/2024
      Path:C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe
      Wow64 process (32bit):true
      Commandline:runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"mitro,1916" /quiet
      Imagebase:0x400000
      File size:77'824 bytes
      MD5 hash:85848267B79C1BF176EEFF46EA4B3537
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Antivirus matches:
      • Detection: 0%, ReversingLabs
      Reputation:low
      Has exited:true

      Target ID:6
      Start time:07:18:15
      Start date:20/11/2024
      Path:C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe
      Wow64 process (32bit):true
      Commandline:runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"bk0906!!" /quiet
      Imagebase:0x400000
      File size:77'824 bytes
      MD5 hash:85848267B79C1BF176EEFF46EA4B3537
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low
      Has exited:true

      Target ID:7
      Start time:07:18:15
      Start date:20/11/2024
      Path:C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe
      Wow64 process (32bit):true
      Commandline:runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"Abello" /quiet
      Imagebase:0x400000
      File size:77'824 bytes
      MD5 hash:85848267B79C1BF176EEFF46EA4B3537
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low
      Has exited:true

      Target ID:8
      Start time:07:18:15
      Start date:20/11/2024
      Path:C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe
      Wow64 process (32bit):true
      Commandline:runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"tSyDqvEwA6UL" /quiet
      Imagebase:0x400000
      File size:77'824 bytes
      MD5 hash:85848267B79C1BF176EEFF46EA4B3537
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low
      Has exited:true

      Target ID:9
      Start time:07:18:15
      Start date:20/11/2024
      Path:C:\Users\user\AppData\Local\Temp\A3BE.tmp\runasspc.exe
      Wow64 process (32bit):true
      Commandline:runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"&9brASEt-eYe" /quiet
      Imagebase:0x400000
      File size:77'824 bytes
      MD5 hash:85848267B79C1BF176EEFF46EA4B3537
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low
      Has exited:true


        Execution Graph

        Execution Coverage:5.3%
        Dynamic/Decrypted Code Coverage:0%
        Signature Coverage:5.1%
        Total number of Nodes:782
        Total number of Limit Nodes:5
40242d 9511->9512 9514 4074f0 2 API calls 9512->9514 9515 40249d 9513->9515 9517 402437 9514->9517 9518 407550 HeapFree 9515->9518 9520 4074f0 2 API calls 9517->9520 9521 4024a6 9518->9521 9519->9501 9523 402440 9520->9523 9524 407550 HeapFree 9521->9524 9522 405fd0 5 API calls 9522->9540 9525 4074f0 2 API calls 9523->9525 9526 4024af 9524->9526 9528 40244a 9525->9528 9529 407550 HeapFree 9526->9529 9530 4074f0 2 API calls 9528->9530 9531 4024b8 9529->9531 9533 402455 9530->9533 9531->9293 9532 4074f0 2 API calls 9532->9540 9534 4036a2 16 API calls 9533->9534 9536 402470 9534->9536 9535 4030f0 2 API calls 9535->9540 9536->9508 9539 40203d 7 API calls 9536->9539 9537->9501 9539->9508 9540->9501 9540->9522 9540->9532 9540->9535 9791 4062d0 9540->9791 9798 403fa3 9540->9798 9802 406960 9540->9802 9542 40203d 7 API calls 9541->9542 9542->9508 9544 402780 9543->9544 9544->9544 9545 403100 2 API calls 9544->9545 9546 402799 9545->9546 9547 403100 2 API calls 9546->9547 9548 4027a6 9547->9548 9549 403100 2 API calls 9548->9549 9550 4027b3 ShellExecuteEx 9549->9550 9551 4027fa Sleep GetExitCodeProcess 9550->9551 9552 402819 9551->9552 9552->9551 9553 402825 9552->9553 9554 407550 HeapFree 9553->9554 9555 40283a 9554->9555 9556 407550 HeapFree 9555->9556 9557 402843 9556->9557 9558 407550 HeapFree 9557->9558 9559 401b39 9558->9559 9560 40203d 9559->9560 9561 401b44 9560->9561 9562 40204a 9560->9562 9567 405ea0 9561->9567 9562->9561 9563 406960 5 API calls 9562->9563 9565 402083 9563->9565 9564 402098 DeleteFileA 9564->9561 9565->9564 9566 405ea0 DeleteFileA 9565->9566 9566->9564 9568 405ea7 DeleteFileA 9567->9568 9569 401b4f 9567->9569 9568->9569 9570 403a79 9569->9570 9571 407750 RtlReAllocateHeap 9570->9571 9572 403a8b GetModuleFileNameA strcmp 9571->9572 9573 403aae memmove 9572->9573 9574 403ac2 9572->9574 9573->9574 9574->9335 9578 405e25 9575->9578 9576 407750 RtlReAllocateHeap 9577 405e62 9576->9577 9579 401b7c 9577->9579 9580 405e76 strncpy 9577->9580 9578->9576 
9581 405e90 9579->9581 9580->9579 9582 405e97 SetCurrentDirectoryA 9581->9582 9583 401b90 _rmdir 9581->9583 9582->9583 9583->9183 9830 407650 9584->9830 9586 40113a 9586->9129 9837 4038b5 9587->9837 9592 4038b5 12 API calls 9593 4036cb 9592->9593 9593->9193 9595 403a2b 9594->9595 9596 403957 GetCommandLineA 9595->9596 9597 403a40 9596->9597 9598 407750 RtlReAllocateHeap 9597->9598 9599 403a4e strncpy 9598->9599 9599->9202 9855 404b03 9600->9855 9602 40153f 9603 4042bd 9602->9603 9879 4041cf 9603->9879 9606 4043ae 9607 4043bf 9606->9607 9608 404422 CreateWindowExA 9607->9608 9609 4043cf memset 9607->9609 9611 404472 9608->9611 9612 40158b 9608->9612 9609->9608 9613 40662c 2 API calls 9611->9613 9616 4045b3 9612->9616 9614 404480 SetWindowLongA 9613->9614 9615 4047bb 4 API calls 9614->9615 9615->9612 9893 4044f0 9616->9893 9619 404e09 9621 404e23 9619->9621 9620 4015c2 9627 4045d3 9620->9627 9621->9620 9622 404eb2 RtlReAllocateHeap 9621->9622 9623 404e8f RtlAllocateHeap 9621->9623 9624 404ea1 9621->9624 9622->9624 9623->9624 9625 404f06 DestroyAcceleratorTable 9624->9625 9626 404f0d CreateAcceleratorTableA 9624->9626 9625->9626 9626->9620 9629 4045da 9627->9629 9628 4045f3 SetFocus 9630 4045f9 9628->9630 9629->9628 9629->9630 9630->9253 9903 404f24 9631->9903 9635 40460c 9634->9635 9636 40461c 9635->9636 9637 404625 GetWindowTextLengthA 9635->9637 9636->9264 9638 407750 RtlReAllocateHeap 9637->9638 9639 40463b GetWindowTextA strlen 9638->9639 9639->9636 9641 40686d 9640->9641 9929 4073b0 9641->9929 9643 406890 9644 407750 RtlReAllocateHeap 9643->9644 9645 4016ad 9644->9645 9645->9301 9647 401d5f 9646->9647 9647->9647 9648 403100 2 API calls 9647->9648 9649 401d78 9648->9649 9932 403110 9649->9932 9652 4030a0 RtlAllocateHeap 9653 401d9f 9652->9653 9654 403110 HeapFree 9653->9654 9655 401db7 9654->9655 9656 4030a0 RtlAllocateHeap 9655->9656 9657 401dc6 9656->9657 9658 403110 HeapFree 9657->9658 9659 401dde 9658->9659 9660 4030a0 RtlAllocateHeap 9659->9660 9661 401ded 
9660->9661 9935 4024c0 9661->9935 9664 4024c0 5 API calls 9665 401e11 9664->9665 9666 4024c0 5 API calls 9665->9666 9676 401e25 9666->9676 9667 401fa9 9668 407550 HeapFree 9667->9668 9669 402017 9668->9669 9670 403110 HeapFree 9669->9670 9671 402021 9670->9671 9672 403110 HeapFree 9671->9672 9674 40202a 9672->9674 9673 403dc0 RtlAllocateHeap 9673->9676 9675 403110 HeapFree 9674->9675 9678 402033 9675->9678 9676->9667 9676->9673 9677 401f72 _rmdir 9676->9677 9953 403ec0 9676->9953 9679 4036a2 16 API calls 9677->9679 9678->9218 9679->9676 9682 407750 RtlReAllocateHeap 9681->9682 9683 405de7 GetCurrentDirectoryA 9682->9683 9684 405df7 9683->9684 9684->9266 9686 40370d CoInitialize 9685->9686 9687 40371e memset LoadLibraryA 9685->9687 9686->9687 9688 403834 9687->9688 9689 403748 strncpy strlen 9687->9689 9691 407750 RtlReAllocateHeap 9688->9691 9692 40378d GetProcAddress 9689->9692 9693 40377f 9689->9693 9697 40383d 9691->9697 9694 40390d 3 API calls 9692->9694 9693->9692 9695 4037ac 9694->9695 9696 4038b5 12 API calls 9695->9696 9698 4037cd 9696->9698 9697->9276 9699 4038b5 12 API calls 9698->9699 9700 4037de 9699->9700 9701 4037e3 GetProcAddress 9700->9701 9702 403826 FreeLibrary 9700->9702 9703 407750 RtlReAllocateHeap 9701->9703 9702->9688 9702->9697 9704 4037f8 CoTaskMemFree strlen 9703->9704 9704->9702 9706 40381e 9704->9706 9706->9702 9960 406060 9707->9960 9709 4018c7 9709->9326 9709->9329 9710->9366 9711->9369 9713 404ad4 LoadIconA LoadCursorA 9712->9713 9713->9372 9714->9377 9716 401087 9715->9716 9716->9389 9718 403188 9717->9718 9720 403139 9717->9720 9718->9391 9719 40316e HeapFree 9719->9720 9720->9718 9720->9719 9722 4077a2 9721->9722 9723 40776f RtlReAllocateHeap 9721->9723 9722->9402 9723->9722 9725 4075b3 RtlReAllocateHeap 9724->9725 9726 407597 RtlAllocateHeap 9724->9726 9727 4075d4 9725->9727 9726->9727 9727->9405 9732 40642d 9728->9732 9730 403969 GetCommandLineA 9731 401307 GetModuleHandleA 9730->9731 9731->9185 9731->9202 9732->9730 9739 407600 
9733->9739 9735 4020d9 FindResourceA 9735->9425 9735->9426 9737 40755b HeapFree 9736->9737 9738 4013b1 9736->9738 9737->9738 9738->9189 9738->9190 9740 407647 9739->9740 9741 40760a strlen RtlAllocateHeap 9739->9741 9740->9735 9741->9740 9743 407750 RtlReAllocateHeap 9742->9743 9744 405ec5 GetTempPathA LoadLibraryA 9743->9744 9745 405ee2 GetProcAddress 9744->9745 9748 405f00 9744->9748 9746 405ef2 GetLongPathNameA 9745->9746 9747 405ef9 FreeLibrary 9745->9747 9746->9747 9747->9748 9748->9433 9750 403e5d 9749->9750 9751 407750 RtlReAllocateHeap 9750->9751 9752 403e7a 9751->9752 9753 403e80 memcpy 9752->9753 9754 401c43 9752->9754 9753->9754 9754->9438 9755->9441 9757 405f22 strncpy strlen 9756->9757 9758 401c6d 9756->9758 9759 405f52 CreateDirectoryA 9757->9759 9758->9446 9759->9758 9762 406636 9761->9762 9763 40664d 9761->9763 9767 4067da RtlAllocateHeap 9762->9767 9765 406657 RtlReAllocateHeap 9763->9765 9766 406185 CreateFileA 9763->9766 9765->9766 9766->9469 9766->9470 9768 4067f0 9767->9768 9768->9766 9770 406365 9769->9770 9771 406345 SetFilePointer 9769->9771 9772 406370 9770->9772 9773 4063de 9770->9773 9771->9770 9775 4063a3 9772->9775 9777 406389 memcpy 9772->9777 9780 405f90 9773->9780 9775->9478 9777->9478 9778 40640b memcpy 9778->9478 9779 4063eb WriteFile 9779->9478 9781 405fa1 WriteFile 9780->9781 9782 405fc5 9780->9782 9781->9782 9782->9778 9782->9779 9784 40322e 9783->9784 9785 403292 9784->9785 9788 403287 strncpy 9784->9788 9786 407750 RtlReAllocateHeap 9785->9786 9787 403299 9786->9787 9789 4032aa 9787->9789 9790 40329f strncpy 9787->9790 9788->9785 9789->9499 9790->9789 9792 406324 9791->9792 9793 4062e0 9791->9793 9792->9540 9793->9792 9794 406312 WriteFile 9793->9794 9795 406304 9793->9795 9794->9792 9796 406330 5 API calls 9795->9796 9797 40630c 9796->9797 9797->9540 9817 4064a1 9798->9817 9801 403fcd 9801->9540 9803 406973 CreateFileA 9802->9803 9804 406b14 9802->9804 9803->9804 9805 40699c RtlAllocateHeap 9803->9805 9804->9540 9806 406b0c 
CloseHandle 9805->9806 9808 4069be 9805->9808 9806->9804 9807 4069c0 ReadFile 9807->9808 9808->9807 9808->9808 9809 406afb HeapFree 9808->9809 9809->9806 9822 403440 9810->9822 9812 4023dd 9813 4035f0 9812->9813 9814 4035fd 9813->9814 9815 407750 RtlReAllocateHeap 9814->9815 9816 403664 9815->9816 9816->9507 9818 406526 RtlAllocateHeap 9817->9818 9821 403fb2 memset 9817->9821 9820 406567 RtlAllocateHeap 9818->9820 9818->9821 9820->9821 9821->9801 9823 40344f 9822->9823 9824 407750 RtlReAllocateHeap 9823->9824 9826 403496 9824->9826 9825 40358c 9825->9812 9826->9825 9826->9826 9827 403500 RtlAllocateHeap 9826->9827 9829 403520 9826->9829 9827->9829 9828 403579 HeapFree 9828->9825 9829->9825 9829->9828 9831 407661 strlen 9830->9831 9832 4076ca 9830->9832 9833 407694 RtlReAllocateHeap 9831->9833 9834 407678 RtlAllocateHeap 9831->9834 9835 4076d2 HeapFree 9832->9835 9836 4076b5 9832->9836 9833->9836 9834->9836 9835->9836 9836->9586 9838 4038bc EnumWindows 9837->9838 9839 4038cd 9837->9839 9843 4036aa 9838->9843 9847 40384e GetWindowThreadProcessId GetCurrentThreadId 9838->9847 9840 4038da GetCurrentThreadId 9839->9840 9839->9843 9840->9839 9841 4038e9 EnableWindow 9840->9841 9842 40681d HeapFree 9841->9842 9842->9839 9844 40390d GetForegroundWindow 9843->9844 9845 4036bb MessageBoxA 9844->9845 9846 40391e GetWindowThreadProcessId GetCurrentProcessId 9844->9846 9845->9592 9846->9845 9848 4038ac 9847->9848 9849 40386c IsWindowVisible 9847->9849 9849->9848 9850 403877 IsWindowEnabled 9849->9850 9850->9848 9851 403882 GetForegroundWindow 9850->9851 9851->9848 9852 40388c EnableWindow 9851->9852 9853 4067da RtlAllocateHeap 9852->9853 9854 4038a1 GetCurrentThreadId 9853->9854 9854->9848 9856 40662c 2 API calls 9855->9856 9857 404b24 sprintf 9856->9857 9859 404b55 9857->9859 9860 404b5c memset RegisterClassA 9857->9860 9859->9860 9861 404bb6 AdjustWindowRect 9860->9861 9863 404c25 9861->9863 9864 404c73 9863->9864 9865 404c3c GetSystemMetrics 9863->9865 9868 404cc9 
CreateWindowExA 9864->9868 9871 404c89 GetWindowRect 9864->9871 9872 404c7f GetActiveWindow 9864->9872 9866 404c49 9865->9866 9867 404c4c GetSystemMetrics 9865->9867 9866->9867 9875 404c63 9867->9875 9869 404d01 SetPropA 9868->9869 9870 404dbc UnregisterClassA 9868->9870 9873 404d17 ShowWindow 9869->9873 9874 404d39 RtlAllocateHeap CreateAcceleratorTableA 9869->9874 9876 4066bb 2 API calls 9870->9876 9871->9875 9872->9868 9872->9871 9873->9874 9877 404daa 9874->9877 9875->9868 9876->9877 9877->9602 9880 4041e0 9879->9880 9881 4041f0 memset 9880->9881 9882 404243 CreateWindowExA 9880->9882 9881->9882 9884 404291 9882->9884 9885 401563 9882->9885 9886 40662c 2 API calls 9884->9886 9885->9606 9887 40429f 9886->9887 9889 4047bb 9887->9889 9890 4047cd 9889->9890 9891 4047dc SetWindowLongA SetWindowLongA SetPropA SendMessageA 9890->9891 9892 40482d 9891->9892 9892->9885 9894 404502 9893->9894 9895 404514 memset 9894->9895 9896 40454b CreateWindowExA 9894->9896 9895->9896 9898 4015ae 9896->9898 9899 40458f 9896->9899 9898->9619 9900 40662c 2 API calls 9899->9900 9901 40459d 9900->9901 9902 4047bb 4 API calls 9901->9902 9902->9898 9904 404f38 9903->9904 9905 404f69 9904->9905 9906 404f50 HeapFree 9904->9906 9907 404f5a HeapFree 9904->9907 9908 404fa3 9905->9908 9909 404f74 HeapFree 9905->9909 9906->9907 9907->9905 9910 404ff3 GetMessageA 9908->9910 9911 404fac PeekMessageA 9908->9911 9915 404f9b 9909->9915 9912 404ffd GetActiveWindow 9910->9912 9911->9912 9913 404fbe 9911->9913 9921 405d3c GetKeyState 9912->9921 9913->9915 9916 404fca MsgWaitForMultipleObjects 9913->9916 9915->9253 9916->9915 9918 404fe2 PeekMessageA 9916->9918 9917 40500b 9919 40501f TranslateMessage DispatchMessageA 9917->9919 9920 40500f TranslateAccelerator 9917->9920 9918->9912 9918->9915 9919->9915 9920->9915 9920->9919 9922 405d50 GetKeyState 9921->9922 9923 405daa GetPropA 9921->9923 9922->9923 9924 405d58 GetKeyState 9922->9924 9925 405dbc 9923->9925 9924->9923 9926 405d60 GetKeyState 9924->9926 
9925->9917 9926->9923 9927 405d68 GetFocus GetClassNameA strncmp 9926->9927 9927->9923 9928 405d94 GetFocus SendMessageA 9927->9928 9928->9923 9928->9925 9930 4073c0 9929->9930 9931 407455 memset 9930->9931 9931->9643 9933 403115 HeapFree 9932->9933 9934 401d90 9932->9934 9933->9934 9934->9652 9936 4024c8 9935->9936 9936->9936 9937 403100 2 API calls 9936->9937 9938 4024e1 9937->9938 9939 403110 HeapFree 9938->9939 9940 4024f9 9939->9940 9941 4030a0 RtlAllocateHeap 9940->9941 9942 402508 9941->9942 9943 403110 HeapFree 9942->9943 9944 402520 9943->9944 9945 4030a0 RtlAllocateHeap 9944->9945 9946 40252f 9945->9946 9947 407550 HeapFree 9946->9947 9948 40275c 9947->9948 9949 403110 HeapFree 9948->9949 9950 402766 9949->9950 9951 403110 HeapFree 9950->9951 9952 401dfd 9951->9952 9952->9664 9954 403ec8 9953->9954 9955 403eeb 9953->9955 9956 403ed1 RtlReAllocateHeap 9954->9956 9957 403ee3 9954->9957 9955->9676 9956->9676 9958 403dc0 RtlAllocateHeap 9957->9958 9959 403ee8 9958->9959 9959->9676 9961 40662c 2 API calls 9960->9961 9962 406077 9961->9962 9963 40609a 9962->9963 9964 40607e CreateFileA 9962->9964 9966 4060bc 9963->9966 9967 40609f CreateFileA 9963->9967 9965 4060f9 9964->9965 9969 406149 9965->9969 9971 406106 RtlAllocateHeap 9965->9971 9966->9965 9968 4060c1 CreateFileA 9966->9968 9967->9965 9968->9965 9970 4060e3 CreateFileA 9968->9970 9972 40615c 9969->9972 9974 4066bb 2 API calls 9969->9974 9970->9965 9973 40613b 9971->9973 9972->9709 9973->9709 9974->9972

        Control-flow Graph

        APIs
          • Part of subcall function 00407750: RtlReAllocateHeap.NTDLL(02300000,00000001,02300700,000040FF), ref: 00407797
        • GetTempPathA.KERNEL32(00000104,00000000,00000104,004013CA,?,?,?,00000000,00401C13,00000000,00000000,00000400,00000000,00000000,00000000,00000000), ref: 00405EC9
        • LoadLibraryA.KERNEL32(Kernel32.DLL,?,?,?,00000000,00401C13,00000000,00000000,00000400,00000000,00000000,00000000,00000000,004013CA,OPS,00000000), ref: 00405ED6
        • GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00405EE8
        • GetLongPathNameA.KERNELBASE(00000000,00000000,00000104,?,?,?,00000000,00401C13,00000000,00000000,00000400,00000000,00000000,00000000,00000000,004013CA), ref: 00405EF5
        • FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00401C13,00000000,00000000,00000400,00000000,00000000,00000000,00000000,004013CA,OPS,00000000), ref: 00405EFA
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: LibraryPath$AddressAllocateFreeHeapLoadLongNameProcTemp
        • String ID: GetLongPathNameA$Kernel32.DLL
        • API String ID: 752937943-822094646
        • Opcode ID: 2ee994cbced775828cbb784a7e8bc6389ef974a6875798f7d5984685419f755b
        • Instruction ID: 2fdf95b4f3bb88d5f25b72bcecc505d16b40b69b5bc7ba3a5d03bddc1f48918c
        • Opcode Fuzzy Hash: 2ee994cbced775828cbb784a7e8bc6389ef974a6875798f7d5984685419f755b
        • Instruction Fuzzy Hash: A5F0BE322012146BC32127B5AD4CF6B3A6CDB82791B04003AFA04B3282CABD9C1182BE

        Control-flow Graph

        APIs
        • CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000), ref: 00406987
        • RtlAllocateHeap.NTDLL(02330000,00000000,00001000), ref: 004069AA
        • ReadFile.KERNELBASE(00000000,00000000,00001000,?,00000000,?,?,00000000,00000000), ref: 004069CE
        • HeapFree.KERNEL32(02330000,00000000,00000000,?,?,00000000,00000000), ref: 00406B05
        • CloseHandle.KERNELBASE(00000000,?,00000000,00000000), ref: 00406B0D
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: FileHeap$AllocateCloseCreateFreeHandleRead
        • String ID:
        • API String ID: 873069550-0
        • Opcode ID: 3652f549abcd2857d86857aab28a77ee2e5e896dfda86d6c962bdceb55ecb8e0
        • Instruction ID: ff62adfd02c82ff6d2fb6992739edd60424dd107fe33d02030225fc65b1a4817
        • Opcode Fuzzy Hash: 3652f549abcd2857d86857aab28a77ee2e5e896dfda86d6c962bdceb55ecb8e0
        • Instruction Fuzzy Hash: D9417A326403910BD3149F74EDDAB773760EB46301F09823AEB82A62D2D67D9514DB18

        Control-flow Graph

        APIs
        • memset.MSVCRT ref: 0040100F
        • GetModuleHandleA.KERNEL32(00000000), ref: 0040101C
        • HeapCreate.KERNEL32(00000000,00001000,00000000,00000000), ref: 00401035
          • Part of subcall function 00407470: HeapCreate.KERNELBASE(00000001,00001000,00000000), ref: 0040747C
          • Part of subcall function 00407470: RtlAllocateHeap.NTDLL(02300000,00000001,00004104), ref: 004074AA
          • Part of subcall function 00406807: HeapCreate.KERNEL32(00000000,00000400,00000000,0040104E,00000000,00001000,00000000,00000000), ref: 00406810
          • Part of subcall function 00404AB3: LoadIconA.USER32(00000001,00000058), ref: 00404AE1
          • Part of subcall function 00404AB3: LoadCursorA.USER32(00000000,00007F00), ref: 00404AF3
          • Part of subcall function 004040E0: RtlInitializeCriticalSection.NTDLL(0040B454), ref: 004040EA
          • Part of subcall function 004040E0: GetStockObject.GDI32(00000011), ref: 004040F2
          • Part of subcall function 004040E0: memset.MSVCRT ref: 0040412E
          • Part of subcall function 00403D90: HeapCreate.KERNELBASE(00000000,00001000,00000000,00401062,00000000,00001000,00000000,00000000), ref: 00403D99
          • Part of subcall function 0040393B: RtlInitializeCriticalSection.NTDLL(0040B400), ref: 00403950
          • Part of subcall function 00403694: 6F781CD0.COMCTL32(0040106C,00000000,00001000,00000000,00000000), ref: 00403694
          • Part of subcall function 00403694: CoInitialize.OLE32(00000000), ref: 0040369B
          • Part of subcall function 00403EF0: RtlAllocateHeap.NTDLL(00000000,0000002C), ref: 00403EFD
          • Part of subcall function 00403060: HeapFree.KERNEL32(00000000,023312C8,00000000,004010A6,0040A37C,0040B1F4,00000007,00000008,00000000,0040A384,00000007,00000000,00001000,00000000,00000000), ref: 00403091
          • Part of subcall function 004030A0: RtlAllocateHeap.NTDLL(00000008,-00000018,00000401), ref: 004030B5
          • Part of subcall function 00403DC0: RtlAllocateHeap.NTDLL(02510000,00000008,00000000), ref: 00403DD1
        • GetUserDefaultLangID.KERNEL32(00000008,00000400,00000008,0040A37C,0040B1F4,00000007,00000008,00000000,0040A384,00000007,00000000,00001000,00000000,00000000), ref: 004010CF
        • VerLanguageNameA.KERNEL32(00000000,00000008,00000400,00000008,0040A37C,0040B1F4,00000007,00000008,00000000,0040A384,00000007,00000000,00001000,00000000,00000000), ref: 004010D5
        • CharLowerA.USER32(00000000,00000008,00000400,00000008,0040A37C,0040B1F4,00000007,00000008,00000000,0040A384,00000007,00000000,00001000,00000000,00000000), ref: 004010E0
          • Part of subcall function 00403E30: HeapFree.KERNEL32(02510000,00000000,00000000,00401113,00000000,00000000), ref: 00403E3E
        • GetModuleHandleA.KERNEL32(00000000,00000000,00000000), ref: 00401311
          • Part of subcall function 00403A18: strncpy.MSVCRT ref: 00403A53
          • Part of subcall function 004074F0: strlen.MSVCRT ref: 00407503
          • Part of subcall function 004036A2: MessageBoxA.USER32(00000000,00000010,00000000,?), ref: 004036BC
        • ExitProcess.KERNEL32(00000001,00000010,OPS,00000000,00000000,00000000), ref: 00401BBB
        • HeapDestroy.KERNEL32(00000001,00000010,OPS,00000000,00000000,00000000), ref: 00401BC6
        • ExitProcess.KERNEL32(00000001,00000010,OPS,00000000,00000000,00000000), ref: 00401BCB
        Strings
        • Error!, xrefs: 0040120F
        • An unknown error occured. The program will be terminated., xrefs: 0040127F
        • deutsch, xrefs: 00401119
        • Please enter the password., xrefs: 004012BF
        • Fortfahren?, xrefs: 0040112A
        • Einige Include Dateien konnten nicht erstellt werden., xrefs: 0040114A
        • Password, xrefs: 004012AF
        • already exists in the current directory. Overwrite?, xrefs: 0040126F
        • Bitte whlen Sie einen Ordner zum Speichern der Dateien aus., xrefs: 004011CA
        • Can not create some of your include files., xrefs: 0040121F
        • 2, xrefs: 004012D6
        • Can not allocate the memory., xrefs: 0040122F
        • Ein unbekannter Fehler ist aufgetreten. Das Programm wird beendet., xrefs: 004011AA
        • The file , xrefs: 0040125F
        • Bitte geben Sie das Passwort ein., xrefs: 004011EA
        • "*, xrefs: 00401383
        • This program is not supported on this operating system., xrefs: 0040128F
        • Die Datei , xrefs: 0040118A
        • Overwrite?, xrefs: 0040124F
        • Choose a location to save the files., xrefs: 0040129F
        • Fehler!, xrefs: 0040113A
        • Passwort, xrefs: 004011DA
        • Wrong password., xrefs: 0040123F
        • Falsches Passwort., xrefs: 0040116A
        • \BDFINOPS, xrefs: 00401A4D
        • Continue?, xrefs: 004011FF
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: Heap$AllocateCreate$Initialize$CriticalExitFreeHandleLoadModuleProcessSectionmemset$CharCursorDefaultDestroyF781IconLangLanguageLowerMessageNameObjectStockUserstrlenstrncpy
        • String ID: "*$ already exists in the current directory. Overwrite?$2$An unknown error occured. The program will be terminated.$Bitte geben Sie das Passwort ein.$Bitte whlen Sie einen Ordner zum Speichern der Dateien aus.$Can not allocate the memory.$Can not create some of your include files.$Choose a location to save the files.$Continue?$Die Datei $Ein unbekannter Fehler ist aufgetreten. Das Programm wird beendet.$Einige Include Dateien konnten nicht erstellt werden.$Error!$Falsches Passwort.$Fehler!$Fortfahren?$Overwrite?$Password$Passwort$Please enter the password.$The file $This program is not supported on this operating system.$Wrong password.$\BDFINOPS$deutsch
        • API String ID: 52241757-4079455548
        • Opcode ID: f54154b58939660886aa1753846721257ab89259d8018ab4a3b5c12191934324
        • Instruction ID: 3783c48d9a695ad555a110271d4ece50a90aebaed67b6da37d86febcd6e90675
        • Instruction Fuzzy Hash: CE423C71250201EBD700BF62EE62E693B65EB48749F50403BF9007E2F2CB7D5951AB9E

        Control-flow Graph

        APIs
        • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,023305B8,?,?,?,023312E0,?,00406244,00000001,00000000), ref: 00406090
        • CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000004,00000080,00000000,023305B8,?,?,?,023312E0,?,00406244,00000001,00000000), ref: 004060B2
        • RtlAllocateHeap.NTDLL(02330000,00000000,00001000), ref: 00406116
        Similarity
        • API ID: CreateFile$AllocateHeap
        • String ID:
        • API String ID: 2813278966-0
        • Opcode ID: dacec175d2f13c65ab783333143c09b2bd774a12aeda7b94236f53bba455d297
        • Instruction ID: 01b71ff79a8bf0c406e829018b558c6d2fff1d90de16ee11da95a5ed4ef269dc
        • Instruction Fuzzy Hash: 2521E77278031176E6309B28AD06F57B3589744B71F22873AFB62BB2C1C6B5AC60479D

        Control-flow Graph

        APIs
        • ShellExecuteEx.SHELL32(?), ref: 004027F1
        • Sleep.KERNEL32(00000019), ref: 004027FF
        • GetExitCodeProcess.KERNEL32(?,?), ref: 00402810
        Strings
        Similarity
        • API ID: CodeExecuteExitProcessShellSleep
        • String ID: open
        • API String ID: 3887608683-2758837156
        • Opcode ID: df14b4278b00ed0d26c83213d7738cdcd665813f5d206012612cba75c38f70a4
        • Instruction ID: 008d11a2a8203ddc74c484c16875f5973d42d86a5d435cc8cf274525409f5c07
        • Instruction Fuzzy Hash: 0F213A71508309AFD700EF15C841A9FBBE4EF44308F10893EF49866290D779EA15DB86

        Control-flow Graph

        APIs
        • SetFilePointer.KERNELBASE(?,?,00000000,00000001,?,?,?,00406298,00000000,?,?,?,023305B8,00000000), ref: 00406352
        • memcpy.MSVCRT(?,?,00000000,?,?,?,00406298,00000000,?,?,?,023305B8,00000000,?,?,00401A92), ref: 00406390
        Similarity
        • API ID: FilePointermemcpy
        • String ID:
        • API String ID: 1104741977-0
        • Opcode ID: b49d06cf3595ba276dc545326d44b73e09d5a742b1af48970d0989ac99cef6b7
        • Instruction ID: 6313678625fda58dd2c5a9f412bfcc8c508d375f5e4440298ee736b1d6e11be6
        • Instruction Fuzzy Hash: 95316C763006009FC224DF2AD448E5BF7E9EFD4321F14C82EE69697B90C634E854CBA6

        Control-flow Graph

        APIs
        • _rmdir.MSVCRT ref: 004015E2
        • _rmdir.MSVCRT ref: 00401702
        • ExitProcess.KERNEL32(00000001,00000010,OPS,00000000,00000000,00000000), ref: 00401BBB
        • HeapDestroy.KERNEL32(00000001,00000010,OPS,00000000,00000000,00000000), ref: 00401BC6
        • ExitProcess.KERNEL32(00000001,00000010,OPS,00000000,00000000,00000000), ref: 00401BCB
        Similarity
        • API ID: ExitProcess_rmdir$DestroyHeap
        • String ID:
        • API String ID: 2349447675-0
        • Opcode ID: ae173b18bee318a8e6ee3c6bd9685daada826712dcb14547edc22c3fc5a19cf2
        • Instruction ID: 60e15e31e36ec4f341ea57578d9192aa5bb5f3c1abe7231800a78ac4dbabb27b
        • Instruction Fuzzy Hash: 98E0E57106460099D9407BB2A993A1D29689F8835EF10047FF582781E39A3D5651657F

        Control-flow Graph

        APIs
        • FreeLibrary.KERNEL32 ref: 00401BB1
        • ExitProcess.KERNEL32(00000001,00000010,OPS,00000000,00000000,00000000), ref: 00401BBB
        • HeapDestroy.KERNEL32(00000001,00000010,OPS,00000000,00000000,00000000), ref: 00401BC6
        • ExitProcess.KERNEL32(00000001,00000010,OPS,00000000,00000000,00000000), ref: 00401BCB
        Similarity
        • API ID: ExitProcess$DestroyFreeHeapLibrary
        • String ID:
        • API String ID: 2053948195-0
        • Opcode ID: 11df7a65c876ebf354b943cab2a5a00fea6b763c2f44af75c1fb0680a71a7411
        • Instruction ID: a76ebcc7f67d18b801f3b767a6748b9316446318bb46ef4dd2753a3a033da90a
        • Instruction Fuzzy Hash: 7AD095700A062080EA80BBF36813A4C2C1C8F88B8EF4580BFB141380E39E3C921416BF

        Control-flow Graph

        APIs
        • CreateFileA.KERNELBASE(00000000,C0000000,00000001,00000000,00000002,00000080,00000000,023305B8,00000000,?,?,?,00000000,00401A7E,00000001,00000000), ref: 004061A4
        • CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000005,00000000,00000000,?,?,?,00000000,00401A7E,00000001,00000000,00000000,0040A0C7), ref: 004061BD
        • RtlAllocateHeap.NTDLL(02330000,00000000,00001000), ref: 004061DA
        Similarity
        • API ID: CreateFile$AllocateHeap
        • String ID:
        • API String ID: 2813278966-0
        • Opcode ID: 99a9d3515a7f5ea1aac53cc33fb41400ef055c128be24c43cb4af01eba4f15bd
        • Instruction ID: 000130b85e76915fa5d363925ece99765dbccc5cf3196bdbfab5f4711e28a0ca
        • Instruction Fuzzy Hash: F211B67234030066D230AB69AD49F57B798D790B71F21872AF3A1BB2D1C7B6A8548768

        Control-flow Graph

        APIs
        Similarity
        • API ID: CreateDirectorystrlenstrncpy
        • String ID:
        • API String ID: 2535372781-0
        • Opcode ID: 5f9ec9ca626cb59e2bb931f94f6eb124402c094757fdd0720826d6c6c0dd85c4
        • Instruction ID: 106eb3b8964d5d9676c23aae3fc3b966741f8cbe397171ba60076510be6c1ab0
        • Instruction Fuzzy Hash: 0701F9319086099EDB21DA24CC89BEB77799B10344F5400B6E5C4E21D1DBBC9BC8CF1A

        Control-flow Graph

        APIs
          • Part of subcall function 00403DC0: RtlAllocateHeap.NTDLL(02510000,00000008,00000000), ref: 00403DD1
          • Part of subcall function 00405EB2: GetTempPathA.KERNEL32(00000104,00000000,00000104,004013CA,?,?,?,00000000,00401C13,00000000,00000000,00000400,00000000,00000000,00000000,00000000), ref: 00405EC9
          • Part of subcall function 00405EB2: LoadLibraryA.KERNEL32(Kernel32.DLL,?,?,?,00000000,00401C13,00000000,00000000,00000400,00000000,00000000,00000000,00000000,004013CA,OPS,00000000), ref: 00405ED6
          • Part of subcall function 00405EB2: GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00405EE8
          • Part of subcall function 00405EB2: GetLongPathNameA.KERNELBASE(00000000,00000000,00000104,?,?,?,00000000,00401C13,00000000,00000000,00000400,00000000,00000000,00000000,00000000,004013CA), ref: 00405EF5
          • Part of subcall function 00405EB2: FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00401C13,00000000,00000000,00000400,00000000,00000000,00000000,00000000,004013CA,OPS,00000000), ref: 00405EFA
        • GetTempFileNameA.KERNEL32(?,0040A00D,00000000,?,00000000,00000400,00000000,00000000,00000000,00000000,004013CA,OPS,00000000,00000000,00000000), ref: 00401C2E
          • Part of subcall function 00403E50: memcpy.MSVCRT(00000000,00000000,00000000,00000000,004013CA,?,?,00000000,00401C43,00000000,00000000,00000000,?,0040A00D,00000000), ref: 00403E83
          • Part of subcall function 00403E30: HeapFree.KERNEL32(02510000,00000000,00000000,00401113,00000000,00000000), ref: 00403E3E
          • Part of subcall function 00405F13: strncpy.MSVCRT ref: 00405F31
          • Part of subcall function 00405F13: strlen.MSVCRT ref: 00405F41
          • Part of subcall function 00405F13: CreateDirectoryA.KERNELBASE(?,00000000), ref: 00405F7E
          • Part of subcall function 00405DD5: GetCurrentDirectoryA.KERNEL32(00000104,00000000,00000104,?,?,?,00000000,00401C79,00000000,00000000,00000000,00000000,?,0040A00D,00000000), ref: 00405DEB
          • Part of subcall function 004074F0: strlen.MSVCRT ref: 00407503
        Strings
        Similarity
        • API ID: DirectoryFreeHeapLibraryNamePathTempstrlen$AddressAllocateCreateCurrentFileLoadLongProcmemcpystrncpy
        • String ID: "*
        • API String ID: 4243183096-3137671172
        • Opcode ID: 258b0bdd16078e4e43f2e8e261a203eec998e560d85382cff294dbf00959b2b4
        • Instruction ID: 51c46ce23f5c993c5dfa76041344c512df945007a9040ee44b4dad7dc5fa6996
        • Instruction Fuzzy Hash: 9A3110701143019FC700EF75ED92A5B7B69EB44315F50483EB440B61B2CB39AD419B9D

        Control-flow Graph

        APIs
        • HeapCreate.KERNELBASE(00000001,00001000,00000000), ref: 0040747C
        • RtlAllocateHeap.NTDLL(02300000,00000001,00004104), ref: 004074AA
        Similarity
        • API ID: Heap$AllocateCreate
        • String ID:
        • API String ID: 2875408731-0
        • Opcode ID: d8f8987bb97edb255ba3889bf5c0dc041ec10e30f73c29571913b02a327f35f2
        • Instruction ID: 19be193239eadfd6624696bddd9959c39b43b36c58367bdf702e2eb6773df9a6
        • Instruction Fuzzy Hash: 2AE0B6B018030AAFE3008F52EE45B553BA8E304704F108425FE44AB2E2C7B66454AFAD

        Control-flow Graph

        APIs
        • 6F781CD0.COMCTL32(0040106C,00000000,00001000,00000000,00000000), ref: 00403694
        • CoInitialize.OLE32(00000000), ref: 0040369B
        Similarity
        • API ID: F781Initialize
        • String ID:
        • API String ID: 2647752693-0
        • Opcode ID: 49e222b2d56f548959c65dd71d5b368c1574338499d51fc90ab1b458b9a7ed0b
        • Instruction ID: 29068fd5cd95f449554aa114ea224efd59727ecef1bc25bc8998cc2648164d1b
        • Instruction Fuzzy Hash: DAA0027194924056DD4477619A0B7093650578178AF0084E9B506752D64E78182185BB

        Control-flow Graph

        APIs
        • RtlReAllocateHeap.NTDLL(02300000,00000001,02300700,000040FF), ref: 00407797
        Similarity
        • API ID: AllocateHeap
        • String ID:
        • API String ID: 1279760036-0
        • Opcode ID: b741e1a18e1ec6a1c8cc36c4e8ff102d5075275f906b6a1070ac9639d2900657
        • Instruction ID: c9249488049c71a3dc6bfb1d13f9ea7f9653b61409185b4aebe1202f111d2c66
        • Instruction Fuzzy Hash: 6F01F275900208EFC708CF59EA81A597BF4EB88304B10C039ED49A7352D334AA64DFAE

        Control-flow Graph

        APIs
        • RtlAllocateHeap.NTDLL(00000008,-00000018,00000401), ref: 004030B5
        Similarity
        • API ID: AllocateHeap
        • String ID:
        • API String ID: 1279760036-0
        • Opcode ID: fde173810f0f770b3ee8f92bf0d91459233e569a11f5aae0c4369e4be50e7f1b
        • Instruction ID: 45182e430f07211e2c2e7b9e92e733268b633b3e5bb8cd087db9ad99d1a89cb5
        • Instruction Fuzzy Hash: 5BF0BCB1604701AFC308CF05C940A0AFBE6EFC9311F25C96AE4889B36AE775D842CB91
        APIs
        • WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,?,004063E4,00000000,?,?,?,00406298,00000000,?,?), ref: 00405FB5
        Similarity
        • API ID: FileWrite
        • String ID:
        • API String ID: 3934441357-0
        • Opcode ID: e39570a374a9e73ecbca4878267657e2ccddeabf15ea9a18561b4119754d7263
        • Instruction ID: eebe7d1dfbf70ebc15f045d01e808d655b32d5a11f46bacfc96fedd4abe8ca9e
        • Instruction Fuzzy Hash: 90E0AEB6514701AFC324DF68C948C67B7F8EB88620B00C92EA49A93A00E630F840CF61
        APIs
        • HeapCreate.KERNELBASE(00000000,00001000,00000000,00401062,00000000,00001000,00000000,00000000), ref: 00403D99
        Similarity
        • API ID: CreateHeap
        • String ID:
        • API String ID: 10892065-0
        • Opcode ID: 5ebacb2a8a1c22710d2d4a0e59dd9adb87e4cd845f16d6a5353a8221d79a7afd
        • Instruction ID: e6ed55b92d251dbf60f0c4db2285402f79bbd6f4894813bfaa03374b9dc15d69
        • Instruction Fuzzy Hash: 7CB012B428130056E3200B105D06B003530D304B43F144021B644781E5C7F010104E0F
        APIs
        Strings
        Similarity
        • API ID: State$Focus$ClassMessageNamePropSendstrncmp
        • String ID: PB_WindowID$Rich
        • API String ID: 2735883691-1396934994
        • Opcode ID: 2786138d884ec91afe30685b1d2f9404e6739455fca6a10e8f2cf972b6164ca8
        • Instruction ID: 295880306d369912066631a8706d072366ea9287afa58a3d02d5e853e8738312
        • Instruction Fuzzy Hash: 1F0125715407286AED006B61DD0AF9B3F6CEF10744F048533B901F71D6D679A815DAAA
        APIs
        • GetWindowLongA.USER32(?,000000F4), ref: 0040471F
        • CallWindowProcA.USER32(?,?,?,?,?), ref: 00404748
        • RemovePropA.USER32(?,PB_ID), ref: 00404773
        • RemovePropA.USER32(?,PB_DropAccept), ref: 0040477B
        • RevokeDragDrop.OLE32(?), ref: 00404782
        • SetWindowLongA.USER32(?,000000F4,000000FF), ref: 0040478D
        • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 004047AF
        Strings
        Similarity
        • API ID: Window$LongPropRemove$CallDragDropNtdllProcProc_Revoke
        • String ID: PB_DropAccept$PB_ID
        • API String ID: 1182866496-3688647018
        • Opcode ID: e24715f7b2ca1719647f69d9aaab655f391fd5491f897dae3125c14ef974b860
        • Instruction ID: 26d55dd3bc0a13faf615adc1f81c0240ac0331d9be61dc94d2e7277a1ea7d7dc
        • Opcode Fuzzy Hash: e24715f7b2ca1719647f69d9aaab655f391fd5491f897dae3125c14ef974b860
        • Instruction Fuzzy Hash: 36118231000205BFCB016F65ED84D6B3BB9EB867747108235F925721E1C7399C219B6A
        APIs
        • sprintf.MSVCRT ref: 00407E31
        • GetPropA.USER32(?,?), ref: 00407E40
        • HeapFree.KERNEL32(00000000,?), ref: 00407E95
        • HeapFree.KERNEL32(00000000,00000000), ref: 00407E9F
        • RemovePropA.USER32(?,?), ref: 00407EA8
        • CallWindowProcA.USER32(?,?,00000082,?,?), ref: 00407EC3
        • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00407ED7
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: FreeHeapPropWindow$CallNtdllProcProc_Removesprintf
        • String ID: PB_GadgetStack_%i
        • API String ID: 1062891511-1190326050
        • Opcode ID: e84caf6ab20a979853fd8a155a0d10c59c3a74f03406633f4e3a48b8313abcd8
        • Instruction ID: 9495be4684c954f4985c5bbed51e6b929ec62d50171bbc7e14f773bf1326b445
        • Opcode Fuzzy Hash: e84caf6ab20a979853fd8a155a0d10c59c3a74f03406633f4e3a48b8313abcd8
        • Instruction Fuzzy Hash: F9213772901209FFCF019F90ED44CAA7B7AFB44345B10807AF905A6270D735AE61EB9A
        APIs
          • Part of subcall function 004056EF: GetPropA.USER32(?,PB_WindowID), ref: 00405736
          • Part of subcall function 004056EF: GetParent.USER32(?), ref: 00405746
        • GetPropA.USER32(?,PB_MDI_Gadget), ref: 00405B47
        • DefFrameProcA.USER32(?,00000000,?,?,?), ref: 00405B88
        • SetLastError.KERNEL32(00000000), ref: 00405B92
        • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00405BA8
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: Prop$ErrorFrameLastNtdllParentProcProc_Window
        • String ID: PB_MDI_Gadget
        • API String ID: 1329112550-983833826
        • Opcode ID: 269fd701e99a7b285811eae7f8217e619eb12575e1e2615cef081d2ae9d6db4b
        • Instruction ID: d2e232ab503cb8b3b068a5d0a19e0a488f47f1087f69ffadd7d86e8e816e6ed0
        • Opcode Fuzzy Hash: 269fd701e99a7b285811eae7f8217e619eb12575e1e2615cef081d2ae9d6db4b
        • Instruction Fuzzy Hash: EC114C3190161DAFDB209E159D84EBF3A3CEB44350F004037F905B22808778BC61DAAA
        APIs
        • SetUnhandledExceptionFilter.KERNEL32(0;@,00401302,00000000), ref: 00403BAC
        • SetUnhandledExceptionFilter.KERNEL32(00000000,00401302,00000000), ref: 00403BC0
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: ExceptionFilterUnhandled
        • String ID: 0;@$0;@
        • API String ID: 3192549508-1108649562
        • Opcode ID: 64c2b6b9c31235df9d05b2dba24abafc85a962d7f965a94dd5b50041edd19de7
        • Instruction ID: 03ed1251e5b82d0a9b1dd8357dd2ea466bfd254288420da3d75d37e4e8d64f8a
        • Opcode Fuzzy Hash: 64c2b6b9c31235df9d05b2dba24abafc85a962d7f965a94dd5b50041edd19de7
        • Instruction Fuzzy Hash: 2EF0A5B0545300DBC700DF94DA8C60A7BF8EBA875AF00887EA005A7361C778DA90DB9E
        APIs
        • FindResourceA.KERNEL32(004013B1,00000000,0000000A), ref: 004020E6
        • LoadResource.KERNEL32(?,00000000,00000000,00000000,004013B1,OPS,00000000,00000000), ref: 004020FE
        • SizeofResource.KERNEL32(?,00000000,?,00000000,00000000,00000000,004013B1,OPS,00000000,00000000), ref: 00402110
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: Resource$FindLoadSizeof
        • String ID:
        • API String ID: 507330600-0
        • Opcode ID: aa1a8b08b7dc22c46b1c861aeba25619853496701750f453b4bb729b9282f012
        • Instruction ID: ee1045747f34407a6d6bc23282b484ecb6b20e6a617ab4d886f8bfa51eb75997
        • Opcode Fuzzy Hash: aa1a8b08b7dc22c46b1c861aeba25619853496701750f453b4bb729b9282f012
        • Instruction Fuzzy Hash: 05F0B770508301EFC705AF20DE05A1EBAE5FB98B05F008C3EB5886A1A1D7359D24EB4A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID:
        • String ID: $M$N
        • API String ID: 0-813528018
        • Opcode ID: 296eed21de5bc5a5b87bd96189a2c08ec8076c82fe3154c41960cc97ffc7d6a5
        • Instruction ID: c1850dc7fb9948695e9b9607665a1da3ec38db9305dac3888d0e67d99c0468f0
        • Opcode Fuzzy Hash: 296eed21de5bc5a5b87bd96189a2c08ec8076c82fe3154c41960cc97ffc7d6a5
        • Instruction Fuzzy Hash: 1802C370A00218FFDB21DF54EC45AAE7BB5FB44315F50816AF610AA2A1C77D9A42CF58
        APIs
        • GetVersionExA.KERNEL32(?), ref: 00403CF8
        • GetVersionExA.KERNEL32(?), ref: 00403D2C
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: Version
        • String ID:
        • API String ID: 1889659487-0
        • Opcode ID: ba98cba157ab3b960229647d21839f567787df23c3c7d879bd2f0e37a5dce517
        • Instruction ID: 8f98cf7366f8b09a5e2b92140d047ce8a00d89b420ca6a4debb2036adb0e8e2a
        • Opcode Fuzzy Hash: ba98cba157ab3b960229647d21839f567787df23c3c7d879bd2f0e37a5dce517
        • Instruction Fuzzy Hash: 1E117231644A0A95EF309E689845FAF7EACAF10747F140037A201B53D4E67C8B46C66F
        APIs
        • SetUnhandledExceptionFilter.KERNEL32(00000000,00401BDA,00401BC0,00000001,00000010,OPS,00000000,00000000,00000000), ref: 00403CC6
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: ExceptionFilterUnhandled
        • String ID:
        • API String ID: 3192549508-0
        • Opcode ID: e0e7740ab41f41c427503136dfe7f7d29bd2fdb7ab83b42a702d68ec8da14e00
        • Instruction ID: cd7c64c5dc77f132242c3daac67179aa2c9d7864a58c2e899d60234b9b4753e9
        • Opcode Fuzzy Hash: e0e7740ab41f41c427503136dfe7f7d29bd2fdb7ab83b42a702d68ec8da14e00
        • Instruction Fuzzy Hash: 64B092740402008BCB008B90EE8C74836A4E398214F8009A8A000A6230C33880808BCD
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: a1d082fc67961cf9c9017bdebd9d0fdabf83cbc1f99fd689fd60a11460bf935a
        • Instruction ID: 7102d13b211e639c190c95f68438129d24ba1901ff3681f10da7641a22d18450
        • Opcode Fuzzy Hash: a1d082fc67961cf9c9017bdebd9d0fdabf83cbc1f99fd689fd60a11460bf935a
        • Instruction Fuzzy Hash: 7A12D3BBA557124BD708CA55CC80295B3E3BBC8364B1F913DD959D3305EEB9BA0B46C0
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 3eb5f94d6d0be51d33e17c60d64c3c9350acf6c8481f3ed75c10603f2939ffed
        • Instruction ID: b85d43cf09f5069055057e0f9dd4e3a5ce79a5ed486bef41d357e511c92d6c7a
        • Opcode Fuzzy Hash: 3eb5f94d6d0be51d33e17c60d64c3c9350acf6c8481f3ed75c10603f2939ffed
        • Instruction Fuzzy Hash: B7E1F571A042418FD718CF69C4906AAB7E2EFCC304F0985BEE889EB355DB34EA45CB45
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: d925c00ae1dd091c8efefa3aaaf8493b12ef5f9ccbdbcf6b88be7bd9186c30f9
        • Instruction ID: 55f82a2a2860603184d5158b03bdb4406137b8e9b15ddf23800e49180ff61f50
        • Opcode Fuzzy Hash: d925c00ae1dd091c8efefa3aaaf8493b12ef5f9ccbdbcf6b88be7bd9186c30f9
        • Instruction Fuzzy Hash: 24C150326083D14FD705CF7D94A00ABFFE1AF9E300B5E94ADE5D99B352C574A4098B89
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 0e08022115337b6a48b31d80d8b8fdce5f5367cf90ea7c3831ccbe139a2457d1
        • Instruction ID: e1b82d14655f62c6ea2909a00c3306c027c3f8bf08d7b58be1d298e62f910c97
        • Opcode Fuzzy Hash: 0e08022115337b6a48b31d80d8b8fdce5f5367cf90ea7c3831ccbe139a2457d1
        • Instruction Fuzzy Hash: B8C18D266082C24FD305CF7988D00ABFFE2AFDE204B4E95ADE5C99B362C57594498789
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 9159130f6e97a1f63c990d67648fd71c31b14a0cedd044277c05469dce088cf0
        • Instruction ID: ae2b8487e3aea49084d6fd28d5a3ed456773d8e70f5b5837c631c5ba5c29d16b
        • Opcode Fuzzy Hash: 9159130f6e97a1f63c990d67648fd71c31b14a0cedd044277c05469dce088cf0
        • Instruction Fuzzy Hash: FEB13675E00269CBCF18CFA9D8942EDBBB0FF44305F64856EC456AB281D7781A8ACF45
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 3f13e73bcc20d6da386c3673c597a920b835246fb3133f97e2dd74b96cf6a4e2
        • Instruction ID: 29a3946611212e07eba827bf4ec3dd965f785ad503a435f61f8e75341ee429c7
        • Opcode Fuzzy Hash: 3f13e73bcc20d6da386c3673c597a920b835246fb3133f97e2dd74b96cf6a4e2
        • Instruction Fuzzy Hash: B791BF756083828FC718CF29D8806AABBE2FFC9304F18487EE989D7351D635E915CB85
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ce511f72298da0d49d558c10a5ff1193a7f805c1641b3a629b5ce4ada354f5cd
        • Instruction ID: 04d1cfc55325213d7eac5a63abe2581ec3c557b6e87fb71a75c23a52b251ea84
        • Opcode Fuzzy Hash: ce511f72298da0d49d558c10a5ff1193a7f805c1641b3a629b5ce4ada354f5cd
        • Instruction Fuzzy Hash: 9991D0756083828FC718CF29D8806AABBE2FFC9304F14497EE989D7341D635E916CB85
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 54305795cb5eab5a73fbc3fcf3239a085ce63c2c27f643dafc7d4a3a57f488cd
        • Instruction ID: 0129dfdfa06e8e145608a72f25beec552b62ecacafaafa8e4a62ac3fa9911df8
        • Opcode Fuzzy Hash: 54305795cb5eab5a73fbc3fcf3239a085ce63c2c27f643dafc7d4a3a57f488cd
        • Instruction Fuzzy Hash: E761D3316043458BC714DF26D8809ABB7E6EFCD704F04897EE889BB381C6799E198B59
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ee8ba0f6775abdc610cca4af624066302448de64448e7960d18526cae57c8319
        • Instruction ID: 60a83fcbf127d852f21b6d02f3097c58393ed52201a3528062d383d887290a9d
        • Opcode Fuzzy Hash: ee8ba0f6775abdc610cca4af624066302448de64448e7960d18526cae57c8319
        • Instruction Fuzzy Hash: EE61D4316043468BC715DF25D8509ABB7E6BBC8304F04497FFC89BB381C679AA0ACB59
        APIs
        • SystemParametersInfoA.USER32(00000026,00000000,?,00000000), ref: 00405290
        • GetWindowRect.USER32(?,00000010), ref: 004052B8
        • GetWindowRect.USER32(?,00000020), ref: 004052C1
        • GetSystemMetrics.USER32(0000003D), ref: 004052D1
        • GetSystemMetrics.USER32(0000003E), ref: 004052D8
        • GetWindowLongA.USER32(?,000000F0), ref: 004052E2
        • GetSystemMetrics.USER32(00000005), ref: 004052F1
        • GetWindowLongA.USER32(?,000000EC), ref: 004052FC
        • GetSystemMetrics.USER32(0000002D), ref: 0040530A
        • GetSystemMetrics.USER32(0000002E), ref: 00405311
        • GetSystemMetrics.USER32(00000022), ref: 00405320
        • GetSystemMetrics.USER32(00000023), ref: 00405327
        • GetSystemMetrics.USER32(0000003B), ref: 0040532E
        • GetSystemMetrics.USER32(0000003C), ref: 00405335
        • SendMessageA.USER32(?,00000024,00000000,00000034), ref: 0040534A
        • GetKeyState.USER32(00000001), ref: 0040534E
        • SendMessageA.USER32(?,00000201,00000001,00000000), ref: 00405364
        • SetCapture.USER32(?), ref: 00405369
        • PostMessageA.USER32(?,00000231,00000000,00000000), ref: 00405379
        • GetCursorPos.USER32(-00000008), ref: 0040538F
        • LoadImageA.USER32(00000000,00007F86,00000002,00000000,00000000,00008040), ref: 004053A4
        • SetCursor.USER32(00000000), ref: 004053AB
        • MapWindowPoints.USER32(?,00000000,?,00000001), ref: 004053E7
        • SendMessageA.USER32(?,00000214,?,00000010), ref: 0040540A
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: System$Metrics$Window$Message$Send$CursorLongRect$CaptureImageInfoLoadParametersPointsPostState
        • String ID:
        • API String ID: 985555588-0
        • Opcode ID: 01a2725190c872bf159c5bd0852e996972fb722d7f3f84b5786a012411d90e5f
        • Instruction ID: 586f9979426b920aefc07ff19cb97ca9c93cebbcd8dc2859b64a59a748dbd016
        • Opcode Fuzzy Hash: 01a2725190c872bf159c5bd0852e996972fb722d7f3f84b5786a012411d90e5f
        • Instruction Fuzzy Hash: ADC1A271A00A06BFDB10AF64CD48ABB7B75FB04340F50453BF905A66D0D779A8A1CF99
        APIs
        • sprintf.MSVCRT ref: 00404B46
        • memset.MSVCRT ref: 00404B63
        • RegisterClassA.USER32(?), ref: 00404BA8
        • AdjustWindowRect.USER32(?,00000010,00000000), ref: 00404C01
        • GetSystemMetrics.USER32(00000000), ref: 00404C3E
        • GetSystemMetrics.USER32(00000001), ref: 00404C58
        • GetActiveWindow.USER32 ref: 00404C7F
        • GetWindowRect.USER32(?,?), ref: 00404C8E
        • CreateWindowExA.USER32(00000000,?,?,00000010,?,?,00000001,?,?,00000000,00000000), ref: 00404CEF
        • SetPropA.USER32(00000000,PB_WindowID,00000100), ref: 00404D0C
        • ShowWindow.USER32(00000000,00000001), ref: 00404D33
        • RtlAllocateHeap.NTDLL(00000000,0000000C), ref: 00404D58
        • CreateAcceleratorTableA.USER32(?,?), ref: 00404D95
        • UnregisterClassA.USER32(?), ref: 00404DC9
          • Part of subcall function 004066BB: memset.MSVCRT ref: 004066D8
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: Window$ClassCreateMetricsRectSystemmemset$AcceleratorActiveAdjustAllocateHeapPropRegisterShowTableUnregistersprintf
        • String ID: PB_WindowID$WindowClass_%d
        • API String ID: 1820370190-2937193648
        • Opcode ID: e722d2cbf670614303020c1e730dda992e2a6a8db4ea0d57e5f5c4a9d38830f9
        • Instruction ID: c7ce8232fcfdd9da0e6d01810650b6905c309b16ddaece5cc0acf35632e3a176
        • Opcode Fuzzy Hash: e722d2cbf670614303020c1e730dda992e2a6a8db4ea0d57e5f5c4a9d38830f9
        • Instruction Fuzzy Hash: 49A17BB190020ADFDB10CF68D989B9EBBF4FF44344F14862AF955A32A0D778D950CB99
        APIs
        • CoInitialize.OLE32(00000000), ref: 00403718
        • memset.MSVCRT ref: 00403725
        • LoadLibraryA.KERNEL32(SHELL32.DLL), ref: 00403732
        • strncpy.MSVCRT ref: 00403763
        • strlen.MSVCRT ref: 00403772
        • GetProcAddress.KERNEL32(?,SHBrowseForFolder), ref: 0040379C
        • GetProcAddress.KERNEL32(?,SHGetPathFromIDList), ref: 004037EB
        • CoTaskMemFree.COMBASE(?), ref: 00403806
        • strlen.MSVCRT ref: 0040380D
        • FreeLibrary.KERNEL32(?,00000000), ref: 00403829
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: AddressFreeLibraryProcstrlen$InitializeLoadTaskmemsetstrncpy
        • String ID: @$SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
        • API String ID: 1137656791-1801489780
        • Opcode ID: 00adc2b8da381255dd164f99cb6407cbd1248913ca3723a3718b7c387585913b
        • Instruction ID: ea8c443e7643bfdbcdfbd2f4adfdb3851681cb8806fbf168f8689d10ea387318
        • Opcode Fuzzy Hash: 00adc2b8da381255dd164f99cb6407cbd1248913ca3723a3718b7c387585913b
        • Instruction Fuzzy Hash: 35418F71800208AFDB11AFA5CC45ADE7FB8AF05315F0080BAF554B7292D7B99E14CB69
        APIs
        • GetWindow.USER32(00000000,00000004), ref: 0040494B
        • SetActiveWindow.USER32(00000000), ref: 0040495C
        • RemovePropA.USER32(00000000,PB_WindowID), ref: 00404970
        • RemovePropA.USER32(00000000,PB_DropAccept), ref: 00404979
        • RevokeDragDrop.OLE32(00000000), ref: 00404982
        • SendMessageA.USER32(?,00000221,00000000,00000000), ref: 00404999
        • sprintf.MSVCRT ref: 004049B8
        • UnregisterClassA.USER32(?), ref: 004049CD
        • HeapFree.KERNEL32(00000000,?), ref: 004049E3
        • DestroyAcceleratorTable.USER32(?), ref: 004049EC
        • DeleteObject.GDI32(?), ref: 004049FA
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: PropRemoveWindow$AcceleratorActiveClassDeleteDestroyDragDropFreeHeapMessageObjectRevokeSendTableUnregistersprintf
        • String ID: PB_DropAccept$PB_WindowID$WindowClass_%d
        • API String ID: 192457453-976223216
        • Opcode ID: bd1377bf46f55631dd1ddbc54ba1d147947137b251771725122199eddbfbce36
        • Instruction ID: f0b996a718386a9457227e303234a4a67d6852f77ee41d513e9fa1cdc6f7bee2
        • Opcode Fuzzy Hash: bd1377bf46f55631dd1ddbc54ba1d147947137b251771725122199eddbfbce36
        • Instruction Fuzzy Hash: 38214C71500304EBDB226F61DD09F57BBB9EB44740F148436BA81B21A4C77AD8619B9D
        APIs
        • HeapFree.KERNEL32(00000000,?), ref: 00404F58
        • HeapFree.KERNEL32(00000000,?), ref: 00404F64
        • HeapFree.KERNEL32(00000000,?), ref: 00404F90
        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000003), ref: 00404FB8
        • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,000000FF,000001FF), ref: 00404FD5
        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000003), ref: 00404FEB
        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404FF7
        • GetActiveWindow.USER32 ref: 00404FFD
        • TranslateAccelerator.USER32(00000000,00000000,?), ref: 00405015
        • TranslateMessage.USER32(?), ref: 00405023
        • DispatchMessageA.USER32(?), ref: 0040502D
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: Message$FreeHeap$PeekTranslate$AcceleratorActiveDispatchMultipleObjectsWaitWindow
        • String ID:
        • API String ID: 1286715895-0
        • Opcode ID: afd76d8d9969832cc39f3518b52fe6eee0ff68f092de640222f9704823c623ab
        • Instruction ID: 6edb0f9935199db0e56a2c8fe76ef196a0bcbb4c32eec9ba7cc802ce8dc129a4
        • Opcode Fuzzy Hash: afd76d8d9969832cc39f3518b52fe6eee0ff68f092de640222f9704823c623ab
        • Instruction Fuzzy Hash: 6C414CB1900705AFCB20DF65DD88C6BBBF8EB85740710853AF556E62A0D338D941CBA9
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: Focus$ActiveChildClassNameParentWindowstrcmp
        • String ID: MDI_ChildClass
        • API String ID: 1701595447-1946758919
        • Opcode ID: c935cd3b204af58cfbd2e96b124c70a4575aa5a5e9a59dbc8c47a68151999700
        • Instruction ID: a705aa9bed059d8bd142721d9e0f0f0abb2c12223c0bddd2eb61c98d35858e50
        • Opcode Fuzzy Hash: c935cd3b204af58cfbd2e96b124c70a4575aa5a5e9a59dbc8c47a68151999700
        • Instruction Fuzzy Hash: CE212172D04719EBDF11AFA59D888AFBBB8EF44301B24843BE501B2250D7384E51DF5A
        APIs
          • Part of subcall function 0040523F: SystemParametersInfoA.USER32(00000026,00000000,?,00000000), ref: 00405290
          • Part of subcall function 0040523F: GetWindowRect.USER32(?,00000010), ref: 004052B8
          • Part of subcall function 0040523F: GetWindowRect.USER32(?,00000020), ref: 004052C1
          • Part of subcall function 0040523F: GetSystemMetrics.USER32(0000003D), ref: 004052D1
          • Part of subcall function 0040523F: GetSystemMetrics.USER32(0000003E), ref: 004052D8
          • Part of subcall function 0040523F: GetWindowLongA.USER32(?,000000F0), ref: 004052E2
          • Part of subcall function 0040523F: GetSystemMetrics.USER32(00000005), ref: 004052F1
          • Part of subcall function 0040523F: GetSystemMetrics.USER32(0000002E), ref: 00405311
          • Part of subcall function 0040523F: GetSystemMetrics.USER32(00000022), ref: 00405320
          • Part of subcall function 0040523F: GetSystemMetrics.USER32(00000023), ref: 00405327
          • Part of subcall function 0040523F: GetSystemMetrics.USER32(0000003B), ref: 0040532E
          • Part of subcall function 0040523F: GetSystemMetrics.USER32(0000003C), ref: 00405335
          • Part of subcall function 0040523F: SendMessageA.USER32(?,00000024,00000000,00000034), ref: 0040534A
          • Part of subcall function 0040523F: GetKeyState.USER32(00000001), ref: 0040534E
          • Part of subcall function 0040523F: SendMessageA.USER32(?,00000201,00000001,00000000), ref: 00405364
          • Part of subcall function 0040523F: SetCapture.USER32(?), ref: 00405369
          • Part of subcall function 0040523F: PostMessageA.USER32(?,00000231,00000000,00000000), ref: 00405379
        • GetPropA.USER32(?,PB_WindowID), ref: 00405736
        • GetParent.USER32(?), ref: 00405746
        • GetClientRect.USER32(?,00000000), ref: 004058A2
        • FillRect.USER32(?,00000000,?), ref: 004058B2
        • GetWindowLongA.USER32(?,000000F4), ref: 0040593F
        • PostMessageA.USER32(?,000030D6,?,?), ref: 00405AB9
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: System$Metrics$MessageRectWindow$LongPostSend$CaptureClientFillInfoParametersParentPropState
        • String ID: PB_WindowID
        • API String ID: 2736716905-1508741625
        • Opcode ID: 287e471188106aa8da4b0da2dea19a098f569f3bafd85ad9382638b62a02d066
        • Instruction ID: 1772321966a510f6b624cdf624929c11ab729ec9b834574b68c11bb728a73535
        • Opcode Fuzzy Hash: 287e471188106aa8da4b0da2dea19a098f569f3bafd85ad9382638b62a02d066
        • Instruction Fuzzy Hash: 26B1AE71600A06EBDF20AF55C884ABB7BB1EB54314F60843BE845B62D0D33D9A91EF1D
        APIs
        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00403858
        • GetCurrentThreadId.KERNEL32 ref: 00403866
        • IsWindowVisible.USER32(?), ref: 0040386D
        • IsWindowEnabled.USER32(?), ref: 00403878
        • GetForegroundWindow.USER32 ref: 00403882
        • EnableWindow.USER32(?,00000000), ref: 0040388F
          • Part of subcall function 004067DA: RtlAllocateHeap.NTDLL(00000008,?,00406649), ref: 004067E6
        • GetCurrentThreadId.KERNEL32 ref: 004038A8
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: Window$Thread$Current$AllocateEnableEnabledForegroundHeapProcessVisible
        • String ID:
        • API String ID: 2983394722-0
        • Opcode ID: 1d3563f3127e023f913d1c48bb15226510de4f21d660f64e0808139afde0f23e
        • Instruction ID: 3bd772517b7cdc64e9e8b09daf0a4afa7eecbfefda2ab3240d0ef6d89adb4e94
        • Opcode Fuzzy Hash: 1d3563f3127e023f913d1c48bb15226510de4f21d660f64e0808139afde0f23e
        • Instruction Fuzzy Hash: D9F04F321043005BE321AF75AD88B2B7BF8EB45751B14843AF545F3291DB38D811962E
        APIs
        • IsWindowEnabled.USER32(00000133), ref: 004042FE
        • SetTextColor.GDI32(?,?), ref: 0040431E
        • GetSysColor.USER32(00000014), ref: 0040432C
        • SetBkColor.GDI32(?,00000000), ref: 00404334
        • GetSysColorBrush.USER32(00000014), ref: 00404338
        • SetBkColor.GDI32(?,?), ref: 0040434A
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: Color$BrushEnabledTextWindow
        • String ID:
        • API String ID: 3110319690-0
        • Opcode ID: 2a7694824716aea3b6171af8bdbe108ba02cf11c8357a94443167fb256057ea0
        • Instruction ID: e9a5ba519cd36739e06616fa0996cea1dec027768706913cc5cca44d1be32f40
        • Opcode Fuzzy Hash: 2a7694824716aea3b6171af8bdbe108ba02cf11c8357a94443167fb256057ea0
        • Instruction Fuzzy Hash: 78012571200304AFD6206B659C44967B3FCEF94321F145B36FA75E32E1C778EC558A25
        APIs
        • SetWindowLongA.USER32(000000FF,000000FC,00404714), ref: 004047F5
        • SetWindowLongA.USER32(000000FF,000000F4,000000FF), ref: 00404800
        • SetPropA.USER32(000000FF,PB_ID,000000FF), ref: 0040480B
        • SendMessageA.USER32(000000FF,00000030,000000FF,00000001), ref: 0040481C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: LongWindow$MessagePropSend
        • String ID: PB_ID
        • API String ID: 499798845-4173770792
        • Opcode ID: e916d51ecf110c9439ad90646b44f685ef3287c059c0a1308fabae0f9b2599b4
        • Instruction ID: d0f6b8676c2a3c83e12209fd00d02ec4e2cc3fdc8a34abd3e45ab61e197bb196
        • Opcode Fuzzy Hash: e916d51ecf110c9439ad90646b44f685ef3287c059c0a1308fabae0f9b2599b4
        • Instruction Fuzzy Hash: FF0180B5500308BFCB109F55DD84D8A7BB8FB44760F208626F925672D1C374D950CBA4
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: Window$Focus$EnabledLongVisible
        • String ID:
        • API String ID: 1625685152-0
        • Opcode ID: 4104ecb720695028e7c8581ab3b6637147259ed4616aec29b930e32d6b114f79
        • Instruction ID: ef9e72a64073e5b6a23494da1a96f52c8b08a2b3360bc794104ab48438c1adb4
        • Opcode Fuzzy Hash: 4104ecb720695028e7c8581ab3b6637147259ed4616aec29b930e32d6b114f79
        • Instruction Fuzzy Hash: 72F08130208B015FE2225F659D8876BB3B8EF86B55B14843EE142B22D0C778D8859A2E
        APIs
        • SetTextColor.GDI32(?,?), ref: 00404195
        • GetSysColor.USER32(0000000F), ref: 004041A3
        • SetBkColor.GDI32(?,00000000), ref: 004041AB
        • GetSysColorBrush.USER32(0000000F), ref: 004041AF
        • SetBkColor.GDI32(?,?), ref: 004041C1
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: Color$BrushText
        • String ID:
        • API String ID: 3324192670-0
        • Opcode ID: 6172721f2218073eb60c4652dad57f6f5c5b2bdd0d3b9622d53c644380a3572e
        • Instruction ID: 457ded62e3f9d5314adae7d240338f31a7adc438ae7f8fffd0e9670b0be44b42
        • Opcode Fuzzy Hash: 6172721f2218073eb60c4652dad57f6f5c5b2bdd0d3b9622d53c644380a3572e
        • Instruction Fuzzy Hash: ACF044B5100304ABD220AB299C48D67B3ECEBA4331F104B36F675E32D1C774EC558A65
        APIs
        • memset.MSVCRT ref: 004043D8
        • CreateWindowExA.USER32(?,Edit,00000000,?,?,?,?,?,00000000,000000FF,00000000), ref: 00404466
        • SetWindowLongA.USER32(00000000,000000FC,Function_00004358), ref: 0040448A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: Window$CreateLongmemset
        • String ID: Edit
        • API String ID: 2917088559-554135844
        • Opcode ID: 535db69b1cdb1d4649623afdd7382da2ea4c0a12aa9df6c724ba0c28ee97b079
        • Instruction ID: e5c386e0b925eee2f29b2e51a672b597ac0c5d848ebaae7b82fd60e27dbe053f
        • Opcode Fuzzy Hash: 535db69b1cdb1d4649623afdd7382da2ea4c0a12aa9df6c724ba0c28ee97b079
        • Instruction Fuzzy Hash: 3C217CB5500309AFDB115F11ED09B5B3EA5FB80325F20823EFA64B62E1C77988248B9C
        APIs
          • Part of subcall function 00407750: RtlReAllocateHeap.NTDLL(02300000,00000001,02300700,000040FF), ref: 00407797
        • GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,?,?,?,00000000,00401B68,00000000,00000000,00000000,00000000,00000001,00000001,00000001,00000000), ref: 00403A95
        • strcmp.MSVCRT ref: 00403AA3
        • memmove.MSVCRT(00000000,00000004,-00000004,?,?,00000000,00401B68,00000000,00000000,00000000,00000000,00000001,00000001,00000001,00000000,00000000), ref: 00403AB7
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: AllocateFileHeapModuleNamememmovestrcmp
        • String ID: \\?\
        • API String ID: 1538048364-4282027825
        • Opcode ID: c005eb037396008ac0310d56044cb34282d931d78145fccdb6e90d5e5ca18477
        • Instruction ID: eca9fff87242976c9b07fb941aabbd565294bd6051fa6d81b78090b42e967216
        • Opcode Fuzzy Hash: c005eb037396008ac0310d56044cb34282d931d78145fccdb6e90d5e5ca18477
        • Instruction Fuzzy Hash: E1F0A7B36053006AD2116A769D89E9B6B9DDF94365F100437F605E2182E738A91483F9
        APIs
        • RtlInitializeCriticalSection.NTDLL(0040B454), ref: 004040EA
        • GetStockObject.GDI32(00000011), ref: 004040F2
          • Part of subcall function 004066F1: RtlAllocateHeap.NTDLL(00000008,00000020), ref: 00406703
          • Part of subcall function 004066F1: RtlAllocateHeap.NTDLL(00000008,?), ref: 0040672E
          • Part of subcall function 00406434: RtlAllocateHeap.NTDLL(00000008,?), ref: 00406441
        • memset.MSVCRT ref: 0040412E
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: AllocateHeap$CriticalInitializeObjectSectionStockmemset
        • String ID: 3uo
        • API String ID: 681713604-2184686533
        • Opcode ID: eae40ce73e7bc3a5b72a3c68b7ab9022cd92d073ed51a1f903621673ff1c726c
        • Instruction ID: 54329a541da7fb3abe67cedf3be7a02972069548faaf6a86b27ad4e37661a0cf
        • Opcode Fuzzy Hash: eae40ce73e7bc3a5b72a3c68b7ab9022cd92d073ed51a1f903621673ff1c726c
        • Instruction Fuzzy Hash: 21F036B1580308BAD700ABB19D0BF8D3AA8E744708F50813AB301BA1D2DBF956148B9D
        APIs
        • RtlAllocateHeap.NTDLL(00000000,00000006), ref: 00404E99
        • DestroyAcceleratorTable.USER32(?), ref: 00404F07
        • CreateAcceleratorTableA.USER32(?,?,?), ref: 00404F13
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: AcceleratorTable$AllocateCreateDestroyHeap
        • String ID:
        • API String ID: 1846328917-0
        • Opcode ID: 553c449d7aaab30c656132e4121b42e9cae388fb6654b811fe19028ea8e614b7
        • Instruction ID: a9d74fe08e35607087e68633b6b3ac79de1f82750c2c3d7b4edd57319feaf6d7
        • Opcode Fuzzy Hash: 553c449d7aaab30c656132e4121b42e9cae388fb6654b811fe19028ea8e614b7
        • Instruction Fuzzy Hash: EC317070500702DBC725CF24CA45A6ABBF5FF94714F10C83DE956AB6A0E375EA50DB48
        APIs
        • strlen.MSVCRT ref: 00407665
        • RtlAllocateHeap.NTDLL(02300000,00000001,-00000005), ref: 00407687
        • RtlReAllocateHeap.NTDLL(02300000,00000001,?,-00000005), ref: 004076AA
        • HeapFree.KERNEL32(02300000,00000001), ref: 004076E0
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: Heap$Allocate$Freestrlen
        • String ID:
        • API String ID: 3543670626-0
        • Opcode ID: 4a6dbc0a02a8b1f71d525bb3f498ef1f750a6f1fa80b627f687ffb3843d8e003
        • Instruction ID: cae9a5905be6ddab59d871ac1b064cb42395ff2a8ffa857ff663baf975441a1f
        • Opcode Fuzzy Hash: 4a6dbc0a02a8b1f71d525bb3f498ef1f750a6f1fa80b627f687ffb3843d8e003
        • Instruction Fuzzy Hash: 8D212E75A04208EFCB00DF58C984FAA37B5EF88314F20C469F8059B390D776AE51DB95
        APIs
        • IsWindowEnabled.USER32(?), ref: 00405C24
        • IsWindowVisible.USER32(?), ref: 00405C2F
        • GetWindowLongA.USER32(?,000000F0), ref: 00405C3C
        • SetFocus.USER32(?), ref: 00405C5A
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: Window$EnabledFocusLongVisible
        • String ID:
        • API String ID: 599048109-0
        • Opcode ID: d6914770e2e1d8594dbfc7a4944e97bb1c076ccadc3317546e9f57e33cdf2bab
        • Instruction ID: e46cec46e1855522641c6138c738b3172ba88ca019945debca18c59b96db7e29
        • Opcode Fuzzy Hash: d6914770e2e1d8594dbfc7a4944e97bb1c076ccadc3317546e9f57e33cdf2bab
        • Instruction Fuzzy Hash: F0F0DA752047019BE7215F36DE8CA57B7ACEB94751718843EB896E3290CA38D850CA6A
        APIs
        • GetWindowLongA.USER32(?,000000F0), ref: 004051AB
        • GetParent.USER32(?), ref: 004051C1
        • MapWindowPoints.USER32(00000000,00000000), ref: 004051CA
        • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 004051E9
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: Window$LongMoveParentPoints
        • String ID:
        • API String ID: 473562985-0
        • Opcode ID: fca909fb8084ca993e23cb08f133c50a6035ac502da8b0c7087f63ad4b74f454
        • Instruction ID: a18a99c305bfb6e287be399bcb2239b6defd201362481c224b9852c7cddba058
        • Opcode Fuzzy Hash: fca909fb8084ca993e23cb08f133c50a6035ac502da8b0c7087f63ad4b74f454
        • Instruction Fuzzy Hash: CCF0F832100209BFDF019F98DD49FAA3BB9FB08310F008120FE19AA1A0C731D961DB55
        APIs
        • memset.MSVCRT ref: 004041F9
        • CreateWindowExA.USER32(?,Static,00000000,?,?,?,?,?,00000000,000000FF,00000000), ref: 00404285
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: CreateWindowmemset
        • String ID: Static
        • API String ID: 1730425660-2272013587
        • Opcode ID: bb31573bacb5a1810e8e94bb570eece3961102becdd18999a8e42a38d137bbd2
        • Instruction ID: 84a37009a15c89f1d04e7a9e1e9a7395bcedb45b6e7d81063e5dd9e94b969813
        • Opcode Fuzzy Hash: bb31573bacb5a1810e8e94bb570eece3961102becdd18999a8e42a38d137bbd2
        • Instruction Fuzzy Hash: B0218BB1501209AFDB115F51ED09F5B3EA4EB85364F00427EFA24BA2E1C37A8920CBDC
        APIs
        • memset.MSVCRT ref: 0040451C
        • CreateWindowExA.USER32(00000000,Button,?,?,?,?,?,?,?,000000FF,00000000), ref: 00404583
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: CreateWindowmemset
        • String ID: Button
        • API String ID: 1730425660-1034594571
        • Opcode ID: d655a678b5e88d094de6bd0f529b1c6e06c1790f3825293257081829d2db64ce
        • Instruction ID: 90da7fe86d05c84136806c6f2a8b258a2b8c23e6b76e78d1d325a15fbfac5b34
        • Opcode Fuzzy Hash: d655a678b5e88d094de6bd0f529b1c6e06c1790f3825293257081829d2db64ce
        • Instruction Fuzzy Hash: FB114FB1400254BFCB119F65DD84D9B3FA9EB49358B10803AFA15B62A1C3398921DFDC
        APIs
        • GetPropA.USER32(00000000,PB_ID), ref: 0040563D
        • GetWindowLongA.USER32(00000000,000000F4), ref: 0040564A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: LongPropWindow
        • String ID: PB_ID
        • API String ID: 2492497586-4173770792
        • Opcode ID: 8efa6761e261a2f416a94a464cb2701e7ca63ff64c9f839587c1fbf4b0cffeb1
        • Instruction ID: d037ba408e12bde621d74b1635f54e41943069966e08b0c13ae498da23430538
        • Opcode Fuzzy Hash: 8efa6761e261a2f416a94a464cb2701e7ca63ff64c9f839587c1fbf4b0cffeb1
        • Instruction Fuzzy Hash: 3CF06232100208BBCF115FA4DC08E5B7B6AEB54350B54843AFD0DB22B0C736CC60DB98
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2066192117.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2066124859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000409000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066192117.0000000000579000.00000040.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066551878.000000000057A000.00000080.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2066572508.000000000057F000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_ocs.jbxd
        Similarity
        • API ID: ParentProp
        • String ID: PB_WindowID
        • API String ID: 919147419-1508741625
        • Opcode ID: e61d771c9100336b98a7d339edf77a3775cb866c4dae224fea0e610acfc27428
        • Instruction ID: b6360fad670133492f75da32d3061413dfb7044b1b8f5c3656c8761a87bd68ca
        • Opcode Fuzzy Hash: e61d771c9100336b98a7d339edf77a3775cb866c4dae224fea0e610acfc27428
        • Instruction Fuzzy Hash: 25D0C2B770136167C221662A5C84E47A6ACAAD4760300C437F701F3351C278CC0082A9

        Execution Graph

        Execution Coverage:10.6%
        Dynamic/Decrypted Code Coverage:0%
        Signature Coverage:26.3%
        Total number of Nodes:494
        Total number of Limit Nodes:2

        Control-flow Graph

        • Executed
        • Not Executed
        APIs
        • #860.MFC42 ref: 00402C3F
        • #860.MFC42(00411C60), ref: 00402C50
        • #540.MFC42(00411C60), ref: 00402C59
        • GetLastError.KERNEL32(00411C60), ref: 00402C69
        • #2818.MFC42(?,004113A4,00000000), ref: 00402C78
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6C8FA3D8,Errorcode: ,?,Access is denied.,username: ,?,domainname: ,?,004113A0,?,?,004113A0,?,6C8BA320,?,?), ref: 00402CD2
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00402CD8
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00402CDE
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00402CE4
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00402CEA
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00402CF0
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00402CF6
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00402CFC
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00402D02
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00402D08
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00402D0E
        • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 00402D11
        • #926.MFC42(?,Access is denied.,?), ref: 00402D29
        • #922.MFC42(?,00000000,?,?,Access is denied.,?), ref: 00402D3F
        • #939.MFC42 ref: 00402D4E
        • #800.MFC42 ref: 00402D5B
        • #800.MFC42 ref: 00402D69
        • MessageBoxA.USER32(00000000,?,RunasSpc Error:,00000040), ref: 00402D85
        • #800.MFC42 ref: 00402D94
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6C8FA3D8,Errorcode: ,?,Logon failure: unknown user name or bad password.,username: ,?,domainname: ,?,004113A0,?,6C8BA320,?,?,?,?), ref: 00402E08
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00402E0E
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00402E14
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00402E1A
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00402E20
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00402E26
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00402E2C
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00402E32
        • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 00402E35
        • #926.MFC42(?,Logon failure:unknown user name or bad password.Username: ,?), ref: 00402E50
        • #924.MFC42(?,00000000,Domain: ,?,Logon failure:unknown user name or bad password.Username: ,?), ref: 00402E66
        • #922.MFC42(?,00000000,?), ref: 00402E7E
        • #939.MFC42(00000000,?,00000000,?), ref: 00402E8D
        • #800.MFC42(00000000,?,00000000,?), ref: 00402E9B
        • #800.MFC42(00000000,?,00000000,?), ref: 00402EA8
        • #800.MFC42(00000000,?,00000000,?), ref: 00402EB6
        • MessageBoxA.USER32(00000000,?,RunasSpc Error:,00000040), ref: 00402ED2
        • #800.MFC42(00000000,?,00000000,?), ref: 00402EE1
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6C8FA3D8,Errorcode: ,?,The service cannot be started:,Secondary Logon Service,?,6C8BA320,?,?,?,?), ref: 00402F3A
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00402F40
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00402F46
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00402F4C
        • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 00402F4F
        • #941.MFC42(The service cannot be started:Secondary Logon Service), ref: 00402F61
        • MessageBoxA.USER32(00000000,?,RunasSpc Error:,00000040), ref: 00402F7D
        • #800.MFC42 ref: 00402F8C
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6C8FA3D8,Errorcode: ,?,The service cannot be started:,Secondary Logon Service,?,6C8BA320,?,?,?,?), ref: 00402FE5
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00402FEB
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00402FF1
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00402FF7
        • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 00402FFA
        • #941.MFC42(The service cannot be started:Secondary Logon Service), ref: 0040300C
        • MessageBoxA.USER32(00000000,?,RunasSpc Error:,00000040), ref: 00403028
        • #800.MFC42 ref: 00403037
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6C8FA3D8,Errorcode: ,?,User ,?, cannot find the path specified:,004113A0,?,?,Mapped drives are not supported.,?,6C8BA320,?,?,?,?), ref: 004030A9
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 004030AF
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 004030B5
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 004030BB
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 004030C1
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 004030C7
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 004030CD
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 004030D3
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 004030D9
        • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 004030DC
        • #926.MFC42(?,User ,?), ref: 004030F7
        • #924.MFC42(?), ref: 0040310C
        • #924.MFC42(?,00000000,004113A0,?), ref: 00403121
        • #922.MFC42(?,00000000,?,?,00000000,004113A0,?), ref: 00403136
        • #922.MFC42(?,00000000,?,?,00000000,?,?,00000000,004113A0,?), ref: 0040314B
        • #924.MFC42(?,00000000,Mapped drives are not supported.,?,00000000,?,?,00000000,?,?,00000000,004113A0,?), ref: 00403161
        • #939.MFC42(00000000,?,00000000,Mapped drives are not supported.,?,00000000,?,?,00000000,?,?,00000000,004113A0,?), ref: 00403170
        • #800.MFC42(00000000,?,00000000,Mapped drives are not supported.,?,00000000,?,?,00000000,?,?,00000000,004113A0,?), ref: 0040317D
        • #800.MFC42(00000000,?,00000000,Mapped drives are not supported.,?,00000000,?,?,00000000,?,?,00000000,004113A0,?), ref: 0040318B
        • #800.MFC42(00000000,?,00000000,Mapped drives are not supported.,?,00000000,?,?,00000000,?,?,00000000,004113A0,?), ref: 00403199
        • #800.MFC42(00000000,?,00000000,Mapped drives are not supported.,?,00000000,?,?,00000000,?,?,00000000,004113A0,?), ref: 004031A7
        • #800.MFC42(00000000,?,00000000,Mapped drives are not supported.,?,00000000,?,?,00000000,?,?,00000000,004113A0,?), ref: 004031B5
        • #800.MFC42(00000000,?,00000000,Mapped drives are not supported.,?,00000000,?,?,00000000,?,?,00000000,004113A0,?), ref: 004031C3
        • MessageBoxA.USER32(00000000,?,RunasSpc Error:,00000040), ref: 004031DF
        • #800.MFC42(00000000,?,00000000,Mapped drives are not supported.,?,00000000,?,?,00000000,?,?,00000000,004113A0,?), ref: 004031EE
        • #540.MFC42(?,6C8BA320,?,?,?,?), ref: 0040321F
        • GetLastError.KERNEL32 ref: 00403229
        • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000), ref: 00403243
        • lstrlenA.KERNEL32(?), ref: 00403254
        • lstrlenA.KERNEL32(RunasSpc), ref: 0040325D
        • LocalAlloc.KERNEL32(00000040,00000028), ref: 00403266
        • wsprintfA.USER32 ref: 0040327F
        • #860.MFC42(00000000,?,?,?,?,?,?,6C8BA320,?,?,?,?), ref: 0040328D
        • #924.MFC42(?,?,Run application as user ,00000000,?,?,?,?,?,?,6C8BA320,?,?,?,?), ref: 004032AE
        • #922.MFC42(?,00000000,?), ref: 004032C3
        • #922.MFC42(?,00000000,?,?,00000000,?), ref: 004032D8
        • #924.MFC42(?,00000000,004111B4,?,00000000,?,?,00000000,?), ref: 004032ED
        • #922.MFC42(?,00000000,?,?,00000000,004111B4,?,00000000,?,?,00000000,?), ref: 00403302
        • #924.MFC42(?,00000000,username: ,?,00000000,?,?,00000000,004111B4,?,00000000,?,?,00000000,?), ref: 00403317
        • #922.MFC42(?,00000000,?,?,00000000,username: ,?,00000000,?,?,00000000,004111B4,?,00000000,?,?), ref: 0040332F
        • #924.MFC42(?,00000000,domainname: ,?,00000000,?,?,00000000,username: ,?,00000000,?,?,00000000,004111B4,?), ref: 00403344
        • #922.MFC42(?,00000000,?,?,00000000,domainname: ,?,00000000,?,?,00000000,username: ,?,00000000,?,?), ref: 0040335D
        • #924.MFC42(?,00000000,For more information contact:service@robotronic.de,?,00000000,?,?,00000000,domainname: ,?,00000000,?,?,00000000,username: ,?), ref: 00403372
        • MessageBoxA.USER32(00000000,?,Runasspc Information,00000040), ref: 00403383
        • #800.MFC42 ref: 0040338D
        • #800.MFC42 ref: 0040339A
        • #800.MFC42 ref: 004033A8
        • #800.MFC42 ref: 004033B6
        • #800.MFC42 ref: 004033C4
        • #800.MFC42 ref: 004033D2
        • #800.MFC42 ref: 004033E0
        • #800.MFC42 ref: 004033EE
        • #800.MFC42 ref: 004033FC
        • #800.MFC42 ref: 0040340A
        • LocalFree.KERNEL32(?,00000000,?,?,?,?,?,?,6C8BA320,?,?,?,?), ref: 0040341A
        • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,6C8BA320,?,?,?,?), ref: 0040341D
        • ExitProcess.KERNEL32 ref: 00403420
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2060336862.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2060320544.0000000000400000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060355682.000000000040B000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060371598.0000000000411000.00000004.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060386418.0000000000412000.00000002.00000001.01000000.00000005.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_runasspc.jbxd
        Similarity
        • API ID: U?$char_traits@V?$basic_ostream@$??6std@@D@std@@@0@V10@$#800$#922#924$Message$?endl@std@@D@std@@@1@V21@@$#860#926#939Local$#540#941ErrorFreeLastlstrlen$#2818AllocExitFormatProcesswsprintf
        • String ID: Access is denied.$Access is denied.$Domain: $For more information contact:service@robotronic.de$Logon failure:unknown user name or bad password.Username: $Logon failure: unknown user name or bad password.$Mapped drives are not supported.$Run application as user $Secondary Logon Service$The service cannot be started:$The service cannot be started:Secondary Logon Service$User $domainname: $username: $ cannot find the path specified:$%s failed with error %d: %s$Errorcode: $RunasSpc$RunasSpc Error:$Runasspc Information
        • API String ID: 2864664778-2974190135
        • Opcode ID: 1b61cc58dde2c8d07ae5818e1a9d5644681127198610d6753d1108a1e6deca82
        • Instruction ID: 51212f69be0c9ba29337226590f0ff30186e0f0ec0aeaf0a3d5b08038906b8b7
        • Opcode Fuzzy Hash: 1b61cc58dde2c8d07ae5818e1a9d5644681127198610d6753d1108a1e6deca82
        • Instruction Fuzzy Hash: CD22A770548340AAE310D764CD85F9FBBE8AF95708F00491EFAD4A32D1DB789548CABB

        Control-flow Graph

        Rendered graph omitted (the executed/not-executed colouring is not recoverable from the text). The node listing for the function at 00407190-00407A5B gives this skeleton: MFC string handling and a call to 00407BB0 (which reads an environment variable, see the subcall entries below); a MessageBoxA "Application and parameters more than 256 characters" exit path; an _mbscmp (the "localhost" string belongs to this function) with GetComputerNameA on one branch; MultiByteToWideChar conversions of the remaining arguments; a GetCurrentProcess/OpenProcessToken/CreateEnvironmentBlock branch; _mbscmp chains for the /logon: (noprofile/netonly/env) and /wstyle: (maximize/minimize/hide) values; CreateProcessWithLogonW, with GetLastError and a second CreateProcessWithLogonW attempt on the failure path; on success a WaitForSingleObject loop that calls 00408990 (Toolhelp32 process snapshot) and can end in TerminateProcess; then DestroyEnvironmentBlock, three CloseHandle calls and the "decrypt and open process as user:" ostream diagnostics.
        APIs
        • #540.MFC42 ref: 004071D5
        • #540.MFC42 ref: 004071E9
          • Part of subcall function 00407BB0: #540.MFC42(00000000,?,763404F0,?,?,?,?,?,?,?,6C8BA320,763404F0,?), ref: 00407BD6
          • Part of subcall function 00407BB0: #6663.MFC42(00411C30,00000000,00000000,?,763404F0,?,?,?,?,?,?,?,6C8BA320,763404F0,?), ref: 00407BEE
          • Part of subcall function 00407BB0: #6663.MFC42(00411C30,00000000,00411C30,00000000,00000000,?,763404F0,?,?,?,?,?,?,?,6C8BA320,763404F0), ref: 00407C04
          • Part of subcall function 00407BB0: #6663.MFC42(00411C30,00000001,00411C30,00000000,00411C30,00000000,00000000,?,763404F0,?,?,?,?,?,?,?), ref: 00407C1A
          • Part of subcall function 00407BB0: #4278.MFC42(00411C30,00000000,00000001,00411C30,00000001,00411C30,00000000,00411C30,00000000,00000000,?,763404F0,?), ref: 00407C33
          • Part of subcall function 00407BB0: #939.MFC42 ref: 00407C45
          • Part of subcall function 00407BB0: #800.MFC42 ref: 00407C52
          • Part of subcall function 00407BB0: #4278.MFC42(00411C30,00411C30,-00000001), ref: 00407C65
          • Part of subcall function 00407BB0: #858.MFC42(00000000,00411C30,00411C30,-00000001), ref: 00407C74
          • Part of subcall function 00407BB0: #800.MFC42(00000000,00411C30,00411C30,-00000001), ref: 00407C81
          • Part of subcall function 00407BB0: #2915.MFC42(00000100,00000100,00000000,00411C30,00411C30,-00000001), ref: 00407CA1
          • Part of subcall function 00407BB0: GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000100,00000100,00000000,00411C30,00411C30,-00000001), ref: 00407CAC
          • Part of subcall function 00407BB0: #5572.MFC42(000000FF), ref: 00407CBE
          • Part of subcall function 00407BB0: #926.MFC42(00000001,00411C30,00000000,000000FF), ref: 00407CD2
          • Part of subcall function 00407BB0: #924.MFC42(00000001,00000000,00411C30,00000001,00411C30,00000000,000000FF), ref: 00407CE7
        • #926.MFC42(?,00411C2C,?), ref: 0040720B
        • #922.MFC42(?,00000000,00000000,?,00411C2C,?), ref: 00407222
        • #924.MFC42(?,00000000,00411C2C,?,00000000,00000000,?,00411C2C,?), ref: 0040723A
        • #924.MFC42(?,00000000,004111B4,?,00000000,00411C2C,?,00000000,00000000,?,00411C2C,?), ref: 00407252
        • #922.MFC42(?,00000000,?,?,00000000,004111B4,?,00000000,00411C2C,?,00000000,00000000,?,00411C2C,?), ref: 00407269
        • #858.MFC42(00000000,?,00000000,?,?,00000000,004111B4,?,00000000,00411C2C,?,00000000,00000000,?,00411C2C,?), ref: 0040727B
        • #800.MFC42(00000000,?,00000000,?,?,00000000,004111B4,?,00000000,00411C2C,?,00000000,00000000,?,00411C2C,?), ref: 0040728C
        • #800.MFC42(00000000,?,00000000,?,?,00000000,004111B4,?,00000000,00411C2C,?,00000000,00000000,?,00411C2C,?), ref: 0040729D
        • #800.MFC42(00000000,?,00000000,?,?,00000000,004111B4,?,00000000,00411C2C,?,00000000,00000000,?,00411C2C,?), ref: 004072AE
        • #800.MFC42(00000000,?,00000000,?,?,00000000,004111B4,?,00000000,00411C2C,?,00000000,00000000,?,00411C2C,?), ref: 004072BF
        • #800.MFC42(00000000,?,00000000,?,?,00000000,004111B4,?,00000000,00411C2C,?,00000000,00000000,?,00411C2C,?), ref: 004072D0
        • MessageBoxA.USER32(00000000,Application and parameters more than 256 characters,error,00000001), ref: 004072FC
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6C8FA3D8,decrypt and open process as user:,Application and parameters more than 256 characters,004113A0), ref: 0040731D
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000,763404F0,?), ref: 00407323
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00407329
        • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 0040732C
        • #2915.MFC42(00000000,000000FF,?,00000100,00000000,?,00000000,?,?,00000000,004111B4,?,00000000,00411C2C,?,00000000), ref: 0040734F
        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,00000100,00000000,?,00000000,?,?,00000000,004111B4,?,00000000), ref: 0040735F
        • _mbscmp.MSVCRT ref: 00407371
        • #2915.MFC42 ref: 0040738F
        • GetComputerNameA.KERNEL32(00000000), ref: 00407395
        • #5572.MFC42(000000FF), ref: 0040739F
        • #2915.MFC42(00000000,000000FF,?,00000010,763404F0,?), ref: 004073B4
        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,00000010,763404F0,?), ref: 004073BE
        • #2915.MFC42(00000000,000000FF,?,00000100), ref: 004073D8
        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,00000100), ref: 004073E2
        • #2915.MFC42(00000000,000000FF,?,00000100), ref: 004073F7
        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,00000100), ref: 00407401
        • _mbscmp.MSVCRT ref: 0040740F
        • #858.MFC42(?), ref: 00407422
        • #2915.MFC42(00000000,000000FF,?,00000100), ref: 0040743A
        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,00000100), ref: 00407444
        • _mbscmp.MSVCRT ref: 0040745D
        • #800.MFC42 ref: 004078E5
        • #800.MFC42 ref: 004078F9
        • WaitForSingleObject.KERNEL32(?,000003E8), ref: 0040791A
        • #2915.MFC42(00000000), ref: 00407925
          • Part of subcall function 00408990: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,6C8BA320,?,00000000,759230D0), ref: 0040899E
          • Part of subcall function 00408990: Process32First.KERNEL32(00000000,6C8BA320), ref: 004089B8
          • Part of subcall function 00408990: CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 004089C2
        • TerminateProcess.KERNEL32(?,?,00000000,00000000), ref: 00407948
        • #800.MFC42 ref: 0040795A
        • DestroyEnvironmentBlock.USERENV(?), ref: 00407964
        • CloseHandle.KERNEL32(?), ref: 00407979
        • CloseHandle.KERNEL32(?), ref: 00407980
        • CloseHandle.KERNEL32(?), ref: 00407987
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6C8FA3D8,decrypt and open process as user:,?,application:,?,004113A0,domain: ,?,004113A0,user: ,?,004113A0), ref: 004079D1
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 004079D7
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 004079DD
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 004079E3
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 004079E9
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 004079EF
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 004079F5
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 004079FB
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00407A01
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00407A07
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00407A0D
        • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 00407A10
        • #800.MFC42 ref: 00407A25
        • #800.MFC42 ref: 00407A39
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2060336862.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2060320544.0000000000400000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060355682.000000000040B000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060371598.0000000000411000.00000004.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060386418.0000000000412000.00000002.00000001.01000000.00000005.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_runasspc.jbxd
        Similarity
        • API ID: U?$char_traits@V?$basic_ostream@$??6std@@D@std@@@0@V10@$#800$#2915$ByteCharMultiWide$CloseHandle$#540#6663#858#924_mbscmp$#4278#5572#922#926?endl@std@@D@std@@@1@EnvironmentV21@@$#939BlockComputerCreateDestroyFirstMessageNameObjectProcessProcess32SingleSnapshotTerminateToolhelp32VariableWait
        • String ID: ELEVATION_REQUIRED $application:$Application and parameters more than 256 characters$D$Info: $cmd.exe /C "$crcrunasspc$decrypt and open process as user:$domain: $env$error$hide$localhost$maximize$minimize$netonly$noprofile$user:
        • API String ID: 2895198816-1800106406
        • Opcode ID: 4e50818912c03981c1d6084873f25ec61435b2654a60cef489e774b0d69ab78a
        • Instruction ID: 5c87b927571da435c10eb4658c016776b8efde65206660c3d855931957721db4
        • Opcode Fuzzy Hash: 4e50818912c03981c1d6084873f25ec61435b2654a60cef489e774b0d69ab78a
        • Instruction Fuzzy Hash: 95328570648340AAE720EB64CD55FAF77E8AF94704F004A1EF599A22D1DB78B508C77B
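        Every function in this report is described by the same kind of API trace line ("• api.MODULE(args), ref: address", with "Part of subcall function" entries for callees). As an added triage aid, not part of the report or of Joe Sandbox, the following Python turns those lines into an ordered call list, drops the MFC42 ordinal and C++ iostream operator entries that carry no behaviour of their own, and tags the calls a reviewer of a run-as launcher wants to see. The embedded sample lines are copied from the 00407190 trace above; the WATCHLIST annotations are the example's own reading, not the report's.

```python
"""Parse Joe Sandbox IDA-plugin API trace lines into an ordered call list.

Added example, not part of the report or of Joe Sandbox. It reads the
"• api.MODULE(args), ref: addr" lines in the format used throughout the
report, removes MFC42 ordinal and iostream noise and marks the calls that
matter in a run-as tool. The sample lines are copied from the trace of the
function at 00407190; the WATCHLIST descriptions are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

_LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\S+?)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Calls worth reading in a launcher that runs a program as another user.
WATCHLIST: Dict[str, str] = {
    "CreateProcessWithLogonW": "secondary logon: starts the target as another user",
    "CreateEnvironmentBlock": "builds the target user's environment block",
    "OpenProcessToken": "opens the caller's access token",
    "GetComputerNameA": "machine name lookup (localhost branch)",
    "WaitForSingleObject": "waits on the child process",
    "CreateToolhelp32Snapshot": "process enumeration",
    "Process32First": "process enumeration",
    "TerminateProcess": "kills a process",
}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: str                 # address of the call site
    subcall: Optional[str]   # callee address when the line is a "Part of subcall" entry


def is_noise(api: str) -> bool:
    """MFC42 ordinals (#800) and mangled iostream operators (??6std@@...) add nothing."""
    return api.startswith("#") or api.startswith("?")


def parse_trace(text: str) -> List[ApiCall]:
    """Keep only lines that match the trace format; headings and hashes are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = tuple(a.strip() for a in raw_args.split(",")) if raw_args else ()
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             m.group("ref").upper(), m.group("sub")))
    return calls


def api_sequence(calls: List[ApiCall]) -> List[str]:
    """The calls in trace order with the noise removed: the behaviour skeleton."""
    return [c.api for c in calls if not is_noise(c.api)]


def flag_calls(calls: List[ApiCall]) -> List[Tuple[ApiCall, str]]:
    """Pair each watch-listed call with its annotation."""
    return [(c, WATCHLIST[c.api]) for c in calls if c.api in WATCHLIST]


# Copied from the 00407190 trace in the report (a subset, in the report's order).
SAMPLE_TRACE = """\
• GetComputerNameA.KERNEL32(00000000), ref: 00407395
• #5572.MFC42(000000FF), ref: 0040739F
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,00000010,763404F0,?), ref: 004073BE
• _mbscmp.MSVCRT ref: 0040740F
• WaitForSingleObject.KERNEL32(?,000003E8), ref: 0040791A
• #2915.MFC42(00000000), ref: 00407925
  • Part of subcall function 00408990: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,6C8BA320,?,00000000,759230D0), ref: 0040899E
  • Part of subcall function 00408990: Process32First.KERNEL32(00000000,6C8BA320), ref: 004089B8
• TerminateProcess.KERNEL32(?,?,00000000,00000000), ref: 00407948
• #800.MFC42 ref: 0040795A
• DestroyEnvironmentBlock.USERENV(?), ref: 00407964
• CloseHandle.KERNEL32(?), ref: 00407979
• ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 004079D7
"""

if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    print(" -> ".join(api_sequence(trace)))
    for call, note in flag_calls(trace):
        where = call.ref if call.subcall is None else "%s (via %s)" % (call.ref, call.subcall)
        print("%-26s %s  [%s]" % (call.api, where, note))
```

        The WaitForSingleObject timeout of 000003E8 (1000 ms) and the snapshot taken inside 00408990 on every loop pass are visible in the parsed output; that is the poll-then-kill loop a reviewer would want to confirm before trusting the launcher to clean up after the child.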

        Control-flow Graph

        Rendered graph omitted. The node listing for the function at 00403430 (the entry point that handles the command line) shows: GetCommandLineA, GetModuleHandleA and MFC42 #1575 initialisation with a "Fatal Error: MFC initialization failed" ostream path; the RUNASSPC banner (#537); a chain of _mbscmp/#6877 comparisons that pick out the /program:, /param:, /domain:, /user:, /password:, /cryptfile:, /quiet, /executein:, /logon:, /wstyle:, /crcoff and /alldrives switches; branches that call 00405E80 (cryptfile handling) and 00407190 (the CreateProcessWithLogonW launch), each followed by long runs of MFC42 #535/#800 string clean-up; and the help text block at 00404A36-00404B42 (20 ostream insertions), reached from several branches.
        APIs
        • GetCommandLineA.KERNEL32(00000000), ref: 00403456
        • GetModuleHandleA.KERNEL32(00000000,00000000,00000000), ref: 0040345F
        • #1575.MFC42(00000000), ref: 00403466
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6C8FA484,Fatal Error: MFC initialization failed,00000000), ref: 00403480
        • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 00403483
        • #537.MFC42( *************--> RUNASSPC <--************** * FOR PRIVATE USE * * Commercial use license at: * * www.robotronic.de/orderen.php * *******************************************,00000000), ref: 004034A2
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6C8FA3D8,?, *************--> RUNASSPC <--************** * FOR PRIVATE USE * * Commercial use license at: * * www.robotronic.de/orderen.php * *******************************************,00000000), ref: 004034C0
        • #540.MFC42 ref: 004034DA
        • #860.MFC42(00000000), ref: 00403502
        • #860.MFC42(00000000), ref: 00403512
        • _mbscmp.MSVCRT ref: 00403527
        • _mbscmp.MSVCRT ref: 0040353A
        • _mbscmp.MSVCRT ref: 0040354D
        • #860.MFC42(00411C60), ref: 0040355F
        • #860.MFC42(00411C60,00411C60), ref: 0040357D
        • #860.MFC42(00000000,00411C60,00411C60), ref: 00403589
        • #6877.MFC42(/program:,00411C60,00000000,00411C60,00411C60), ref: 0040359C
        • #858.MFC42(00411C60,/program:,00411C60,00000000,00411C60,00411C60), ref: 004035AE
        • #6877.MFC42(/param:,00000000,/program:,00411C60,00000000,00411C60,00411C60), ref: 004035BE
        • #858.MFC42(00411C60,/param:,00000000,/program:,00411C60,00000000,00411C60,00411C60), ref: 004035D0
        • #6877.MFC42(/domain:,00000000,/param:,00000000,/program:,00411C60,00000000,00411C60,00411C60), ref: 004035E0
        • #858.MFC42(00411C60,/domain:,00000000,/param:,00000000,/program:,00411C60,00000000,00411C60,00411C60), ref: 004035F2
        • #6877.MFC42(/user:,00000000,/domain:,00000000,/param:,00000000,/program:,00411C60,00000000,00411C60,00411C60), ref: 00403602
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6C8FA3D8,****************** Help RunasSpc ***************), ref: 00404A41
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6C8FA3D8,Parameters:,runasspc /program:<applicationname> /domain:<domainname/localhost>, /user:<username> /password:<password> /cryptfile:<name of cryptfile>, /param:<programmoptions> /executein:<path to execute>, /logon:<noprofile/netonly/env>, /wstyle:<maximize/minimize/hide>, /crcOff /quiet /alldrives), ref: 00404A70
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00404A76
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00404A7C
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00404A82
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00404A88
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00404A8E
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00404A94
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6C8FA3D8,Examples:), ref: 00404AA2
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6C8FA3D8,1: call runasspc without cryptfile,runasspc /program:"prog.exe" /domain:"localhost" /user:"admin" /password:"pass"), ref: 00404AB7
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00404ABD
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6C8FA3D8,2: open a runasspc cryptfile and run the application without dialog of runasSpc,runasspc /cryptfile:"crypt.spc"), ref: 00404AD3
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00404AD9
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6C8FA3D8,3: generate a cryptfile,runasspc /cryptfile:"crypt.spc" /program:"prog.exe" /domain:"localhost" /user:"admin" /password:"pass"), ref: 00404AEF
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00404AF5
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6C8FA3D8,Additional Info:), ref: 00404B02
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6C8FA3D8, For local user -> /domain:"localhost" ), ref: 00404B10
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6C8FA3D8, For domain user -> /domain:"domainname.com" ), ref: 00404B1E
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6C8FA3D8, Let option /password empty if you want to ask for it on runtime), ref: 00404B2B
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6C8FA3D8,************************************************), ref: 00404B39
        • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 00404B3C
        Strings
        • crypt.spc, xrefs: 00403770
        • /password:, xrefs: 0040361B
        • /quiet, xrefs: 0040365F
        • /domain:, xrefs: 004035D7
        • TRUE, xrefs: 0040371B
        • ************************************************, xrefs: 00404B2D
        • /logon:<noprofile/netonly/env>, xrefs: 00404A56
        • Let option /password empty if you want to ask for it on runtime, xrefs: 00404B25
        • /user:<username> /password:<password> /cryptfile:<name of cryptfile>, xrefs: 00404A60
        • /program:, xrefs: 00403593
        • z, xrefs: 0040461E
        • Crc32SumOff, xrefs: 004036F9
        • Fatal Error: MFC initialization failed, xrefs: 0040347A
        • runasspc /cryptfile:"crypt.spc", xrefs: 00404AC8
        • Examples:, xrefs: 00404A9C
        • ****************** Help RunasSpc ***************, xrefs: 00404A3B
        • Exit: , xrefs: 004049E3
        • /cryptfile:, xrefs: 0040363D
        • Additional Info:, xrefs: 00404AFC
        • For local user -> /domain:"localhost" , xrefs: 00404B0A
        • runasspc /program:<applicationname> /domain:<domainname/localhost>, xrefs: 00404A65
        • runasspc /program:"prog.exe" /domain:"localhost" /user:"admin" /password:"pass", xrefs: 00404AAC
        • 1: call runasspc without cryptfile, xrefs: 00404AB1
        • }, xrefs: 004046F2
        • y, xrefs: 0040460A
        • /logon:, xrefs: 004036A3
        • Parameters:, xrefs: 00404A6A
        • /wstyle:, xrefs: 004036C5
        • *************--> RUNASSPC <--************** * FOR PRIVATE USE * * Commercial use license at: * * www.robotronic.de/orderen.php * *******************************************, xrefs: 00403499
        • For domain user -> /domain:"domainname.com" , xrefs: 00404B18
        • /crcOff /quiet /alldrives, xrefs: 00404A4C
        • Error argc6 could not create cryptfile, xrefs: 00404985
        • /param:, xrefs: 004035B5
        • /wstyle:<maximize/minimize/hide>, xrefs: 00404A51
        • /crcoff, xrefs: 004036E7
        • /executein:, xrefs: 00403681
        • runasspc /cryptfile:"crypt.spc" /program:"prog.exe" /domain:"localhost" /user:"admin" /password:"pass", xrefs: 00404AE4
        • /param:<programmoptions> /executein:<path to execute>, xrefs: 00404A5B
        • callDirectWithoutCryptfile, xrefs: 0040482A
        • /user:, xrefs: 004035F9
        • 2: open a runasspc cryptfile and run the application without dialog of runasSpc, xrefs: 00404ACD
        • 3: generate a cryptfile, xrefs: 00404AE9
        • /alldrives, xrefs: 00403709
        Memory Dump Source
        • Source File: 00000004.00000002.2060336862.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2060320544.0000000000400000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060355682.000000000040B000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060371598.0000000000411000.00000004.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060386418.0000000000412000.00000002.00000001.01000000.00000005.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_runasspc.jbxd
        Similarity
        • API ID: U?$char_traits@V?$basic_ostream@$??6std@@D@std@@@0@V10@$#860$#6877$#858_mbscmp$?endl@std@@D@std@@@1@V21@@$#1575#537#540CommandHandleLineModule
        • String ID: *************--> RUNASSPC <--************** * FOR PRIVATE USE * * Commercial use license at: * * www.robotronic.de/orderen.php * *******************************************$****************** Help RunasSpc ***************$************************************************$ /crcOff /quiet /alldrives$ /logon:<noprofile/netonly/env>$ /param:<programmoptions> /executein:<path to execute>$ /user:<username> /password:<password> /cryptfile:<name of cryptfile>$ /wstyle:<maximize/minimize/hide>$ For domain user -> /domain:"domainname.com" $ For local user -> /domain:"localhost" $ Let option /password empty if you want to ask for it on runtime$/alldrives$/crcoff$/cryptfile:$/domain:$/executein:$/logon:$/param:$/password:$/program:$/quiet$/user:$/wstyle:$1: call runasspc without cryptfile$2: open a runasspc cryptfile and run the application without dialog of runasSpc$3: generate a cryptfile$Additional Info:$Crc32SumOff$Error argc6 could not create cryptfile$Examples:$Exit: $Fatal Error: MFC initialization failed$Parameters:$TRUE$callDirectWithoutCryptfile$crypt.spc$runasspc /cryptfile:"crypt.spc"$runasspc /cryptfile:"crypt.spc" /program:"prog.exe" /domain:"localhost" /user:"admin" /password:"pass"$runasspc /program:"prog.exe" /domain:"localhost" /user:"admin" /password:"pass"$runasspc /program:<applicationname> /domain:<domainname/localhost>$y$z$}
        • API String ID: 1323381780-2985205317
        • Opcode ID: a5c02205037d565e866783021207720665e46038fc9f700e2b0ff70c6e766d56
        • Instruction ID: 69980da934618290c00fe8498e0abb2143914263a6a59288fb1c3e80223440d7
        • Opcode Fuzzy Hash: a5c02205037d565e866783021207720665e46038fc9f700e2b0ff70c6e766d56
        • Instruction Fuzzy Hash: E9D26D300493858AE374EB65C985FDFB7E4AF95308F04492EE5C9626D1EF78A108CB76
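        The help text recovered in this function (/program:, /domain:, /user:, /password:, /cryptfile:, /logon:, /wstyle:, /quiet, ...) together with the CreateProcessWithLogonW launch in the function at 00407190 mean that a RunasSpc run leaves the target account, and unless a cryptfile is used the password itself, in the child's command line, which is exactly what process-creation auditing records. Below is an added detection example, not part of the report or of RunasSpc: it parses Sysmon Event ID 1 style records for that pattern and reports the switches with the password redacted. The records, their field names, the paths and the password inside them are constructed for the demonstration.

```python
"""Flag RunasSpc-style secondary-logon launches in process-creation records.

Added example: not part of the Joe Sandbox report and not RunasSpc's own code.
The switch names come from the help text recovered from the binary; the event
records, their field names (Sysmon Event ID 1 style), the paths and the
password inside them are constructed for this demonstration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# /name:"quoted value" or /name:bare_value (both forms appear in the help text)
_SWITCH_RE = re.compile(r'/(?P<name>[A-Za-z]+):(?:"(?P<quoted>[^"]*)"|(?P<bare>\S*))')
# switches that take no value
_BARE_FLAGS = ("quiet", "crcoff", "alldrives")


@dataclass
class Finding:
    image: str
    parent_image: str
    options: Dict[str, object] = field(default_factory=dict)
    reasons: List[str] = field(default_factory=list)


def parse_runasspc_cmdline(cmdline: str) -> Dict[str, object]:
    """Return the RunasSpc switches, with the password replaced by its length.

    A quoted value is consumed whole, so switches of the launched program that
    sit inside /program:"..." (for example /SERVER:) are not mistaken for
    RunasSpc switches.
    """
    opts: Dict[str, object] = {}
    for m in _SWITCH_RE.finditer(cmdline):
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        opts[m.group("name").lower()] = value
    remainder = _SWITCH_RE.sub(" ", cmdline)  # only bare flags are left in here
    for flag in _BARE_FLAGS:
        if re.search(r"(?<!\S)/%s(?!\S)" % flag, remainder, re.IGNORECASE):
            opts[flag] = True
    if "password" in opts:
        # The secret must not be copied into the alert; its length proves presence.
        opts["password"] = "<redacted:%d chars>" % len(str(opts["password"]))
    return opts


def analyse_event(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding for a RunasSpc launch, or None for any other record."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    if not image.lower().endswith("runasspc.exe") and "runasspc" not in cmdline.lower():
        return None
    opts = parse_runasspc_cmdline(cmdline)
    f = Finding(image=image, parent_image=event.get("ParentImage", ""), options=opts)
    if "password" in opts:
        f.reasons.append("password passed on the command line (/password:)")
    if "cryptfile" in opts:
        f.reasons.append("credentials loaded from cryptfile %s" % opts["cryptfile"])
    if (str(opts.get("domain", "")).lower() == "localhost"
            and str(opts.get("user", "")).lower() == "administrator"):
        f.reasons.append("local Administrator logon requested")
    if opts.get("quiet") or str(opts.get("wstyle", "")).lower() == "hide":
        f.reasons.append("silent launch requested (/quiet or /wstyle:hide)")
    if re.search(r"\\appdata\\local\\temp\\", event.get("ParentCommandLine", ""), re.IGNORECASE):
        f.reasons.append("launched from a script in the user's Temp directory")
    return f


def scan(events: List[Dict[str, str]]) -> List[Finding]:
    """Apply analyse_event to every record and keep the hits."""
    return [f for f in (analyse_event(e) for e in events) if f is not None]


# Constructed records, not taken from the report; the password is made up.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # dropper-style chain: batch file in Temp runs RunasSpc with a local admin password
        "Image": r"C:\Users\alice\AppData\Local\Temp\7F2C.tmp\runasspc.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'C:\Windows\system32\cmd.exe /c ""C:\Users\alice\AppData\Local\Temp\7F2C.tmp\start.bat" "',
        "CommandLine": 'runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.0.2.7 /PNUM:80 /NP /NOSPLASH /NOW" '
                       '/domain:"localhost" /user:"Administrator" /password:"Winter2024!" /quiet',
    },
    {   # benign: an installer started interactively
        "Image": r"C:\Program Files\Vendor\setup.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Vendor\setup.exe" /S',
    },
    {   # cryptfile form from the help text: no password on the command line
        "Image": r"C:\Tools\runasspc.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r"C:\Windows\System32\cmd.exe",
        "CommandLine": 'runasspc.exe /cryptfile:"crypt.spc" /wstyle:hide',
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.image)
        for key, value in sorted(finding.options.items()):
            print("  %-10s %s" % (key, value))
        for reason in finding.reasons:
            print("  !", reason)
```

        The cryptfile form produces a hit without a password, which is the point of the second reason string: a cryptfile on disk still means reusable credentials, so the file path belongs in the alert even though nothing sensitive was on the command line.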

        Control-flow Graph

        APIs
        Memory Dump Source
        • Source File: 00000004.00000002.2060336862.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2060320544.0000000000400000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060355682.000000000040B000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060371598.0000000000411000.00000004.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060386418.0000000000412000.00000002.00000001.01000000.00000005.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_runasspc.jbxd
        Similarity
        • API ID: _initterm$FilterXcpt__getmainargs__p___initenv__p__commode__p__fmode__set_app_type__setusermatherrexit
        • String ID:
        • API String ID: 167530163-0
        • Opcode ID: d7ed23da3a3a434dfc51be14d2c2ff1d4cbd9168e2ecdfa8cff615a9edd8d984
        • Instruction ID: 7ce569bc752729422ce2ffbd169d6d4b203643de0be0b8f44e0e3c6953163d1a
        • Opcode Fuzzy Hash: d7ed23da3a3a434dfc51be14d2c2ff1d4cbd9168e2ecdfa8cff615a9edd8d984
        • Instruction Fuzzy Hash: 58311A75900205AFCB149FA0ED49ADD7B79FB09714F10426EF651B62F0DB386440CBAC

        Control-flow Graph

        APIs
        • #533.MFC42(?,6C8BA320,763404F0,00000062), ref: 00405EA5
        • #350.MFC42(?,6C8BA320,763404F0,00000062), ref: 00405EB7
        • #540.MFC42 ref: 00405EC8
        • #860.MFC42(00000000), ref: 00405EEE
        • #540.MFC42(00000000), ref: 00405EFF
        • #540.MFC42(00000000), ref: 00405F10
        • #540.MFC42(00000000), ref: 00405F21
        • #540.MFC42(00000000), ref: 00405F32
        • #540.MFC42(00000000), ref: 00405F43
        • #540.MFC42(00000000), ref: 00405F54
        • #5194.MFC42(?,00008000,?,00000000), ref: 00405F73
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6C8FA3D8,?,File could not be opened,?,004113A0,?,00008000,?,00000000), ref: 00405F9F
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000,763404F0,00000062), ref: 00405FA5
        • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z.MSVCP60 ref: 00405FAC
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00405FB3
        • #800.MFC42 ref: 00405FC4
        • #800.MFC42 ref: 00405FD5
        • #800.MFC42 ref: 00405FE6
        • #800.MFC42 ref: 00405FF7
        • #800.MFC42 ref: 00406008
        • #800.MFC42 ref: 00406019
        • #800.MFC42 ref: 0040602E
        • #798.MFC42 ref: 00406046
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6C8FA3D8,?,File empty?,?,004113A0), ref: 0040608D
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000,763404F0,00000062), ref: 00406093
        • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z.MSVCP60 ref: 0040609A
        • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 004060A1
        • #800.MFC42 ref: 004060B2
        • #800.MFC42 ref: 004060C3
        • #800.MFC42 ref: 004060D4
        • #800.MFC42 ref: 004060E5
        • #800.MFC42 ref: 004060F6
        • #800.MFC42 ref: 00406107
        • #800.MFC42 ref: 0040611C
        • #798.MFC42 ref: 00406134
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2060336862.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2060320544.0000000000400000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060355682.000000000040B000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060371598.0000000000411000.00000004.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060386418.0000000000412000.00000002.00000001.01000000.00000005.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_runasspc.jbxd
        Similarity
        • API ID: #800$U?$char_traits@$#540$??6std@@D@std@@@0@V10@V?$basic_ostream@$#798??6?$basic_ostream@D@std@@@std@@V01@$#350#5194#533#860
        • String ID: File could not be opened$File empty?$ $$$'$)$4q7$4q7endOfLine4q7$Crc32SumOff$ERROR Decrypt 3: Failed to read the application file $ERROR Decrypt 3: failed to find the application$ERROR Decrypt 4: Error crc32 checksum of file $ERROR Decrypt 5: Error crc32 checksum of file $ERROR Decrypt 7: Failed to read the cryptfile $TRUE$V1967
        • API String ID: 793790089-1127613661
        • Opcode ID: aea6a39aa208a2bb2cd85dd05a37ab1c4d4fa077030aa74d21730ccfdb11e916
        • Instruction ID: 93e124d25150c48dbf4f8967e8f07043bab98652d2e5a726337c96f4fe52c956
        • Opcode Fuzzy Hash: aea6a39aa208a2bb2cd85dd05a37ab1c4d4fa077030aa74d21730ccfdb11e916
        • Instruction Fuzzy Hash: A8B2637100C3859AD324EB61C951BAFBBE4AFA5304F04492EF5C5632D2DF78A509CBA7
        APIs
        • ??0exception@@QAE@ABQBD@Z.MSVCRT(004110CC), ref: 00402989
        • _CxxThrowException.MSVCRT(?,0040F1E0), ref: 00402999
        • ??0exception@@QAE@ABQBD@Z.MSVCRT(004110CC), ref: 00402A88
        • _CxxThrowException.MSVCRT(?,0040F1E0), ref: 00402A98
        • ??0exception@@QAE@ABQBD@Z.MSVCRT(004110CC), ref: 00402B55
        • _CxxThrowException.MSVCRT(?,0040F1E0), ref: 00402B65
        • ??0exception@@QAE@ABQBD@Z.MSVCRT(004110D0), ref: 00402BBB
        • _CxxThrowException.MSVCRT(?,0040F1E0), ref: 00402BCB
          • Part of subcall function 00402BE0: #561.MFC42(00000000,00402BD5,?,0040F1E0,?,?,?,?,?,?,?,?,V1967,?,00000000,00000000), ref: 00402BE7
        Memory Dump Source
        • Source File: 00000004.00000002.2060336862.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2060320544.0000000000400000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060355682.000000000040B000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060371598.0000000000411000.00000004.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060386418.0000000000412000.00000002.00000001.01000000.00000005.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_runasspc.jbxd
        Similarity
        • API ID: ??0exception@@ExceptionThrow$#561
        • String ID:
        • API String ID: 4183359236-0
        • Opcode ID: ee8ba0f6775abdc610cca4af624066302448de64448e7960d18526cae57c8319
        • Instruction ID: 600755a4557f33603e9c92ad1b29a8888be992e1ae723103c5e5d34b1f300c71
        • Opcode Fuzzy Hash: ee8ba0f6775abdc610cca4af624066302448de64448e7960d18526cae57c8319
        • Instruction Fuzzy Hash: 0761D5317043418BC715DE25895496BB7E6FBC8704F04457EEC89BB3C1CAB8AA06CB59
        APIs
        • ??0exception@@QAE@ABQBD@Z.MSVCRT(004110CC), ref: 00402729
        • _CxxThrowException.MSVCRT(?,0040F1E0), ref: 00402739
        • ??0exception@@QAE@ABQBD@Z.MSVCRT(004110CC), ref: 00402824
        • _CxxThrowException.MSVCRT(?,0040F1E0), ref: 00402834
        • ??0exception@@QAE@ABQBD@Z.MSVCRT(004110CC), ref: 004028EF
        • _CxxThrowException.MSVCRT(?,0040F1E0), ref: 004028FF
        • ??0exception@@QAE@ABQBD@Z.MSVCRT(004110D0), ref: 00402955
        • _CxxThrowException.MSVCRT(?,0040F1E0), ref: 00402965
        Memory Dump Source
        • Source File: 00000004.00000002.2060336862.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2060320544.0000000000400000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060355682.000000000040B000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060371598.0000000000411000.00000004.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060386418.0000000000412000.00000002.00000001.01000000.00000005.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_runasspc.jbxd
        Similarity
        • API ID: ??0exception@@ExceptionThrow
        • String ID:
        • API String ID: 941485209-0
        • Opcode ID: 54305795cb5eab5a73fbc3fcf3239a085ce63c2c27f643dafc7d4a3a57f488cd
        • Instruction ID: 466c68a17dc0d3f82790e04f2a0453448e09557c6905b2b3a78967f9c722e71c
        • Opcode Fuzzy Hash: 54305795cb5eab5a73fbc3fcf3239a085ce63c2c27f643dafc7d4a3a57f488cd
        • Instruction Fuzzy Hash: E661C1356043458BC714DF25D98496BB7E6AFCC704F08867EEC89BB381C6749E09CB59
        APIs
        • ??0exception@@QAE@ABQBD@Z.MSVCRT ref: 004014BF
        • _CxxThrowException.MSVCRT(?,0040F1E0), ref: 004014CF
        • ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 004014F8
        • _CxxThrowException.MSVCRT(?,0040F1E0), ref: 00401508
        • ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 00401531
        • _CxxThrowException.MSVCRT(?,0040F1E0), ref: 00401541
        Memory Dump Source
        • Source File: 00000004.00000002.2060336862.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2060320544.0000000000400000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060355682.000000000040B000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060371598.0000000000411000.00000004.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060386418.0000000000412000.00000002.00000001.01000000.00000005.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_runasspc.jbxd
        Similarity
        • API ID: ??0exception@@ExceptionThrow
        • String ID:
        • API String ID: 941485209-0
        • Opcode ID: 3eb5f94d6d0be51d33e17c60d64c3c9350acf6c8481f3ed75c10603f2939ffed
        • Instruction ID: b4c26c01885419149a1ed748d7a7ee9faf8056654f3dac687f6c59d5d5e8b4df
        • Opcode Fuzzy Hash: 3eb5f94d6d0be51d33e17c60d64c3c9350acf6c8481f3ed75c10603f2939ffed
        • Instruction Fuzzy Hash: 23E1E2716042418FD718CF29C8906AAB7E2EFCD304F49857EE88AEB365DB34DA45CB45
        APIs
        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,6C8BA320,?,00000000,759230D0), ref: 0040899E
        • Process32First.KERNEL32(00000000,6C8BA320), ref: 004089B8
        • CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 004089C2
        • Process32Next.KERNEL32(00000000,00000128), ref: 00408A1B
        • CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 00408A5C
        Memory Dump Source
        • Source File: 00000004.00000002.2060336862.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2060320544.0000000000400000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060355682.000000000040B000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060371598.0000000000411000.00000004.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060386418.0000000000412000.00000002.00000001.01000000.00000005.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_runasspc.jbxd
        Similarity
        • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
        • String ID:
        • API String ID: 1789362936-0
        • Opcode ID: 5f24443cd0201599320946b3296bbfed24c61365564dbbae36ee14a2de7d9ddb
        • Instruction ID: 287636196161a16c6dd40c29d03daf9913f8cb35a0f63b75fa8a2840499e8a8d
        • Opcode Fuzzy Hash: 5f24443cd0201599320946b3296bbfed24c61365564dbbae36ee14a2de7d9ddb
        • Instruction Fuzzy Hash: CB2107756042441AD3206A345EA16F77BD98B67324F191A3FECD0A33C0FA3F980DC659

        Control-flow Graph

        APIs
        • #540.MFC42(00000000,?,763404F0,?,?,?,?,?,?,?,6C8BA320,763404F0,?), ref: 00407BD6
        • #6663.MFC42(00411C30,00000000,00000000,?,763404F0,?,?,?,?,?,?,?,6C8BA320,763404F0,?), ref: 00407BEE
        • #6663.MFC42(00411C30,00000000,00411C30,00000000,00000000,?,763404F0,?,?,?,?,?,?,?,6C8BA320,763404F0), ref: 00407C04
        • #6663.MFC42(00411C30,00000001,00411C30,00000000,00411C30,00000000,00000000,?,763404F0,?,?,?,?,?,?,?), ref: 00407C1A
        • #4278.MFC42(00411C30,00000000,00000001,00411C30,00000001,00411C30,00000000,00411C30,00000000,00000000,?,763404F0,?), ref: 00407C33
        • #939.MFC42 ref: 00407C45
        • #800.MFC42 ref: 00407C52
        • #4278.MFC42(00411C30,00411C30,-00000001), ref: 00407C65
        • #858.MFC42(00000000,00411C30,00411C30,-00000001), ref: 00407C74
        • #800.MFC42(00000000,00411C30,00411C30,-00000001), ref: 00407C81
        • #2915.MFC42(00000100,00000100,00000000,00411C30,00411C30,-00000001), ref: 00407CA1
        • GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000100,00000100,00000000,00411C30,00411C30,-00000001), ref: 00407CAC
        • #5572.MFC42(000000FF), ref: 00407CBE
        • #926.MFC42(00000001,00411C30,00000000,000000FF), ref: 00407CD2
        • #924.MFC42(00000001,00000000,00411C30,00000001,00411C30,00000000,000000FF), ref: 00407CE7
        • #858.MFC42(00000000,00000001,00000000,00411C30,00000001,00411C30,00000000,000000FF), ref: 00407CF6
        • #800.MFC42(00000000,00000001,00000000,00411C30,00000001,00411C30,00000000,000000FF), ref: 00407D04
        • #800.MFC42(00000000,00000001,00000000,00411C30,00000001,00411C30,00000000,000000FF), ref: 00407D11
        • #2764.MFC42(00000000,00000000,00000001,00000000,00411C30,00000001,00411C30,00000000,000000FF), ref: 00407D1D
        • #6648.MFC42(00000000,?,00000000,00000000,00000001,00000000,00411C30,00000001,00411C30,00000000,000000FF), ref: 00407D31
        • #6779.MFC42(00000000,?,00000000,?,00000000,00000000,00000001,00000000,00411C30,00000001,00411C30,00000000,000000FF), ref: 00407D41
        • #6663.MFC42(00411C30,00000000), ref: 00407D54
        • #6663.MFC42(00411C30,00000000,00411C30,00000000,00000000,?,763404F0,?,?,?,?,?,?,?,6C8BA320,763404F0), ref: 00407D73
        • #6663.MFC42(00411C30,00000000,00411C30,00000000,00411C30,00000000,00000000,?,763404F0,?,?,?,?,?,?,?), ref: 00407D89
        • #6663.MFC42(00411C30,00000001,00411C30,00000000,00411C30,00000000,00411C30,00000000,00000000,?,763404F0,?), ref: 00407D9F
        • #4278.MFC42(00000001,00000000,00000001,00411C30,00000001,00411C30,00000000,00411C30,00000000,00411C30,00000000,00000000,?,763404F0,?), ref: 00407DB8
        • #939.MFC42(00000000,00000001,00000000,00000001,00411C30,00000001,00411C30,00000000,00411C30,00000000,00411C30,00000000), ref: 00407DCA
        • #800.MFC42(00000000,00000001,00000000,00000001,00411C30,00000001,00411C30,00000000,00411C30,00000000,00411C30,00000000), ref: 00407DD7
        • #4278.MFC42(00000001,00411C30,-00000001), ref: 00407DEA
        • #858.MFC42(00000000,00000001,00411C30,-00000001), ref: 00407DF9
        • #800.MFC42(00000000,00000001,00411C30,-00000001), ref: 00407E06
        • #2915.MFC42(00000100,00000100,00000000,00000001,00411C30,-00000001), ref: 00407E26
        • GetEnvironmentVariableA.KERNEL32(00411C30,00000000,00000100,00000100,00000000,00000001,00411C30,-00000001), ref: 00407E31
        • #5572.MFC42(000000FF), ref: 00407E43
        • #926.MFC42(00411C30,00411C30,00000000,000000FF), ref: 00407E57
        • #924.MFC42(00000000,00000000,00411C30,00411C30,00411C30), ref: 00407E6C
        • #858.MFC42(00000000,00000000,00000000,00411C30,00411C30,00411C30), ref: 00407E7B
        • #800.MFC42(00000000,00000000,00000000,00411C30,00411C30,00411C30), ref: 00407E89
        • #800.MFC42(00000000,00000000,00000000,00411C30,00411C30,00411C30), ref: 00407E96
        • #2764.MFC42(00000000,00000000,00000000,00000000,00411C30,00411C30,00411C30), ref: 00407EA2
        • #6648.MFC42(00000000,?,00000000,00000000,00000000,00000000,00411C30,00411C30,00411C30), ref: 00407EB6
        • #6779.MFC42(00000000,?,00000000,?,00000000,00000000,00000000,00000000,00411C30,00411C30,00411C30), ref: 00407EC6
        • #6663.MFC42(00411C30,00000000), ref: 00407ED9
        • #6663.MFC42(00411C30,00000000,00411C30,00000000,00411C30,00000000,00000000,?,763404F0,?,?,?,?,?,?,?), ref: 00407EF8
        • #6663.MFC42(00411C30,00000000,00411C30,00000000,00411C30,00000000,00411C30,00000000,00000000,?,763404F0,?), ref: 00407F0E
        • #6663.MFC42(00411C30,00000001,00411C30,00000000,00411C30,00000000,00411C30,00000000,00411C30,00000000,00000000,?,763404F0,?), ref: 00407F24
        • #4278.MFC42(00411C30,00000000,00000001,00411C30,00000001,00411C30,00000000,00411C30,00000000,00411C30,00000000,00411C30,00000000,00000000,?,763404F0), ref: 00407F3D
        • #939.MFC42(00000000,00411C30), ref: 00407F4F
        • #800.MFC42(00000000,00411C30), ref: 00407F5C
        • #4278.MFC42(00411C30,00411C30,-00000001,00000000,00411C30), ref: 00407F6F
        • #858.MFC42(00000000,00411C30,00411C30,-00000001,00000000,00411C30), ref: 00407F7E
        • #800.MFC42(00000000,00411C30,00411C30,-00000001,00000000,00411C30), ref: 00407F8B
        • #2915.MFC42(00000100,00000100,00000000,00411C30,00411C30,-00000001,00000000,00411C30), ref: 00407FAB
        • GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000100,00000100,00000000,00411C30,00411C30,-00000001,00000000,00411C30), ref: 00407FB6
        • #5572.MFC42(000000FF), ref: 00407FC8
        • #926.MFC42(00411C30,00411C30,00000000,000000FF), ref: 00407FDC
        • #924.MFC42(00411C30,00000000,00411C30,00411C30,00411C30), ref: 00407FF1
        • #858.MFC42(00000000,00411C30,00000000,00411C30,00411C30,00411C30), ref: 00408000
        • #800.MFC42(00000000,00411C30,00000000,00411C30,00411C30,00411C30), ref: 0040800E
        • #800.MFC42(00000000,00411C30,00000000,00411C30,00411C30,00411C30), ref: 0040801B
        • #2764.MFC42(00000000,00000000,00411C30,00000000,00411C30,00411C30,00411C30), ref: 00408027
        • #6648.MFC42(00000000,?,00000000,00000000,00411C30,00000000,00411C30,00411C30,00411C30), ref: 0040803B
        • #6779.MFC42(00000000,?,00000000,?,00000000,00000000,00411C30,00000000,00411C30,00411C30,00411C30), ref: 0040804B
        • #6663.MFC42(00411C30,00000000), ref: 0040805E
        • #6663.MFC42(00411C30,00000000,00411C30,00000000,00411C30,00000000,00411C30,00000000,00000000,?,763404F0,?), ref: 0040807D
        • #6663.MFC42(00411C30,00000000,00411C30,00000000,00411C30,00000000,00411C30,00000000,00411C30,00000000,00000000,?,763404F0,?), ref: 004080A1
        • #6663.MFC42(00411C30,00000001,00411C30,00000000,00411C30,00000000,00411C30,00000000,00411C30,00000000,00411C30,00000000,00000000,?,763404F0,?), ref: 004080B7
        • #4278.MFC42(00000000,00000000,00000001,00411C30,00000001,00411C30,00000000,00411C30,00000000,00411C30,00000000,00411C30,00000000,00411C30,00000000,00000000), ref: 004080D0
        • #939.MFC42(00000000,00000000,00000000,00000001), ref: 004080DF
        • #800.MFC42(00000000,00000000,00000000,00000001), ref: 004080EC
        • #4278.MFC42(00000000,00411C30,-00000001,00000000,00000000,00000000,00000001), ref: 004080FF
        • #858.MFC42(00000000,00000000,00411C30,-00000001,00000000,00000000,00000000,00000001), ref: 0040810E
        • #800.MFC42(00000000,00000000,00411C30,-00000001,00000000,00000000,00000000,00000001), ref: 0040811B
        • #2915.MFC42(00000100,00000100,00000000,00000000,00411C30,-00000001,00000000,00000000,00000000,00000001), ref: 00408132
        • GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000100,00000100,00000000,00000000,00411C30,-00000001,00000000,00000000,00000000,00000001), ref: 00408139
        • #5572.MFC42(000000FF), ref: 0040814D
        • #926.MFC42(00411C30,00411C30,00000000,000000FF), ref: 00408161
        • #924.MFC42(00411C30,00000000,00411C30,00411C30,00411C30), ref: 00408176
        • #858.MFC42(00000000,00411C30,00000000,00411C30,00411C30,00411C30), ref: 00408185
        • #800.MFC42(00000000,00411C30,00000000,00411C30,00411C30,00411C30), ref: 00408193
        • #800.MFC42(00000000,00411C30,00000000,00411C30,00411C30,00411C30), ref: 004081A0
        • #2764.MFC42(00000000,00000000,00411C30,00000000,00411C30,00411C30,00411C30), ref: 004081AC
        • #6648.MFC42(00000000,?,00000000,00000000,00411C30,00000000,00411C30,00411C30,00411C30), ref: 004081BE
        • #6779.MFC42(00000000,00000000,00000000,?,00000000,00000000,00411C30,00000000,00411C30,00411C30,00411C30), ref: 004081CD
        • #6663.MFC42(00411C30,00000000), ref: 004081E0
        • #800.MFC42(00411C30,00000000), ref: 004081FA
        Memory Dump Source
        • Source File: 00000004.00000002.2060336862.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2060320544.0000000000400000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060355682.000000000040B000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060371598.0000000000411000.00000004.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060386418.0000000000412000.00000002.00000001.01000000.00000005.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_runasspc.jbxd
        Similarity
        • API ID: #800$#6663$#4278#858$#2764#2915#5572#6648#6779#924#926#939EnvironmentVariable$#540
        • String ID:
        • API String ID: 644718658-0
        • Opcode ID: b3875298e88dde9b3a1a7f68ce8572d523ecc6b12d7aae0b01e1a1f58cf4a4ca
        • Instruction ID: b5e7f6783f2a53484c9e783abcf1978f599fac888e5d3e1c9bb0bb08875e91d2
        • Opcode Fuzzy Hash: b3875298e88dde9b3a1a7f68ce8572d523ecc6b12d7aae0b01e1a1f58cf4a4ca
        • Instruction Fuzzy Hash: BC02AE71108345AFC704EB25C951E6F77E8AFD9708F004A2EF5D5632D1EF3899098BAA

        Control-flow Graph

        APIs
        • #540.MFC42(00000000,?,?,?,?,?,00008000,?,?,?,00000000), ref: 004082B6
        • #6663.MFC42(00411C30,00000000,00000000,?,?,?,?,?,00008000,?,?,?,00000000), ref: 004082CC
        • #6663.MFC42(00411C30,00000000,00411C30,00000000,00000000,?,?,?,?,?,00008000,?,?,?,00000000), ref: 004082E5
        • #6663.MFC42(00411C30,00000001,00411C30,00000000,00411C30,00000000,00000000,?,?,?,?,?,00008000,?,?,?), ref: 004082FB
        • #4278.MFC42(00411C30,00411C30,-00000001,00411C30,00000001,00411C30,00000000,00411C30,00000000,00000000,?,?,?,?,?,00008000), ref: 00408314
        • #858.MFC42 ref: 00408323
        • #800.MFC42 ref: 00408331
        • #2915.MFC42(00000100,00000100), ref: 00408346
        • GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000100,00000100), ref: 0040834D
        • #5572.MFC42(000000FF), ref: 0040835B
        • #2764.MFC42(00000000,000000FF), ref: 00408368
        • #6648.MFC42(00000000,?,00000000,000000FF), ref: 00408378
        • #926.MFC42(00411C30,00411C30,00000000,00000000,?,00000000,000000FF), ref: 0040838C
        • #924.MFC42(00411C30,00000000,00411C30,00411C30,00411C30,00000000,00000000,?), ref: 004083A1
        • #6779.MFC42(00000000,?,00411C30,00000000,00411C30,00411C30,00411C30,00000000,00000000,?), ref: 004083B1
        • #800.MFC42(00000000,?,00411C30,00000000,00411C30,00411C30,00411C30,00000000,00000000,?), ref: 004083BF
        • #800.MFC42(00000000,?,00411C30,00000000,00411C30,00411C30,00411C30,00000000,00000000,?), ref: 004083CD
        • #6663.MFC42(00411C30,00411C31), ref: 004083E5
        • #6663.MFC42(00411C30,00000000,00411C30,00000000,00000000,?,?,?,?,?,00008000,?,?,?,00000000), ref: 00408400
        • #6663.MFC42(00411C30,00000000,00411C30,00000000,00411C30,00000000,00000000,?,?,?,?,?,00008000,?,?,?), ref: 00408419
        • #6663.MFC42(00411C30,00000001,00411C30,00000000,00411C30,00000000,00411C30,00000000,00000000,?,?,?,?,?,00008000,?), ref: 0040842F
        • #4278.MFC42(00411C30,00000000,-00000001,00411C30,00000001,00411C30,00000000,00411C30,00000000,00411C30,00000000,00000000,?,?,?), ref: 00408448
        • #858.MFC42(00000000,00411C30), ref: 00408457
        • #800.MFC42(00000000,00411C30), ref: 00408465
        • #2915.MFC42(00000100,00000100,00000000,00411C30), ref: 0040847A
        • GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000100,00000100,00000000,00411C30), ref: 00408481
        • #5572.MFC42(000000FF), ref: 0040848F
        • #2764.MFC42(00000000,000000FF), ref: 0040849C
        • #6648.MFC42(00000000,?,00000000,000000FF), ref: 004084AC
        • #926.MFC42(00411C30,00411C30,00000000,00000000,?,00000000,000000FF), ref: 004084C0
        • #924.MFC42(00000001,00000000,00411C30,00411C30,00411C30,00000000,00000000,?,00000000), ref: 004084D5
        • #6779.MFC42(00000000,?,00000001,00000000,00411C30,00411C30,00411C30,00000000,00000000,?,00000000), ref: 004084E5
        • #800.MFC42(00000000,?,00000001,00000000,00411C30,00411C30,00411C30,00000000,00000000,?,00000000), ref: 004084F3
        • #800.MFC42(00000000,?,00000001,00000000,00411C30,00411C30,00411C30,00000000,00000000,?,00000000), ref: 00408501
        • #6663.MFC42(00411C30,00411C31), ref: 00408519
        • #6663.MFC42(00411C30,00000000,00411C30,00000000,00411C30,00000000,00000000,?,?,?,?,?,00008000,?,?,?), ref: 00408534
        • #6663.MFC42(00411C30,00000000,00411C30,00000000,00411C30,00000000,00411C30,00000000,00000000,?,?,?,?,?,00008000,?), ref: 0040854D
        • #6663.MFC42(00411C30,00000001,00411C30,00000000,00411C30,00000000,00411C30,00000000,00411C30,00000000,00000000,?,?,?,?,?), ref: 00408563
        • #4278.MFC42(00000000,00000000,-00000001,00411C30,00000001,00411C30,00000000,00411C30,00000000,00411C30,00000000,00411C30,00000000,00000000,?,?), ref: 0040857C
        • #858.MFC42(00000000,00000000,00000000,-00000001), ref: 0040858B
        • #800.MFC42(00000000,00000000,00000000,-00000001), ref: 00408599
        • #2915.MFC42(00000100,00000100,00000000,00000000,00000000,-00000001), ref: 004085AE
        • GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000100,00000100,00000000,00000000,00000000,-00000001), ref: 004085B5
        • #5572.MFC42(000000FF), ref: 004085C3
        • #2764.MFC42(00000000,000000FF), ref: 004085D0
        • #6648.MFC42(00000000,?,00000000,000000FF), ref: 004085E0
        • #926.MFC42(00411C30,00411C30,00000000,00000000,?,00000000,000000FF), ref: 004085F4
        • #924.MFC42(00411C30,00000000,00411C30,00411C30,00411C30,00000000,00000000,?), ref: 00408609
        • #6779.MFC42(00000000,?,00411C30,00000000,00411C30,00411C30,00411C30,00000000,00000000,?), ref: 00408619
        • #800.MFC42(00000000,?,00411C30,00000000,00411C30,00411C30,00411C30,00000000,00000000,?), ref: 00408627
        • #800.MFC42(00000000,?,00411C30,00000000,00411C30,00411C30,00411C30,00000000,00000000,?), ref: 00408635
        • #6663.MFC42(00411C30,00411C31), ref: 0040864D
        • #6663.MFC42(00411C30,00000000,00411C30,00000000,00411C30,00000000,00411C30,00000000,00000000,?,?,?,?,?,00008000,?), ref: 00408668
        • #6663.MFC42(00411C30,00000000,00411C30,00000000,00411C30,00000000,00411C30,00000000,00411C30,00000000,00000000,?,?,?,?,?), ref: 00408681
        • #6663.MFC42(00411C30,00000001,00411C30,00000000,00411C30,00000000,00411C30,00000000,00411C30,00000000,00411C30,00000000,00000000,?,?,?), ref: 00408697
        • #4278.MFC42(00411C30,00411C30,-00000001,00411C30,00000001,00411C30,00000000,00411C30,00000000,00411C30,00000000,00411C30,00000000,00411C30,00000000,00000000), ref: 004086B0
        • #858.MFC42(00000000,00411C30,00411C30,-00000001,00411C30,00000001), ref: 004086BF
        • #800.MFC42(00000000,00411C30,00411C30,-00000001,00411C30,00000001), ref: 004086CD
        • #2915.MFC42(00000100,00000100,00000000,00411C30,00411C30,-00000001,00411C30,00000001), ref: 004086E2
        • GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000100,00000100,00000000,00411C30,00411C30,-00000001,00411C30,00000001), ref: 004086E9
        • #5572.MFC42(000000FF), ref: 004086F7
        • #2764.MFC42(00000000,000000FF), ref: 00408704
        • #6648.MFC42(00000000,?,00000000,000000FF), ref: 00408714
        • #926.MFC42(00411C30,00411C30,00000000,00000000,?,00000000,000000FF), ref: 00408728
        • #924.MFC42(00411C30,00000000,00411C30,00411C30,00411C30,00000000,00000000,?), ref: 0040873D
        • #6779.MFC42(00000000,?,00411C30,00000000,00411C30,00411C30,00411C30,00000000,00000000,?), ref: 0040874D
        • #800.MFC42(00000000,?,00411C30,00000000,00411C30,00411C30,00411C30,00000000,00000000,?), ref: 0040875B
        • #800.MFC42(00000000,?,00411C30,00000000,00411C30,00411C30,00411C30,00000000,00000000,?), ref: 00408769
        • #6663.MFC42(00411C30,00411C31), ref: 00408781
        • #800.MFC42(00411C30,00411C31), ref: 0040879B
        Memory Dump Source
        • Source File: 00000004.00000002.2060336862.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2060320544.0000000000400000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060355682.000000000040B000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060371598.0000000000411000.00000004.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060386418.0000000000412000.00000002.00000001.01000000.00000005.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_runasspc.jbxd
        Similarity
        • API ID: #6663$#800$#2764#2915#4278#5572#6648#6779#858#924#926EnvironmentVariable$#540
        • String ID:
        • API String ID: 2291264435-0
        • Opcode ID: 8f626a75e6804749f18367f8a89c89d37ff833e24c0bfaed2a4b273821c21bf4
        • Instruction ID: 35290dd43057ce11dd0bcaf391a2d58f338d49f1c43caa3067d1b2a47494e39d
        • Opcode Fuzzy Hash: 8f626a75e6804749f18367f8a89c89d37ff833e24c0bfaed2a4b273821c21bf4
        • Instruction Fuzzy Hash: BBE1BB71208344AFD700EF65CA81E6F77D8AF99758F000A2EF5D5632D2EF7899088766

        Control-flow Graph
        • Graph 416: 404ed0-405066 #540 * 23 #858 #800
        APIs
        • #540.MFC42(?,?,?,00000000,00409AB5,000000FF,00401394,?), ref: 00404EF9
        • #540.MFC42(?,?,?,00000000,00409AB5,000000FF,00401394,?), ref: 00404F06
        • #540.MFC42(?,?,?,00000000,00409AB5,000000FF,00401394,?), ref: 00404F13
        • #540.MFC42(?,?,?,00000000,00409AB5,000000FF,00401394,?), ref: 00404F20
        • #540.MFC42(?,?,?,00000000,00409AB5,000000FF,00401394,?), ref: 00404F2D
        • #540.MFC42(?,?,?,00000000,00409AB5,000000FF,00401394,?), ref: 00404F3A
        • #540.MFC42(?,?,?,00000000,00409AB5,000000FF,00401394,?), ref: 00404F47
        • #540.MFC42(?,?,?,00000000,00409AB5,000000FF,00401394,?), ref: 00404F54
        • #540.MFC42(?,?,?,00000000,00409AB5,000000FF,00401394,?), ref: 00404F61
        • #540.MFC42(?,?,?,00000000,00409AB5,000000FF,00401394,?), ref: 00404F6E
        • #540.MFC42(?,?,?,00000000,00409AB5,000000FF,00401394,?), ref: 00404F7B
        • #540.MFC42(?,?,?,00000000,00409AB5,000000FF,00401394,?), ref: 00404F88
        • #540.MFC42(?,?,?,00000000,00409AB5,000000FF,00401394,?), ref: 00404F97
        • #540.MFC42(?,?,?,00000000,00409AB5,000000FF,00401394,?), ref: 00404FA4
        • #540.MFC42(?,?,?,00000000,00409AB5,000000FF,00401394,?), ref: 00404FB1
        • #540.MFC42(?,?,?,00000000,00409AB5,000000FF,00401394,?), ref: 00404FBE
        • #540.MFC42(?,?,?,00000000,00409AB5,000000FF,00401394,?), ref: 00404FCB
        • #540.MFC42(?,?,?,00000000,00409AB5,000000FF,00401394,?), ref: 00404FD8
        • #540.MFC42(?,?,?,00000000,00409AB5,000000FF,00401394,?), ref: 00404FE5
        • #540.MFC42(?,?,?,00000000,00409AB5,000000FF,00401394,?), ref: 00404FF2
        • #540.MFC42(?,?,?,00000000,00409AB5,000000FF,00401394,?), ref: 00404FFF
        • #540.MFC42(?,?,?,00000000,00409AB5,000000FF,00401394,?), ref: 0040500C
        • #540.MFC42(?,?,?,00000000,00409AB5,000000FF,00401394,?), ref: 00405019
        • #858.MFC42(?,?,?,?,00000000,00409AB5,000000FF,00401394,?), ref: 00405030
        • #800.MFC42(?,?,?,?,00000000,00409AB5,000000FF,00401394,?), ref: 0040504F
        Memory Dump Source
        • Source File: 00000004.00000002.2060336862.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2060320544.0000000000400000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060355682.000000000040B000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060371598.0000000000411000.00000004.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060386418.0000000000412000.00000002.00000001.01000000.00000005.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_runasspc.jbxd
        Similarity
        • API ID: #540$#800#858
        • String ID:
        • API String ID: 4193629919-0
        • Opcode ID: 2603281cbe406f3112f1e66ceee0501dedaf871c4669dbe02b12fa71a5a9781e
        • Instruction ID: 705caeccdf15bfd911376f1347196fac011df722ccdd70ba73290209ad53df97
        • Opcode Fuzzy Hash: 2603281cbe406f3112f1e66ceee0501dedaf871c4669dbe02b12fa71a5a9781e
        • Instruction Fuzzy Hash: B2414D3401EB85CEF314EB25C25575ABBE4AF65748F48081EE8C6226C2DF78A60CC677

        Control-flow Graph

        APIs
        • #4710.MFC42 ref: 004012FE
        • #3092.MFC42(000003EA), ref: 0040130A
        • #6199.MFC42(********* RUNASSPC **************,000003EA), ref: 00401318
        • #6199.MFC42(FOR PRIVATE USE. Commercial use license at: www.robotronic.de/orderEn.php,********* RUNASSPC **************,000003EA), ref: 00401324
        • #3092.MFC42(000003E9,FOR PRIVATE USE. Commercial use license at: www.robotronic.de/orderEn.php,********* RUNASSPC **************,000003EA), ref: 00401330
        • _mbscmp.MSVCRT ref: 00401348
        • #6199.MFC42(?), ref: 00401357
        • _mbscmp.MSVCRT ref: 00401369
        • #860.MFC42(crypt.spc), ref: 00401379
        • #535.MFC42(?), ref: 00401386
        • #6199.MFC42(?,?), ref: 004013B2
        • #860.MFC42(00411C60,?,?), ref: 004013C0
        • #860.MFC42(00411C60,00411C60,?,?), ref: 004013CE
        Strings
        • crypt.spc, xrefs: 00401372
        • ********* RUNASSPC **************, xrefs: 0040130F
        • FOR PRIVATE USE. Commercial use license at: www.robotronic.de/orderEn.php, xrefs: 0040131D
        • Cryptfile ERROR: , xrefs: 004013DA
        • callDirectWithoutCryptfile, xrefs: 00401340
        Memory Dump Source
        • Source File: 00000004.00000002.2060336862.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2060320544.0000000000400000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060355682.000000000040B000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060371598.0000000000411000.00000004.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060386418.0000000000412000.00000002.00000001.01000000.00000005.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_runasspc.jbxd
        Similarity
        • API ID: #6199$#860$#3092_mbscmp$#4710#535
        • String ID: ********* RUNASSPC **************$Cryptfile ERROR: $FOR PRIVATE USE. Commercial use license at: www.robotronic.de/orderEn.php$callDirectWithoutCryptfile$crypt.spc
        • API String ID: 5592086-1008838813
        • Opcode ID: 62bc2e54c5fa159ebe406e21b709e0e821378aca13311402415602045015ea94
        • Instruction ID: 6da1ad6cf6863b465f216f3d79776a8b4ba845f173436e415558ab50383e7b9a
        • Opcode Fuzzy Hash: 62bc2e54c5fa159ebe406e21b709e0e821378aca13311402415602045015ea94
        • Instruction Fuzzy Hash: 5631E7302483409BD614EB25CA86BAE77B4EB85704F20453FF9C5A32D1DE7C584887AA

        Control-flow Graph
        • Graph 431: 404b70-404d3b #535 * 23
        APIs
        • #535.MFC42(?,?,6C8BA320,?,?,004098A2,000000FF,0040497A,?), ref: 00404BA5
        • #535.MFC42(?,?,?,6C8BA320,?,?,004098A2,000000FF,0040497A,?), ref: 00404BB9
        • #535.MFC42(?,?,?,?,6C8BA320,?,?,004098A2,000000FF,0040497A,?), ref: 00404BCA
        • #535.MFC42(00000000,?,?,?,?,6C8BA320,?,?,004098A2,000000FF,0040497A,?), ref: 00404BDB
        • #535.MFC42(?,00000000,?,?,?,?,6C8BA320,?,?,004098A2,000000FF,0040497A,?), ref: 00404BEC
        • #535.MFC42(?,?,00000000,?,?,?,?,6C8BA320,?,?,004098A2,000000FF,0040497A,?), ref: 00404BFD
        • #535.MFC42(?,?,?,00000000,?,?,?,?,6C8BA320,?,?,004098A2,000000FF,0040497A,?), ref: 00404C0E
        • #535.MFC42(?,?,?,?,00000000,?,?,?,?,6C8BA320,?,?,004098A2,000000FF,0040497A,?), ref: 00404C1F
        • #535.MFC42(?,?,?,?,?,00000000,?,?,?,?,6C8BA320,?,?,004098A2,000000FF,0040497A), ref: 00404C30
        • #535.MFC42(?,?,?,?,?,?,00000000,?,?,?,?,6C8BA320,?,?,004098A2,000000FF), ref: 00404C41
        • #535.MFC42(?,?,?,?,?,?,?,00000000,?,?,?,?,6C8BA320,?,?,004098A2), ref: 00404C52
        • #535.MFC42(00408F05,?,?,?,?,?,?,?,00000000,?,?,?,?,6C8BA320,?,?), ref: 00404C63
        • #535.MFC42(000000FF,00408F05,?,?,?,?,?,?,?,00000000,?,?,?,?,6C8BA320), ref: 00404C74
        • #535.MFC42(004097A5,000000FF,00408F05,?,?,?,?,?,?,?,00000000,?,?,?,?,6C8BA320), ref: 00404C85
        • #535.MFC42(00000000,004097A5,000000FF,00408F05,?,?,?,?,?,?,?,00000000,?,?,?,?), ref: 00404C96
        • #535.MFC42(?,00000000,004097A5,000000FF,00408F05,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00404CA7
        • #535.MFC42(?,?,00000000,004097A5,000000FF,00408F05,?,?,?,?,?,?,?,00000000,?,?), ref: 00404CB8
        • #535.MFC42(?,?,?,00000000,004097A5,000000FF,00408F05,?,?,?,?,?,?,?,00000000,?), ref: 00404CC9
        • #535.MFC42(?,?,?,?,00000000,004097A5,000000FF,00408F05,?,?,?,?,?,?,?,00000000), ref: 00404CDA
        • #535.MFC42(?,?,?,?,?,00000000,004097A5,000000FF,00408F05,?,?,?,?,?,?,?), ref: 00404CEB
        • #535.MFC42(?,?,?,?,?,?,00000000,004097A5,000000FF,00408F05,?,?,?,?,?,?), ref: 00404CFC
        • #535.MFC42(?,?,?,?,?,?,?,00000000,004097A5,000000FF,00408F05,?,?,?,?,?), ref: 00404D0D
        • #535.MFC42(?,?,?,?,?,?,?,?,00000000,004097A5,000000FF,00408F05,?,?,?,?), ref: 00404D1E
        Memory Dump Source
        • Source File: 00000004.00000002.2060336862.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2060320544.0000000000400000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060355682.000000000040B000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060371598.0000000000411000.00000004.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060386418.0000000000412000.00000002.00000001.01000000.00000005.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_runasspc.jbxd
        Similarity
        • API ID: #535
        • String ID:
        • API String ID: 331045284-0
        • Opcode ID: 6095b3803738ff7bd68a3eb7f04316fc6ae85086346a9ec0959d59b7d1851cf9
        • Instruction ID: 601eeb1b36584abf2ff66922b3f5e0315953d04961f1674a9ff7aa0aef536c69
        • Opcode Fuzzy Hash: 6095b3803738ff7bd68a3eb7f04316fc6ae85086346a9ec0959d59b7d1851cf9
        • Instruction Fuzzy Hash: 43513E71009B46DEE358DB25D580B96BBF4BF64348F04491EA4C653992EBB4B24CCBF2

        Control-flow Graph
        • Graph 432: 404d60-404ecb #540 * 23
        APIs
        Memory Dump Source
        • Source File: 00000004.00000002.2060336862.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2060320544.0000000000400000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060355682.000000000040B000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060371598.0000000000411000.00000004.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060386418.0000000000412000.00000002.00000001.01000000.00000005.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_runasspc.jbxd
        Similarity
        • API ID: #540
        • String ID:
        • API String ID: 747650028-0
        • Opcode ID: 45e3470830ccedf70ef064cb9f773fd58eb24f26bb327727a99213d96dfb9bf2
        • Instruction ID: 3871879c23c7efe2ed1416739e36e42631d84b3175c48087f061e93dbe32b42c
        • Opcode Fuzzy Hash: 45e3470830ccedf70ef064cb9f773fd58eb24f26bb327727a99213d96dfb9bf2
        • Instruction Fuzzy Hash: B6412530059BC5CAF314EB65C25575ABBE4AF65308F480E2DE8D6126C2DBB8A20CC676

        Control-flow Graph
        • Graph 433: 405070-4051d3 #800 * 23
        APIs
        • #800.MFC42(6C8BA320,?,00000000,00409BB2,000000FF,00404A22), ref: 0040509E
        • #800.MFC42(6C8BA320,?,00000000,00409BB2,000000FF,00404A22), ref: 004050AB
        • #800.MFC42(6C8BA320,?,00000000,00409BB2,000000FF,00404A22), ref: 004050B8
        • #800.MFC42(6C8BA320,?,00000000,00409BB2,000000FF,00404A22), ref: 004050C5
        • #800.MFC42(6C8BA320,?,00000000,00409BB2,000000FF,00404A22), ref: 004050D2
        • #800.MFC42(6C8BA320,?,00000000,00409BB2,000000FF,00404A22), ref: 004050DF
        • #800.MFC42(6C8BA320,?,00000000,00409BB2,000000FF,00404A22), ref: 004050EC
        • #800.MFC42(6C8BA320,?,00000000,00409BB2,000000FF,00404A22), ref: 004050F9
        • #800.MFC42(6C8BA320,?,00000000,00409BB2,000000FF,00404A22), ref: 00405106
        • #800.MFC42(6C8BA320,?,00000000,00409BB2,000000FF,00404A22), ref: 00405113
        • #800.MFC42(6C8BA320,?,00000000,00409BB2,000000FF,00404A22), ref: 00405120
        • #800.MFC42(6C8BA320,?,00000000,00409BB2,000000FF,00404A22), ref: 0040512D
        • #800.MFC42(6C8BA320,?,00000000,00409BB2,000000FF,00404A22), ref: 0040513A
        • #800.MFC42(6C8BA320,?,00000000,00409BB2,000000FF,00404A22), ref: 00405147
        • #800.MFC42(6C8BA320,?,00000000,00409BB2,000000FF,00404A22), ref: 00405154
        • #800.MFC42(6C8BA320,?,00000000,00409BB2,000000FF,00404A22), ref: 00405161
        • #800.MFC42(6C8BA320,?,00000000,00409BB2,000000FF,00404A22), ref: 0040516E
        • #800.MFC42(6C8BA320,?,00000000,00409BB2,000000FF,00404A22), ref: 0040517B
        • #800.MFC42(6C8BA320,?,00000000,00409BB2,000000FF,00404A22), ref: 00405188
        • #800.MFC42(6C8BA320,?,00000000,00409BB2,000000FF,00404A22), ref: 00405195
        • #800.MFC42(6C8BA320,?,00000000,00409BB2,000000FF,00404A22), ref: 004051A2
        • #800.MFC42(6C8BA320,?,00000000,00409BB2,000000FF,00404A22), ref: 004051AF
        • #800.MFC42(6C8BA320,?,00000000,00409BB2,000000FF,00404A22), ref: 004051BF
        Memory Dump Source
        • Source File: 00000004.00000002.2060336862.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2060320544.0000000000400000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060355682.000000000040B000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060371598.0000000000411000.00000004.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060386418.0000000000412000.00000002.00000001.01000000.00000005.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_runasspc.jbxd
        Similarity
        • API ID: #800
        • String ID:
        • API String ID: 1076129211-0
        • Opcode ID: 7f793b68a468f1cd52d678222789412c3637855f9102d45c58442dba8dccb525
        • Instruction ID: 8216c5d0d9ded216e5c3292fc870c671df634ba7449befffa7b1ae31152ebc23
        • Opcode Fuzzy Hash: 7f793b68a468f1cd52d678222789412c3637855f9102d45c58442dba8dccb525
        • Instruction Fuzzy Hash: F741263100D7D1CAE314EB25C191B5ABBE0BF66308F440E1DA8D6126C2DBB8A20CC6B7

        Control-flow Graph

        APIs
        • #540.MFC42(00000000,?,763404F0,?,763404F0,?), ref: 00407AB2
        • #6662.MFC42(0000002E,00000000,00000000,?,763404F0,?,763404F0,?), ref: 00407AC5
        • #6662.MFC42(00000020,00000000,0000002E,00000000,00000000,?,763404F0,?,763404F0,?), ref: 00407ACF
        • #4277.MFC42(00000000,00000000,00000020,00000000,0000002E,00000000,00000000,?,763404F0,?,763404F0,?), ref: 00407AE3
        • #858.MFC42(00000000,00000000), ref: 00407AF1
        • #800.MFC42(00000000,00000000), ref: 00407AFE
        • #4129.MFC42(00000000,00000000,00000000,00000000), ref: 00407B0B
        • #858.MFC42(00000000,00000000,00000000,00000000,00000000), ref: 00407B18
        • #800.MFC42(00000000,00000000,00000000,00000000,00000000), ref: 00407B25
        • #5683.MFC42(0000005C,00000020,00000000,0000002E,00000000,00000000,?,763404F0,?,763404F0,?), ref: 00407B2E
        • #4129.MFC42(00000000,00000001,0000005C,00000020,00000000,0000002E,00000000,00000000,?,763404F0,?,763404F0,?), ref: 00407B43
        • #858.MFC42(00000000,00000000,00000001), ref: 00407B51
        • #800.MFC42(00000000,00000000,00000001), ref: 00407B5E
        • #4277.MFC42(00000000,00000001,00000000,00000000,00000001), ref: 00407B6B
        • #858.MFC42(00000000,00000000,00000001,00000000,00000000,00000001), ref: 00407B78
        • #800.MFC42(00000000,00000000,00000001,00000000,00000000,00000001), ref: 00407B85
        • #800.MFC42(0000005C), ref: 00407B96
        Memory Dump Source
        • Source File: 00000004.00000002.2060336862.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2060320544.0000000000400000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060355682.000000000040B000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060371598.0000000000411000.00000004.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060386418.0000000000412000.00000002.00000001.01000000.00000005.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_runasspc.jbxd
        Similarity
        • API ID: #800$#858$#4129#4277#6662$#540#5683
        • String ID:
        • API String ID: 61239756-0
        • Opcode ID: 7b20debd6cc334e9cb581dc9269d34bd86068b8946fed9410a8d5f989e32b9a1
        • Instruction ID: 744d983c1e1d42b22649f42b393dbec7a6aeb2da1f53b3180750c0c69a5ce31b
        • Opcode Fuzzy Hash: 7b20debd6cc334e9cb581dc9269d34bd86068b8946fed9410a8d5f989e32b9a1
        • Instruction Fuzzy Hash: 7131A4711093809AD305EB29C951A5F77E8AF99718F440B2EF4D5632C1DF3C9909C77A

        Control-flow Graph
        • Graph 439: 4087c0-40893f, blocks 439-454 (calls 408950, CreateFileA, GetFileSize, #536, #2915, ReadFile, CloseHandle, #5572, #800)
        APIs
        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,08000000,00000000,?,00000020,00000000,00000008), ref: 00408852
        • GetFileSize.KERNEL32(00000000,00000000,?,00000020,00000000,00000008), ref: 00408864
        • #536.MFC42(00000020,00000000,?,00000020,00000000,00000008), ref: 00408873
        • #2915.MFC42(00000000,00000000,?,00000000,00000020,00000000,?,00000020,00000000,00000008), ref: 0040888D
        • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000020,00000000,?,00000020,00000000,00000008), ref: 00408894
        • CloseHandle.KERNEL32(00000000,?,00000020,00000000,00000008), ref: 0040889B
        • #5572.MFC42(?,?,00000020,00000000,00000008), ref: 004088A6
        • #800.MFC42(?,?,00000020,00000000,00000008), ref: 004088BD
        • #800.MFC42(?,00000020,00000000,00000008), ref: 004088D0
        • #800.MFC42(?,?,00000020,00000000,00000008), ref: 0040890E
        • #800.MFC42(?,?,00000020,00000000,00000008), ref: 00408921
        Memory Dump Source
        • Source File: 00000004.00000002.2060336862.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2060320544.0000000000400000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060355682.000000000040B000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060371598.0000000000411000.00000004.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060386418.0000000000412000.00000002.00000001.01000000.00000005.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_runasspc.jbxd
        Similarity
        • API ID: #800$File$#2915#536#5572CloseCreateHandleReadSize
        • String ID:
        • API String ID: 1688483687-0
        • Opcode ID: ec56a31d9066793c546ac67297f0c5d263686ce4c55d9d6e55accd87e8dbae34
        • Instruction ID: 85eb2ca32fe83dffe473e753c81bb2223308d922ea907c39846903ccb5b8300b
        • Opcode Fuzzy Hash: ec56a31d9066793c546ac67297f0c5d263686ce4c55d9d6e55accd87e8dbae34
        • Instruction Fuzzy Hash: D241B2722446409BE330EB25CD41BAFB6D4DBD5710F50893EF5D9A72C1DE3858098BAA
        APIs
        • #324.MFC42(00000069,00000000,6C8BA320,?,00000000,00408FC3,000000FF,0040482A,00000000), ref: 00401204
        • #540.MFC42(00000069,00000000,6C8BA320,?,00000000), ref: 00401214
        • #540.MFC42(00000069,00000000,6C8BA320,?,00000000), ref: 00401221
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2060336862.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2060320544.0000000000400000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060355682.000000000040B000.00000002.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060371598.0000000000411000.00000004.00000001.01000000.00000005.sdmp
        • Associated: 00000004.00000002.2060386418.0000000000412000.00000002.00000001.01000000.00000005.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_runasspc.jbxd
        Similarity
        • API ID: #540$#324
        • String ID: *H@
        • API String ID: 2753626916-2229771961
        • Opcode ID: ee42e73ff08a494e43ac01cd40389a1b2f795427ac5910f0f8ad3fee146e8886
        • Instruction ID: a5a109d97bdffec6aea5cc0079446195dfdd51488e321a5ad603735e49381207
        • Opcode Fuzzy Hash: ee42e73ff08a494e43ac01cd40389a1b2f795427ac5910f0f8ad3fee146e8886
        • Instruction Fuzzy Hash: 87F03471148B91EBE314DF09CA01B56B7E8FB54B20F004A2EF49593BC1CBB895088BA6