Windows Analysis Report
UdY4Kc66Bc.exe

Overview

General Information

Sample name: UdY4Kc66Bc.exe (renamed because the original name is a hash value)
Original sample name: 511ca3f9e84a22885d9dac546aba034373a63a83825a058320713180ef485d74.exe
Analysis ID: 1560270
MD5: 739682b6fd2b25f2a6234b733090735b
SHA1: 171b56b4dcb6a37cc9ec3704be6982f042f1c461
SHA256: 511ca3f9e84a22885d9dac546aba034373a63a83825a058320713180ef485d74
Tags: exe, fnback9636-site, user-JAMESWT_MHT

Detection

Score: 42
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Detected potential unwanted application
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • UdY4Kc66Bc.exe (PID: 5048 cmdline: "C:\Users\user\Desktop\UdY4Kc66Bc.exe" MD5: 739682B6FD2B25F2A6234B733090735B)
    • dfsvc.exe (PID: 1688 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" MD5: B4088F44B80D363902E11F897A7BAC09)
    • WerFault.exe (PID: 772 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 880 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Network Connection | Author: Nasreddine Bencherchali (Nextron Systems) | Data: DestinationIp: 192.168.2.9, DestinationIsIpv6: false, DestinationPort: 49713, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, Initiated: true, ProcessId: 1688, Protocol: tcp, SourceIp: 37.221.65.128, SourceIsIpv6: false, SourcePort: 443
No Suricata rule has matched

AV Detection

Source: UdY4Kc66Bc.exe | ReversingLabs: Detection: 23%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Code function: 0_2_00B81000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree | 0_2_00B81000
Source: UdY4Kc66Bc.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: UdY4Kc66Bc.exe | Static PE information: certificate valid
Source: UdY4Kc66Bc.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb | source: UdY4Kc66Bc.exe
Source: Binary string: .Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb | source: dfsvc.exe, 00000001.00000002.2283644187.000001A3E5ED0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbllrT | source: dfsvc.exe, 00000001.00000002.2283950958.000001A3E5F69000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb | source: dfsvc.exe, 00000001.00000002.2283644187.000001A3E5ED0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.pdbrap | source: dfsvc.exe, 00000001.00000002.2284401483.000001A3E5FA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.pdbb~@ | source: dfsvc.exe, 00000001.00000002.2284401483.000001A3E5FA0000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Code function: 0_2_00B84A4B FindFirstFileExA | 0_2_00B84A4B
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: fn3699.kafinora.cyou
Source: UdY4Kc66Bc.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: UdY4Kc66Bc.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: UdY4Kc66Bc.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: UdY4Kc66Bc.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: UdY4Kc66Bc.exe, 00000000.00000002.1461015578.00000000010C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustefR
Source: UdY4Kc66Bc.exe, 00000000.00000002.1461015578.00000000010C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digic
Source: UdY4Kc66Bc.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: UdY4Kc66Bc.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: UdY4Kc66Bc.exe, 00000000.00000002.1461015578.00000000010C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeSBS
Source: UdY4Kc66Bc.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: UdY4Kc66Bc.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: UdY4Kc66Bc.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: dfsvc.exe, 00000001.00000002.2282085524.000001A3CD66C000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2282085524.000001A3CD69B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fn3699.kafinora.cyou
Source: UdY4Kc66Bc.exe | String found in binary or memory: http://ocsp.digicert.com0
Source: UdY4Kc66Bc.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: UdY4Kc66Bc.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: UdY4Kc66Bc.exe | String found in binary or memory: http://ocsp.digicert.com0X
Source: dfsvc.exe, 00000001.00000002.2282085524.000001A3CD5C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net
Source: UdY4Kc66Bc.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: dfsvc.exe, 00000001.00000002.2282085524.000001A3CD65C000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2282085524.000001A3CD60B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fn3699.kafinora.cyou
Source: dfsvc.exe, 00000001.00000002.2282085524.000001A3CD66C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fn3699.kafinora.cyou(
Source: dfsvc.exe, 00000001.00000002.2282085524.000001A3CD70D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2282085524.000001A3CD6D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fn3699.kafinora.cyou/Bin/ScreenConnect.Client.application?e=Support&y=Gues
Source: DJY51CAU.log.1.dr | String found in binary or memory: https://fn3699.kafinora.cyou/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=fnback9636.sit
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713

System Summary

Source: UdY4Kc66Bc.exe | PE Signature Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Code function: 0_2_00B8A495 | 0_2_00B8A495
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Code function: 1_2_00007FF886E4D099 | 1_2_00007FF886E4D099
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Code function: 1_2_00007FF886E4AEF5 | 1_2_00007FF886E4AEF5
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Code function: 1_2_00007FF886E564B9 | 1_2_00007FF886E564B9
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Code function: 1_2_00007FF886E540D9 | 1_2_00007FF886E540D9
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Code function: 1_2_00007FF886E566D4 | 1_2_00007FF886E566D4
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Code function: 1_2_00007FF886E4F441 | 1_2_00007FF886E4F441
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Code function: 1_2_00007FF886E41211 | 1_2_00007FF886E41211
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 880
Source: UdY4Kc66Bc.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal42.evad.winEXE@4/7@1/1
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Code function: 0_2_00B81000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree | 0_2_00B81000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | File created: C:\Users\user\AppData\Local\Deployment
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5048
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | File created: C:\Users\user\AppData\Local\Temp\Deployment
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Command line argument: dfshim | 0_2_00B81000
Source: UdY4Kc66Bc.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: UdY4Kc66Bc.exe | ReversingLabs: Detection: 23%
Source: unknown | Process created: C:\Users\user\Desktop\UdY4Kc66Bc.exe "C:\Users\user\Desktop\UdY4Kc66Bc.exe"
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 880
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Section loaded: dfshim.dll
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: dfshim.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: textshaping.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: textinputframework.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: uiautomationcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: UdY4Kc66Bc.exe | Static PE information: certificate valid
Source: UdY4Kc66Bc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: UdY4Kc66Bc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: UdY4Kc66Bc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: UdY4Kc66Bc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: UdY4Kc66Bc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: UdY4Kc66Bc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: UdY4Kc66Bc.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: UdY4Kc66Bc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb | source: UdY4Kc66Bc.exe
Source: Binary string: .Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb | source: dfsvc.exe, 00000001.00000002.2283644187.000001A3E5ED0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbllrT | source: dfsvc.exe, 00000001.00000002.2283950958.000001A3E5F69000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb | source: dfsvc.exe, 00000001.00000002.2283644187.000001A3E5ED0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.pdbrap | source: dfsvc.exe, 00000001.00000002.2284401483.000001A3E5FA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.pdbb~@ | source: dfsvc.exe, 00000001.00000002.2284401483.000001A3E5FA0000.00000004.00000020.00020000.00000000.sdmp
Source: UdY4Kc66Bc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: UdY4Kc66Bc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: UdY4Kc66Bc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: UdY4Kc66Bc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: UdY4Kc66Bc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Code function: 0_2_00B81000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree | 0_2_00B81000
Source: UdY4Kc66Bc.exe | Static PE information: real checksum: 0x1979e should be: 0x18f01
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Code function: 0_2_00B81BC0 push ecx; ret | 0_2_00B81BD3
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Code function: 1_2_00007FF886E400BD pushad ; iretd | 1_2_00007FF886E400C1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Code function: 1_2_00007FF886E4845E push eax; ret | 1_2_00007FF886E4846D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Code function: 1_2_00007FF886E4842E pushad ; ret | 1_2_00007FF886E4845D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Code function: 1_2_00007FF886E47C35 push eax; retf | 1_2_00007FF886E47C6D
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Memory allocated: 1A3CBAE0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Memory allocated: 1A3E54F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 599890
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 599780
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 599668
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 599554
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 599406
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 599262
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 599149
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 598828
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 598250
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 598062
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 597952
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 597836
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 597734
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 597622
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 597514
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 597406
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 597296
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 597187
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 597077
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 596968
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 596859
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 596750
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 596639
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 596531
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 596421
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 596312
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 596202
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 596093
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 595984
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 595875
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 595764
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 595653
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 595533
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 595406
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 595296
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 595187
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 595078
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 594968
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 594858
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 594749
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 594640
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 594530
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 594421
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 594312
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 594203
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 594093
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 593984
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 593874
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 593765
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 593656
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 593543
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 593437
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Window / User API: threadDelayed 1950
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Window / User API: threadDelayed 7729
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe TID: 5340 | Thread sleep time: -40000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -599890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -599780s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -599668s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -599554s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -599406s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -599262s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -599149s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -598828s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -598250s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -598062s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -597952s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -597836s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -597734s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -597622s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -597514s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -597406s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -597296s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -597187s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -597077s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -596968s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -596859s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -596750s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -596639s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -596531s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -596421s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -596312s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -596202s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -596093s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -595984s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -595875s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -595764s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -595653s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -595533s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -595406s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -595296s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -595187s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -595078s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -594968s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -594858s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -594749s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -594640s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -594530s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -594421s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -594312s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -594203s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -594093s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -593984s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -593874s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -593765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -593656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -593543s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6916 | Thread sleep time: -593437s >= -30000s
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Code function: 0_2_00B84A4B FindFirstFileExA,0_2_00B84A4B
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Thread delayed: delay time: 40000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 599890
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 599780
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 599668
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 599554
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 599406
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 599262
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 599149
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 598828
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 598250
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 598062
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 597952
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 597836
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 597734
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 597622
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 597514
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 597406
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 597296
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 597187
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 597077
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 596968
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 596859
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 596750
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 596639
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 596531
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 596421
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 596312
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 596202
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 596093
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 595984
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 595875
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 595764
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 595653
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 595533
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 595406
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 595296
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 595187
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 595078
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 594968
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 594858
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 594749
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 594640
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 594530
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 594421
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 594312
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 594203
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 594093
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 593984
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 593874
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 593765
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 593656
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 593543
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Thread delayed: delay time: 593437
Source: Amcache.hve.6.dr | Binary or memory string: VMware
Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: dfsvc.exe, 00000001.00000002.2283950958.000001A3E5F11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.6.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr | Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.6.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Code function: 0_2_00B8191F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00B8191F
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Code function: 0_2_00B81000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,0_2_00B81000
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Code function: 0_2_00B83677 mov eax, dword ptr fs:[00000030h]0_2_00B83677
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Code function: 0_2_00B86893 GetProcessHeap,0_2_00B86893
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Code function: 0_2_00B81493 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00B81493
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Code function: 0_2_00B8191F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00B8191F
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Code function: 0_2_00B84573 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00B84573
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Code function: 0_2_00B81AAC SetUnhandledExceptionFilter,0_2_00B81AAC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Code function: 0_2_00B81BD4 cpuid 0_2_00B81BD4
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Code function: 0_2_00B81806 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00B81806
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr | Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\UdY4Kc66Bc.exe | Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
MITRE ATT&CK matrix (one tactic per column; the numbers in parentheses are the counters attached to each technique in the report's matrix):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | Process Injection (1) | Masquerading (1) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (22) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Native API (1) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Modify Registry (1) | LSASS Memory | Security Software Discovery (41) | Remote Desktop Protocol | Data from Removable Media | Non-Application Layer Protocol (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (21) | Security Account Manager | Virtualization/Sandbox Evasion (41) | SMB/Windows Admin Shares | Data from Network Shared Drive | Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Virtualization/Sandbox Evasion (41) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Process Injection (1) | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (1) | Cached Domain Credentials | System Information Discovery (23) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Install Root Certificate (1) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label
UdY4Kc66Bc.exe | 24% | ReversingLabs | Win32.PUA.ScreenConnect
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://fn3699.kafinora.cyou/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=fnback9636.sit | 0% | Avira URL Cloud | safe
https://fn3699.kafinora.cyou( | 0% | Avira URL Cloud | safe
https://fn3699.kafinora.cyou/Bin/ScreenConnect.Client.application?e=Support&y=Gues | 0% | Avira URL Cloud | safe
http://fn3699.kafinora.cyou | 0% | Avira URL Cloud | safe
https://fn3699.kafinora.cyou | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0015.t-0009.t-msedge.net | 13.107.246.43 | true | false | | high
fn3699.kafinora.cyou | 37.221.65.128 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl3.digic | UdY4Kc66Bc.exe, 00000000.00000002.1461015578.00000000010C9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://fn3699.kafinora.cyou/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=fnback9636.sit | DJY51CAU.log.1.dr | false | Avira URL Cloud: safe | unknown
http://upx.sf.net | Amcache.hve.6.dr | false | | high
https://fn3699.kafinora.cyou | dfsvc.exe, 00000001.00000002.2282085524.000001A3CD65C000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2282085524.000001A3CD60B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fn3699.kafinora.cyou/Bin/ScreenConnect.Client.application?e=Support&y=Gues | dfsvc.exe, 00000001.00000002.2282085524.000001A3CD70D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2282085524.000001A3CD6D9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | dfsvc.exe, 00000001.00000002.2282085524.000001A3CD5C6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://fn3699.kafinora.cyou | dfsvc.exe, 00000001.00000002.2282085524.000001A3CD66C000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2282085524.000001A3CD69B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fn3699.kafinora.cyou( | dfsvc.exe, 00000001.00000002.2282085524.000001A3CD66C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
37.221.65.128 | fn3699.kafinora.cyou | Russian Federation | 48430 | FIRSTDC-ASRU | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1560270
Start date and time: 2024-11-21 15:55:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: UdY4Kc66Bc.exe (renamed because the original name is a hash value)
Original Sample Name: 511ca3f9e84a22885d9dac546aba034373a63a83825a058320713180ef485d74.exe
Detection: MAL
Classification: mal42.evad.winEXE@4/7@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 5
• Number of non-executed functions: 26
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.89.179.12
• Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, blobcollector.events.data.trafficmanager.net, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: UdY4Kc66Bc.exe
Time | Type | Description
09:56:04 | API Interceptor | 641267x Sleep call for process: dfsvc.exe modified
09:56:04 | API Interceptor | 1x Sleep call for process: UdY4Kc66Bc.exe modified
09:56:15 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37.221.65.128 | 4GO734bOd8.exe | malicious | Unknown |
 | 814iXDSMYu.exe | malicious | Unknown |
 | Statement-110122025.exe | malicious | ScreenConnect Tool |
 | Statement-110122025.exe | malicious | ScreenConnect Tool |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
fn3699.kafinora.cyou | 4GO734bOd8.exe | malicious | Unknown | 37.221.65.128
 | 814iXDSMYu.exe | malicious | Unknown | 37.221.65.128
s-part-0015.t-0009.t-msedge.net | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 13.107.246.43
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 13.107.246.43
 | file.exe | malicious | LummaC | 13.107.246.43
 | file.exe | malicious | Remcos | 13.107.246.43
 | zhbEGHo55P.exe | malicious | LockBit ransomware | 13.107.246.43
 | file.exe | malicious | LummaC | 13.107.246.43
 | file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 13.107.246.43
 | file.exe | malicious | PureCrypter, LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar | 13.107.246.43
 | VNC Sales.xlsx | malicious | Unknown | 13.107.246.43
 | https://midlandtxconstruction.com/o/?c3Y9bzM2NV8xX25vbSZyYW5kPU5VVmliM0U9JnVpZD1VU0VSMTcxMDIwMjRVMDAxMDE3NDA=N0123N | malicious | HTMLPhisher, Mamba2FA | 13.107.246.43
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FIRSTDC-ASRU | 4GO734bOd8.exe | malicious | Unknown | 37.221.65.128
 | 814iXDSMYu.exe | malicious | Unknown | 37.221.65.128
 | Statement-110122025.exe | malicious | ScreenConnect Tool | 37.221.65.128
 | Statement-110122025.exe | malicious | ScreenConnect Tool | 37.221.65.128
 | https://cp9856.chelokipotlester.icu/Bin/support.Client.exe?h=cp3back96.site&p=8041&k=BgIAAACkAABSU0ExAAgAAAEAAQB9zMUOcnsRaC12buOM5jB%2F0aQdWfMpUKDaWi13yRXoM16W00nLl4p0ZtEhANoxvmcw0wWFEBncKj1h1Sizr06d2epn5Y1la%2FZuAUNQxVB6zV6MkV%2FQ3PQ8O4IKEUzM%2B1uTT6bVi8cjhVOM7wlYYJcudQAB6Dwlh4JaUc5YEBvhT8MaZnAIYPqnbmxNwUw1RDlaRh5YJbZGPTJPIJpusdEO4D%2FCUtP6CZ%2F6LBYCi1k6apr4NFJdoCsgYMmz0ueWApW6fnSWePa0E3G6vxJQsjXUZXU7nn2pC9y84o5L0uqvKTZ239UPNomZv8wnSyaubzULL%2B48fuhT%2FYi9ukTBmorR&s=5999b697-2fc8-47f6-a1dc-4d0d274c363e&i=Untitled%20Session&e=Support&y=Guest&r= | malicious | ScreenConnect Tool | 37.221.67.19
 | meow.arm5.elf | malicious | Unknown | 45.89.63.16
 | BLh4H2eIU9.exe | malicious | RHADAMANTHYS | 37.221.67.152
 | vsYkceYJOX.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RedLine, Stealc, Vidar | 62.133.62.93
 | 6.dll | malicious | Unknown | 141.98.169.154
 | build.exe | malicious | PureLog Stealer | 93.185.167.95
                    No context
                    No context

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9120542837260193
Encrypted: false
SSDEEP: 96:141F/y/GS/sYhq2GXyf8QXIDcQvc6QcEVcw3cE/jmi+HbHg/Jg+OgBCXEYcI+1sO:1QM/E20BU/HmLji0ozuiFhZ24IO8ql5
MD5: CD89DBADFF646A33F1A5BE6A16FFD566
SHA1: 80CC650B20111A0D07C93EFE619BBB44B76454C1
SHA-256: ACBBCEC3BD57AAFDA1BA3673CF5865D8E55A52386C32A68E7E27A9AFA11F00C9
SHA-512: 9B60CF30FCE51CB6EE447D63B4F87D65A2F63EC5853DCAE1F85C939C1D976F53AFC30BE6F5E69AB31D59B0D73C3459CCB234D1774A977AE9BB51782F14897F8B
Malicious: true
Reputation: low
                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.6.7.4.5.6.5.8.7.1.7.0.3.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.6.7.4.5.6.7.1.5.2.9.5.5.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.1.7.9.4.d.0.1.-.c.5.9.9.-.4.9.c.c.-.9.9.f.a.-.a.1.7.b.b.5.9.c.0.0.3.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.5.d.7.7.f.2.b.-.1.1.5.d.-.4.5.3.0.-.8.8.4.b.-.2.f.a.4.4.5.9.e.b.5.3.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.U.d.Y.4.K.c.6.6.B.c...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.b.8.-.0.0.0.1.-.0.0.1.4.-.8.3.2.a.-.a.5.7.c.2.5.3.c.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.1.7.c.5.7.8.7.c.d.9.4.7.1.3.4.d.d.2.5.a.4.1.e.d.1.7.2.2.b.1.a.0.0.0.0.f.f.f.f.!.0.0.0.0.1.7.1.b.5.6.b.4.d.c.b.6.a.3.7.c.c.9.e.c.3.7.0.4.b.e.6.9.8.2.f.0.4.2.f.1.c.4.6.1.!.U.d.Y.4.K.c.6.6.B.c...e.x.e.....T.a.r.g.e.t.A.p.p.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Thu Nov 21 14:56:06 2024, 0x1205a4 type
Category: dropped
Size (bytes): 82532
Entropy (8bit): 1.6775158929375191
Encrypted: false
SSDEEP: 192:EK2ZHfD0XkROhI/sFv9HGZtfQUrtbUTTuu2dYADfqil7/l2kBRBx3w1GcO1q/+wy:AHfahI/44tbUs242YwTt8m
MD5: 6E10DB9D31B8FFBC8CEDC013B133E38A
SHA1: 4AF48F1F9E78511893CB1202C545B84BA0B0E908
SHA-256: 3B76ED5B7D20972E29026471E994B74E23E6D889547A4B0BD09C18E50EEA483C
SHA-512: 2A199AA15757322C7B6AA623375D7F6FEE2012BC6F0F11E7B73C9B5D488C968008A46B3B3BAAA07BBFA6EB97E9BEBB9D9A2BAD4110BF4A7FBC536D694B4C9F61
Malicious: false
Reputation: low
                    Preview:MDMP..a..... ........J?g.........................................;..........T.......8...........T............!... .......... ...........................................................................................eJ..............GenuineIntel............T............J?g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8328
Entropy (8bit): 3.702253782592016
Encrypted: false
SSDEEP: 192:R6l7wVeJds6l6YcDZSU9IgmfvtlprR89bFnsf/3m:R6lXJ26l6YeSU9Igmfvt2Fsf+
MD5: 721D55CB39FFF58A0141D19159923DDC
SHA1: ED7FC3BA345832C397383F02C3BED4A583B862F4
SHA-256: 7DB4C7208D249F070CD775C57BF3F5C6BC10B4C23C2F84011AAED5CC5D75C5D2
SHA-512: 5E1D987A585B56D3FCCE491141D6F68A25602FD63A9F2E7D2C5444F5EB4F959B1BE4117EA1F5D33B4726BC88149CC44952466B51ABC35944C28AEF6F00BC8E6B
Malicious: false
Reputation: low
                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.0.4.8.<./.P.i.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4593
Entropy (8bit): 4.483133439832674
Encrypted: false
SSDEEP: 48:cvIwWl8zsBJg77aI9HEWpW8VYrYm8M4JxsLFC++q8XQVWMdg/Yd:uIjfTI7pd7VPJxj+YwWog/Yd
MD5: C0ABA4B12A7AC5F777926FF2A7849A35
SHA1: 10A24B1A3A029B4A24829C41E4069C147A6D5F00
SHA-256: FC0F5F12BAD201BD639A7067823DE7E74197E75EC522E98CDD2C7C5DFE21B70A
SHA-512: 551DBEBE8009DB5F6F1BEB6A62A8981B4A4FAC4C602F99FE03D7A91B3240997649E43C865E0CDDD8A1BB5AA20776E6C3DC39C0CF5CCF2163FC0F0778707B6ED4
Malicious: false
Reputation: low
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="597958" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1373
Entropy (8bit): 5.369201792577388
Encrypted: false
SSDEEP: 24:ML1XE4qpE4KQ71qE4GIs0E4KGAE4KKUNKKDE4KGKZI6KhPKIE4TKBGKoM:M1H2HKQ71qHGIs0HKGAHKKkKYHKGSI65
MD5: AE112903AD8CD5C130DF44E7E1601F48
SHA1: A3D879E7F63259F5C76C846DC8A59E5AA36EC5F6
SHA-256: FAFA70F9D4F34235B7681A6296CA5B27A7932EDFF8A029BE748810DC2547C2ED
SHA-512: 29388D9599B400D9BDC2F869548A0448470755C7A3AFA24955B768D214A7E5802BB655C1EB4C679E308916266DFA5C2FA7CE3A3F10E802D349C63588C735984F
Malicious: false
Reputation: moderate, very likely benign file
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, Pu

Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type: Unicode text, UTF-16, little-endian text, with very long lines (650), with CRLF line terminators
Category: dropped
Size (bytes): 15916
Entropy (8bit): 3.8516472810422253
Encrypted: false
SSDEEP: 192:XCmjtLCmjtuknlWSCmjt0knQ4e1uSOCp4y53n:XCKtLCKtuslNCKt0sQ4e1uS1myJ
MD5: F66B10D32C6B698D9B68240C0D8D9D53
SHA1: F5D2D932EAFF32FBB6F64D963032005512922D69
SHA-256: 5BBFB2A08E2CC78B8EE9580901CD8165842F40533ED8CB168A0AC99F3A1F56AF
SHA-512: 79261830E099C1EEA4C15AD468CA450F33631D0CDF7FD3883B3EA13E90C9B03FF7D047A0E96C949C92F395522B185287A14348B4119A8B595D28CB333F0A8A34
Malicious: false
Reputation: low
                    Preview:..P.L.A.T.F.O.R.M. .V.E.R.S.I.O.N. .I.N.F.O.......W.i.n.d.o.w.s. .......:. .1.0...0...1.9.0.4.5...0. .(.W.i.n.3.2.N.T.).......C.o.m.m.o.n. .L.a.n.g.u.a.g.e. .R.u.n.t.i.m.e. ...:. .4...0...3.0.3.1.9...4.2.0.0.0.......S.y.s.t.e.m...D.e.p.l.o.y.m.e.n.t...d.l.l. .....:. .4...8...4.2.7.0...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......c.l.r...d.l.l. .......:. .4...8...4.5.1.5...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......d.f.d.l.l...d.l.l. .......:. .4...8...4.2.7.0...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......d.f.s.h.i.m...d.l.l. .......:. .1.0...0...1.9.0.4.1...3.0.0.0.0. .(.W.i.n.B.u.i.l.d...1.6.0.1.0.1...0.8.0.0.).........S.O.U.R.C.E.S.......D.e.p.l.o.y.m.e.n.t. .u.r.l.......:. .h.t.t.p.s.:././.f.n.3.6.9.9...k.a.f.i.n.o.r.a...c.y.o.u./.B.i.n./.S.c.r.e.e.n.C.o.n.n.e.c.t...C.l.i.e.n.t...a.p.p.l.i.c.a.t.i.o.n.?.e.=.S.u.p.p.o.r.t.&.y.=.G.u.e.s.t.&.h.=.f.n.b.a.c.k.9.6.3.6...s.i.t.e.&.p.=.8.0.4.1.&.s.=.0.8.e.b.8.7.7.0.-.c.8.b.8.-.4.d.5.8.-.9.0.a.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.39382429233197
Encrypted: false
SSDEEP: 6144:al4fiJoH0ncNXiUjt10q0G/gaocYGBoaUMMhA2NX4WABlBuNAJOBSqa:K4vF0MYQUMM6VFYSJU
MD5: 47CFB63F3B6978C36135FB660C72B15F
SHA1: EBAE592313DDFA580FB69B7C02F6F6729382A056
SHA-256: D1E7279A9459E694127CBD1A08BA8EC197C0229FF645F632EC684913989905EF
SHA-512: 7ED02E64027403996BE385367B16654C5B0025B1EFC98AF89E0BEFC44889B673E737C1A943B3439C191A3CA09B41578BA0A20BA8508A39991C984054ECE92EF9
Malicious: false
Reputation: low
                    Preview:regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.u.}%<..............................................................................................................................................................................................................................................................................................................................................1C.I........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.514893710192672
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: UdY4Kc66Bc.exe
File size: 83'368 bytes
MD5: 739682b6fd2b25f2a6234b733090735b
SHA1: 171b56b4dcb6a37cc9ec3704be6982f042f1c461
SHA256: 511ca3f9e84a22885d9dac546aba034373a63a83825a058320713180ef485d74
SHA512: f1c886e79dd1e6dad08f24417e4a9675cc125a0524bf593341729cfa97e634424832289fb03bcd92084563cf82c8524b5b7a4946c89b7441c3e48090b7e2b2c5
SSDEEP: 1536:7oG6KpY6Qi3yj2wyq4HwiMO10HVLCJRpsWr6cda2PBJYY27SxO:VenkyfPAwiMq0RqRfba2ZJYY2v
TLSH: 8F836C43B5D18875E9720D3118B1D9B4593FBE110E948EAF3398826E0F391D19E3AE7B
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ycId...d...d.......n...............|.......A.......v.......v...m`..a...d...........e.......e.......e...Richd...........PE..L..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x401489
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x66A1348F [Wed Jul 24 17:06:23 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 37d5c89163970dd3cc69230538a1b72b
Signature Valid: true
Signature Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before, Not After:
• 17/08/2022 01:00:00, 16/08/2025 00:59:59
Subject Chain:
• CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
Version: 3
Thumbprint MD5: AAE704EC2810686C3BF7704E660AFB5D
Thumbprint SHA-1: 4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Thumbprint SHA-256: 82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
Serial: 0B9360051BCCF66642998998D5BA97CE
                    Instruction
                    call 00007F0D0883624Ah
                    jmp 00007F0D08835CFFh
                    push ebp
                    mov ebp, esp
                    push 00000000h
                    call dword ptr [0040B048h]
                    push dword ptr [ebp+08h]
                    call dword ptr [0040B044h]
                    push C0000409h
                    call dword ptr [0040B04Ch]
                    push eax
                    call dword ptr [0040B050h]
                    pop ebp
                    ret
                    push ebp
                    mov ebp, esp
                    sub esp, 00000324h
                    push 00000017h
                    call dword ptr [0040B054h]
                    test eax, eax
                    je 00007F0D08835E87h
                    push 00000002h
                    pop ecx
                    int 29h
                    mov dword ptr [004118C0h], eax
                    mov dword ptr [004118BCh], ecx
                    mov dword ptr [004118B8h], edx
                    mov dword ptr [004118B4h], ebx
                    mov dword ptr [004118B0h], esi
                    mov dword ptr [004118ACh], edi
                    mov word ptr [004118D8h], ss
                    mov word ptr [004118CCh], cs
                    mov word ptr [004118A8h], ds
                    mov word ptr [004118A4h], es
                    mov word ptr [004118A0h], fs
                    mov word ptr [0041189Ch], gs
                    pushfd
                    pop dword ptr [004118D0h]
                    mov eax, dword ptr [ebp+00h]
                    mov dword ptr [004118C4h], eax
                    mov eax, dword ptr [ebp+04h]
                    mov dword ptr [004118C8h], eax
                    lea eax, dword ptr [ebp+08h]
                    mov dword ptr [004118D4h], eax
                    mov eax, dword ptr [ebp-00000324h]
                    mov dword ptr [00411810h], 00010001h
                    Programming Language:
                    • [IMP] VS2008 SP1 build 30729
                    Name                                  Virtual Address  Virtual Size  Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0           -
                    IMAGE_DIRECTORY_ENTRY_IMPORT          0x1060c          0x3c          .rdata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE        0x13000          0x1e0         .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0           -
                    IMAGE_DIRECTORY_ENTRY_SECURITY        0x11800          0x2da8        - (file offset, see note)
                    IMAGE_DIRECTORY_ENTRY_BASERELOC       0x14000          0xddc         .reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG           0xfe38           0x70          .rdata
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0           -
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0           -
                    IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0           -
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xfd78           0x40          .rdata
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0           -
                    IMAGE_DIRECTORY_ENTRY_IAT             0xb000           0x13c         .rdata
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0           -
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0           -
                    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0           -
                    Note: for IMAGE_DIRECTORY_ENTRY_SECURITY the "Virtual Address" field is a raw file offset, not an RVA, which is why it maps to no section. 0x11800 + 0x2da8 = 0x145a8 = 83,368 bytes, exactly the file size reported in the process table below, so the Authenticode certificate table is the trailing blob of the file.
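Added example (not part of the Joe Sandbox report and not the sample's own code): a parser for the blob the SECURITY directory points at. It walks the WIN_CERTIFICATE entries (dwLength, wRevision, wCertificateType, then the body), checks that the directory range actually lies inside the file using the 0x11800 / 0x2da8 / 83,368-byte values from this report, and flags the Authenticode case (revision 0x0200, type 0x0002, DER SEQUENCE body). The entries it is run on are constructed test data, not the sample's signature; helper names are the example's own.

```python
import struct

# WIN_CERTIFICATE header as laid out in the PE spec: DWORD dwLength, WORD wRevision, WORD wCertificateType.
WIN_CERT_HDR = struct.Struct("<IHH")
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # PKCS#7 SignedData, the Authenticode case
FILE_SIZE = 83368                         # "File size: 83'368 bytes" from the process table


def security_dir_in_file(offset, size, file_size=FILE_SIZE):
    """The SECURITY directory's 'VirtualAddress' is a raw file offset, unlike the other
    directories. True when [offset, offset + size) lies inside the file."""
    return 0 < offset and size > 0 and offset + size <= file_size


def parse_certificate_table(blob):
    """Walk the WIN_CERTIFICATE entries of an IMAGE_DIRECTORY_ENTRY_SECURITY blob.
    dwLength counts the 8-byte header; entries are padded to 8-byte boundaries.
    Returns a list of (revision, cert_type, body) and raises on a length that
    points outside the blob, which is how a truncated or tampered table shows up."""
    entries, pos = [], 0
    while pos + WIN_CERT_HDR.size <= len(blob):
        length, revision, cert_type = WIN_CERT_HDR.unpack_from(blob, pos)
        if length < WIN_CERT_HDR.size or pos + length > len(blob):
            raise ValueError(f"bad WIN_CERTIFICATE dwLength {length:#x} at offset {pos:#x}")
        entries.append((revision, cert_type, blob[pos + WIN_CERT_HDR.size:pos + length]))
        pos += (length + 7) & ~7
    return entries


def is_pkcs7_signed_data(revision, cert_type, body):
    """Authenticode entry check: revision 2.0, type PKCS_SIGNED_DATA, DER SEQUENCE (0x30) body."""
    return (revision == WIN_CERT_REVISION_2_0 and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA
            and body[:1] == b"\x30")


def build_entry(body, revision=WIN_CERT_REVISION_2_0, cert_type=WIN_CERT_TYPE_PKCS_SIGNED_DATA):
    """Constructed test helper (not real signature data): wrap body in a padded WIN_CERTIFICATE."""
    length = WIN_CERT_HDR.size + len(body)
    padded = (length + 7) & ~7
    return WIN_CERT_HDR.pack(length, revision, cert_type) + body + b"\0" * (padded - length)


if __name__ == "__main__":
    print("security dir inside file:", security_dir_in_file(0x11800, 0x2da8))
    table = build_entry(b"\x30\x03\x02\x01\x01") + build_entry(b"\x00\x01", revision=0x0100, cert_type=0x0001)
    for rev, typ, body in parse_certificate_table(table):
        print(f"rev={rev:#06x} type={typ:#06x} len={len(body)} authenticode={is_pkcs7_signed_data(rev, typ, body)}")
```

To apply it to a real file, read `size` bytes at `offset` straight from disk (no RVA-to-offset translation) and hand them to `parse_certificate_table`; the body of an Authenticode entry is the PKCS#7 blob that CryptQueryObject, which this sample imports, would parse.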
                    Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type                                         | Entropy            | Characteristics
                    .text  | 0x1000          | 0x9cf8       | 0x9e00   | bae4521030709e187bdbe8a34d7bf731 | False    | 0.6035650712025317 | data                                              | 6.581464957368758  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rdata | 0xb000          | 0x5d58       | 0x5e00   | 128d20faa5b43ccea3bd795f74eb5527 | False    | 0.4178025265957447 | Applesoft BASIC program data, first line number 1 | 4.843109417397977  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .data  | 0x11000         | 0x11cc       | 0x800    | 04a548a5c04675d08166d3823a6bf61b | False    | 0.16357421875      | data                                              | 2.0120795802951505 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .rsrc  | 0x13000         | 0x1e0        | 0x200    | aa256780346be2e1ee49ac6d69d2faff | False    | 0.52734375         | data                                              | 4.703723272345726  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .reloc | 0x14000         | 0xddc        | 0xe00    | 908329e10a1923a3c4938a10d44237d9 | False    | 0.7776227678571429 | data                                              | 6.495696626464028  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                    Note: the "Applesoft BASIC program data" file type on .rdata is a libmagic signature false positive on the section's leading bytes; the section is ordinary read-only data. Entropies around 6.5 bits (.text, .reloc) are normal for compiled x86 code and relocation tables; packed or encrypted sections usually exceed 7, and none of the sections is flagged as an XOR-encoded PE.
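Added example (not part of the report): the per-section metrics in the table above, computed the way an analyst would reproduce them without the sandbox. Shannon entropy in bits per byte matches the Entropy column's 0 to 8 scale; "ZLIB Complexity" is assumed here to mean compressed size over raw size, and "Xored PE" is assumed to be a scan for an MZ/PE header hidden under a single-byte XOR key (both readings are this example's assumptions, not Joe Sandbox's documented definitions). All inputs are constructed; the function and helper names are the example's own.

```python
import hashlib
import math
import struct
import zlib


def shannon_entropy(data):
    """Entropy in bits per byte (0.0 .. 8.0), the scale of the Entropy column."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data):
    """Assumed reading of the 'ZLIB Complexity' column: compressed size / raw size.
    Close to 1.0 means incompressible (packed or encrypted); close to 0 means padding."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def find_xored_pe(data, max_e_lfanew=0x400):
    """Assumed check behind the 'Xored PE' column: a PE header hidden under a single-byte
    XOR key. For every key, find 'MZ'^key, decode e_lfanew at +0x3C and confirm
    'PE\\0\\0'^key there. Returns (key, offset) or None. Key 0 (a plain PE) is skipped."""
    for key in range(1, 256):
        mz = bytes((0x4D ^ key, 0x5A ^ key))
        pe = bytes(b ^ key for b in b"PE\0\0")
        off = data.find(mz)
        while off >= 0:
            if off + 0x40 <= len(data):
                e_lfanew = struct.unpack("<I", bytes(b ^ key for b in data[off + 0x3C:off + 0x40]))[0]
                if e_lfanew < max_e_lfanew and data[off + e_lfanew:off + e_lfanew + 4] == pe:
                    return key, off
            off = data.find(mz, off + 1)
    return None


def section_metrics(name, raw):
    """The per-section columns of the table, plus a packing hint (entropy above 7 bits)."""
    ent = shannon_entropy(raw)
    return {
        "name": name, "raw_size": len(raw), "md5": hashlib.md5(raw).hexdigest(),
        "entropy": ent, "zlib_complexity": zlib_complexity(raw),
        "xored_pe": find_xored_pe(raw) is not None, "packed_hint": ent > 7.0,
    }


def make_pe_stub(key, e_lfanew=0x80, size=0x100):
    """Constructed test input: a minimal MZ/PE header skeleton, XOR-encoded with key (0 = plain)."""
    hdr = bytearray(size)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = struct.pack("<I", e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(b ^ key for b in hdr)


if __name__ == "__main__":
    for name, raw in ((".fake_code", bytes(range(256)) * 16), (".fake_data", b"\0" * 0x800),
                      (".fake_blob", b"\0" * 64 + make_pe_stub(0x5A))):
        print(section_metrics(name, raw))
```

Run it over each section's raw bytes (Raw Size bytes at the section's PointerToRawData) and compare with the table; a section whose entropy is high but whose zlib ratio is low is compressible and therefore not encrypted, which is a useful second opinion on a "packed" verdict.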
                    Name        | RVA     | Size  | Type                                                     | Language | Country       | ZLIB Complexity
                    RT_MANIFEST | 0x13060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English  | United States | 0.5931758530183727

                    DLL          | Imports
                    KERNEL32.dll | LocalFree, GetProcAddress, LoadLibraryA, Sleep, LocalAlloc, GetModuleFileNameW, DecodePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, WriteConsoleW, CreateFileW
                    CRYPT32.dll  | CertDeleteCertificateFromStore, CryptMsgGetParam, CertCloseStore, CryptQueryObject, CertAddCertificateContextToStore, CertFindAttribute, CertFreeCertificateContext, CertCreateCertificateContext, CertOpenSystemStoreA

                    Language of compilation system | Country where language is spoken
                    English                        | United States
                    TCP packets
                    Timestamp                           | Source Port | Dest Port | Source IP     | Dest IP
                    Nov 21, 2024 15:56:08.167907000 CET | 49713       | 443       | 192.168.2.9   | 37.221.65.128
                    Nov 21, 2024 15:56:08.167941093 CET | 443         | 49713     | 37.221.65.128 | 192.168.2.9
                    Nov 21, 2024 15:56:08.168008089 CET | 49713       | 443       | 192.168.2.9   | 37.221.65.128
                    Nov 21, 2024 15:56:08.234174967 CET | 49713       | 443       | 192.168.2.9   | 37.221.65.128
                    Nov 21, 2024 15:56:08.234193087 CET | 443         | 49713     | 37.221.65.128 | 192.168.2.9
                    Nov 21, 2024 15:56:11.272259951 CET | 443         | 49713     | 37.221.65.128 | 192.168.2.9
                    Nov 21, 2024 15:56:11.272367001 CET | 49713       | 443       | 192.168.2.9   | 37.221.65.128
                    Nov 21, 2024 15:56:11.300631046 CET | 49713       | 443       | 192.168.2.9   | 37.221.65.128
                    Nov 21, 2024 15:56:11.300657034 CET | 443         | 49713     | 37.221.65.128 | 192.168.2.9
                    Nov 21, 2024 15:56:11.303788900 CET | 49726       | 443       | 192.168.2.9   | 37.221.65.128
                    Nov 21, 2024 15:56:11.303853035 CET | 443         | 49726     | 37.221.65.128 | 192.168.2.9
                    Nov 21, 2024 15:56:11.303927898 CET | 49726       | 443       | 192.168.2.9   | 37.221.65.128
                    Nov 21, 2024 15:56:11.304522038 CET | 49726       | 443       | 192.168.2.9   | 37.221.65.128
                    Nov 21, 2024 15:56:11.304536104 CET | 443         | 49726     | 37.221.65.128 | 192.168.2.9
                    Nov 21, 2024 15:56:14.304800987 CET | 443         | 49726     | 37.221.65.128 | 192.168.2.9
                    Nov 21, 2024 15:56:14.304905891 CET | 49726       | 443       | 192.168.2.9   | 37.221.65.128
                    Nov 21, 2024 15:56:14.323950052 CET | 49726       | 443       | 192.168.2.9   | 37.221.65.128
                    Nov 21, 2024 15:56:14.323992014 CET | 443         | 49726     | 37.221.65.128 | 192.168.2.9

                    UDP packets
                    Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
                    Nov 21, 2024 15:56:07.967323065 CET | 63584       | 53        | 192.168.2.9 | 1.1.1.1
                    Nov 21, 2024 15:56:08.106595039 CET | 53          | 63584     | 1.1.1.1     | 192.168.2.9

                    DNS queries
                    Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name                 | Type           | Class       | DNS over HTTPS
                    Nov 21, 2024 15:56:07.967323065 CET | 192.168.2.9 | 1.1.1.1 | 0x1806   | Standard query (0) | fn3699.kafinora.cyou | A (IP address) | IN (0x0001) | false

                    DNS answers
                    Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name                                          | CName                           | Address       | Type                   | Class       | DNS over HTTPS
                    Nov 21, 2024 15:56:03.236252069 CET | 1.1.1.1   | 192.168.2.9 | 0xe968   | No error (0) | shed.dual-low.s-part-0015.t-0009.t-msedge.net | s-part-0015.t-0009.t-msedge.net | -             | CNAME (Canonical name) | IN (0x0001) | false
                    Nov 21, 2024 15:56:03.236252069 CET | 1.1.1.1   | 192.168.2.9 | 0xe968   | No error (0) | s-part-0015.t-0009.t-msedge.net               | -                               | 13.107.246.43 | A (IP address)         | IN (0x0001) | false
                    Nov 21, 2024 15:56:08.106595039 CET | 1.1.1.1   | 192.168.2.9 | 0x1806   | No error (0) | fn3699.kafinora.cyou                          | -                               | 37.221.65.128 | A (IP address)         | IN (0x0001) | false
                    Note: the only resolution followed by traffic is fn3699.kafinora.cyou (query 0x1806 at 15:56:07, answer 37.221.65.128 at 15:56:08, two TLS connections to 37.221.65.128:443 from ports 49713 and 49726 immediately after). The t-msedge.net answer (0xe968, 15:56:03) precedes the sample's start and has no matching TCP packets in the capture.
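Added example (not part of the report): the correlation an analyst does by hand on the tables above, as code. It groups the packet rows into client-to-server flows, labels each flow's server IP with the hostname from the DNS answers, counts packets per direction and flow duration, and separates names that were resolved but never contacted (background lookups that should not become IOCs attributed to the sample). The packet rows are re-typed from the tables above as constructed input; the "lower port is the server" rule and all function names are this example's assumptions.

```python
from datetime import datetime

# Constructed input for this example: the TCP packet rows from the table above,
# re-typed as "timestamp | sport | dport | src | dst" lines.
TCP_ROWS = """\
Nov 21, 2024 15:56:08.167907000 CET | 49713 | 443 | 192.168.2.9 | 37.221.65.128
Nov 21, 2024 15:56:08.167941093 CET | 443 | 49713 | 37.221.65.128 | 192.168.2.9
Nov 21, 2024 15:56:08.168008089 CET | 49713 | 443 | 192.168.2.9 | 37.221.65.128
Nov 21, 2024 15:56:08.234174967 CET | 49713 | 443 | 192.168.2.9 | 37.221.65.128
Nov 21, 2024 15:56:08.234193087 CET | 443 | 49713 | 37.221.65.128 | 192.168.2.9
Nov 21, 2024 15:56:11.272259951 CET | 443 | 49713 | 37.221.65.128 | 192.168.2.9
Nov 21, 2024 15:56:11.272367001 CET | 49713 | 443 | 192.168.2.9 | 37.221.65.128
Nov 21, 2024 15:56:11.300631046 CET | 49713 | 443 | 192.168.2.9 | 37.221.65.128
Nov 21, 2024 15:56:11.300657034 CET | 443 | 49713 | 37.221.65.128 | 192.168.2.9
Nov 21, 2024 15:56:11.303788900 CET | 49726 | 443 | 192.168.2.9 | 37.221.65.128
Nov 21, 2024 15:56:11.303853035 CET | 443 | 49726 | 37.221.65.128 | 192.168.2.9
Nov 21, 2024 15:56:11.303927898 CET | 49726 | 443 | 192.168.2.9 | 37.221.65.128
Nov 21, 2024 15:56:11.304522038 CET | 49726 | 443 | 192.168.2.9 | 37.221.65.128
Nov 21, 2024 15:56:11.304536104 CET | 443 | 49726 | 37.221.65.128 | 192.168.2.9
Nov 21, 2024 15:56:14.304800987 CET | 443 | 49726 | 37.221.65.128 | 192.168.2.9
Nov 21, 2024 15:56:14.304905891 CET | 49726 | 443 | 192.168.2.9 | 37.221.65.128
Nov 21, 2024 15:56:14.323950052 CET | 49726 | 443 | 192.168.2.9 | 37.221.65.128
Nov 21, 2024 15:56:14.323992014 CET | 443 | 49726 | 37.221.65.128 | 192.168.2.9
"""
# A-record results from the DNS answers table; the msedge.net name resolved via its CNAME.
DNS_ANSWERS = {
    "fn3699.kafinora.cyou": "37.221.65.128",
    "shed.dual-low.s-part-0015.t-0009.t-msedge.net": "13.107.246.43",
}


def parse_ts(s):
    """'Nov 21, 2024 15:56:08.167907000 CET' -> datetime (nanoseconds truncated to microseconds)."""
    base, frac = s.rsplit(" ", 1)[0].rsplit(".", 1)
    return datetime.strptime(base, "%b %d, %Y %H:%M:%S").replace(microsecond=int(frac[:6]))


def build_flows(rows, dns_answers):
    """Group packets into flows keyed by (client_ip, client_port, server_ip, server_port).
    Assumption: the lower port number is the server side (true for 443 and 53 here)."""
    ip_to_name = {ip: name for name, ip in dns_answers.items()}
    flows = {}
    for line in rows.strip().splitlines():
        ts, sport, dport, src, dst = (f.strip() for f in line.split("|"))
        sport, dport, t = int(sport), int(dport), parse_ts(ts)
        outbound = sport > dport
        key = (src, sport, dst, dport) if outbound else (dst, dport, src, sport)
        f = flows.setdefault(key, {"host": ip_to_name.get(key[2]), "first": t, "last": t, "out": 0, "in": 0})
        f["first"], f["last"] = min(f["first"], t), max(f["last"], t)
        f["out" if outbound else "in"] += 1
    return flows


def triage(flows, dns_answers):
    """Network IOCs actually contacted, and names that resolved but were never connected to."""
    contacted_ips = {key[2] for key in flows}
    return {
        "contacted": sorted({(f["host"] or "-", key[2], key[3]) for key, f in flows.items()}),
        "resolved_not_contacted": sorted(n for n, ip in dns_answers.items() if ip not in contacted_ips),
    }


if __name__ == "__main__":
    flows = build_flows(TCP_ROWS, DNS_ANSWERS)
    for key, f in flows.items():
        dur = (f["last"] - f["first"]).total_seconds()
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]} ({f['host']}) out={f['out']} in={f['in']} {dur:.3f}s")
    print(triage(flows, DNS_ANSWERS))
```

Both flows here carry nine packets over about three seconds, which is a handshake plus a short exchange rather than a bulk download; the per-flow counts are what to compare against a second detonation when checking whether the server answered at all.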


                    Target ID:0
                    Start time:09:56:04
                    Start date:21/11/2024
                    Path:C:\Users\user\Desktop\UdY4Kc66Bc.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\UdY4Kc66Bc.exe"
                    Imagebase:0xb80000
                    File size:83'368 bytes
                    MD5 hash:739682B6FD2B25F2A6234B733090735B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:1
                    Start time:09:56:04
                    Start date:21/11/2024
                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
                    Imagebase:0x1a3cb7b0000
                    File size:24'856 bytes
                    MD5 hash:B4088F44B80D363902E11F897A7BAC09
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:moderate
                    Has exited:true

                    Target ID:6
                    Start time:09:56:05
                    Start date:21/11/2024
                    Path:C:\Windows\SysWOW64\WerFault.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 880
                    Imagebase:0xc50000
                    File size:483'680 bytes
                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true


                      Execution Graph

                      Execution Coverage:2.2%
                      Dynamic/Decrypted Code Coverage:0%
                      Signature Coverage:3.8%
                      Total number of Nodes:1465
                      Total number of Limit Nodes:4
                      [Execution graph: the interactive graph-viewer node/edge data (1465 nodes) is omitted here. The node labels that name Win32 APIs are reproduced instead. Addresses are run-time addresses at image base 0xb80000, so 0xb81000 corresponds to 0x401000 in the file.]
                      Sample routine at b81000 (labelled "6 API calls"), following the graph's edges:
                      b81096 CryptMsgGetParam -> b810bc LocalAlloc -> b810e0 LocalAlloc, CryptMsgGetParam -> b81114 CertCreateCertificateContext -> b81126 CertAddCertificateContextToStore -> b81133 CertFreeCertificateContext -> b8113d LocalFree (edge back to b810e0: a loop over certificates) -> b81156 LocalFree -> b81162 CryptMsgGetParam -> b81174 CryptMsgGetParam -> b81188 CertFindAttribute, CertFindAttribute -> b811b5 LoadLibraryA, GetProcAddress -> b811e3 Sleep -> b811f7 / b8120a CertDeleteCertificateFromStore (second loop) -> b81215 CertCloseStore, LocalFree, LocalFree, LocalFree -> b81405 -> b81a6a GetModuleHandleW.
                      CRT start-up and runtime nodes on the same graph: b81806 GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter (security-cookie initialisation); b819e0 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter; b81493 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess; b818ab InitializeSListHead; b82f85 GetModuleFileNameA; b86893 GetProcessHeap; b85e64 GetStartupInfoW; b85f64 GetStdHandle; b85ed8 / b85f77 GetFileType; b88417 GetConsoleCP; b8868d GetConsoleMode; b88500 / b8890b WideCharToMultiByte; b88beb / b88819 / b8872e / b88940 WriteFile; b89101 WriteConsoleW, CreateFileW; b88f38 SetFilePointerEx; b89e21 CloseHandle; b85dc9 SetStdHandle; b84b81 FindFirstFileExA; b85bc1 FreeLibrary; b87e33 HeapSize; b87e99 HeapReAlloc; b8a6b9 RaiseException; TlsAlloc / TlsFree / TlsGetValue, critical-section and FlsSetValue helpers. The remaining nodes are unlabeled CRT internals (___scrt_*, __dosmaperr, _abort, _free, __fassign, __startOneArgErrorHandling, _ValidateLocalCookies).
5139->5156 5142 b824ed ___vcrt_uninitialize_locks DeleteCriticalSection 5141->5142 5142->5143 5143->5131 5144 b82463 5143->5144 5173 b8262e 5144->5173 5146 b82478 5146->5129 5150 b82493 5150->5129 5153 b82517 5152->5153 5154 b824f8 5152->5154 5153->5131 5155 b82502 DeleteCriticalSection 5154->5155 5155->5153 5155->5155 5161 b82543 5156->5161 5159 b82755 InitializeCriticalSectionAndSpinCount 5160 b82740 5159->5160 5160->5139 5162 b82560 5161->5162 5165 b82564 5161->5165 5162->5159 5162->5160 5164 b825cc GetProcAddress 5164->5162 5165->5162 5165->5164 5166 b825bd 5165->5166 5168 b825e3 LoadLibraryExW 5165->5168 5166->5164 5167 b825c5 FreeLibrary 5166->5167 5167->5164 5169 b825fa GetLastError 5168->5169 5170 b8262a 5168->5170 5169->5170 5171 b82605 ___vcrt_FlsSetValue 5169->5171 5170->5165 5171->5170 5172 b8261b LoadLibraryExW 5171->5172 5172->5165 5174 b82543 ___vcrt_FlsSetValue 5 API calls 5173->5174 5175 b82648 5174->5175 5176 b82661 TlsAlloc 5175->5176 5177 b8246d 5175->5177 5177->5146 5178 b826df 5177->5178 5179 b82543 ___vcrt_FlsSetValue 5 API calls 5178->5179 5180 b826f9 5179->5180 5181 b82714 TlsSetValue 5180->5181 5182 b82486 5180->5182 5181->5182 5182->5150 5183 b82496 5182->5183 5184 b824a6 5183->5184 5185 b824a0 5183->5185 5184->5146 5187 b82669 5185->5187 5188 b82543 ___vcrt_FlsSetValue 5 API calls 5187->5188 5189 b82683 5188->5189 5190 b8269b TlsFree 5189->5190 5191 b8268f 5189->5191 5190->5191 5191->5184 5193 b81a47 GetStartupInfoW 5192->5193 5193->5071 5195 b85234 5194->5195 5196 b8523d 5194->5196 5201 b8512a 5195->5201 5196->5075 5683 b8555d 5198->5683 5221 b84424 GetLastError 5201->5221 5203 b85137 5241 b85249 5203->5241 5205 b8513f 5250 b84ebe 5205->5250 5208 b85156 5208->5196 5212 b8518c 5214 b851b1 5212->5214 5215 b85194 5212->5215 5217 b851dd 5214->5217 5218 b84869 _free 15 API calls 5214->5218 5272 b847f9 5215->5272 5220 b85199 5217->5220 5281 b84d94 5217->5281 5218->5217 5275 b84869 5220->5275 5222 b8443a 5221->5222 5225 b84440 5221->5225 5284 
b85904 5222->5284 5228 b8448f SetLastError 5225->5228 5289 b8480c 5225->5289 5226 b8445a 5230 b84869 _free 15 API calls 5226->5230 5228->5203 5232 b84460 5230->5232 5231 b8446f 5231->5226 5233 b84476 5231->5233 5234 b8449b SetLastError 5232->5234 5301 b84296 5233->5301 5306 b83f24 5234->5306 5239 b84869 _free 15 API calls 5240 b84488 5239->5240 5240->5228 5240->5234 5242 b85255 ___scrt_is_nonwritable_in_current_image 5241->5242 5243 b84424 _abort 33 API calls 5242->5243 5248 b8525f 5243->5248 5245 b852e3 _abort 5245->5205 5247 b83f24 _abort 33 API calls 5247->5248 5248->5245 5248->5247 5249 b84869 _free 15 API calls 5248->5249 5542 b856e2 EnterCriticalSection 5248->5542 5543 b852da 5248->5543 5249->5248 5547 b83f72 5250->5547 5253 b84edf GetOEMCP 5256 b84f08 5253->5256 5254 b84ef1 5255 b84ef6 GetACP 5254->5255 5254->5256 5255->5256 5256->5208 5257 b862ff 5256->5257 5258 b8633d 5257->5258 5262 b8630d _abort 5257->5262 5260 b847f9 __dosmaperr 15 API calls 5258->5260 5259 b86328 HeapAlloc 5261 b85167 5259->5261 5259->5262 5260->5261 5261->5220 5264 b852eb 5261->5264 5262->5258 5262->5259 5263 b86992 _abort 2 API calls 5262->5263 5263->5262 5265 b84ebe 35 API calls 5264->5265 5266 b8530a 5265->5266 5267 b8535b IsValidCodePage 5266->5267 5269 b85311 _ValidateLocalCookies 5266->5269 5271 b85380 _abort 5266->5271 5268 b8536d GetCPInfo 5267->5268 5267->5269 5268->5269 5268->5271 5269->5212 5584 b84f96 GetCPInfo 5271->5584 5273 b844a8 _abort 15 API calls 5272->5273 5274 b847fe 5273->5274 5274->5220 5276 b84874 HeapFree 5275->5276 5280 b8489d __dosmaperr 5275->5280 5277 b84889 5276->5277 5276->5280 5278 b847f9 __dosmaperr 13 API calls 5277->5278 5279 b8488f GetLastError 5278->5279 5279->5280 5280->5208 5647 b84d51 5281->5647 5283 b84db8 5283->5220 5317 b85741 5284->5317 5286 b8592b 5287 b85943 TlsGetValue 5286->5287 5288 b85937 _ValidateLocalCookies 5286->5288 5287->5288 5288->5225 5294 b84819 _abort 5289->5294 5290 b84859 5293 b847f9 __dosmaperr 14 API calls 5290->5293 5291 
b84844 HeapAlloc 5292 b84452 5291->5292 5291->5294 5292->5226 5296 b8595a 5292->5296 5293->5292 5294->5290 5294->5291 5330 b86992 5294->5330 5297 b85741 _abort 5 API calls 5296->5297 5298 b85981 5297->5298 5299 b8599c TlsSetValue 5298->5299 5300 b85990 _ValidateLocalCookies 5298->5300 5299->5300 5300->5231 5344 b8426e 5301->5344 5452 b86b14 5306->5452 5309 b83f35 5311 b83f3e IsProcessorFeaturePresent 5309->5311 5316 b83f5c 5309->5316 5313 b83f49 5311->5313 5312 b83793 _abort 23 API calls 5314 b83f66 5312->5314 5480 b84573 5313->5480 5316->5312 5318 b85771 _abort 5317->5318 5321 b8576d 5317->5321 5318->5286 5319 b85791 5319->5318 5322 b8579d GetProcAddress 5319->5322 5321->5318 5321->5319 5323 b857dd 5321->5323 5322->5318 5324 b857fe LoadLibraryExW 5323->5324 5325 b857f3 5323->5325 5326 b8581b GetLastError 5324->5326 5327 b85833 5324->5327 5325->5321 5326->5327 5329 b85826 LoadLibraryExW 5326->5329 5327->5325 5328 b8584a FreeLibrary 5327->5328 5328->5325 5329->5327 5333 b869d6 5330->5333 5332 b869a8 _ValidateLocalCookies 5332->5294 5334 b869e2 ___scrt_is_nonwritable_in_current_image 5333->5334 5339 b856e2 EnterCriticalSection 5334->5339 5336 b869ed 5340 b86a1f 5336->5340 5338 b86a14 _abort 5338->5332 5339->5336 5343 b8572a LeaveCriticalSection 5340->5343 5342 b86a26 5342->5338 5343->5342 5350 b841ae 5344->5350 5346 b84292 5347 b8421e 5346->5347 5361 b840b2 5347->5361 5349 b84242 5349->5239 5351 b841ba ___scrt_is_nonwritable_in_current_image 5350->5351 5356 b856e2 EnterCriticalSection 5351->5356 5353 b841c4 5357 b841ea 5353->5357 5355 b841e2 _abort 5355->5346 5356->5353 5360 b8572a LeaveCriticalSection 5357->5360 5359 b841f4 5359->5355 5360->5359 5362 b840be ___scrt_is_nonwritable_in_current_image 5361->5362 5369 b856e2 EnterCriticalSection 5362->5369 5364 b840c8 5370 b843d9 5364->5370 5366 b840e0 5374 b840f6 5366->5374 5368 b840ee _abort 5368->5349 5369->5364 5371 b8440f __fassign 5370->5371 5372 b843e8 __fassign 5370->5372 5371->5366 5372->5371 5377 b86507 
5372->5377 5451 b8572a LeaveCriticalSection 5374->5451 5376 b84100 5376->5368 5379 b86587 5377->5379 5380 b8651d 5377->5380 5381 b84869 _free 15 API calls 5379->5381 5403 b865d5 5379->5403 5380->5379 5386 b84869 _free 15 API calls 5380->5386 5401 b86550 5380->5401 5382 b865a9 5381->5382 5383 b84869 _free 15 API calls 5382->5383 5384 b865bc 5383->5384 5388 b84869 _free 15 API calls 5384->5388 5385 b84869 _free 15 API calls 5389 b8657c 5385->5389 5391 b86545 5386->5391 5387 b84869 _free 15 API calls 5393 b86567 5387->5393 5394 b865ca 5388->5394 5395 b84869 _free 15 API calls 5389->5395 5390 b86643 5396 b84869 _free 15 API calls 5390->5396 5405 b86078 5391->5405 5392 b865e3 5392->5390 5404 b84869 15 API calls _free 5392->5404 5433 b86176 5393->5433 5399 b84869 _free 15 API calls 5394->5399 5395->5379 5400 b86649 5396->5400 5399->5403 5400->5371 5401->5387 5402 b86572 5401->5402 5402->5385 5445 b8667a 5403->5445 5404->5392 5406 b86089 5405->5406 5432 b86172 5405->5432 5407 b8609a 5406->5407 5408 b84869 _free 15 API calls 5406->5408 5409 b860ac 5407->5409 5410 b84869 _free 15 API calls 5407->5410 5408->5407 5411 b860be 5409->5411 5413 b84869 _free 15 API calls 5409->5413 5410->5409 5412 b860d0 5411->5412 5414 b84869 _free 15 API calls 5411->5414 5415 b860e2 5412->5415 5416 b84869 _free 15 API calls 5412->5416 5413->5411 5414->5412 5417 b860f4 5415->5417 5418 b84869 _free 15 API calls 5415->5418 5416->5415 5419 b86106 5417->5419 5421 b84869 _free 15 API calls 5417->5421 5418->5417 5420 b86118 5419->5420 5422 b84869 _free 15 API calls 5419->5422 5423 b8612a 5420->5423 5424 b84869 _free 15 API calls 5420->5424 5421->5419 5422->5420 5425 b8613c 5423->5425 5426 b84869 _free 15 API calls 5423->5426 5424->5423 5427 b84869 _free 15 API calls 5425->5427 5428 b8614e 5425->5428 5426->5425 5427->5428 5429 b84869 _free 15 API calls 5428->5429 5430 b86160 5428->5430 5429->5430 5431 b84869 _free 15 API calls 5430->5431 5430->5432 5431->5432 5432->5401 5434 b86183 5433->5434 5444 
b861db 5433->5444 5435 b84869 _free 15 API calls 5434->5435 5437 b86193 5434->5437 5435->5437 5436 b861a5 5439 b861b7 5436->5439 5440 b84869 _free 15 API calls 5436->5440 5437->5436 5438 b84869 _free 15 API calls 5437->5438 5438->5436 5441 b861c9 5439->5441 5442 b84869 _free 15 API calls 5439->5442 5440->5439 5443 b84869 _free 15 API calls 5441->5443 5441->5444 5442->5441 5443->5444 5444->5402 5446 b86687 5445->5446 5450 b866a5 5445->5450 5447 b8621b __fassign 15 API calls 5446->5447 5446->5450 5448 b8669f 5447->5448 5449 b84869 _free 15 API calls 5448->5449 5449->5450 5450->5392 5451->5376 5484 b86a82 5452->5484 5455 b86b6f 5456 b86b7b _abort 5455->5456 5457 b86ba2 _abort 5456->5457 5458 b86ba8 _abort 5456->5458 5498 b844a8 GetLastError 5456->5498 5457->5458 5460 b86bf4 5457->5460 5464 b86bd7 _abort 5457->5464 5466 b86c20 5458->5466 5520 b856e2 EnterCriticalSection 5458->5520 5461 b847f9 __dosmaperr 15 API calls 5460->5461 5462 b86bf9 5461->5462 5517 b8473d 5462->5517 5464->5309 5467 b86c7f 5466->5467 5469 b86c77 5466->5469 5477 b86caa 5466->5477 5521 b8572a LeaveCriticalSection 5466->5521 5467->5477 5522 b86b66 5467->5522 5472 b83793 _abort 23 API calls 5469->5472 5472->5467 5475 b84424 _abort 33 API calls 5478 b86d0d 5475->5478 5476 b86b66 _abort 33 API calls 5476->5477 5525 b86d2f 5477->5525 5478->5464 5479 b84424 _abort 33 API calls 5478->5479 5479->5464 5481 b8458f _abort 5480->5481 5482 b845bb IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 5481->5482 5483 b8468c _abort _ValidateLocalCookies 5482->5483 5483->5316 5487 b86a28 5484->5487 5486 b83f29 5486->5309 5486->5455 5488 b86a34 ___scrt_is_nonwritable_in_current_image 5487->5488 5493 b856e2 EnterCriticalSection 5488->5493 5490 b86a42 5494 b86a76 5490->5494 5492 b86a69 _abort 5492->5486 5493->5490 5497 b8572a LeaveCriticalSection 5494->5497 5496 b86a80 5496->5492 5497->5496 5499 b844c7 5498->5499 5500 b844c1 5498->5500 5502 b8480c _abort 12 API calls 5499->5502 5504 b8451e 
SetLastError 5499->5504 5501 b85904 _abort 6 API calls 5500->5501 5501->5499 5503 b844d9 5502->5503 5505 b844e1 5503->5505 5506 b8595a _abort 6 API calls 5503->5506 5507 b84527 5504->5507 5509 b84869 _free 12 API calls 5505->5509 5508 b844f6 5506->5508 5507->5457 5508->5505 5510 b844fd 5508->5510 5511 b844e7 5509->5511 5512 b84296 _abort 12 API calls 5510->5512 5513 b84515 SetLastError 5511->5513 5514 b84508 5512->5514 5513->5507 5515 b84869 _free 12 API calls 5514->5515 5516 b8450e 5515->5516 5516->5504 5516->5513 5529 b846c2 5517->5529 5519 b84749 5519->5464 5520->5466 5521->5469 5523 b84424 _abort 33 API calls 5522->5523 5524 b86b6b 5523->5524 5524->5476 5526 b86cfe 5525->5526 5527 b86d35 5525->5527 5526->5464 5526->5475 5526->5478 5541 b8572a LeaveCriticalSection 5527->5541 5530 b844a8 _abort 15 API calls 5529->5530 5531 b846d8 5530->5531 5536 b846e6 _ValidateLocalCookies 5531->5536 5537 b8474d IsProcessorFeaturePresent 5531->5537 5533 b8473c 5534 b846c2 _abort 21 API calls 5533->5534 5535 b84749 5534->5535 5535->5519 5536->5519 5538 b84758 5537->5538 5539 b84573 _abort 3 API calls 5538->5539 5540 b8476d GetCurrentProcess TerminateProcess 5539->5540 5540->5533 5541->5526 5542->5248 5546 b8572a LeaveCriticalSection 5543->5546 5545 b852e1 5545->5248 5546->5545 5548 b83f8f 5547->5548 5549 b83f85 5547->5549 5548->5549 5550 b84424 _abort 33 API calls 5548->5550 5549->5253 5549->5254 5551 b83fb0 5550->5551 5555 b872d1 5551->5555 5556 b83fc9 5555->5556 5557 b872e4 5555->5557 5559 b872fe 5556->5559 5557->5556 5563 b86754 5557->5563 5560 b87326 5559->5560 5561 b87311 5559->5561 5560->5549 5561->5560 5562 b85249 __fassign 33 API calls 5561->5562 5562->5560 5564 b86760 ___scrt_is_nonwritable_in_current_image 5563->5564 5565 b84424 _abort 33 API calls 5564->5565 5566 b86769 5565->5566 5569 b867b7 _abort 5566->5569 5575 b856e2 EnterCriticalSection 5566->5575 5568 b86787 5576 b867cb 5568->5576 5569->5556 5574 b83f24 _abort 33 API calls 5574->5569 5575->5568 5577 b867d9 
__fassign 5576->5577 5579 b8679b 5576->5579 5578 b86507 __fassign 15 API calls 5577->5578 5577->5579 5578->5579 5580 b867ba 5579->5580 5583 b8572a LeaveCriticalSection 5580->5583 5582 b867ae 5582->5569 5582->5574 5583->5582 5588 b84fd0 5584->5588 5591 b8507a _ValidateLocalCookies 5584->5591 5586 b85031 5604 b87cd1 5586->5604 5592 b8634d 5588->5592 5590 b87cd1 38 API calls 5590->5591 5591->5269 5593 b83f72 __fassign 33 API calls 5592->5593 5594 b8636d MultiByteToWideChar 5593->5594 5596 b863ab 5594->5596 5597 b86443 _ValidateLocalCookies 5594->5597 5598 b862ff 16 API calls 5596->5598 5601 b863cc _abort __alloca_probe_16 5596->5601 5597->5586 5598->5601 5599 b8643d 5609 b8646a 5599->5609 5601->5599 5602 b86411 MultiByteToWideChar 5601->5602 5602->5599 5603 b8642d GetStringTypeW 5602->5603 5603->5599 5605 b83f72 __fassign 33 API calls 5604->5605 5606 b87ce4 5605->5606 5613 b87ab4 5606->5613 5608 b85052 5608->5590 5610 b86487 5609->5610 5611 b86476 5609->5611 5610->5597 5611->5610 5612 b84869 _free 15 API calls 5611->5612 5612->5610 5614 b87acf 5613->5614 5615 b87af5 MultiByteToWideChar 5614->5615 5616 b87ca9 _ValidateLocalCookies 5615->5616 5617 b87b1f 5615->5617 5616->5608 5618 b862ff 16 API calls 5617->5618 5620 b87b40 __alloca_probe_16 5617->5620 5618->5620 5619 b87b89 MultiByteToWideChar 5621 b87ba2 5619->5621 5634 b87bf5 5619->5634 5620->5619 5620->5634 5638 b85a15 5621->5638 5622 b8646a __freea 15 API calls 5622->5616 5624 b87bb9 5625 b87bcc 5624->5625 5626 b87c04 5624->5626 5624->5634 5628 b85a15 6 API calls 5625->5628 5625->5634 5627 b87c25 __alloca_probe_16 5626->5627 5630 b862ff 16 API calls 5626->5630 5629 b87c9a 5627->5629 5631 b85a15 6 API calls 5627->5631 5628->5634 5632 b8646a __freea 15 API calls 5629->5632 5630->5627 5633 b87c79 5631->5633 5632->5634 5633->5629 5635 b87c88 WideCharToMultiByte 5633->5635 5634->5622 5635->5629 5636 b87cc8 5635->5636 5637 b8646a __freea 15 API calls 5636->5637 5637->5634 5639 b85741 _abort 5 API calls 5638->5639 5640 
b85a3c 5639->5640 5643 b85a45 _ValidateLocalCookies 5640->5643 5644 b85a9d 5640->5644 5642 b85a85 LCMapStringW 5642->5643 5643->5624 5645 b85741 _abort 5 API calls 5644->5645 5646 b85ac4 _ValidateLocalCookies 5645->5646 5646->5642 5648 b84d5d ___scrt_is_nonwritable_in_current_image 5647->5648 5655 b856e2 EnterCriticalSection 5648->5655 5650 b84d67 5656 b84dbc 5650->5656 5654 b84d80 _abort 5654->5283 5655->5650 5668 b854dc 5656->5668 5658 b84e0a 5659 b854dc 21 API calls 5658->5659 5660 b84e26 5659->5660 5661 b854dc 21 API calls 5660->5661 5662 b84e44 5661->5662 5663 b84d74 5662->5663 5664 b84869 _free 15 API calls 5662->5664 5665 b84d88 5663->5665 5664->5663 5682 b8572a LeaveCriticalSection 5665->5682 5667 b84d92 5667->5654 5669 b854ed 5668->5669 5678 b854e9 5668->5678 5670 b854f4 5669->5670 5673 b85507 _abort 5669->5673 5671 b847f9 __dosmaperr 15 API calls 5670->5671 5672 b854f9 5671->5672 5674 b8473d _abort 21 API calls 5672->5674 5675 b8553e 5673->5675 5676 b85535 5673->5676 5673->5678 5674->5678 5675->5678 5680 b847f9 __dosmaperr 15 API calls 5675->5680 5677 b847f9 __dosmaperr 15 API calls 5676->5677 5679 b8553a 5677->5679 5678->5658 5681 b8473d _abort 21 API calls 5679->5681 5680->5679 5681->5678 5682->5667 5684 b83f72 __fassign 33 API calls 5683->5684 5685 b85571 5684->5685 5685->5075 5687 b8356a _abort 5686->5687 5694 b83582 5687->5694 5701 b836b8 GetModuleHandleW 5687->5701 5708 b856e2 EnterCriticalSection 5694->5708 5695 b8358a 5700 b835ff _abort 5695->5700 5709 b83c97 5695->5709 5696 b83671 _abort 5696->5107 5712 b83668 5700->5712 5702 b83576 5701->5702 5702->5694 5703 b836fc GetModuleHandleExW 5702->5703 5704 b83726 GetProcAddress 5703->5704 5706 b8373b 5703->5706 5704->5706 5705 b8374f FreeLibrary 5707 b83758 _ValidateLocalCookies 5705->5707 5706->5705 5706->5707 5707->5694 5708->5695 5723 b839d0 5709->5723 5743 b8572a LeaveCriticalSection 5712->5743 5714 b83641 5714->5696 5715 b83677 5714->5715 5744 b85b1f 5715->5744 5717 b83681 5718 b836a5 5717->5718 
5719 b83685 GetPEB 5717->5719 5721 b836fc _abort 3 API calls 5718->5721 5719->5718 5720 b83695 GetCurrentProcess TerminateProcess 5719->5720 5720->5718 5722 b836ad ExitProcess 5721->5722 5726 b8397f 5723->5726 5725 b839f4 5725->5700 5727 b8398b ___scrt_is_nonwritable_in_current_image 5726->5727 5734 b856e2 EnterCriticalSection 5727->5734 5729 b83999 5735 b83a20 5729->5735 5731 b839a6 5739 b839c4 5731->5739 5733 b839b7 _abort 5733->5725 5734->5729 5736 b83a48 5735->5736 5738 b83a40 _ValidateLocalCookies 5735->5738 5737 b84869 _free 15 API calls 5736->5737 5736->5738 5737->5738 5738->5731 5742 b8572a LeaveCriticalSection 5739->5742 5741 b839ce 5741->5733 5742->5741 5743->5714 5745 b85b44 5744->5745 5747 b85b3a _ValidateLocalCookies 5744->5747 5746 b85741 _abort 5 API calls 5745->5746 5746->5747 5747->5717 6740 b8324d 6741 b8522b 46 API calls 6740->6741 6742 b8325f 6741->6742 6751 b8561e GetEnvironmentStringsW 6742->6751 6746 b84869 _free 15 API calls 6748 b8329f 6746->6748 6747 b83275 6749 b84869 _free 15 API calls 6747->6749 6750 b8326a 6749->6750 6750->6746 6752 b85635 6751->6752 6762 b85688 6751->6762 6755 b8563b WideCharToMultiByte 6752->6755 6753 b83264 6753->6750 6763 b832a5 6753->6763 6754 b85691 FreeEnvironmentStringsW 6754->6753 6756 b85657 6755->6756 6755->6762 6757 b862ff 16 API calls 6756->6757 6758 b8565d 6757->6758 6759 b8567a 6758->6759 6760 b85664 WideCharToMultiByte 6758->6760 6761 b84869 _free 15 API calls 6759->6761 6760->6759 6761->6762 6762->6753 6762->6754 6764 b832ba 6763->6764 6765 b8480c _abort 15 API calls 6764->6765 6767 b832e1 6765->6767 6766 b84869 _free 15 API calls 6769 b8335f 6766->6769 6768 b83345 6767->6768 6770 b8480c _abort 15 API calls 6767->6770 6771 b83347 6767->6771 6776 b83369 6767->6776 6778 b84869 _free 15 API calls 6767->6778 6780 b83eca 6767->6780 6768->6766 6769->6747 6770->6767 6772 b83376 15 API calls 6771->6772 6774 b8334d 6772->6774 6775 b84869 _free 15 API calls 6774->6775 6775->6768 6777 b8474d _abort 6 API calls 
6776->6777 6779 b83375 6777->6779 6778->6767 6781 b83ee5 6780->6781 6782 b83ed7 6780->6782 6783 b847f9 __dosmaperr 15 API calls 6781->6783 6782->6781 6787 b83efc 6782->6787 6784 b83eed 6783->6784 6785 b8473d _abort 21 API calls 6784->6785 6786 b83ef7 6785->6786 6786->6767 6787->6786 6788 b847f9 __dosmaperr 15 API calls 6787->6788 6788->6784 6108 b855ce GetCommandLineA GetCommandLineW 5932 b83d8f 5933 b83d9e 5932->5933 5937 b83db2 5932->5937 5935 b84869 _free 15 API calls 5933->5935 5933->5937 5934 b84869 _free 15 API calls 5936 b83dc4 5934->5936 5935->5937 5938 b84869 _free 15 API calls 5936->5938 5937->5934 5939 b83dd7 5938->5939 5940 b84869 _free 15 API calls 5939->5940 5941 b83de8 5940->5941 5942 b84869 _free 15 API calls 5941->5942 5943 b83df9 5942->5943 6516 b8430f 6517 b8431a 6516->6517 6518 b8432a 6516->6518 6522 b84330 6517->6522 6521 b84869 _free 15 API calls 6521->6518 6523 b84349 6522->6523 6524 b84343 6522->6524 6525 b84869 _free 15 API calls 6523->6525 6526 b84869 _free 15 API calls 6524->6526 6527 b84355 6525->6527 6526->6523 6528 b84869 _free 15 API calls 6527->6528 6529 b84360 6528->6529 6530 b84869 _free 15 API calls 6529->6530 6531 b8436b 6530->6531 6532 b84869 _free 15 API calls 6531->6532 6533 b84376 6532->6533 6534 b84869 _free 15 API calls 6533->6534 6535 b84381 6534->6535 6536 b84869 _free 15 API calls 6535->6536 6537 b8438c 6536->6537 6538 b84869 _free 15 API calls 6537->6538 6539 b84397 6538->6539 6540 b84869 _free 15 API calls 6539->6540 6541 b843a2 6540->6541 6542 b84869 _free 15 API calls 6541->6542 6543 b843b0 6542->6543 6548 b841f6 6543->6548 6554 b84102 6548->6554 6550 b8421a 6551 b84246 6550->6551 6567 b84163 6551->6567 6553 b8426a 6553->6521 6555 b8410e ___scrt_is_nonwritable_in_current_image 6554->6555 6562 b856e2 EnterCriticalSection 6555->6562 6557 b84118 6560 b84869 _free 15 API calls 6557->6560 6561 b84142 6557->6561 6559 b8414f _abort 6559->6550 6560->6561 6563 b84157 6561->6563 6562->6557 6566 b8572a LeaveCriticalSection 
6563->6566 6565 b84161 6565->6559 6566->6565 6568 b8416f ___scrt_is_nonwritable_in_current_image 6567->6568 6575 b856e2 EnterCriticalSection 6568->6575 6570 b84179 6571 b843d9 _abort 15 API calls 6570->6571 6572 b8418c 6571->6572 6576 b841a2 6572->6576 6574 b8419a _abort 6574->6553 6575->6570 6579 b8572a LeaveCriticalSection 6576->6579 6578 b841ac 6578->6574 6579->6578 6580 b83400 6581 b83418 6580->6581 6582 b83412 6580->6582 6583 b83376 15 API calls 6582->6583 6583->6581 6584 b81e00 6585 b81e1e ___except_validate_context_record _ValidateLocalCookies __IsNonwritableInCurrentImage 6584->6585 6586 b81e9e _ValidateLocalCookies 6585->6586 6589 b82340 RtlUnwind 6585->6589 6588 b81f27 _ValidateLocalCookies 6589->6588 6789 b83d41 6792 b8341b 6789->6792 6793 b8342a 6792->6793 6794 b83376 15 API calls 6793->6794 6795 b83444 6794->6795 6796 b83376 15 API calls 6795->6796 6797 b8344f 6796->6797 6798 b81442 6799 b81a6a GetModuleHandleW 6798->6799 6800 b8144a 6799->6800 6801 b8144e 6800->6801 6802 b81480 6800->6802 6803 b81459 6801->6803 6807 b83775 6801->6807 6804 b83793 _abort 23 API calls 6802->6804 6806 b81488 6804->6806 6808 b8355e _abort 23 API calls 6807->6808 6809 b83780 6808->6809 6809->6803 6109 b89ec3 6110 b89ed9 6109->6110 6111 b89ecd 6109->6111 6111->6110 6112 b89ed2 CloseHandle 6111->6112 6112->6110 6113 b898c5 6115 b898ed 6113->6115 6114 b89925 6115->6114 6116 b8991e 6115->6116 6117 b89917 6115->6117 6122 b89980 6116->6122 6118 b89997 16 API calls 6117->6118 6120 b8991c 6118->6120 6123 b899a0 6122->6123 6124 b8a06f __startOneArgErrorHandling 16 API calls 6123->6124 6125 b89923 6124->6125 5944 b83d86 5945 b81f7d ___scrt_uninitialize_crt 7 API calls 5944->5945 5946 b83d8d 5945->5946 6810 b89146 IsProcessorFeaturePresent

                      Control-flow Graph

                      APIs
                      • LocalAlloc.KERNEL32(00000000,00000104), ref: 00B81016
                      • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 00B81025
                      • CertOpenSystemStoreA.CRYPT32(00000000,TrustedPublisher), ref: 00B81032
                      • LocalAlloc.KERNELBASE(00000000,00040000), ref: 00B81057
                      • LocalAlloc.KERNEL32(00000000,00040000), ref: 00B81063
                      • CryptQueryObject.CRYPT32(00000001,00000000,00000400,00000002,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00B81082
                      • CryptMsgGetParam.CRYPT32(?,0000000B,00000000,?,?), ref: 00B810B2
                      • LocalAlloc.KERNEL32(00000000,?), ref: 00B810C5
                      • LocalAlloc.KERNEL32(00000000,00002000), ref: 00B810F4
                      • CryptMsgGetParam.CRYPT32(?,0000000C,00000000,00000000,00002000), ref: 00B8110A
                      • CertCreateCertificateContext.CRYPT32(00000001,00000000,00002000), ref: 00B8111A
                      • CertAddCertificateContextToStore.CRYPT32(?,00000000,00000001,00000000), ref: 00B8112D
                      • CertFreeCertificateContext.CRYPT32(00000000), ref: 00B81134
                      • LocalFree.KERNEL32(00000000), ref: 00B8113E
                      • LocalFree.KERNEL32(00000000), ref: 00B8115D
                      • CryptMsgGetParam.CRYPT32(?,00000009,00000000,00000000,00040000), ref: 00B8116E
                      • CryptMsgGetParam.CRYPT32(?,0000000A,00000000,?,00040000), ref: 00B81182
                      • CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,00000000,?), ref: 00B81198
                      • CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,?,?), ref: 00B811A9
                      • LoadLibraryA.KERNELBASE(dfshim), ref: 00B811BA
                      • GetProcAddress.KERNEL32(00000000,ShOpenVerbApplicationW), ref: 00B811C6
                      • Sleep.KERNELBASE(00009C40), ref: 00B811E8
                      • CertDeleteCertificateFromStore.CRYPT32(?), ref: 00B8120B
                      • CertCloseStore.CRYPT32(?,00000000), ref: 00B8121A
                      • LocalFree.KERNEL32(?), ref: 00B81223
                      • LocalFree.KERNEL32(?), ref: 00B81228
                      • LocalFree.KERNEL32(?), ref: 00B8122D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1460710481.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                      • Associated: 00000000.00000002.1460680288.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460730799.0000000000B8B000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460753992.0000000000B91000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460781447.0000000000B93000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_b80000_UdY4Kc66Bc.jbxd
                      Similarity
                      • API ID: Local$Cert$Free$AllocCrypt$CertificateParamStore$Context$AttributeFind$AddressCloseCreateDeleteFileFromLibraryLoadModuleNameObjectOpenProcQuerySleepSystem
                      • String ID: 1.3.6.1.4.1.311.4.1.1$ShOpenVerbApplicationW$TrustedPublisher$dfshim
                      • API String ID: 335784236-860318880
                      • Opcode ID: 854d2b1140725a0bce5d28b6a848a54b3c27fd0e0d27422eb382f9390f45dd09
                      • Instruction ID: 8f245fc1f75a25bf4d580f758c3386be75f243bb0229720d690618cd95255a12
                      • Opcode Fuzzy Hash: 854d2b1140725a0bce5d28b6a848a54b3c27fd0e0d27422eb382f9390f45dd09
                      • Instruction Fuzzy Hash: 09613E71A40219ABEB11AFA4DC49FAFBBB9EF48B50F100055E614B72B0CB719901DBA4
                      APIs
                      • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00B8192B
                      • IsDebuggerPresent.KERNEL32 ref: 00B819F7
                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B81A10
                      • UnhandledExceptionFilter.KERNEL32(?), ref: 00B81A1A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1460710481.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                      • Associated: 00000000.00000002.1460680288.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460730799.0000000000B8B000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460753992.0000000000B91000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460781447.0000000000B93000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_b80000_UdY4Kc66Bc.jbxd
                      Similarity
                      • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                      • String ID:
                      • API String ID: 254469556-0
                      • Opcode ID: e655ad9f733c6edce580e2ebc503ae53a090fabc442a323f6a28856ce4382d42
                      • Instruction ID: 8513504ce83a8b97a7e45ed586f61510539cbfdbb194d7381d47f272e738e38c
                      • Opcode Fuzzy Hash: e655ad9f733c6edce580e2ebc503ae53a090fabc442a323f6a28856ce4382d42
                      • Instruction Fuzzy Hash: 8831F875D012189BDB21EF64D949BCDBBF8AF08300F1041EAE50CAB260EB759A85CF45
                      APIs
                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00B8466B
                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00B84675
                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00B84682
                      Memory Dump Source
                      • Source File: 00000000.00000002.1460710481.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                      • Associated: 00000000.00000002.1460680288.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460730799.0000000000B8B000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460753992.0000000000B91000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460781447.0000000000B93000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_b80000_UdY4Kc66Bc.jbxd
                      Similarity
                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                      • String ID:
                      • API String ID: 3906539128-0
                      • Opcode ID: bc74a99c119bb977e002eb1b3513b33c9e0f1d2abbac8a964ecc09fa7f3bb1af
                      • Instruction ID: c4e9b37a9a80926d97ea9b8758d64cf2fb7fb501dbef046463e9b0ca62f5f7d0
                      • Opcode Fuzzy Hash: bc74a99c119bb977e002eb1b3513b33c9e0f1d2abbac8a964ecc09fa7f3bb1af
                      • Instruction Fuzzy Hash: 2231B2749012199BCB21EF68DD89B8DBBF8EF08310F5045EAE41CA7260EB709B85CF45
                      APIs
                      • GetCurrentProcess.KERNEL32(?,?,00B8364D,?,00B902E0,0000000C,00B837A4,?,00000002,00000000,?,00B83F66,00000003,00B8209F,00B81AFC), ref: 00B83698
                      • TerminateProcess.KERNEL32(00000000,?,00B8364D,?,00B902E0,0000000C,00B837A4,?,00000002,00000000,?,00B83F66,00000003,00B8209F,00B81AFC), ref: 00B8369F
                      • ExitProcess.KERNEL32 ref: 00B836B1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1460710481.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                      • Associated: 00000000.00000002.1460680288.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460730799.0000000000B8B000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460753992.0000000000B91000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460781447.0000000000B93000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_b80000_UdY4Kc66Bc.jbxd
                      Similarity
                      • API ID: Process$CurrentExitTerminate
                      • String ID:
                      • API String ID: 1703294689-0
                      • Opcode ID: 4a4da21198cb1ad8f3435973b1abb9b7fe99d0788ad0d13b47af27c220fe1010
                      • Instruction ID: a0e83d33bb9cc6f0a3d1e35e7aae801aa203a3888c5786e2008b773af7ca453e
                      • Opcode Fuzzy Hash: 4a4da21198cb1ad8f3435973b1abb9b7fe99d0788ad0d13b47af27c220fe1010
                      • Instruction Fuzzy Hash: 4CE0B631014548AFCF11BF68DD09E5A3BAAEF40B45B004094FA559B231EF35DE42CB50
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1460710481.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                      • Associated: 00000000.00000002.1460680288.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460730799.0000000000B8B000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460753992.0000000000B91000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460781447.0000000000B93000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_b80000_UdY4Kc66Bc.jbxd
                      Similarity
                      • API ID:
                      • String ID: .
                      • API String ID: 0-248832578
                      • Opcode ID: ce476cd0276c51d9be60fffdad3783c28c1c97c4e75cacebbd402a65132aaebb
                      • Instruction ID: 65ca41977c3fc81b13b4860b444e054c858c398e862fed35b8cdd24fdf8174bd
                      • Opcode Fuzzy Hash: ce476cd0276c51d9be60fffdad3783c28c1c97c4e75cacebbd402a65132aaebb
                      • Instruction Fuzzy Hash: CD31D07290024AABCB28AE78CC84EEA7BFDEB85314F1441E9E51997261E730DD45CB50
                      APIs
                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00B8A490,?,?,00000008,?,?,00B8A130,00000000), ref: 00B8A6C2
                      Memory Dump Source
                      • Source File: 00000000.00000002.1460710481.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                      • Associated: 00000000.00000002.1460680288.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460730799.0000000000B8B000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460753992.0000000000B91000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460781447.0000000000B93000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_b80000_UdY4Kc66Bc.jbxd
                      Similarity
                      • API ID: ExceptionRaise
                      • String ID:
                      • API String ID: 3997070919-0
                      • Opcode ID: 65d48d9d5e9d9b082275c534cdcf195aac9f3b14c7cf3a34eb718a42a334ad44
                      • Instruction ID: 6cfd201fc30f7587e6582aa2d23872a8ab881a6477ad10d8ec9f922e49f2bf0c
                      • Opcode Fuzzy Hash: 65d48d9d5e9d9b082275c534cdcf195aac9f3b14c7cf3a34eb718a42a334ad44
                      • Instruction Fuzzy Hash: BEB15E352106088FE715DF28C48ABA47BE0FF04364F298699E89ACF2B1D335DD91CB41
                      APIs
                      • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00B81BEA
                      Memory Dump Source
                      • Source File: 00000000.00000002.1460710481.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                      • Associated: 00000000.00000002.1460680288.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460730799.0000000000B8B000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460753992.0000000000B91000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460781447.0000000000B93000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_b80000_UdY4Kc66Bc.jbxd
                      Similarity
                      • API ID: FeaturePresentProcessor
                      • String ID:
                      • API String ID: 2325560087-0
                      • Opcode ID: db83586990e6de501eff9e4cc4c98c360b1d07f4c024213ce4e2fe3e0f420225
                      • Instruction ID: d8261c8ce37745ebf5adb251590ea67a9d669988f885fcf90b65077709c3efb2
                      • Opcode Fuzzy Hash: db83586990e6de501eff9e4cc4c98c360b1d07f4c024213ce4e2fe3e0f420225
                      • Instruction Fuzzy Hash: 1D51AEB1E122068FEB14CF6DD9817AEBBF5FB48340F1488AAC401EB2A0D7759942CF50
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(Function_00001AB8,00B81300), ref: 00B81AB1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1460710481.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                      • Associated: 00000000.00000002.1460680288.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460730799.0000000000B8B000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460753992.0000000000B91000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460781447.0000000000B93000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_b80000_UdY4Kc66Bc.jbxd
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      • Opcode ID: dbcffeb582e53177c0e1011fa62c408d5a8bbc632e074a59ce207ddc6cdb7025
                      • Instruction ID: 6d1eea477546ae4c539eae8f10e6bc3c3af67a8cf573b1fc02bdeaf9743dd8eb
                      • Opcode Fuzzy Hash: dbcffeb582e53177c0e1011fa62c408d5a8bbc632e074a59ce207ddc6cdb7025
                      • Instruction Fuzzy Hash:
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1460710481.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                      • Associated: 00000000.00000002.1460680288.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460730799.0000000000B8B000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460753992.0000000000B91000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460781447.0000000000B93000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_b80000_UdY4Kc66Bc.jbxd
                      Similarity
                      • API ID: HeapProcess
                      • String ID:
                      • API String ID: 54951025-0
                      • Opcode ID: 2936c2fe9b64675f118ceb3b977bde004123ce92c101b2015ce77f9e84adb994
                      • Instruction ID: fdb55ab4dbb937123ed6c2862012bf6e07e6de89dc90780baf9b1f1ca5145125
                      • Opcode Fuzzy Hash: 2936c2fe9b64675f118ceb3b977bde004123ce92c101b2015ce77f9e84adb994
                      • Instruction Fuzzy Hash: D6A01130A00202EB83008F30AB8A2083AA8AA00A80B02002AA008EA030EF3080A0AB02

                      Control-flow Graph (rendered graph image not reproduced; legend: Executed / Not Executed)
                      APIs
                      • ___free_lconv_mon.LIBCMT ref: 00B8654B
                        • Part of subcall function 00B86078: _free.LIBCMT ref: 00B86095
                        • Part of subcall function 00B86078: _free.LIBCMT ref: 00B860A7
                        • Part of subcall function 00B86078: _free.LIBCMT ref: 00B860B9
                        • Part of subcall function 00B86078: _free.LIBCMT ref: 00B860CB
                        • Part of subcall function 00B86078: _free.LIBCMT ref: 00B860DD
                        • Part of subcall function 00B86078: _free.LIBCMT ref: 00B860EF
                        • Part of subcall function 00B86078: _free.LIBCMT ref: 00B86101
                        • Part of subcall function 00B86078: _free.LIBCMT ref: 00B86113
                        • Part of subcall function 00B86078: _free.LIBCMT ref: 00B86125
                        • Part of subcall function 00B86078: _free.LIBCMT ref: 00B86137
                        • Part of subcall function 00B86078: _free.LIBCMT ref: 00B86149
                        • Part of subcall function 00B86078: _free.LIBCMT ref: 00B8615B
                        • Part of subcall function 00B86078: _free.LIBCMT ref: 00B8616D
                      • _free.LIBCMT ref: 00B86540
                        • Part of subcall function 00B84869: HeapFree.KERNEL32(00000000,00000000,?,00B8620D,?,00000000,?,00000000,?,00B86234,?,00000007,?,?,00B8669F,?), ref: 00B8487F
                        • Part of subcall function 00B84869: GetLastError.KERNEL32(?,?,00B8620D,?,00000000,?,00000000,?,00B86234,?,00000007,?,?,00B8669F,?,?), ref: 00B84891
                      • _free.LIBCMT ref: 00B86562
                      • _free.LIBCMT ref: 00B86577
                      • _free.LIBCMT ref: 00B86582
                      • _free.LIBCMT ref: 00B865A4
                      • _free.LIBCMT ref: 00B865B7
                      • _free.LIBCMT ref: 00B865C5
                      • _free.LIBCMT ref: 00B865D0
                      • _free.LIBCMT ref: 00B86608
                      • _free.LIBCMT ref: 00B8660F
                      • _free.LIBCMT ref: 00B8662C
                      • _free.LIBCMT ref: 00B86644
                      Memory Dump Source
                      • Source File: 00000000.00000002.1460710481.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                      • Associated: 00000000.00000002.1460680288.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460730799.0000000000B8B000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460753992.0000000000B91000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460781447.0000000000B93000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_b80000_UdY4Kc66Bc.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                      • String ID:
                      • API String ID: 161543041-0
                      • Opcode ID: 42a712ebfcf84b6093adecc72c19ca7ddf2f5ad4a74fa2167d7cc1d38142e2ae
                      • Instruction ID: aa2b41c6e8694657a5f3db461de1921ca2f21e8f7c21beb24da40b10e2f8968e
                      • Opcode Fuzzy Hash: 42a712ebfcf84b6093adecc72c19ca7ddf2f5ad4a74fa2167d7cc1d38142e2ae
                      • Instruction Fuzzy Hash: 94313B71600246DFEB61BA7AE849B9A73E8EF50314F1449AAF449D71B1DF31ED40CB50

                      Control-flow Graph (rendered graph image not reproduced; legend: Executed / Not Executed)
                      APIs
                      • _free.LIBCMT ref: 00B84344
                        • Part of subcall function 00B84869: HeapFree.KERNEL32(00000000,00000000,?,00B8620D,?,00000000,?,00000000,?,00B86234,?,00000007,?,?,00B8669F,?), ref: 00B8487F
                        • Part of subcall function 00B84869: GetLastError.KERNEL32(?,?,00B8620D,?,00000000,?,00000000,?,00B86234,?,00000007,?,?,00B8669F,?,?), ref: 00B84891
                      • _free.LIBCMT ref: 00B84350
                      • _free.LIBCMT ref: 00B8435B
                      • _free.LIBCMT ref: 00B84366
                      • _free.LIBCMT ref: 00B84371
                      • _free.LIBCMT ref: 00B8437C
                      • _free.LIBCMT ref: 00B84387
                      • _free.LIBCMT ref: 00B84392
                      • _free.LIBCMT ref: 00B8439D
                      • _free.LIBCMT ref: 00B843AB
                      Memory Dump Source
                      • Source File: 00000000.00000002.1460710481.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                      • Associated: 00000000.00000002.1460680288.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460730799.0000000000B8B000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460753992.0000000000B91000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460781447.0000000000B93000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_b80000_UdY4Kc66Bc.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: e300e69031d3a071499d2849c2642482825d4fc5b60e13a081148624893ac81d
                      • Instruction ID: ac824a7160a8393b02ca7df73991e546d06b4674aa6c71e48a6323524b936816
                      • Opcode Fuzzy Hash: e300e69031d3a071499d2849c2642482825d4fc5b60e13a081148624893ac81d
                      • Instruction Fuzzy Hash: CA119076A00149EFCB81FF96D846CD93BA5EF44754F0140A2BA088B272DB31EE50DB80

                      Control-flow Graph (rendered graph image not reproduced; legend: Executed / Not Executed)
                      APIs
                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,00B854C8,00000000,?,?,?,00B87D05,?,?,00000100), ref: 00B87B0E
                      • __alloca_probe_16.LIBCMT ref: 00B87B46
                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00B87D05,?,?,00000100,5EFC4D8B,?,?), ref: 00B87B94
                      • __alloca_probe_16.LIBCMT ref: 00B87C2B
                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00B87C8E
                      • __freea.LIBCMT ref: 00B87C9B
                        • Part of subcall function 00B862FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00B87E5B,?,00000000,?,00B8686F,?,00000004,00000000,?,?,?,00B83BCD), ref: 00B86331
                      • __freea.LIBCMT ref: 00B87CA4
                      • __freea.LIBCMT ref: 00B87CC9
                      Memory Dump Source
                      • Source File: 00000000.00000002.1460710481.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                      • Associated: 00000000.00000002.1460680288.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460730799.0000000000B8B000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460753992.0000000000B91000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460781447.0000000000B93000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_b80000_UdY4Kc66Bc.jbxd
                      Similarity
                      • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
                      • String ID:
                      • API String ID: 2597970681-0
                      • Opcode ID: b71f3e098b26c77c234633378cc79db2455a1dbcd71119cb87f94da7a927fdfb
                      • Instruction ID: e1f8c8ec1b8c989c97f8430ed63d33707bf35c6db9b8a01ea9e0bdcf987f2095
                      • Opcode Fuzzy Hash: b71f3e098b26c77c234633378cc79db2455a1dbcd71119cb87f94da7a927fdfb
                      • Instruction Fuzzy Hash: D551F072654206ABEB25AF64CC81EAF77EAEB40758F2446A8FC04D7160EF34DC40DB90

                      Control-flow Graph (rendered graph image not reproduced; legend: Executed / Not Executed)
                      APIs
                      • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00B88B8C,?,00000000,?,00000000,00000000), ref: 00B88459
                      • __fassign.LIBCMT ref: 00B884D4
                      • __fassign.LIBCMT ref: 00B884EF
                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00B88515
                      • WriteFile.KERNEL32(?,?,00000000,00B88B8C,00000000,?,?,?,?,?,?,?,?,?,00B88B8C,?), ref: 00B88534
                      • WriteFile.KERNEL32(?,?,00000001,00B88B8C,00000000,?,?,?,?,?,?,?,?,?,00B88B8C,?), ref: 00B8856D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1460710481.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                      • Associated: 00000000.00000002.1460680288.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460730799.0000000000B8B000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460753992.0000000000B91000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460781447.0000000000B93000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_b80000_UdY4Kc66Bc.jbxd
                      Similarity
                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                      • String ID:
                      • API String ID: 1324828854-0
                      • Opcode ID: 2075bf4041de9bb67dded5baa0ee9a4a692b721e3af1946dea1cfa05a619f83e
                      • Instruction ID: 0236fae686e7b42707bda247324c564ebd4ac11a04bd2a8d9744f6eea2e10126
                      • Opcode Fuzzy Hash: 2075bf4041de9bb67dded5baa0ee9a4a692b721e3af1946dea1cfa05a619f83e
                      • Instruction Fuzzy Hash: 68519471A002499FDB10DFA8DC85AEEBBF9EF19300F14455AE955E72A1DB309A41CB60

                      Control-flow Graph (rendered graph image not reproduced; legend: Executed / Not Executed)
                      APIs
                      • _ValidateLocalCookies.LIBCMT ref: 00B81E37
                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00B81E3F
                      • _ValidateLocalCookies.LIBCMT ref: 00B81EC8
                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00B81EF3
                      • _ValidateLocalCookies.LIBCMT ref: 00B81F48
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1460710481.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                      • Associated: 00000000.00000002.1460680288.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460730799.0000000000B8B000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460753992.0000000000B91000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460781447.0000000000B93000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_b80000_UdY4Kc66Bc.jbxd
                      Similarity
                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                      • String ID: csm
                      • API String ID: 1170836740-1018135373
                      • Opcode ID: 2cbdbc600a7d3cd7d4d66be0581412becb471ad862e3bdaafa8c72bb02916bef
                      • Instruction ID: b83c7e94ae02e524ac3755ef5222805f9d66a3ca4a1e179860ca592308fc4f89
                      • Opcode Fuzzy Hash: 2cbdbc600a7d3cd7d4d66be0581412becb471ad862e3bdaafa8c72bb02916bef
                      • Instruction Fuzzy Hash: BF41B034A012089FCF10EF6CC894A9EBBF9EF45354F1488D5E818AB3B2D7359902CB90

                      Control-flow Graph (rendered graph image not reproduced; legend: Executed / Not Executed)
                      APIs
                        • Part of subcall function 00B861DF: _free.LIBCMT ref: 00B86208
                      • _free.LIBCMT ref: 00B86269
                        • Part of subcall function 00B84869: HeapFree.KERNEL32(00000000,00000000,?,00B8620D,?,00000000,?,00000000,?,00B86234,?,00000007,?,?,00B8669F,?), ref: 00B8487F
                        • Part of subcall function 00B84869: GetLastError.KERNEL32(?,?,00B8620D,?,00000000,?,00000000,?,00B86234,?,00000007,?,?,00B8669F,?,?), ref: 00B84891
                      • _free.LIBCMT ref: 00B86274
                      • _free.LIBCMT ref: 00B8627F
                      • _free.LIBCMT ref: 00B862D3
                      • _free.LIBCMT ref: 00B862DE
                      • _free.LIBCMT ref: 00B862E9
                      • _free.LIBCMT ref: 00B862F4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1460710481.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                      • Associated: 00000000.00000002.1460680288.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460730799.0000000000B8B000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460753992.0000000000B91000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460781447.0000000000B93000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_b80000_UdY4Kc66Bc.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 1d7f3cd73ca15569adc6f3b3063faa031294499d8d9ad134557c71114fc07fde
                      • Instruction ID: 15df3be814ee0b2a8e242f85f3d8692479eede7c3573b70aea713145da8ea519
                      • Opcode Fuzzy Hash: 1d7f3cd73ca15569adc6f3b3063faa031294499d8d9ad134557c71114fc07fde
                      • Instruction Fuzzy Hash: 76110771950B54AAD660BBB1CC0BFCB77DCAF44700F4058A5B69AA60B3EB65AE04C790

                      Control-flow Graph (rendered graph image not reproduced; legend: Executed / Not Executed)
                      APIs
                      • GetLastError.KERNEL32(?,?,00B823C8,00B8209F,00B81AFC), ref: 00B823DF
                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B823ED
                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B82406
                      • SetLastError.KERNEL32(00000000,00B823C8,00B8209F,00B81AFC), ref: 00B82458
                      Memory Dump Source
                      • Source File: 00000000.00000002.1460710481.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                      • Associated: 00000000.00000002.1460680288.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460730799.0000000000B8B000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460753992.0000000000B91000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460781447.0000000000B93000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_b80000_UdY4Kc66Bc.jbxd
                      Similarity
                      • API ID: ErrorLastValue___vcrt_
                      • String ID:
                      • API String ID: 3852720340-0
                      • Opcode ID: c7e0332bc4d3f43384faf8c2793fd10c25a2e9326f244ea1744b31042c0c1cf3
                      • Instruction ID: aa88c51fb16bdf3c5954716cafb681f98f73f0355b5e8219041da3faa47450fc
                      • Opcode Fuzzy Hash: c7e0332bc4d3f43384faf8c2793fd10c25a2e9326f244ea1744b31042c0c1cf3
                      • Instruction Fuzzy Hash: A40184321092166FAA2437B8AC85A6727D4DB117F573407BAFA20862F9FF524C91E364

                      Control-flow Graph (legend: Executed / Not Executed)
                      control_flow_graph 366 b84424-b84438 GetLastError 367 b8443a-b84444 call b85904 366->367 368 b84446-b8444b 366->368 367->368 375 b8448f-b8449a SetLastError 367->375 369 b8444d call b8480c 368->369 371 b84452-b84458 369->371 373 b8445a 371->373 374 b84463-b84471 call b8595a 371->374 376 b8445b-b84461 call b84869 373->376 381 b84473-b84474 374->381 382 b84476-b8448d call b84296 call b84869 374->382 383 b8449b-b844a7 SetLastError call b83f24 376->383 381->376 382->375 382->383
                      APIs
                      • GetLastError.KERNEL32(00000008,?,00B86D69,?,?,?,00B904C8,0000002C,00B83F34,00000016,00B8209F,00B81AFC), ref: 00B84428
                      • _free.LIBCMT ref: 00B8445B
                      • _free.LIBCMT ref: 00B84483
                      • SetLastError.KERNEL32(00000000), ref: 00B84490
                      • SetLastError.KERNEL32(00000000), ref: 00B8449C
                      • _abort.LIBCMT ref: 00B844A2
                      Memory Dump Source
                      • Source File: 00000000.00000002.1460710481.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                      • Associated: 00000000.00000002.1460680288.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460730799.0000000000B8B000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460753992.0000000000B91000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460781447.0000000000B93000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_b80000_UdY4Kc66Bc.jbxd
                      Similarity
                      • API ID: ErrorLast$_free$_abort
                      • String ID:
                      • API String ID: 3160817290-0
                      • Opcode ID: 828d5d5146381f92b92f3da22a3ea8ab807715c2a49c78d77cf235eaf5d626c4
                      • Instruction ID: 01ecde3e63a950673ba437e99570add5e77ac7ae6a62b8de156511a4dfebd78e
                      • Opcode Fuzzy Hash: 828d5d5146381f92b92f3da22a3ea8ab807715c2a49c78d77cf235eaf5d626c4
                      • Instruction Fuzzy Hash: FFF0FC35500643B7C6227B34AC59F2B26EADFD1771B294595F528D33F1EF218901D321

                      Control-flow Graph (legend: Executed / Not Executed)
                      control_flow_graph 390 b836fc-b83724 GetModuleHandleExW 391 b83749-b8374d 390->391 392 b83726-b83739 GetProcAddress 390->392 393 b83758-b83765 call b8123a 391->393 394 b8374f-b83752 FreeLibrary 391->394 395 b83748 392->395 396 b8373b-b83746 392->396 394->393 395->391 396->395
                      APIs
                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00B836AD,?,?,00B8364D,?,00B902E0,0000000C,00B837A4,?,00000002), ref: 00B8371C
                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B8372F
                      • FreeLibrary.KERNEL32(00000000,?,?,?,00B836AD,?,?,00B8364D,?,00B902E0,0000000C,00B837A4,?,00000002,00000000), ref: 00B83752
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1460710481.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                      • Associated: 00000000.00000002.1460680288.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460730799.0000000000B8B000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460753992.0000000000B91000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460781447.0000000000B93000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_b80000_UdY4Kc66Bc.jbxd
                      Similarity
                      • API ID: AddressFreeHandleLibraryModuleProc
                      • String ID: CorExitProcess$mscoree.dll
                      • API String ID: 4061214504-1276376045
                      • Opcode ID: 3018e533cfa0eb63d5113c6c68341f57b6fd9db97d9023c4a6adb52c463d5ea7
                      • Instruction ID: 3f3dff58257643a84861c857c1468fe8bedd36666c56b994472f64fd8beb8971
                      • Opcode Fuzzy Hash: 3018e533cfa0eb63d5113c6c68341f57b6fd9db97d9023c4a6adb52c463d5ea7
                      • Instruction Fuzzy Hash: 96F03C75A00209BBDB11ABA4DC59FAEBBF8EF08B52F0040A5E805A6170DF359E45DB90

                      Control-flow Graph (legend: Executed / Not Executed)
                      control_flow_graph 400 b8634d-b86372 call b83f72 403 b8637f-b863a5 MultiByteToWideChar 400->403 404 b86374-b8637c 400->404 405 b863ab-b863b7 403->405 406 b86444-b86448 403->406 404->403 407 b863b9-b863ca 405->407 408 b86403 405->408 409 b8644a-b8644d 406->409 410 b86454-b86469 call b8123a 406->410 411 b863cc-b863db call b8ac20 407->411 412 b863e5-b863eb 407->412 414 b86405-b86407 408->414 409->410 419 b8643d-b86443 call b8646a 411->419 425 b863dd-b863e3 411->425 416 b863ec call b862ff 412->416 418 b86409-b8642b call b820b0 MultiByteToWideChar 414->418 414->419 422 b863f1-b863f6 416->422 418->419 429 b8642d-b8643b GetStringTypeW 418->429 419->406 422->419 426 b863f8 422->426 428 b863fe-b86401 425->428 426->428 428->414 429->419
                      APIs
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,00B854C8,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 00B8639A
                      • __alloca_probe_16.LIBCMT ref: 00B863D2
                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B86423
                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00B86435
                      • __freea.LIBCMT ref: 00B8643E
                        • Part of subcall function 00B862FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00B87E5B,?,00000000,?,00B8686F,?,00000004,00000000,?,?,?,00B83BCD), ref: 00B86331
                      Memory Dump Source
                      • Source File: 00000000.00000002.1460710481.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                      • Associated: 00000000.00000002.1460680288.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460730799.0000000000B8B000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460753992.0000000000B91000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460781447.0000000000B93000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_b80000_UdY4Kc66Bc.jbxd
                      Similarity
                      • API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
                      • String ID:
                      • API String ID: 1857427562-0
                      • Opcode ID: feaab26826358c0e930c75a3f228870e69ef0fde84da745504aaa31ae9834198
                      • Instruction ID: 98bb0cf82acc14ae62e2f9a3982286ab39d58f79c12f37f640c352dfdfdd35df
                      • Opcode Fuzzy Hash: feaab26826358c0e930c75a3f228870e69ef0fde84da745504aaa31ae9834198
                      • Instruction Fuzzy Hash: D331CF72A0021AABDF25AF68DC85DAE7BE5EF00710F0841A9FC14D7260EB35CD55CBA1

                      Control-flow Graph (legend: Executed / Not Executed)
                      control_flow_graph 430 b8561e-b85633 GetEnvironmentStringsW 431 b8568b 430->431 432 b85635-b85655 call b855e7 WideCharToMultiByte 430->432 433 b8568d-b8568f 431->433 432->431 438 b85657 432->438 435 b85698-b856a0 433->435 436 b85691-b85692 FreeEnvironmentStringsW 433->436 436->435 439 b85658 call b862ff 438->439 440 b8565d-b85662 439->440 441 b85680 440->441 442 b85664-b85678 WideCharToMultiByte 440->442 444 b85682-b85689 call b84869 441->444 442->441 443 b8567a-b8567e 442->443 443->444 444->433
                      APIs
                      • GetEnvironmentStringsW.KERNEL32 ref: 00B85627
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B8564A
                        • Part of subcall function 00B862FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00B87E5B,?,00000000,?,00B8686F,?,00000004,00000000,?,?,?,00B83BCD), ref: 00B86331
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00B85670
                      • _free.LIBCMT ref: 00B85683
                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B85692
                      Memory Dump Source
                      • Source File: 00000000.00000002.1460710481.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                      • Associated: 00000000.00000002.1460680288.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460730799.0000000000B8B000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460753992.0000000000B91000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460781447.0000000000B93000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_b80000_UdY4Kc66Bc.jbxd
                      Similarity
                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                      • String ID:
                      • API String ID: 2278895681-0
                      • Opcode ID: 81e00a0056eded2a40fa463e1eb2d250ffa132215fab1c698fc08561f24cea9d
                      • Instruction ID: 9e316cb1a54a59acd153070d0b90c594202c7ae5a1fd3cc2d9bc3309b57c49ce
                      • Opcode Fuzzy Hash: 81e00a0056eded2a40fa463e1eb2d250ffa132215fab1c698fc08561f24cea9d
                      • Instruction Fuzzy Hash: 19017172601A597FA7313AB65C9DCBB6AADDEC2BA135501A9F904D7170FF608C01C3B0

                      Control-flow Graph (legend: Executed / Not Executed)
                      control_flow_graph 447 b844a8-b844bf GetLastError 448 b844cd-b844d2 447->448 449 b844c1-b844cb call b85904 447->449 451 b844d4 call b8480c 448->451 449->448 454 b8451e-b84525 SetLastError 449->454 453 b844d9-b844df 451->453 455 b844ea-b844f8 call b8595a 453->455 456 b844e1 453->456 458 b84527-b8452c 454->458 462 b844fa-b844fb 455->462 463 b844fd-b84513 call b84296 call b84869 455->463 459 b844e2-b844e8 call b84869 456->459 466 b84515-b8451c SetLastError 459->466 462->459 463->454 463->466 466->458
                      APIs
                      • GetLastError.KERNEL32(?,?,?,00B847FE,00B87E79,?,00B8686F,?,00000004,00000000,?,?,?,00B83BCD,?,00000000), ref: 00B844AD
                      • _free.LIBCMT ref: 00B844E2
                      • _free.LIBCMT ref: 00B84509
                      • SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 00B84516
                      • SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 00B8451F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1460710481.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                      • Associated: 00000000.00000002.1460680288.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460730799.0000000000B8B000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460753992.0000000000B91000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460781447.0000000000B93000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_b80000_UdY4Kc66Bc.jbxd
                      Similarity
                      • API ID: ErrorLast$_free
                      • String ID:
                      • API String ID: 3170660625-0
                      • Opcode ID: 11a9d8bd6aa8a38b7389acaccbdf4b9c86bbf79cfcaffb87111f2bbe594e3fb2
                      • Instruction ID: 84e6a00d253c18f7b903cbf19a4c738f69ff22d08bbad2dd7f02b9404c0345b3
                      • Opcode Fuzzy Hash: 11a9d8bd6aa8a38b7389acaccbdf4b9c86bbf79cfcaffb87111f2bbe594e3fb2
                      • Instruction Fuzzy Hash: 44012836200603ABC2227B346C89E6F26EEEBD177573400A5F519E32B2EF718E01C320

                      Control-flow Graph (legend: Executed / Not Executed)
                      control_flow_graph 470 b86176-b86181 471 b861dc-b861de 470->471 472 b86183-b8618b 470->472 473 b8618d-b86193 call b84869 472->473 474 b86194-b8619d 472->474 473->474 476 b8619f-b861a5 call b84869 474->476 477 b861a6-b861af 474->477 476->477 480 b861b8-b861c1 477->480 481 b861b1-b861b7 call b84869 477->481 484 b861ca-b861d3 480->484 485 b861c3-b861c9 call b84869 480->485 481->480 484->471 487 b861d5-b861db call b84869 484->487 485->484 487->471
                      APIs
                      • _free.LIBCMT ref: 00B8618E
                        • Part of subcall function 00B84869: HeapFree.KERNEL32(00000000,00000000,?,00B8620D,?,00000000,?,00000000,?,00B86234,?,00000007,?,?,00B8669F,?), ref: 00B8487F
                        • Part of subcall function 00B84869: GetLastError.KERNEL32(?,?,00B8620D,?,00000000,?,00000000,?,00B86234,?,00000007,?,?,00B8669F,?,?), ref: 00B84891
                      • _free.LIBCMT ref: 00B861A0
                      • _free.LIBCMT ref: 00B861B2
                      • _free.LIBCMT ref: 00B861C4
                      • _free.LIBCMT ref: 00B861D6
                      Memory Dump Source
                      • Source File: 00000000.00000002.1460710481.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                      • Associated: 00000000.00000002.1460680288.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460730799.0000000000B8B000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460753992.0000000000B91000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460781447.0000000000B93000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_b80000_UdY4Kc66Bc.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: b99139998e9afa0b66b72ef56ad429781edce1b454881bd1cd9133388fe08c43
                      • Instruction ID: 2c68f71d861efc2e73f5aa3395a656c1d9ec343669388ac9e4ed03ec0a1926af
                      • Opcode Fuzzy Hash: b99139998e9afa0b66b72ef56ad429781edce1b454881bd1cd9133388fe08c43
                      • Instruction Fuzzy Hash: 0CF01232A14251AF86A0FF59FA89C1A77DDEA40B547581C96F409E7573CB30FC80D754
                      APIs
                      • _free.LIBCMT ref: 00B83DAD
                        • Part of subcall function 00B84869: HeapFree.KERNEL32(00000000,00000000,?,00B8620D,?,00000000,?,00000000,?,00B86234,?,00000007,?,?,00B8669F,?), ref: 00B8487F
                        • Part of subcall function 00B84869: GetLastError.KERNEL32(?,?,00B8620D,?,00000000,?,00000000,?,00B86234,?,00000007,?,?,00B8669F,?,?), ref: 00B84891
                      • _free.LIBCMT ref: 00B83DBF
                      • _free.LIBCMT ref: 00B83DD2
                      • _free.LIBCMT ref: 00B83DE3
                      • _free.LIBCMT ref: 00B83DF4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1460710481.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                      • Associated: 00000000.00000002.1460680288.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460730799.0000000000B8B000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460753992.0000000000B91000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460781447.0000000000B93000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_b80000_UdY4Kc66Bc.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 8c661f009d9546379b15d37002f147c2da25825acdf6502904e4a33f614ecc32
                      • Instruction ID: 42be00c1f21c63c44396bea47e6fe897f30b26cb7fb9422b98b867f276831b7d
                      • Opcode Fuzzy Hash: 8c661f009d9546379b15d37002f147c2da25825acdf6502904e4a33f614ecc32
                      • Instruction Fuzzy Hash: 7FF03A78801262AFDB817F29FE054093BA0EF54B203020AA7F416A72B1CF350951EBC4
                      APIs
                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\UdY4Kc66Bc.exe,00000104), ref: 00B82F93
                      • _free.LIBCMT ref: 00B8305E
                      • _free.LIBCMT ref: 00B83068
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1460710481.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                      • Associated: 00000000.00000002.1460680288.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460730799.0000000000B8B000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460753992.0000000000B91000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460781447.0000000000B93000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_b80000_UdY4Kc66Bc.jbxd
                      Similarity
                      • API ID: _free$FileModuleName
                      • String ID: C:\Users\user\Desktop\UdY4Kc66Bc.exe
                      • API String ID: 2506810119-358099547
                      • Opcode ID: 16c3ef11e8994b1d959ac6d755a15af538e874c7e5c73c25cc4a5a52e4234f15
                      • Instruction ID: a14d507c12582d3968b1a91befb3cf359f1460f6db0991f4bf75603bc332c1de
                      • Opcode Fuzzy Hash: 16c3ef11e8994b1d959ac6d755a15af538e874c7e5c73c25cc4a5a52e4234f15
                      • Instruction Fuzzy Hash: 8B317075A00249AFCB21BB99D88199EBBFCEF85B10B1040A6E504A7261DB718E40DB51
                      APIs
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00B82594,00000000,?,00B91B50,?,?,?,00B82737,00000004,InitializeCriticalSectionEx,00B8BC48,InitializeCriticalSectionEx), ref: 00B825F0
                      • GetLastError.KERNEL32(?,00B82594,00000000,?,00B91B50,?,?,?,00B82737,00000004,InitializeCriticalSectionEx,00B8BC48,InitializeCriticalSectionEx,00000000,?,00B824C7), ref: 00B825FA
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00B82622
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1460710481.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                      • Associated: 00000000.00000002.1460680288.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460730799.0000000000B8B000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460753992.0000000000B91000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460781447.0000000000B93000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_b80000_UdY4Kc66Bc.jbxd
                      Similarity
                      • API ID: LibraryLoad$ErrorLast
                      • String ID: api-ms-
                      • API String ID: 3177248105-2084034818
                      • Opcode ID: 60a74a5a2cc85ade3c220f55cb51a4f7d88272100eb31891120b50ab0f622c26
                      • Instruction ID: 80251a4a0ea4e55394bf51489585aed27e48a3a5c99719d2fcc6416f70a7b2d9
                      • Opcode Fuzzy Hash: 60a74a5a2cc85ade3c220f55cb51a4f7d88272100eb31891120b50ab0f622c26
                      • Instruction Fuzzy Hash: DCE01A30680205FBEF212B70EC06F5A3B98EB10B51F104460F90DA80B1EBB2A954EB49
                      APIs
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00B85784,00000000,00000000,00000000,00000000,?,00B85981,00000006,FlsSetValue), ref: 00B8580F
                      • GetLastError.KERNEL32(?,00B85784,00000000,00000000,00000000,00000000,?,00B85981,00000006,FlsSetValue,00B8C4D8,FlsSetValue,00000000,00000364,?,00B844F6), ref: 00B8581B
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00B85784,00000000,00000000,00000000,00000000,?,00B85981,00000006,FlsSetValue,00B8C4D8,FlsSetValue,00000000), ref: 00B85829
                      Memory Dump Source
                      • Source File: 00000000.00000002.1460710481.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                      • Associated: 00000000.00000002.1460680288.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460730799.0000000000B8B000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460753992.0000000000B91000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460781447.0000000000B93000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_b80000_UdY4Kc66Bc.jbxd
                      Similarity
                      • API ID: LibraryLoad$ErrorLast
                      • String ID:
                      • API String ID: 3177248105-0
                      • Opcode ID: aef722afbf42cd22f35430837c6a07611af93c14c12a02030cb5cddea7fbd7d4
                      • Instruction ID: 356a1314284bc084a28af6c1279ae193a482fda0299644ffa10cbc4488cd7471
                      • Opcode Fuzzy Hash: aef722afbf42cd22f35430837c6a07611af93c14c12a02030cb5cddea7fbd7d4
                      • Instruction Fuzzy Hash: 4D01A236605A22EBCB315B78AC84E5777D8EF05BA1B210665FA2AD7161DF20DC00C7E0
                      APIs
                      • _free.LIBCMT ref: 00B84A27
                        • Part of subcall function 00B8474D: IsProcessorFeaturePresent.KERNEL32(00000017,00B8473C,00000000,?,00000004,00000000,?,?,?,?,00B84749,00000000,00000000,00000000,00000000,00000000), ref: 00B8474F
                        • Part of subcall function 00B8474D: GetCurrentProcess.KERNEL32(C0000417), ref: 00B84771
                        • Part of subcall function 00B8474D: TerminateProcess.KERNEL32(00000000), ref: 00B84778
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1460710481.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                      • Associated: 00000000.00000002.1460680288.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460730799.0000000000B8B000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460753992.0000000000B91000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1460781447.0000000000B93000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_b80000_UdY4Kc66Bc.jbxd
                      Similarity
                      • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                      • String ID: *?$.
                      • API String ID: 2667617558-3972193922
                      • Opcode ID: b5ebe54ac363d96a5ffd237f2e5e25fa63b2e5d383b99c3f0f4b770ea8c32303
                      • Instruction ID: 574d9da84382bb66c40a1f9d74731b1dc5aaa395b3c19ed9515271984696a6b4
                      • Opcode Fuzzy Hash: b5ebe54ac363d96a5ffd237f2e5e25fa63b2e5d383b99c3f0f4b770ea8c32303
                      • Instruction Fuzzy Hash: 6A518275E0011AAFDF14EFA8C881AAEB7F5EF58314F2441AAE454E7351E7359E01CB50

                      Execution Graph

                      Execution Coverage:20.2%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:0%
                      Total number of Nodes:26
                      Total number of Limit Nodes:0
                      execution_graph 11501 7ff886e52cbd 11502 7ff886e52d30 11501->11502 11505 7ff886e415d8 11502->11505 11504 7ff886e52e36 11507 7ff886e415e1 11505->11507 11506 7ff886e41683 11506->11504 11507->11506 11508 7ff886e41802 LoadLibraryExW 11507->11508 11509 7ff886e41836 11508->11509 11509->11504 11519 7ff886e52ef9 11521 7ff886e52f07 CreateUrlCacheEntryW 11519->11521 11522 7ff886e53116 11521->11522 11497 7ff886e4994b 11498 7ff886e49957 CreateFileW 11497->11498 11500 7ff886e49a8c 11498->11500 11510 7ff886e57611 11511 7ff886e5763f 11510->11511 11512 7ff886e5765a 11511->11512 11514 7ff886e415e8 11511->11514 11516 7ff886e415f1 11514->11516 11515 7ff886e41683 11515->11512 11516->11515 11517 7ff886e41802 LoadLibraryExW 11516->11517 11518 7ff886e41836 11517->11518 11518->11512 11523 7ff886e50a02 11525 7ff886e50a2f 11523->11525 11524 7ff886e50b9b InternetGetCookieW 11526 7ff886e50bf9 11524->11526 11525->11524 11525->11525

                      Control-flow Graph

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.2287408195.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_7ff886e40000_dfsvc.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID: 1M_I
                      • API String ID: 1029625771-598927076
                      • Opcode ID: a931b1573b69473138e81ffefbf9be078e28ae1907b1277f2acb02fae619a2fd
                      • Instruction ID: 0ad9ed6d4e24f32b467b8590814219e5aa24f6423e8bcbba36087057439d5e2b
                      • Opcode Fuzzy Hash: a931b1573b69473138e81ffefbf9be078e28ae1907b1277f2acb02fae619a2fd
                      • Instruction Fuzzy Hash: AA81D431E5CA894FEB59DB7C98592F97BE1FF96350F1841BAC00DC7292EE249805C741

                      Control-flow Graph (legend: Executed / Not Executed)
                      control_flow_graph 228 7ff886e52ef9-7ff886e52f05 229 7ff886e52f08-7ff886e52f19 228->229 230 7ff886e52f07 228->230 231 7ff886e52f1c-7ff886e52f2d 229->231 232 7ff886e52f1b 229->232 230->229 233 7ff886e52f2f 231->233 234 7ff886e52f30-7ff886e52f41 231->234 232->231 233->234 235 7ff886e52f44-7ff886e52fe2 234->235 236 7ff886e52f43 234->236 240 7ff886e52fef-7ff886e52ff8 235->240 241 7ff886e52fe4-7ff886e52fec 235->241 236->235 242 7ff886e52ffa-7ff886e53002 240->242 243 7ff886e53005-7ff886e53011 240->243 241->240 242->243 244 7ff886e5308d-7ff886e53094 243->244 245 7ff886e53013-7ff886e53043 243->245 246 7ff886e530ae-7ff886e53114 CreateUrlCacheEntryW 244->246 250 7ff886e53045-7ff886e53047 245->250 251 7ff886e53096-7ff886e5309c 245->251 248 7ff886e5311c-7ff886e53136 246->248 249 7ff886e53116 246->249 255 7ff886e53138-7ff886e5315a 248->255 256 7ff886e5315b-7ff886e5318d call 7ff886e531a9 248->256 249->248 253 7ff886e53049-7ff886e5305b 250->253 254 7ff886e53080-7ff886e5308b 250->254 259 7ff886e5309e-7ff886e530a8 251->259 257 7ff886e5305d 253->257 258 7ff886e5305f-7ff886e53072 253->258 254->259 255->256 265 7ff886e5318f 256->265 266 7ff886e53194-7ff886e531a8 256->266 257->258 258->258 261 7ff886e53074-7ff886e5307c 258->261 259->246 261->254 265->266
                      APIs
                      Memory Dump Source
                      • Source File: 00000001.00000002.2287408195.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_7ff886e40000_dfsvc.jbxd
                      Similarity
                      • API ID: CacheCreateEntry
                      • String ID:
                      • API String ID: 3741994674-0
                      • Opcode ID: 99e259ecd8a984423b3c701095d91f42b89a0281608d728894de18ec59a8cf42
                      • Instruction ID: ac004a92186f76eaf9a5fc5a287693e7967dafb7e7aa62e8a6fa0d9ed3f8753a
                      • Opcode Fuzzy Hash: 99e259ecd8a984423b3c701095d91f42b89a0281608d728894de18ec59a8cf42
                      • Instruction Fuzzy Hash: C8A1F27051CA8D8FDBA9DF2898497E53BE0FF55310F10426EE88DC7292DA789845CB91

                      Control-flow Graph

                      APIs
                      Memory Dump Source
                      • Source File: 00000001.00000002.2287408195.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_7ff886e40000_dfsvc.jbxd
                      Similarity
                      • API ID: CookieInternet
                      • String ID:
                      • API String ID: 930238652-0
                      • Opcode ID: c2d8192f53cbfff796b254ed03fcc2a6e12be3f56a6c6d9e34daad4ea7fae688
                      • Instruction ID: 3173fe9c92bb32e515dbf4aa3c0a1e57305ab872821d2498cf367b5d8ece3fb1
                      • Opcode Fuzzy Hash: c2d8192f53cbfff796b254ed03fcc2a6e12be3f56a6c6d9e34daad4ea7fae688
                      • Instruction Fuzzy Hash: 5291C170508B8D8FDBA9DF28C8597E93BE1FF59310F04426EE84DC7292DA749945CB81

                      Control-flow Graph

                      • Control-flow graph (rendered image, executed vs. not-executed blocks): basic blocks 7ff886e4994b to 7ff886e49ac5, with a call to CreateFileW
                      APIs
                      Memory Dump Source
                      • Source File: 00000001.00000002.2287408195.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_7ff886e40000_dfsvc.jbxd
                      Similarity
                      • API ID: CreateFile
                      • String ID:
                      • API String ID: 823142352-0
                      • Opcode ID: 57d5b296c80ce097b837757f2d785cbf4fecf83a07f7e7657a2c462e8a3768f7
                      • Instruction ID: b31f3c98ba8f82c5cd5026c7bfa8a5adeebbde74625888dbc7c96e467ee8cb53
                      • Opcode Fuzzy Hash: 57d5b296c80ce097b837757f2d785cbf4fecf83a07f7e7657a2c462e8a3768f7
                      • Instruction Fuzzy Hash: DC518F7191CA5C8FDB58EF68D845BE9BBE0FB69310F1442AED04DD3252CB35A845CB81