
Windows Analysis Report
NLRpif3sEB.exe

Overview

General Information

Sample name:NLRpif3sEB.exe
renamed because original name is a hash value
Original sample name:3bbda4a44d5416394724d568a5cdcedfd7e05d236dd5c0917070bc9795516814.exe
Analysis ID:1575228
MD5:7083f90ec97477ac0dc977324bba3ec8
SHA1:003402d622f48f10c5f3521244be458619e8d49b
SHA256:3bbda4a44d5416394724d568a5cdcedfd7e05d236dd5c0917070bc9795516814
Tags:exeuser-NDA0E

Detection

Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Self deletion via cmd or bat file
Uses ping.exe to check the status of other devices and networks
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Classification

  • System is w10x64
  • NLRpif3sEB.exe (PID: 5088 cmdline: "C:\Users\user\Desktop\NLRpif3sEB.exe" MD5: 7083F90EC97477AC0DC977324BBA3EC8)
    • cmd.exe (PID: 6324 cmdline: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\user\Desktop\NLRpif3sEB.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 7132 cmdline: ping 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: NLRpif3sEB.exe | Avira: detected
Source: NLRpif3sEB.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: NLRpif3sEB.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00404911 CryptUnprotectData,LocalFree
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00410D22 CryptUnprotectData,LocalFree
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00410ED8 CoCreateInstance,CoTaskMemFree,CoTaskMemFree,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00411FC7 CryptUnprotectData,LocalFree
Source: NLRpif3sEB.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: NLRpif3sEB.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00404CE1 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_004108E4 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_004118BB FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindNextFileW,FindClose

Networking

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Connection: Keep-Alive Host: 213.226.100.197 (reported 4 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 213.226.100.197 (reported 10 times)
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_004129A8 InternetOpenW,InternetSetOptionW,InternetConnectW,HttpOpenRequestW,InternetQueryOptionW,InternetSetOptionW,HttpSendRequestW,InternetQueryDataAvailable,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: NLRpif3sEB.exe, 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, NLRpif3sEB.exe, 00000000.00000002.2635265190.0000000002C51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://213.226.100.197;
Source: NLRpif3sEB.exe, 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, NLRpif3sEB.exe, 00000000.00000002.2635265190.0000000002C51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://213.226.100.197;%s
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_004058F2 OpenProcessToken,GetTokenInformation,NtCreateToken,CloseHandle
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00405750 GetTokenInformation,GetTokenInformation,DuplicateTokenEx,AdjustTokenPrivileges,NtSetInformationThread,CloseHandle
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_0040A856
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00408406
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_0040881D
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_0040A4D4
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00407CEF
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_004040BB
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_0040795E
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00403DFA
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_0040D611
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_0040821E
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00410ED8
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_0040A2A0
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00407AA0
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00415B50
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_0040A759
Source: classification engine | Classification label: mal80.troj.spyw.evad.winEXE@6/0@0/2
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00405836 RtlAdjustPrivilege,CreateToolhelp32Snapshot,Process32NextW,OpenProcess,OpenProcessToken,CloseHandle,CloseHandle,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00407656 CoCreateInstance,SysAllocString,SysAllocString,VariantClear
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Mutant created: \Sessions\1\BaseNamedObjects\58E95B720E951117388365
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6260:120:WilError_03
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Command line argument: 0r (0_2_00E47180)
Source: NLRpif3sEB.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\NLRpif3sEB.exe "C:\Users\user\Desktop\NLRpif3sEB.exe"
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\user\Desktop\NLRpif3sEB.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: NLRpif3sEB.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: NLRpif3sEB.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: NLRpif3sEB.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: NLRpif3sEB.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: NLRpif3sEB.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00E44B40 LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00417AB0 push eax; ret (0_2_00417AC4)
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00417AB0 push eax; ret (0_2_00417AEC)
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00E467D5 push ecx; ret (0_2_00E467E8)

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Process created: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\user\Desktop\NLRpif3sEB.exe"
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_0-15319)
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_0-15730)
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep (graph_0-14346)
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_0-16121)
Source: C:\Users\user\Desktop\NLRpif3sEB.exe TID: 6472 | Thread sleep time: -30000s >= -30000s
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\PING.EXE | Last function: Thread delayed
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_004145B8 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jne 00414B0Dh
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_004145B8 GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetComputerNameW,GetUserNameW,GetLocalTime,EnumDisplayDevicesW,GetKeyboardLayoutList,GetKeyboardLayoutList
Source: NLRpif3sEB.exe, 00000000.00000002.2634885653.000000000115F000.00000004.00000020.00020000.00000000.sdmp, NLRpif3sEB.exe, 00000000.00000002.2634885653.000000000110E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | API call chain: ExitProcess graph end node (graph_0-15239)
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00E450C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00405108 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_004075F1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00407605 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00407621 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00E44CC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00E44960 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00E44F20 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00E46A31 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00E45B09 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: GetLocaleInfoA (0_2_00416E6D)
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00413CAF CreateMutexA,ExitProcess,GetModuleFileNameW,ExitProcess,GetSystemTime,GetSystemTime,CloseHandle,ExitProcess
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00406418 GetTimeZoneInformation
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00416E8E RtlGetVersion

Stealing of Sensitive Information

Source: NLRpif3sEB.exe | String found in binary or memory: Electrum
Source: NLRpif3sEB.exe | String found in binary or memory: com.liberty.jaxx\IndexedDB
Source: NLRpif3sEB.exe | String found in binary or memory: Exodus
Source: NLRpif3sEB.exe | String found in binary or memory: Ethereum
Source: NLRpif3sEB.exe | String found in binary or memory: keystore
MITRE ATT&CK Matrix (techniques matched by this analysis, with the match count shown in each matrix cell):

  • Execution: Command and Scripting Interpreter (2), Native API (13)
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: Access Token Manipulation (1), Process Injection (11), DLL Side-Loading (1)
  • Defense Evasion: Virtualization/Sandbox Evasion (1), Access Token Manipulation (1), Process Injection (11), Obfuscated Files or Information (1), DLL Side-Loading (1), File Deletion (1)
  • Discovery: System Time Discovery (2), Security Software Discovery (11), Virtualization/Sandbox Evasion (1), Process Discovery (1), Account Discovery (1), System Owner/User Discovery (1), Remote System Discovery (1), System Network Configuration Discovery (1), File and Directory Discovery (2), System Information Discovery (34)
  • Collection: Archive Collected Data (1), Data from Local System (1)
  • Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (1), Application Layer Protocol (1)
  • No techniques matched under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact.
Source | Detection | Scanner | Label
NLRpif3sEB.exe | 61% | ReversingLabs | Win32.Trojan.KpotStealer
NLRpif3sEB.exe | 100% | Avira | TR/AD.Khalesi.aeba
NLRpif3sEB.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
http://213.226.100.197;%s | 0% | Avira URL Cloud | safe
http://213.226.100.197; | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://213.226.100.197; | NLRpif3sEB.exe, 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, NLRpif3sEB.exe, 00000000.00000002.2635265190.0000000002C51000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://213.226.100.197;%s | NLRpif3sEB.exe, 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, NLRpif3sEB.exe, 00000000.00000002.2635265190.0000000002C51000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
213.226.100.197 | unknown | Russian Federation | 200019 | ALEXHOSTMD | false
IP
127.0.0.1
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1575228
Start date and time:2024-12-14 20:08:05 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 12s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:Run with higher sleep bypass
Number of new started processes analysed:8
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:NLRpif3sEB.exe
renamed because original name is a hash value
Original Sample Name:3bbda4a44d5416394724d568a5cdcedfd7e05d236dd5c0917070bc9795516814.exe
Detection:MAL
Classification:mal80.troj.spyw.evad.winEXE@6/0@0/2
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 34
  • Number of non-executed functions: 69
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
  • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
  • Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: NLRpif3sEB.exe
No simulations
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ALEXHOSTMD | sora.sh4.elf | malicious | Mirai | 176.123.5.14
ALEXHOSTMD | http://server.citierupticx.com/specId/product-mje%EF%BC%A0ml.avio.co.jp | malicious | HTMLPhisher | 91.208.197.216
ALEXHOSTMD | 2024-11 eStmt 5563019.exe | malicious | ScreenConnect Tool | 176.123.1.130
ALEXHOSTMD | otis.exe | malicious | Unknown | 91.132.92.231
ALEXHOSTMD | otis.exe | malicious | Unknown | 91.132.92.231
ALEXHOSTMD | armv5l.elf | malicious | Gafgyt, Mirai | 91.208.162.247
ALEXHOSTMD | mips.elf | malicious | Gafgyt, Mirai | 91.208.162.247
ALEXHOSTMD | m68k.elf | malicious | Gafgyt, Mirai | 91.208.162.247
ALEXHOSTMD | powerpc.elf | malicious | Gafgyt, Mirai | 91.208.162.247
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):4.913242559455033
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:NLRpif3sEB.exe
File size:544'256 bytes
MD5:7083f90ec97477ac0dc977324bba3ec8
SHA1:003402d622f48f10c5f3521244be458619e8d49b
SHA256:3bbda4a44d5416394724d568a5cdcedfd7e05d236dd5c0917070bc9795516814
SHA512:7ea07933377c2a7651547889decf558dc4243e2b4e4c3e41b374ec2e9bd6d25f2e1109b579b51696cc9f3127ab458f5050917fed1c673df6ccd299fad0089f4c
SSDEEP:6144:jbgH72UMexaE7qzXi41IpGP2Uxf1SOXUqcAgJo6VVTsGP7J2DMABQ7lOMPJ3Q:jbgH72lWaEcXi4GcxzRr7
TLSH:9FC492E7C303660FF70374B0C18CAAB5A4561771BE4A58626A266FFCF36D1D10969B83
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,...M...M...M...;i..M...;\..M...;h..M...5Q..M...M...M...;m..M...;X..M...;_..M..Rich.M..........PE..L....{{^...................
Icon Hash:00928e8e8686b000
Entrypoint:0x435414
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x5E7B7BE5 [Wed Mar 25 15:42:29 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:489091380902ae5fab5138a1044fd8fa
Instruction
call 00007F63C87AB73Bh
jmp 00007F63C87AA05Eh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0043DC78h], eax
mov dword ptr [0043DC74h], ecx
mov dword ptr [0043DC70h], edx
mov dword ptr [0043DC6Ch], ebx
mov dword ptr [0043DC68h], esi
mov dword ptr [0043DC64h], edi
mov word ptr [0043DC90h], ss
mov word ptr [0043DC84h], cs
mov word ptr [0043DC60h], ds
mov word ptr [0043DC5Ch], es
mov word ptr [0043DC58h], fs
mov word ptr [0043DC54h], gs
pushfd
pop dword ptr [0043DC88h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0043DC7Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0043DC80h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0043DC8Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0043DBC8h], 00010001h
mov eax, dword ptr [0043DC80h]
mov dword ptr [0043DB7Ch], eax
mov dword ptr [0043DB70h], C0000409h
mov dword ptr [0043DB74h], 00000001h
mov eax, dword ptr [0043D004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0043D008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000A0h]
Programming Language:
  • [C++] VS2010 build 30319
  • [ASM] VS2010 build 30319
  • [ C ] VS2010 build 30319
  • [IMP] VS2008 SP1 build 30729
  • [RES] VS2010 build 30319
  • [LNK] VS2010 build 30319
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x3bd3c         | 0x64         | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x3f000         | 0x48464      | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x88000         | 0x72c        | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x3bb48         | 0x40         | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x3a000         | 0x150        | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type | Entropy           | Characteristics
.text  | 0x1000          | 0x38582      | 0x38600  | 2ca1e21247c586cd81cd50ddd8f96bba | False    | 0.3514109271064302  | data      | 5.281420630473987 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x3a000         | 0x24aa       | 0x2600   | 324c6009672f87605820a2907d77065f | False    | 0.34745065789473684 | data      | 4.724043806815104 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0x3d000         | 0x1940       | 0xc00    | a1e869547c364d560b5be05df1ef49cb | False    | 0.22265625          | data      | 2.53160662042428  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  | 0x3f000         | 0x48464      | 0x48600  | 477999904eacff1380b3c82f67633d0a | False    | 0.3737721286701209  | data      | 3.539645845792326 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x88000         | 0xa76        | 0xc00    | 0551b6d0bb13bc88ee9f5875dfe694fd | False    | 0.5087890625        | data      | 4.540521816553144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name              | RVA     | Size    | Type | Language | Country       | ZLIB Complexity
AFX_DIALOG_LAYOUT | 0x3f1cc | 0x2     | data | English  | United States | 5.0
RT_MENU           | 0x3f1d0 | 0xa2    | data | English  | United States | 0.5679012345679012
RT_DIALOG         | 0x3f274 | 0x144   | data | English  | United States | 0.5679012345679012
RT_STRING         | 0x3f3b8 | 0x90    | data | English  | United States | 0.5972222222222222
RT_RCDATA         | 0x3f448 | 0x48000 | data | English  | United States | 0.3737284342447917
RT_RCDATA         | 0x87448 | 0x19    | data | English  | United States | 1.36
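The header, section and resource tables above are what a first-pass PE triage produces, and the numbers already make one point: the section entropies (2.5 to 5.3 bits per byte) give no packing signal, but the RT_RCDATA resource at 0x3f448 is 0x48000 bytes, essentially the whole .rsrc section and more than half of the 544,256-byte file, in a program whose imports are a bare Win32 GUI skeleton. That resource is the first thing to carve out. The script below is an added example, not Joe Sandbox code: it parses a PE32 header the way the report's fields are derived (timestamp, subsystem, file and DLL characteristics, section flags, per-section Shannon entropy) and applies the usual triage checks (high-entropy sections, writable-and-executable sections, missing ASLR or DEP opt-in). Because the sample itself is not available offline, `build_sample_pe()` constructs a minimal two-section PE32 whose header values copy the report (time stamp 0x5E7B7BE5, image base 0x400000, GUI subsystem, DllCharacteristics DYNAMIC_BASE|NX_COMPAT|TERMINAL_SERVER_AWARE) and whose section bodies are synthetic, one constant and one uniformly distributed, to exercise the entropy check.

```python
"""Triage the PE header fields the report lists above.

Added example, not Joe Sandbox code. build_sample_pe() constructs a minimal
two-section PE32 whose header fields (timestamp, image base, subsystem,
characteristics) copy the report's values; the section bodies are synthetic,
chosen only to show a low- and a high-entropy section.
"""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

FILE_CHARS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
              0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
             0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
SECTION_FLAGS = {0x20: "CNT_CODE", 0x40: "CNT_INITIALIZED_DATA", 0x02000000: "MEM_DISCARDABLE",
                 0x20000000: "MEM_EXECUTE", 0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE"}
FILE_HDR = struct.Struct("<HHIIIHH")                           # IMAGE_FILE_HEADER
OPT_HDR32 = struct.Struct("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII")    # PE32 optional header minus data dirs
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")                    # IMAGE_SECTION_HEADER

def flag_names(bits, table):
    return [name for bit, name in sorted(table.items()) if bits & bit]

def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    n = len(data)
    h = -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0
    return h if h > 0 else 0.0

def parse_pe(blob):
    """Return header facts and triage findings for a PE32 file image."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsect, stamp, _, _, opt_size, chars = FILE_HDR.unpack_from(blob, e_lfanew + 4)
    opt_off = e_lfanew + 4 + FILE_HDR.size
    opt = OPT_HDR32.unpack_from(blob, opt_off)
    if opt[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = SECTION_HDR.unpack_from(
            blob, opt_off + opt_size + i * SECTION_HDR.size)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "entropy": round(shannon_entropy(blob[rawptr:rawptr + rawsize]), 3),
                         "flags": flag_names(flags, SECTION_FLAGS)})
    report = {
        "machine": hex(machine), "entry": hex(opt[6]), "image_base": opt[9],
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "subsystem": {2: "windows gui", 3: "windows cui"}.get(opt[22], str(opt[22])),
        "file_characteristics": flag_names(chars, FILE_CHARS),
        "dll_characteristics": flag_names(opt[23], DLL_CHARS),
        "sections": sections, "findings": [],
    }
    for s in sections:
        if s["entropy"] > 7.0:
            report["findings"].append("%s: entropy %.2f suggests packed or encrypted content"
                                      % (s["name"], s["entropy"]))
        if {"MEM_WRITE", "MEM_EXECUTE"} <= set(s["flags"]):
            report["findings"].append("%s: writable and executable" % s["name"])
    for flag, meaning in (("DYNAMIC_BASE", "ASLR"), ("NX_COMPAT", "DEP")):
        if flag not in report["dll_characteristics"]:
            report["findings"].append("%s not opted in (%s missing)" % (meaning, flag))
    return report

def build_sample_pe():
    """Constructed PE32: the report's header values, two synthetic sections."""
    file_align, headers_size = 0x200, 0x200
    sections = [(b".text", b"\x90" * 0x400, 0x1000, 0x60000020),        # constant bytes, entropy 0
                (b".rsrc", bytes(range(256)) * 4, 0x2000, 0x40000040)]  # uniform bytes, entropy 8
    hdr = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)) + b"PE\0\0"
    hdr += FILE_HDR.pack(0x14C, len(sections), 0x5E7B7BE5, 0, 0, OPT_HDR32.size + 128, 0x0102)
    hdr += OPT_HDR32.pack(0x10B, 10, 0, 0x400, 0x400, 0, 0x1000, 0x1000, 0x2000, 0x400000,
                          0x1000, file_align, 5, 1, 0, 0, 5, 1, 0, 0x3000, headers_size, 0,
                          2, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    hdr += b"\0" * 128                                   # 16 empty data directories
    body, raw_ptr = bytearray(), headers_size
    for name, data, va, flags in sections:
        raw_size = -(-len(data) // file_align) * file_align
        hdr += SECTION_HDR.pack(name.ljust(8, b"\0"), len(data), va, raw_size, raw_ptr, 0, 0, 0, 0, flags)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    return bytes(hdr.ljust(headers_size, b"\0") + body)

if __name__ == "__main__":
    import json
    print(json.dumps(parse_pe(build_sample_pe()), indent=2))
```

Run against a real file with `parse_pe(open(path, "rb").read())`. On the sample described here the entropy check would stay quiet (highest section is 5.28), which is exactly why the resource table, not the section table, is what points at the embedded RT_RCDATA blob; a per-resource entropy pass over the RT_RCDATA bytes is the natural next step.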
DLL: Imports
KERNEL32.dll: TerminateProcess, GetLastError, VirtualAlloc, LoadLibraryA, SetCalendarInfoA, HeapAlloc, GetProcAddress, CloseHandle, HeapReAlloc, GetStringTypeW, MultiByteToWideChar, LCMapStringW, GetModuleHandleW, RtlUnwind, Sleep, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, LoadLibraryW, EnterCriticalSection, LeaveCriticalSection, GetSystemTimeAsFileTime, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, GetCurrentProcess, HeapSize, InterlockedDecrement, GetCurrentThreadId, HeapFree, GetCommandLineA, HeapSetInformation, GetStartupInfoW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, ExitProcess, DecodePointer, WriteFile, GetStdHandle, GetModuleFileNameW, EncodePointer, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, IsProcessorFeaturePresent
USER32.dll: EndPaint, PostQuitMessage, GetClientRect, BeginPaint, GetDC, ReleaseDC, DefWindowProcW, GetMessageW, LoadCursorW, TranslateMessage, LoadIconW, ShowWindow, CreateWindowExW, MessageBoxW, RegisterClassW, UpdateWindow, DispatchMessageW
GDI32.dll: LineTo, GetStockObject, MoveToEx
Normaliz.dll: IdnToNameprepUnicode
Language of compilation system | Country where language is spoken
English                        | United States
Timestamp                           | Source Port | Dest Port | Source IP       | Dest IP
Dec 14, 2024 20:08:56.417300940 CET | 49699       | 80        | 192.168.2.6     | 213.226.100.197
Dec 14, 2024 20:08:56.544154882 CET | 80          | 49699     | 213.226.100.197 | 192.168.2.6
Dec 14, 2024 20:08:56.544425964 CET | 49699       | 80        | 192.168.2.6     | 213.226.100.197
Dec 14, 2024 20:08:56.544574022 CET | 49699       | 80        | 192.168.2.6     | 213.226.100.197
Dec 14, 2024 20:08:56.671477079 CET | 80          | 49699     | 213.226.100.197 | 192.168.2.6
Dec 14, 2024 20:09:18.429389954 CET | 80          | 49699     | 213.226.100.197 | 192.168.2.6
Dec 14, 2024 20:09:18.429507017 CET | 49699       | 80        | 192.168.2.6     | 213.226.100.197
Dec 14, 2024 20:09:18.434113979 CET | 49699       | 80        | 192.168.2.6     | 213.226.100.197
Dec 14, 2024 20:09:18.437199116 CET | 49733       | 80        | 192.168.2.6     | 213.226.100.197
Dec 14, 2024 20:09:18.553869963 CET | 80          | 49699     | 213.226.100.197 | 192.168.2.6
Dec 14, 2024 20:09:18.557039022 CET | 80          | 49733     | 213.226.100.197 | 192.168.2.6
Dec 14, 2024 20:09:18.557245016 CET | 49733       | 80        | 192.168.2.6     | 213.226.100.197
Dec 14, 2024 20:09:18.557363987 CET | 49733       | 80        | 192.168.2.6     | 213.226.100.197
Dec 14, 2024 20:09:18.677431107 CET | 80          | 49733     | 213.226.100.197 | 192.168.2.6
Dec 14, 2024 20:09:40.445126057 CET | 80          | 49733     | 213.226.100.197 | 192.168.2.6
Dec 14, 2024 20:09:40.445209026 CET | 49733       | 80        | 192.168.2.6     | 213.226.100.197
Dec 14, 2024 20:09:40.445287943 CET | 49733       | 80        | 192.168.2.6     | 213.226.100.197
Dec 14, 2024 20:09:40.565366030 CET | 80          | 49733     | 213.226.100.197 | 192.168.2.6
  • 213.226.100.197
Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
0          | 192.168.2.6 | 49699       | 213.226.100.197 | 80               | 5088 | C:\Users\user\Desktop\NLRpif3sEB.exe

Dec 14, 2024 20:08:56.544574022 CET, 65 bytes, OUT:
    GET / HTTP/1.1
    Connection: Keep-Alive
    Host: 213.226.100.197

Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
1          | 192.168.2.6 | 49733       | 213.226.100.197 | 80               | 5088 | C:\Users\user\Desktop\NLRpif3sEB.exe

Dec 14, 2024 20:09:18.557363987 CET, 65 bytes, OUT:
    GET / HTTP/1.1
    Connection: Keep-Alive
    Host: 213.226.100.197
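The two requests above are the traffic behind the report's "HTTP GET or POST without a user agent" signature: a bare `GET /` to a raw IP, no User-Agent or Accept header, each on a fresh connection, and spaced 22 seconds apart (20:08:56.544 and 20:09:18.557). Those three properties are what a network detection would key on. The code below is an added example, not part of the Joe Sandbox report: it parses an HTTP/1.x request head, scores it on the header heuristics, and measures inter-request regularity from the report's timestamp format. The beacon request and the first two timestamps are copied from the report; the browser-style request and the third timestamp are constructed so that the contrast and the jitter computation have something to work on.

```python
"""Heuristics for the kind of HTTP beacon the report shows above.

Added example, not part of the Joe Sandbox report. The beacon request and
the first two timestamps are copied from the report; the benign request and
the third timestamp are constructed to exercise the comparison.
"""
import ipaddress
import re
import statistics
from datetime import datetime

# Copied from the report (65 bytes on the wire, as the report states).
SAMPLE_BEACON = "GET / HTTP/1.1\r\nConnection: Keep-Alive\r\nHost: 213.226.100.197\r\n\r\n"
# Constructed browser-style request for contrast.
SAMPLE_BENIGN = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                 "User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n")
# First two timestamps from the report's HTTP table; the third is constructed.
SAMPLE_TIMESTAMPS = [
    "Dec 14, 2024 20:08:56.544574022 CET",
    "Dec 14, 2024 20:09:18.557363987 CET",
    "Dec 14, 2024 20:09:40.570000000 CET",
]

def parse_request(raw):
    """Split an HTTP/1.x request head into method, path, version and lowercase headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}

def host_is_ip_literal(host):
    """True when the Host header names an address rather than a domain."""
    host = host.strip()
    if host.count(":") == 1:          # IPv4 host:port
        host = host.split(":")[0]
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def score_request(req):
    """Return the reasons a request looks like implant traffic; empty list if none."""
    h = req["headers"]
    findings = []
    if "user-agent" not in h:
        findings.append("no User-Agent header")
    if host_is_ip_literal(h.get("host", "")):
        findings.append("Host is an IP literal")
    if req["method"] == "GET" and req["path"] == "/" and "accept" not in h:
        findings.append("bare GET / without Accept header")
    return findings

_TS = re.compile(r"(\w{3} \d{2}, \d{4} \d{2}:\d{2}:\d{2}\.\d{6})")

def parse_ts(text):
    """Parse the report's timestamp format, truncating nanoseconds to microseconds."""
    return datetime.strptime(_TS.match(text).group(1), "%b %d, %Y %H:%M:%S.%f")

def beacon_intervals(timestamps, max_jitter=0.2):
    """Inter-request gaps and whether they are regular enough to call a beacon."""
    ts = sorted(parse_ts(t) for t in timestamps)
    intervals = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(intervals) < 2:
        return {"intervals": intervals, "jitter": None, "periodic": False}
    mean = statistics.mean(intervals)
    jitter = statistics.pstdev(intervals) / mean if mean else None
    return {"intervals": intervals, "jitter": jitter,
            "periodic": jitter is not None and jitter < max_jitter}

if __name__ == "__main__":
    for raw in (SAMPLE_BEACON, SAMPLE_BENIGN):
        req = parse_request(raw)
        print(req["method"], req["path"], req["headers"].get("host"), score_request(req) or "clean")
    print(beacon_intervals(SAMPLE_TIMESTAMPS))
```

Two requests, as in this report, are enough for the header heuristics but not for a periodicity call; `beacon_intervals` therefore refuses to label anything periodic until it has at least two gaps to compare, and the jitter threshold should be tuned against the sleep-with-jitter behaviour of the implants you actually see.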


Target ID:0
Start time:14:08:55
Start date:14/12/2024
Path:C:\Users\user\Desktop\NLRpif3sEB.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\NLRpif3sEB.exe"
Imagebase:0xe10000
File size:544'256 bytes
MD5 hash:7083F90EC97477AC0DC977324BBA3EC8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:5
Start time:14:09:40
Start date:14/12/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\user\Desktop\NLRpif3sEB.exe"
Imagebase:0x1c0000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:6
Start time:14:09:40
Start date:14/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:7
Start time:14:09:40
Start date:14/12/2024
Path:C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):true
Commandline:ping 127.0.0.1
Imagebase:0x3f0000
File size:18'944 bytes
MD5 hash:B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true
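The process tree above is the report's "Self deletion via cmd or bat file" signature in full: the sample (PID 5088) spawns `cmd.exe /c ping 127.0.0.1 && del "<its own path>"`, and the `ping` of the loopback address is a sleep that gives the parent time to exit so the `del` succeeds, not a network check in the sense of the report's generic "Uses ping.exe" signature. The detection that matters is therefore "cmd.exe child deletes its parent's image", with the delay as supporting evidence. The code below is an added example, not Joe Sandbox code: it tokenises cmd.exe command lines, splits the `/c` payload on the chaining operators, and compares each `del`/`erase` target against the parent process image. The sample's command line and PID 5088 are taken from the report; the remaining PIDs, the parent PID, the benign `ping 8.8.8.8` and the temp-file delete are constructed.

```python
"""Detect the self-deletion pattern in the process tree above.

Added example, not Joe Sandbox code. The sample's own command line and its
PID 5088 are copied from the report; the other process records (PIDs,
parents, the benign ping and the temp-file delete) are constructed.
"""
import re

DELAY_CMDS = {"ping", "timeout", "waitfor", "choice"}   # ping 127.0.0.1 is a sleep, not a probe
DELETE_CMDS = {"del", "erase"}
SEPARATORS = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")      # cmd.exe command chaining operators
TOKEN = re.compile(r'"[^"]*"|\S+')                      # quoted path or bare word

SAMPLE_EVENTS = [
    {"pid": 5088, "ppid": 1234, "image": r"C:\Users\user\Desktop\NLRpif3sEB.exe",
     "cmdline": r'"C:\Users\user\Desktop\NLRpif3sEB.exe"'},
    # The report's cmd.exe child (Target ID 5); this PID is constructed.
    {"pid": 6000, "ppid": 5088, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\user\Desktop\NLRpif3sEB.exe"'},
    # Constructed: an ordinary network check and a delete that is not self-deletion.
    {"pid": 6100, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ping 8.8.8.8 -n 2"},
    {"pid": 6200, "ppid": 5088, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /c timeout /t 3 & del /f /q C:\Users\user\AppData\Local\Temp\stage.tmp"},
]

def split_cmd_c(cmdline):
    """Return the commands chained after cmd.exe's /c or /k, or [] if there is none."""
    m = re.search(r"(?i)(?:^|\s)/[ck]\s+(.*)$", cmdline)
    if not m:
        return []
    payload = m.group(1).strip()
    # cmd.exe allows the whole payload in one pair of quotes; strip them only
    # when a single quoted string spans the payload.
    if payload.startswith('"') and payload.endswith('"') and payload.count('"') == 2:
        payload = payload[1:-1]
    return [c for c in SEPARATORS.split(payload) if c]

def del_targets(command):
    """Paths passed to del/erase in one command, switches (/f, /q, ...) removed."""
    tokens = TOKEN.findall(command)
    if not tokens or tokens[0].lower() not in DELETE_CMDS:
        return []
    return [t.strip('"') for t in tokens[1:] if not t.startswith("/")]

def same_path(a, b):
    return a.strip('"').lower() == b.strip('"').lower()

def analyse(events):
    """Flag cmd.exe children that delete files, marking deletion of the parent's own image."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        commands = split_cmd_c(e["cmdline"])
        verbs = {t[0].lower() for t in (TOKEN.findall(c) for c in commands) if t}
        parent = by_pid.get(e["ppid"])
        for command in commands:
            for target in del_targets(command):
                self_delete = parent is not None and same_path(target, parent["image"])
                findings.append({
                    "pid": e["pid"],
                    "rule": "self-deletion via cmd.exe" if self_delete else "file deletion via cmd.exe",
                    "delayed": bool(verbs & DELAY_CMDS),
                    "target": target,
                })
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

Feed `analyse` with process-creation events (Sysmon event ID 1 or EDR equivalents) that carry the parent PID and image; the parent lookup is what separates self-deletion from the routine `del` of a temp file, and the `delayed` flag records the ping/timeout stall that this sample and most droppers use to outlive their parent.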


    Execution Graph

    Execution Coverage:16.3%
    Dynamic/Decrypted Code Coverage:55.7%
    Signature Coverage:13.2%
    Total number of Nodes:2000
    Total number of Limit Nodes:22
    [Execution graph: the node/edge dump of the interactive graph widget is omitted. What it records: the nodes at the runtime image base 0xe10000 (0xe45xxx to 0xe49xxx) are the VS2010 CRT start-up and shutdown paths (GetStartupInfoW, HeapSetInformation, HeapCreate, GetModuleHandleW/GetProcAddress, TlsAlloc/TlsSetValue, GetCommandLineA, GetEnvironmentStringsW, GetModuleFileNameA, GetOEMCP/GetACP/GetCPInfo/IsValidCodePage, MultiByteToWideChar/LCMapStringW/GetStringTypeW, InterlockedIncrement/InterlockedDecrement locale reference counting, long chains of _free/HeapFree, and the CRT fault handler with IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess and TerminateProcess, which is where the IsDebuggerPresent import is used in the graph). The nodes outside that path are 0xe18262 (VirtualAlloc), 0xe4435c (VirtualAlloc, VirtualAlloc, MessageBoxW) and 0x412ce3/0x413569/0x413973 (HeapFree), the last three lying outside the address range of the relocated 0xe10000 image.]
15048->15055 15054 e470ea _raise 15054->15046 15056 e46d36 __lock 66 API calls 15055->15056 15057 e455e1 15056->15057 15058 e46fd6 DecodePointer DecodePointer 15057->15058 15059 e47004 15058->15059 15060 e47085 15058->15060 15059->15060 15072 e48871 15059->15072 15069 e470f3 15060->15069 15062 e47068 EncodePointer EncodePointer 15062->15060 15063 e4703a 15063->15060 15066 e47f4c __realloc_crt 70 API calls 15063->15066 15067 e47056 EncodePointer 15063->15067 15064 e47016 15064->15062 15064->15063 15079 e47f4c 15064->15079 15068 e47050 15066->15068 15067->15062 15068->15060 15068->15067 15105 e455e3 15069->15105 15073 e48891 HeapSize 15072->15073 15074 e4887c 15072->15074 15073->15064 15075 e45566 _raise 66 API calls 15074->15075 15076 e48881 15075->15076 15077 e46bac _raise 11 API calls 15076->15077 15078 e4888c 15077->15078 15078->15064 15082 e47f55 15079->15082 15081 e47f94 15081->15063 15082->15081 15083 e47f75 Sleep 15082->15083 15084 e48c83 15082->15084 15083->15082 15085 e48c8e 15084->15085 15086 e48c99 15084->15086 15088 e4510d _malloc 66 API calls 15085->15088 15087 e48ca1 15086->15087 15097 e48cae 15086->15097 15090 e450d3 _free 66 API calls 15087->15090 15089 e48c96 15088->15089 15089->15082 15104 e48ca9 _free 15090->15104 15091 e48ce6 15093 e45a9f _malloc DecodePointer 15091->15093 15092 e48cb6 HeapReAlloc 15092->15097 15092->15104 15094 e48cec 15093->15094 15095 e45566 _raise 66 API calls 15094->15095 15095->15104 15096 e48d16 15099 e45566 _raise 66 API calls 15096->15099 15097->15091 15097->15092 15097->15096 15098 e45a9f _malloc DecodePointer 15097->15098 15101 e48cfe 15097->15101 15098->15097 15100 e48d1b GetLastError 15099->15100 15100->15104 15102 e45566 _raise 66 API calls 15101->15102 15103 e48d03 GetLastError 15102->15103 15103->15104 15104->15082 15108 e46c5d LeaveCriticalSection 15105->15108 15107 e455ea 15107->15054 15108->15107 15112 e456da 15109->15112 15111 e45841 15113 e456e6 _raise 15112->15113 15114 e46d36 __lock 61 API calls 
15113->15114 15115 e456ed 15114->15115 15117 e45718 DecodePointer 15115->15117 15121 e45797 15115->15121 15119 e4572f DecodePointer 15117->15119 15117->15121 15131 e45742 15119->15131 15120 e45814 _raise 15120->15111 15135 e45805 15121->15135 15123 e457fc 15125 e45805 15123->15125 15126 e455c2 _malloc 3 API calls 15123->15126 15127 e45812 15125->15127 15140 e46c5d LeaveCriticalSection 15125->15140 15126->15125 15127->15111 15128 e45759 DecodePointer 15134 e4631c EncodePointer 15128->15134 15131->15121 15131->15128 15132 e45768 DecodePointer DecodePointer 15131->15132 15133 e4631c EncodePointer 15131->15133 15132->15131 15133->15131 15134->15131 15136 e457e5 15135->15136 15137 e4580b 15135->15137 15136->15120 15139 e46c5d LeaveCriticalSection 15136->15139 15141 e46c5d LeaveCriticalSection 15137->15141 15139->15123 15140->15127 15141->15136 15145 e4452d 15146 e44546 SetCalendarInfoA 15145->15146 15147 e44537 GetCurrentProcess TerminateProcess 15145->15147 15148 e44563 GetCurrentProcess TerminateProcess 15146->15148 15149 e44558 GetLastError 15146->15149 15147->15146 15150 e44572 IdnToNameprepUnicode 15148->15150 15149->15148 15149->15150 15151 e44586 GetLastError 15150->15151 15152 e44591 GetCurrentProcess TerminateProcess 15150->15152 15151->15152 15153 e445a0 15151->15153 15152->15153 15154 e4510d _malloc 66 API calls 15153->15154 15155 e445aa _memset 15154->15155 15162 e446d2 15155->15162 15168 e443c0 15155->15168 15157 e445e9 15158 e443c0 68 API calls 15157->15158 15163 e445fd 15158->15163 15159 e450d3 _free 66 API calls 15160 e446c6 15159->15160 15161 e450d3 _free 66 API calls 15160->15161 15161->15162 15167 e446ba 15163->15167 15175 e45040 15163->15175 15166 e450d3 _free 66 API calls 15166->15167 15167->15159 15180 e44960 GetPEB 15168->15180 15170 e443cb 15171 e44404 GetModuleHandleW 15170->15171 15172 e44429 15171->15172 15173 e4510d _malloc 66 API calls 15172->15173 15174 e4445d 15172->15174 15173->15174 15174->15157 15181 e44f20 15175->15181 15178 e446ae 
15178->15166 15180->15170 15182 e44f45 15181->15182 15183 e44f41 15181->15183 15182->15183 15186 e44f8d GetPEB 15182->15186 15184 e44fb0 CloseHandle 15183->15184 15185 e44fba 15183->15185 15184->15185 15187 e44fc0 CloseHandle 15185->15187 15188 e44fca 15185->15188 15186->15183 15187->15188 15188->15178 15189 e44fe0 15188->15189 15196 e44d80 15189->15196 15192 e44ff3 15192->15178 15194 e45003 15194->15192 15207 e44cc0 GetPEB 15194->15207 15210 e44960 GetPEB 15196->15210 15198 e44ded VirtualAlloc 15200 e44d92 15198->15200 15199 e44e65 15199->15192 15201 e44b40 15199->15201 15200->15198 15200->15199 15203 e44b66 15201->15203 15202 e44b81 15202->15194 15203->15202 15204 e44b9d LoadLibraryA 15203->15204 15205 e44bbc 15204->15205 15205->15203 15206 e44c59 GetProcAddress 15205->15206 15206->15205 15211 413ea0 15207->15211 15210->15200 15218 404ea0 15211->15218 15287 407621 GetPEB 15218->15287 15220 404ea5 15221 4064c7 15220->15221 15222 4064e3 15221->15222 15288 4075f1 GetPEB 15222->15288 15224 4072ea 15289 405192 15224->15289 15228 4073b8 13 API calls 15229 4075c0 15228->15229 15230 4075ec 15229->15230 15231 405192 3 API calls 15229->15231 15232 413caf 15230->15232 15231->15229 15311 413b6c 15232->15311 15234 413cc0 15316 41701b GetVolumeInformationW 15234->15316 15237 413ce4 15238 413cf2 GetModuleFileNameW 15237->15238 15239 413ceb ExitProcess 15237->15239 15320 413b1d 15238->15320 15241 413d18 15242 413d21 15241->15242 15243 413d35 15241->15243 15325 413c2c 15242->15325 15332 40b4b3 15243->15332 15249 413d4d 15345 416f96 GetUserDefaultLangID 15249->15345 15252 413de6 15506 404f2c 15252->15506 15255 413d6c 15257 413d7e 15255->15257 15416 414523 15255->15416 15260 413d90 15257->15260 15426 4115b6 15257->15426 15262 413da2 15260->15262 15440 4123e4 15260->15440 15264 413db4 15262->15264 15453 416dac 15262->15453 15267 413dc6 15264->15267 15458 415ada 15264->15458 15265 413e04 15266 413e39 GetSystemTime 15265->15266 15518 406122 15265->15518 15528 40647d 
SystemTimeToFileTime SystemTimeToFileTime FileTimeToSystemTime 15266->15528 15462 41538e 15267->15462 15275 413e64 15278 413e70 CloseHandle 15275->15278 15529 413b96 15278->15529 15279 413e2f 15281 404f2c HeapFree 15279->15281 15284 413e38 15281->15284 15284->15266 15287->15220 15288->15224 15291 4051ce 15289->15291 15290 405283 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 15298 407605 GetPEB 15290->15298 15291->15290 15299 405108 15291->15299 15293 405267 15294 405277 15293->15294 15295 40526c LoadLibraryA 15293->15295 15303 40528d 15294->15303 15295->15290 15295->15294 15298->15228 15300 405117 15299->15300 15301 40513d GetPEB 15300->15301 15302 40515e 15301->15302 15302->15293 15304 4052c7 15303->15304 15305 405108 GetPEB 15304->15305 15310 40527e 15304->15310 15306 405375 15305->15306 15307 405385 15306->15307 15308 40537a LoadLibraryA 15306->15308 15309 40528d GetPEB 15307->15309 15308->15307 15308->15310 15309->15310 15310->15290 15312 413b72 15311->15312 15545 413010 15312->15545 15315 413b86 15315->15234 15317 417041 15316->15317 15319 413ccb CreateMutexA 15316->15319 15318 405e03 wvnsprintfA 15317->15318 15318->15319 15319->15237 15667 413756 15320->15667 15322 413b27 15323 404f2c HeapFree 15322->15323 15324 413b47 15322->15324 15323->15324 15324->15241 15326 413c45 15325->15326 15327 405dba wvnsprintfW 15326->15327 15328 413c76 ExpandEnvironmentStringsW 15327->15328 15329 413c95 15328->15329 15331 413caa ExitProcess 15328->15331 15330 405552 ShellExecuteW 15329->15330 15330->15331 15333 40b4c3 15332->15333 15334 40b4b8 CreateStreamOnHGlobal 15332->15334 15335 413a44 15333->15335 15334->15333 15336 413a58 15335->15336 15758 4054e6 OpenProcessToken 15336->15758 15341 416e8e RtlGetVersion 15342 413a6d 15341->15342 15343 41701b 2 API calls 15342->15343 15344 413a7b 15343->15344 15344->15249 15346 413d53 15345->15346 15346->15252 15347 4145b8 15346->15347 15348 4145d4 15347->15348 15349 405e03 wvnsprintfA 15348->15349 15350 414607 15349->15350 15351 
405e03 wvnsprintfA 15350->15351 15352 41461f 15351->15352 15353 405dba wvnsprintfW 15352->15353 15354 4146c1 15353->15354 15775 405a55 15354->15775 15356 414717 15358 405dba wvnsprintfW 15356->15358 15357 4146d5 15357->15356 15359 405e03 wvnsprintfA 15357->15359 15360 41474f 15358->15360 15361 414701 15359->15361 15362 405a55 5 API calls 15360->15362 15364 404f2c HeapFree 15361->15364 15363 414763 15362->15363 15365 414796 15363->15365 15366 405e03 wvnsprintfA 15363->15366 15364->15356 15368 405e03 wvnsprintfA 15365->15368 15367 414781 15366->15367 15369 404f2c HeapFree 15367->15369 15370 4147b5 15368->15370 15369->15365 15371 414816 GetSystemInfo 15370->15371 15372 405e03 wvnsprintfA 15371->15372 15373 414840 15372->15373 15374 41485b GlobalMemoryStatusEx 15373->15374 15375 405e03 wvnsprintfA 15374->15375 15376 414896 15375->15376 15377 4148b0 GetSystemMetrics GetSystemMetrics 15376->15377 15378 405e03 wvnsprintfA 15377->15378 15379 4148d5 15378->15379 15380 4148f3 GetComputerNameW GetUserNameW 15379->15380 15381 405dba wvnsprintfW 15380->15381 15382 41493e 15381->15382 15383 4060c6 3 API calls 15382->15383 15384 414946 15383->15384 15385 414969 15384->15385 15388 404f2c HeapFree 15384->15388 15386 414987 GetLocalTime 15385->15386 15387 405e03 wvnsprintfA 15386->15387 15389 4149c1 15387->15389 15388->15385 15778 406418 GetTimeZoneInformation 15389->15778 15391 4149c9 15392 405e03 wvnsprintfA 15391->15392 15401 4149eb 15392->15401 15393 414a78 EnumDisplayDevicesW 15394 414a83 GetKeyboardLayoutList 15393->15394 15393->15401 15395 404eab RtlAllocateHeap 15394->15395 15397 414a96 15395->15397 15396 4060c6 3 API calls 15396->15401 15398 414b0d 15397->15398 15399 414a9e GetKeyboardLayoutList 15397->15399 15400 404f2c HeapFree 15398->15400 15399->15398 15405 414aaa 15399->15405 15404 414b15 15400->15404 15401->15393 15401->15396 15403 404f2c HeapFree 15401->15403 15403->15401 15406 405dba wvnsprintfW 15404->15406 15405->15398 15779 416e6d 15405->15779 15415 414b85 
15406->15415 15408 414ca0 15408->15255 15409 405dba wvnsprintfW 15409->15415 15411 405a55 RtlAllocateHeap RegOpenKeyExW RegQueryValueExW RegQueryValueExW RegCloseKey 15411->15415 15412 404f2c HeapFree 15412->15415 15413 4060c6 3 API calls 15413->15415 15414 405e03 wvnsprintfA 15414->15415 15415->15408 15415->15409 15415->15411 15415->15412 15415->15413 15415->15414 15782 405ae5 RegOpenKeyExW 15415->15782 15792 404f48 15415->15792 15417 414538 15416->15417 15808 405721 15417->15808 15419 41456f 15420 405721 13 API calls 15419->15420 15421 41457d 15420->15421 15813 404ce1 15421->15813 15424 404ce1 6 API calls 15425 4145b2 15424->15425 15425->15257 15427 4115c6 15426->15427 15428 40b4b3 CreateStreamOnHGlobal 15427->15428 15429 4115ce 15428->15429 15436 411615 15429->15436 15844 410ed8 15429->15844 15431 4115df 15879 4112d2 15431->15879 15435 4115f9 15435->15436 15907 40b589 15435->15907 15436->15260 15438 41160d 15439 404f2c HeapFree 15438->15439 15439->15436 15441 4123fb 15440->15441 15442 405dba wvnsprintfW 15441->15442 15443 412454 15442->15443 15444 405a55 5 API calls 15443->15444 15445 41246b 15444->15445 15446 404ce1 6 API calls 15445->15446 15452 41250d 15445->15452 15448 412494 15446->15448 15447 405dba wvnsprintfW 15447->15448 15448->15447 15450 412505 15448->15450 15986 40f39a 15448->15986 15451 404f2c HeapFree 15450->15451 15451->15452 15452->15262 16010 416916 CredEnumerateW 15453->16010 15459 415aeb 15458->15459 15460 415b4b 15459->15460 15461 415b0f GetDesktopWindow GetWindowDC EnumDisplayMonitors ReleaseDC 15459->15461 15460->15267 15461->15460 15463 404eab RtlAllocateHeap 15462->15463 15464 4153a1 15463->15464 15465 4153b1 GetUserNameW 15464->15465 15466 413dd7 15464->15466 15467 405721 13 API calls 15465->15467 15493 415025 15466->15493 15468 4153da 15467->15468 15469 405721 13 API calls 15468->15469 15470 4153e8 15469->15470 15471 405721 13 API calls 15470->15471 15472 4153f6 15471->15472 15473 405721 13 API calls 15472->15473 15474 415404 
RegOpenKeyExW 15473->15474 15475 405662 12 API calls 15474->15475 15476 415456 15475->15476 16061 414cb7 15476->16061 15479 415470 15481 41072d RtlAllocateHeap 15479->15481 15480 415467 RegCloseKey 15480->15479 15482 41547f 15481->15482 16105 405836 RtlAdjustPrivilege 15482->16105 15484 415680 15485 404f48 HeapFree 15484->15485 15485->15466 15486 41548a 15486->15466 15486->15484 15488 415525 SHGetFolderPathW SHGetFolderPathW SHGetFolderPathW SHGetFolderPathW 15486->15488 15489 404efc 3 API calls 15486->15489 15490 415649 CloseHandle 15486->15490 15491 41072d RtlAllocateHeap 15486->15491 15492 414cb7 60 API calls 15486->15492 16120 4058f2 OpenProcessToken 15486->16120 15488->15486 15489->15486 15490->15486 15491->15486 15492->15486 15503 415032 15493->15503 15494 415389 15494->15252 15495 415296 15495->15494 16635 414082 15495->16635 15496 406122 RtlAllocateHeap MultiByteToWideChar MultiByteToWideChar 15496->15503 15498 404f2c HeapFree 15498->15503 15499 405662 12 API calls 15499->15503 15503->15495 15503->15496 15503->15498 15503->15499 16579 4107d9 15503->16579 16583 410c0e GetLogicalDrives 15503->16583 16590 410b2d WNetOpenEnumW 15503->16590 16604 414e86 15503->16604 16618 4108e4 15503->16618 15507 404f35 HeapFree 15506->15507 15508 404f46 GetSystemTime 15506->15508 15507->15508 15509 413852 15508->15509 15510 40b765 4 API calls 15509->15510 15511 413868 15510->15511 15512 405dba wvnsprintfW 15511->15512 15517 41396d 15511->15517 15513 413907 15512->15513 15514 405dba wvnsprintfW 15513->15514 15515 41391b 15514->15515 15516 404f2c HeapFree 15515->15516 15516->15517 15517->15265 15519 406132 MultiByteToWideChar 15518->15519 15521 40612e 15518->15521 15520 406152 15519->15520 15519->15521 15522 404eab RtlAllocateHeap 15520->15522 15521->15266 15525 405552 15521->15525 15523 40615c 15522->15523 15523->15521 15524 406164 MultiByteToWideChar 15523->15524 15524->15521 15526 405566 15525->15526 15527 405573 ShellExecuteW 15526->15527 15527->15279 15528->15275 15530 
413ba4 15529->15530 15531 413bbb 15529->15531 15530->15531 15532 404f2c HeapFree 15530->15532 15533 404f2c HeapFree 15531->15533 15532->15530 15534 413bc6 15533->15534 15535 413be8 15534->15535 15537 404f2c HeapFree 15534->15537 15536 404f2c HeapFree 15535->15536 15541 413bf3 15536->15541 15537->15534 15538 413c13 15540 404f2c HeapFree 15538->15540 15539 404f2c HeapFree 15539->15541 15542 413c1e 15540->15542 15541->15538 15541->15539 16698 41319c WSACleanup 15542->16698 15546 413029 15545->15546 15547 41304c WSAStartup 15546->15547 15548 413067 15547->15548 15555 4130bd 15548->15555 15557 413119 15548->15557 15560 404f2c HeapFree 15548->15560 15568 413117 15548->15568 15602 41072d 15548->15602 15550 413182 15579 416e8e RtlGetVersion 15550->15579 15555->15548 15556 406122 3 API calls 15555->15556 15561 404f2c HeapFree 15555->15561 15581 4131bb 15555->15581 15556->15555 15558 413120 15557->15558 15559 41313c 15557->15559 15607 40638e 15558->15607 15618 413457 15559->15618 15560->15548 15561->15555 15564 413128 15611 4060c6 15564->15611 15565 413144 15567 40638e RtlAllocateHeap 15565->15567 15570 41314e 15567->15570 15575 40f13f 15568->15575 15569 413134 15573 404f2c HeapFree 15569->15573 15571 40638e RtlAllocateHeap 15570->15571 15572 41315f 15571->15572 15626 413973 15572->15626 15573->15568 15576 40f150 15575->15576 15578 40f172 15575->15578 15631 404efc 15576->15631 15578->15550 15580 413188 CoInitializeEx 15579->15580 15580->15315 15584 4131d4 15581->15584 15583 405dba wvnsprintfW 15583->15584 15584->15583 15585 41340b 15584->15585 15587 404f2c HeapFree 15584->15587 15590 413315 15584->15590 15644 405e03 15584->15644 15654 405e7d 15585->15654 15587->15584 15589 404f2c HeapFree 15591 413409 15589->15591 15649 405dba 15590->15649 15591->15555 15593 41333d 15594 405dba wvnsprintfW 15593->15594 15595 413369 15594->15595 15595->15585 15598 4133a6 15595->15598 15596 4133c2 gethostbyname 15596->15598 15597 4133d7 DnsQuery_A 15597->15598 15599 413428 inet_ntoa 
15597->15599 15598->15591 15598->15596 15598->15597 15600 405e7d 4 API calls 15599->15600 15601 413442 DnsFree 15600->15601 15601->15591 15603 410736 15602->15603 15604 41073a 15602->15604 15603->15548 15664 404eab 15604->15664 15606 410755 15606->15548 15608 40639a 15607->15608 15609 40639e 15607->15609 15608->15564 15610 404eab RtlAllocateHeap 15609->15610 15610->15608 15612 4060d6 WideCharToMultiByte 15611->15612 15613 4060d2 15611->15613 15612->15613 15614 4060f8 15612->15614 15613->15569 15615 404eab RtlAllocateHeap 15614->15615 15616 406101 15615->15616 15616->15613 15617 406109 WideCharToMultiByte 15616->15617 15617->15613 15619 41346c 15618->15619 15620 413483 InternetCrackUrlA 15619->15620 15621 41349f 15620->15621 15625 4134f8 15620->15625 15622 404eab RtlAllocateHeap 15621->15622 15623 4134a9 15622->15623 15624 404eab RtlAllocateHeap 15623->15624 15623->15625 15624->15625 15625->15565 15627 404f2c HeapFree 15626->15627 15628 41397a 15627->15628 15629 404f2c HeapFree 15628->15629 15630 413982 15629->15630 15630->15569 15632 404f12 15631->15632 15633 404f05 15631->15633 15637 404ecb 15632->15637 15634 404f2c HeapFree 15633->15634 15636 404f0c 15634->15636 15636->15578 15638 404ed4 15637->15638 15639 404ed8 15637->15639 15638->15636 15640 404ee1 15639->15640 15641 404ee9 RtlReAllocateHeap 15639->15641 15642 404eab RtlAllocateHeap 15640->15642 15641->15636 15643 404ee6 15642->15643 15643->15636 15645 405e0a 15644->15645 15646 405e0f 15644->15646 15645->15584 15647 405e16 wvnsprintfA 15646->15647 15648 405e31 15647->15648 15648->15584 15650 405dc1 15649->15650 15651 405dc6 15649->15651 15650->15593 15652 405dd1 wvnsprintfW 15651->15652 15653 405def 15652->15653 15653->15593 15659 405cdb 15654->15659 15657 405ea5 15657->15589 15658 404f2c HeapFree 15658->15657 15662 405ceb 15659->15662 15660 405d26 15660->15657 15660->15658 15661 404efc RtlAllocateHeap RtlReAllocateHeap HeapFree 15661->15662 15662->15660 15662->15661 15663 405d0f wvnsprintfA 15662->15663 
15663->15662 15665 404eb5 15664->15665 15666 404eb7 RtlAllocateHeap 15664->15666 15665->15606 15666->15606 15668 41376f 15667->15668 15669 41701b 2 API calls 15668->15669 15670 413797 15669->15670 15671 405dba wvnsprintfW 15670->15671 15672 4137b5 15671->15672 15673 405dba wvnsprintfW 15672->15673 15676 4137cc 15673->15676 15674 413806 15677 413848 15674->15677 15738 40452f 15674->15738 15676->15674 15687 412b44 15676->15687 15694 4129a8 15676->15694 15714 412e5d 15676->15714 15677->15322 15678 413818 15678->15677 15679 404f2c HeapFree 15678->15679 15680 413833 15679->15680 15741 4044a2 15680->15741 15682 413840 15683 404f2c HeapFree 15682->15683 15683->15677 15745 413569 15687->15745 15689 412cd3 15690 413973 HeapFree 15689->15690 15691 412cdb 15690->15691 15691->15676 15692 404ecb 2 API calls 15693 412b5d 15692->15693 15693->15689 15693->15692 15695 413569 2 API calls 15694->15695 15696 4129c1 15695->15696 15697 4129c5 InternetOpenW 15696->15697 15698 4129fd InternetSetOptionW 15696->15698 15699 412b34 15696->15699 15697->15696 15698->15698 15700 412a14 InternetConnectW 15698->15700 15701 413973 HeapFree 15699->15701 15702 412a32 HttpOpenRequestW 15700->15702 15703 412b16 InternetCloseHandle 15700->15703 15704 412b3c 15701->15704 15705 412b0d InternetCloseHandle 15702->15705 15706 412a6c InternetQueryOptionW 15702->15706 15703->15696 15703->15699 15704->15676 15705->15703 15707 412a8a InternetSetOptionW 15706->15707 15708 412a9f HttpSendRequestW 15706->15708 15707->15708 15709 412b06 InternetCloseHandle 15708->15709 15712 412abb 15708->15712 15709->15705 15710 412abd InternetQueryDataAvailable 15710->15712 15711 404ecb 2 API calls 15713 412adf InternetReadFile 15711->15713 15712->15709 15712->15710 15712->15711 15713->15712 15715 4060c6 3 API calls 15714->15715 15716 412e73 15715->15716 15717 412e7a 15716->15717 15718 413457 2 API calls 15716->15718 15717->15676 15719 412e87 15718->15719 15720 404f2c HeapFree 15719->15720 15721 412e8d gethostbyname 15720->15721 
15722 412ead socket 15721->15722 15723 412e9e 15721->15723 15725 413007 15722->15725 15726 412ec8 connect 15722->15726 15724 413973 HeapFree 15723->15724 15724->15717 15727 412efb 15726->15727 15728 412ffe closesocket 15726->15728 15729 405e03 wvnsprintfA 15727->15729 15728->15725 15730 412f27 send 15729->15730 15730->15728 15731 412f45 send 15730->15731 15731->15728 15732 412f5e recv 15731->15732 15733 404ecb 2 API calls 15732->15733 15734 412f82 15733->15734 15734->15732 15735 412f9f 15734->15735 15735->15728 15753 404fe2 15735->15753 15739 404eab RtlAllocateHeap 15738->15739 15740 404544 15739->15740 15740->15678 15742 4044b8 15741->15742 15743 404eab RtlAllocateHeap 15742->15743 15744 4044d6 15743->15744 15744->15682 15746 41357e 15745->15746 15747 4135a7 InternetCrackUrlW 15746->15747 15748 4135b9 15747->15748 15752 413620 15747->15752 15749 404eab RtlAllocateHeap 15748->15749 15750 4135c6 15749->15750 15751 404eab RtlAllocateHeap 15750->15751 15750->15752 15751->15752 15752->15693 15754 404eab RtlAllocateHeap 15753->15754 15756 404fef 15754->15756 15755 405028 15755->15728 15756->15755 15757 404f2c HeapFree 15756->15757 15757->15755 15759 405501 GetTokenInformation 15758->15759 15760 405529 15758->15760 15761 405520 CloseHandle 15759->15761 15762 40551a 15759->15762 15763 405595 OpenProcessToken 15760->15763 15761->15760 15762->15761 15764 4055b3 GetTokenInformation 15763->15764 15765 40565d 15763->15765 15766 405654 CloseHandle 15764->15766 15767 4055cc 15764->15767 15765->15341 15766->15765 15767->15766 15768 404eab RtlAllocateHeap 15767->15768 15769 4055df 15768->15769 15770 4055e6 GetTokenInformation 15769->15770 15774 405652 15769->15774 15771 4055fd GetSidSubAuthorityCount GetSidSubAuthority 15770->15771 15773 40561b 15770->15773 15771->15773 15772 404f2c HeapFree 15772->15774 15773->15772 15774->15766 15798 4059b0 15775->15798 15778->15391 15806 40502d 15779->15806 15781 416e7a GetLocaleInfoA 15781->15405 15783 405b10 RegQueryInfoKeyW 15782->15783 
15784 405b98 15782->15784 15785 405b34 15783->15785 15786 405b88 RegCloseKey 15783->15786 15784->15415 15787 404eab RtlAllocateHeap 15785->15787 15786->15784 15791 405b45 15787->15791 15788 405b86 15788->15786 15789 404eab RtlAllocateHeap 15790 405b60 RegEnumKeyExW 15789->15790 15790->15791 15791->15788 15791->15789 15794 404f4f 15792->15794 15797 404f67 15792->15797 15793 404f2c HeapFree 15793->15794 15794->15793 15795 404f61 15794->15795 15794->15797 15796 404f2c HeapFree 15795->15796 15796->15797 15797->15415 15799 4059c1 15798->15799 15800 4059ca RegOpenKeyExW 15799->15800 15802 405a30 RegCloseKey 15799->15802 15803 405a4f 15799->15803 15804 404eab RtlAllocateHeap 15799->15804 15805 405a11 RegQueryValueExW 15799->15805 15800->15799 15801 4059e5 RegQueryValueExW 15800->15801 15801->15799 15801->15802 15802->15799 15802->15803 15803->15357 15804->15799 15805->15799 15805->15802 15807 40503d 15806->15807 15807->15781 15809 40573d SHGetFolderPathW 15808->15809 15810 40572d 15808->15810 15809->15419 15826 405662 15810->15826 15814 404eab RtlAllocateHeap 15813->15814 15815 404cf7 15814->15815 15816 404e15 15815->15816 15840 404ca7 15815->15840 15816->15424 15819 404e0f 15820 404f2c HeapFree 15819->15820 15820->15816 15821 404d31 15822 404dee FindNextFileW 15821->15822 15823 404e06 FindClose 15821->15823 15824 404ca7 wvnsprintfW 15821->15824 15825 404ce1 3 API calls 15821->15825 15822->15821 15822->15823 15823->15819 15824->15821 15825->15821 15827 40567a CreateToolhelp32Snapshot 15826->15827 15830 4056c1 15826->15830 15828 4056af Process32NextW 15827->15828 15829 405695 15828->15829 15828->15830 15829->15828 15832 4056c3 OpenProcess 15829->15832 15835 405d77 15829->15835 15830->15809 15833 405710 CloseHandle 15832->15833 15834 4056dc OpenProcessToken DuplicateTokenEx CloseHandle CloseHandle 15832->15834 15833->15830 15834->15833 15836 4060c6 3 API calls 15835->15836 15837 405d89 15836->15837 15838 404f2c HeapFree 15837->15838 15839 405db2 15837->15839 15838->15839 
15839->15829 15841 404cb7 15840->15841 15842 405dba wvnsprintfW 15841->15842 15843 404cd5 FindFirstFileW 15842->15843 15843->15819 15843->15821 15845 410eef 15844->15845 15846 410f19 CoCreateInstance 15845->15846 15855 411023 15846->15855 15863 410f48 15846->15863 15847 405dba wvnsprintfW 15848 41105d 15847->15848 15934 405ba3 RegOpenKeyExW 15848->15934 15850 411119 15852 404f48 HeapFree 15850->15852 15851 41110e 15854 404f48 HeapFree 15851->15854 15856 411123 15852->15856 15853 405a55 5 API calls 15865 411069 15853->15865 15854->15850 15855->15847 15857 411131 CredEnumerateW 15856->15857 15858 4112cd 15857->15858 15877 411153 15857->15877 15858->15431 15859 404efc 3 API calls 15859->15865 15860 404efc 3 API calls 15860->15863 15861 410d22 13 API calls 15861->15865 15862 404f2c HeapFree 15862->15865 15863->15855 15863->15860 15866 41072d RtlAllocateHeap 15863->15866 15868 410fe8 CoTaskMemFree 15863->15868 15869 410fff CoTaskMemFree 15863->15869 15913 410d22 15863->15913 15864 41072d RtlAllocateHeap 15864->15865 15865->15850 15865->15851 15865->15853 15865->15859 15865->15861 15865->15862 15865->15864 15866->15863 15868->15863 15869->15863 15870 4112c4 CredFree 15870->15858 15871 4111e3 CryptUnprotectData 15871->15877 15872 41072d RtlAllocateHeap 15872->15877 15873 404f2c HeapFree 15875 4112ad LocalFree 15873->15875 15875->15877 15876 4060c6 3 API calls 15876->15877 15877->15858 15877->15870 15877->15871 15877->15872 15877->15873 15877->15876 15878 404f2c HeapFree 15877->15878 15944 405e43 15877->15944 15878->15877 15880 4112e9 15879->15880 15881 41131b LoadLibraryA 15880->15881 15882 4115b1 15881->15882 15883 411334 15881->15883 15900 40b765 GetHGlobalFromStream 15882->15900 15884 405192 3 API calls 15883->15884 15885 41133e 15884->15885 15886 405192 3 API calls 15885->15886 15887 41134a 15886->15887 15888 405192 3 API calls 15887->15888 15889 411357 15888->15889 15890 405192 3 API calls 15889->15890 15891 411364 15890->15891 15892 405192 3 API calls 15891->15892 
    (Call-graph edge data for the executed functions of the 0x00400000 image, produced by the Joe Sandbox IDA Plugin, omitted here; the node labels name the APIs on each path, among them CryptUnprotectData (0x404911, 0x410de2) and CredFree, RegQueryInfoKeyW/RegEnumValueW, GetPrivateProfileStringW and GetPrivateProfileSectionNamesW, FindFirstFileW/FindNextFileW, WNetEnumResourceW/WNetCloseEnum, CreateToolhelp32Snapshot/Process32NextW/OpenProcess/OpenProcessToken/GetTokenInformation, SHGetFolderPathW, CreateStreamOnHGlobal, RtlGetVersion, a VirtualAlloc/LoadLibraryA/VirtualProtect/VirtualFree loader chain at 0x413ec6 followed by CreateThread/WaitForSingleObject, and a GetTempPathW/CreateFileW/WriteFile/DeleteFileW path ending in ShellExecuteW. The trailing edges (0xe1a282, VirtualAlloc) belong to the 0x00E10000 image.)

    Control-flow Graph

    APIs
      • Part of subcall function 00413569: InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 004135AB
    • InternetOpenW.WININET(00000000,?,00000000,00000000,00000000), ref: 004129CC
    • InternetSetOptionW.WININET(00000000,00000002,0000EA60,00000004), ref: 00412A08
    • InternetConnectW.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00412A21
    • HttpOpenRequestW.WININET(0000EA60,?,?,00000000,00000000,00000000,-00000001,00000000), ref: 00412A5C
    • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00412A80
    • InternetSetOptionW.WININET(00000000,0000001F,00003180,00000004), ref: 00412A99
    • HttpSendRequestW.WININET(00000000,?,?,0000EA60,?), ref: 00412AB1
    • InternetQueryDataAvailable.WININET(00000000,?,00000000,00000000), ref: 00412AC7
    • InternetReadFile.WININET(00000000,00000000,?,?), ref: 00412AEF
    • InternetCloseHandle.WININET(00000000), ref: 00412B07
    • InternetCloseHandle.WININET(0000EA60), ref: 00412B10
    • InternetCloseHandle.WININET(?), ref: 00412B19
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: Internet$CloseHandleOption$HttpOpenQueryRequest$AvailableConnectCrackDataFileReadSend
    • String ID: `
    • API String ID: 2263532179-1850852036
    • Opcode ID: 337f231a003c4c706b158496a4df7ab4e4f1f63051ffc8cb6a84e9b7fa47582e
    • Instruction ID: dc99d5b8504d753b9beb300cd76dbe9c4bb2313e18cd3c81913fb33a92f5dd12
    • Opcode Fuzzy Hash: 337f231a003c4c706b158496a4df7ab4e4f1f63051ffc8cb6a84e9b7fa47582e
    • Instruction Fuzzy Hash: 53513AB1A00219BFDF119FA5DD49EEFBFB8EB48700F10412AF512E2150D7795A90DB68

    Control-flow Graph

    APIs
      • Part of subcall function 00413B6C: CoInitializeEx.COMBASE(00000000,00000002), ref: 00413B7B
      • Part of subcall function 0041701B: GetVolumeInformationW.KERNEL32(C:\,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00413CCB,?,00000032), ref: 00417037
    • CreateMutexA.KERNEL32(00000000,00000001,?), ref: 00413CD6
    • ExitProcess.KERNEL32 ref: 00413CEC
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00413CFF
    • ExitProcess.KERNEL32 ref: 00413D2F
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: ExitProcess$CreateFileInformationInitializeModuleMutexNameVolume
    • String ID:
    • API String ID: 2804266631-0
    • Opcode ID: fcd8eb96de6217f256b999b5a7e5d2b0f0d3e120eca5a8fc7563aa3f23ff9bf0
    • Instruction ID: ddbba73eb4803778151220dfd07befdf9224cd48c48c060a4fbae49941d5bf6b
    • Opcode Fuzzy Hash: fcd8eb96de6217f256b999b5a7e5d2b0f0d3e120eca5a8fc7563aa3f23ff9bf0
    • Instruction Fuzzy Hash: AD514C72C00218AADF11FBB1AD4A9DE777CAF05305F1004ABF605A6042EB399BC88B59
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b26e765b5013b219c1abc091eac328a0d5c8a046ec8bb4a422298991ddf01ce7
    • Instruction ID: 7603a2472ed12046b4ab69322df02bc3577b2223112e8b6f7a6670809ff62f80
    • Opcode Fuzzy Hash: b26e765b5013b219c1abc091eac328a0d5c8a046ec8bb4a422298991ddf01ce7
    • Instruction Fuzzy Hash: 38012278A00208EFCB44CF58C190999BBB5FB4C354F208299EC499B746D736EE82CF80

    Control-flow Graph

    APIs
      • Part of subcall function 00405192: LoadLibraryA.KERNEL32(?,?,?,?,?,004072F6,98ED24FB), ref: 0040526D
    • LoadLibraryA.KERNEL32(?), ref: 0040731F
    • LoadLibraryA.KERNEL32(?), ref: 00407343
    • LoadLibraryA.KERNEL32(?), ref: 0040736C
    • LoadLibraryA.KERNEL32(?), ref: 00407395
    • LoadLibraryA.KERNEL32(?), ref: 004073DA
    • LoadLibraryA.KERNEL32(?), ref: 004073FF
    • LoadLibraryA.KERNEL32(?), ref: 00407428
    • LoadLibraryA.KERNEL32(?), ref: 0040744A
    • LoadLibraryA.KERNEL32(?), ref: 0040746F
    • LoadLibraryA.KERNEL32(?), ref: 00407497
    • LoadLibraryA.KERNEL32(?), ref: 004074C0
    • LoadLibraryA.KERNEL32(?), ref: 004074E5
    • LoadLibraryA.KERNEL32(?), ref: 0040750A
    • LoadLibraryA.KERNEL32(?), ref: 0040752F
    • LoadLibraryA.KERNEL32(?), ref: 00407551
    • LoadLibraryA.KERNEL32(?), ref: 00407573
    • LoadLibraryA.KERNEL32(?), ref: 00407598
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: [Xx$(F&$.Y*$8I$>$f|j?$yF|d$uE$+N$LNF$U=$W0U$c50
    • API String ID: 1029625771-3561996427
    • Opcode ID: 1b2d95f987bde8cf06e019b5f51688bb45c474f0357fcc0c95498163d0c90df6
    • Instruction ID: 7b55cb6931a6eae9675ae3473d819d56059f9eb575f203993a4290f2a2dbd950
    • Opcode Fuzzy Hash: 1b2d95f987bde8cf06e019b5f51688bb45c474f0357fcc0c95498163d0c90df6
    • Instruction Fuzzy Hash: 178289B08052699BDB61CF518D987CEBBB5BB45308F5082DAD5097A200DBB91FC9CF89

    Control-flow Graph

    APIs
    • GetCurrentProcess.KERNEL32(00000000), ref: 00E44539
    • TerminateProcess.KERNEL32(00000000), ref: 00E44540
    • SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E4454E
    • GetLastError.KERNEL32 ref: 00E44558
    • GetCurrentProcess.KERNEL32(00000000), ref: 00E44565
    • TerminateProcess.KERNEL32(00000000), ref: 00E4456C
    • IdnToNameprepUnicode.NORMALIZ(00000000,00000000,00000000,00000000,00000000), ref: 00E4457C
    • GetLastError.KERNEL32 ref: 00E44586
    • GetCurrentProcess.KERNEL32(00000000), ref: 00E44593
    • TerminateProcess.KERNEL32(00000000), ref: 00E4459A
    • _malloc.LIBCMT ref: 00E445A5
    • _memset.LIBCMT ref: 00E445C5
    • _free.LIBCMT ref: 00E446B5
      • Part of subcall function 00E450D3: HeapFree.KERNEL32(00000000,00000000,?,00E464BD,00000000,?,?,00E4556B,00E45196), ref: 00E450E9
      • Part of subcall function 00E450D3: GetLastError.KERNEL32(00000000,?,00E464BD,00000000,?,?,00E4556B,00E45196), ref: 00E450FB
    • _free.LIBCMT ref: 00E446C1
    • _free.LIBCMT ref: 00E446CD
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: Process$CurrentErrorLastTerminate_free$CalendarFreeHeapInfoNameprepUnicode_malloc_memset
    • String ID:
    • API String ID: 3381973965-0
    • Opcode ID: a11179b8c1479883a886a6b55744cc66d84f1ca3dc96979a0f3e107bcc4d6a08
    • Instruction ID: 61d6ca9dd422d136f150dc50b4332c913878d10b541b45d2a3e2db51548b01e2
    • Opcode Fuzzy Hash: a11179b8c1479883a886a6b55744cc66d84f1ca3dc96979a0f3e107bcc4d6a08
    • Instruction Fuzzy Hash: D541C2F5E00204AFEB10EFE4FC4ABAE77B4AF45714F145064E205B62C1E7755A44CBA2

    Control-flow Graph

    (Control-flow graph for the function at 0x412e5d, with executed/not-executed block colouring, omitted; the graph data shows the sequence gethostbyname → socket → connect → send → send → recv → closesocket, with each failed call branching to the closesocket block at 0x412ffe, plus helper calls to 0x4060c6, 0x413457, 0x404f2c, 0x40f31f, 0x405e03, 0x404ecb, 0x404f6a, 0x405d4f, 0x413985, 0x40502d and 0x404fe2.)
    APIs
    • gethostbyname.WS2_32(?), ref: 00412E92
    • socket.WS2_32(00000002,00000001,00000006), ref: 00412EB4
    • connect.WS2_32(00000000,?,00000010), ref: 00412EEC
    • send.WS2_32(00000000,?,00000000,00000000), ref: 00412F37
    • send.WS2_32(00000000,?,?,00000000), ref: 00412F4F
    • recv.WS2_32(?,?,00000400,00000000), ref: 00412F6B
    • closesocket.WS2_32(?), ref: 00413001
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: send$closesocketconnectgethostbynamerecvsocket
    • String ID:
    • API String ID: 1783939010-2344752452
    • Opcode ID: 29e188fea70a0dd2f8240455ef74e17abaa8d4ab1a3e0102d3a2115e332ad8ad
    • Instruction ID: da93d37a2aa8dd86005f6c059bbb5740c46efee5a5ea72e2e65dce030ffe33f1
    • Opcode Fuzzy Hash: 29e188fea70a0dd2f8240455ef74e17abaa8d4ab1a3e0102d3a2115e332ad8ad
    • Instruction Fuzzy Hash: 2C51B172900209ABDF219FA8CD45AEF7B75EF44320F104066F901F72A1DB799E91DB98

    Control-flow Graph

    (Control-flow graph for the function at 0xe4435c, with executed/not-executed block colouring, omitted; the graph data shows two conditional VirtualAlloc blocks at 0xe4436b and 0xe44382 followed by a conditional MessageBoxW at 0xe44399.)
    APIs
    • VirtualAlloc.KERNEL32(00000000,00000059,00001000,00000004), ref: 00E44376
    • VirtualAlloc.KERNEL32(00000000,0000000F,00001000,00000004), ref: 00E4438D
    • MessageBoxW.USER32(00000000,agifcyaupylynlxrdbouhbvogtggqihkuypuygkslhxscprmajfbaypsivploqthhskwfpyvgxvpxgfwmk,cesconhhsbwhrjrbwbloyiquwsvkaflobkbgbdklfwoveuhrqardvxivmlpjqxescwtgybfngsdfptrmlxrbihhnteiqfsrcqysgritpomedxiyrgkwknltmjdagrbwwfi,00000000), ref: 00E443A7
    Strings
    • agifcyaupylynlxrdbouhbvogtggqihkuypuygkslhxscprmajfbaypsivploqthhskwfpyvgxvpxgfwmk, xrefs: 00E443A0
    • cesconhhsbwhrjrbwbloyiquwsvkaflobkbgbdklfwoveuhrqardvxivmlpjqxescwtgybfngsdfptrmlxrbihhnteiqfsrcqysgritpomedxiyrgkwknltmjdagrbwwfi, xrefs: 00E4439B
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: AllocVirtual$Message
    • String ID: agifcyaupylynlxrdbouhbvogtggqihkuypuygkslhxscprmajfbaypsivploqthhskwfpyvgxvpxgfwmk$cesconhhsbwhrjrbwbloyiquwsvkaflobkbgbdklfwoveuhrqardvxivmlpjqxescwtgybfngsdfptrmlxrbihhnteiqfsrcqysgritpomedxiyrgkwknltmjdagrbwwfi
    • API String ID: 1804078305-2917780553
    • Opcode ID: 1e5e9ae5b0c104a8acf7ee7a0b29b51f56891d3caa91875d0cd09c70db51c16a
    • Instruction ID: e1d42f6c507f80e17caec6312dfac8e89b43d25f10b28f2e59587b3f5cb7a6b8
    • Opcode Fuzzy Hash: 1e5e9ae5b0c104a8acf7ee7a0b29b51f56891d3caa91875d0cd09c70db51c16a
    • Instruction Fuzzy Hash: E1F0F8B93C0744BAE7308E14EC4BB883A20A705BB6F149120FB5D7C5D1C3F096898A81

    Control-flow Graph

    (Control-flow graph for the function at 0x41701b, with executed/not-executed block colouring, omitted; the graph data shows GetVolumeInformationW at 0x417037, then either a formatting path through 0x40f31f, four calls to 0x41700b and 0x405e03, or a direct return at 0x417098.)
    APIs
    • GetVolumeInformationW.KERNEL32(C:\,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00413CCB,?,00000032), ref: 00417037
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: InformationVolume
    • String ID: C:\
    • API String ID: 2039140958-3404278061
    • Opcode ID: 889d53317b2db0a536e5275cff2a90517a2d7934359336816fc69587e525ddc7
    • Instruction ID: 38deaf873d01ad376382a45a46a62742d6431d24871cea28b4788a870ec15d02
    • Opcode Fuzzy Hash: 889d53317b2db0a536e5275cff2a90517a2d7934359336816fc69587e525ddc7
    • Instruction Fuzzy Hash: 80014071C05628B6CF11EFA28D498DFBF78EE49364B10006AF805B3141D6399B85DBF9

    Control-flow Graph

    (Control-flow graph for the function at 0xe443c0, with executed/not-executed block colouring, omitted; the graph data shows calls to 0xe44960 and three to 0xe448b0, then GetModuleHandleW, then a conditional _malloc via 0xe4510d and a call to 0xe484f0.)
    APIs
    • GetModuleHandleW.KERNEL32(00000000), ref: 00E4440C
    • _malloc.LIBCMT ref: 00E44458
      • Part of subcall function 00E4510D: __FF_MSGBANNER.LIBCMT ref: 00E45126
      • Part of subcall function 00E4510D: __NMSG_WRITE.LIBCMT ref: 00E4512D
      • Part of subcall function 00E4510D: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,00E4445D,?), ref: 00E45152
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: AllocateHandleHeapModule_malloc
    • String ID:
    • API String ID: 2614553508-0
    • Opcode ID: 9bfbcbdfcdd265cbecc9f292f11f950b5eb190ceebeb36df5e4ef4267976e11d
    • Instruction ID: 7a60a278bf3f4e01f91f37ac2b0ac721776e9c8b045078044f30e09d2303eece
    • Opcode Fuzzy Hash: 9bfbcbdfcdd265cbecc9f292f11f950b5eb190ceebeb36df5e4ef4267976e11d
    • Instruction Fuzzy Hash: 9E21C6B5E00209AFDB04DFE4E945BEEBBF4AF48305F108159F915B7281E7359A41CBA1
    APIs
    • VirtualAlloc.KERNEL32(00000000,000000DE,00001000,00000004), ref: 00E18282
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 0dbdd0ce220b3d0d7d3e46107b150b32627a158c10ecaeddac67d009b0ac8ead
    • Instruction ID: c26b5518d2cff223b7a9649423f0a8db2f8a6e08cba9a5089be901925ba82aa1
    • Opcode Fuzzy Hash: 0dbdd0ce220b3d0d7d3e46107b150b32627a158c10ecaeddac67d009b0ac8ead
    • Instruction Fuzzy Hash: A4233A709012299BCB69CF08C9A4BDDBBB5BF48348F1481D9D50DAB356D730AAD1CF88
    APIs
    • VirtualAlloc.KERNEL32(00000000,000000DE,00001000,00000004), ref: 00E3D01F
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: e82e0d08f978e54bb8fd84ca44726de00d227a6cae861d7208d19425633491a8
    • Instruction ID: be92fb92163b7c669d403f4974bb6c9c4ab004176cbab1fecb539d6c387453ac
    • Opcode Fuzzy Hash: e82e0d08f978e54bb8fd84ca44726de00d227a6cae861d7208d19425633491a8
    • Instruction Fuzzy Hash: 83234C719012289BCB69CF08CD95BDCBBB5BF48348F1481D9E50DAB356D730AA91CF88
    APIs
    • VirtualAlloc.KERNEL32(00000000,00000066,00001000,00000004), ref: 00E220CC
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 9ea67b292c1c628f7ac8979763038c075a4fd9e024e0eba3b276c450237e7d19
    • Instruction ID: da27692f6b7e5a5df440466028f65648a3268b0afdcdf2b0db1203e7a1e26c86
    • Opcode Fuzzy Hash: 9ea67b292c1c628f7ac8979763038c075a4fd9e024e0eba3b276c450237e7d19
    • Instruction Fuzzy Hash: 82233D709012299BCB69CF08D990BDDBBB6BF84349F1481D9D50DAB356D730AB91CF88

    Control-flow Graph (rendered graph with executed/not-executed block legend not reproduced)
    APIs
    • VirtualAlloc.KERNEL32(00000000,000000D5,00001000,00000004), ref: 00E4095F
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 619e1bf0bdb5a0a1a85a5a63eb6f624197d7dcb400d0619716ced49df9eae162
    • Instruction ID: ace141ef8e112a7abf126dca7e0707b473c642cc3e986cddf36c85d27f2ba3a2
    • Opcode Fuzzy Hash: 619e1bf0bdb5a0a1a85a5a63eb6f624197d7dcb400d0619716ced49df9eae162
    • Instruction Fuzzy Hash: 25133B709012299BDB69CF08DD90BECBBB5BF48348F1481D9E50DAB356D730AA91CF48

    Control-flow Graph (rendered graph with executed/not-executed block legend not reproduced)
    APIs
    • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00E3B35C
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: d5b04e46f8c3dabcc6bd6d664fd41a042d021ad69f6e50dac5754d8f480bbfef
    • Instruction ID: 63720d1cbc88f7868ad4defc9e41edf2808d85afad6fa871a332377a405f8c88
    • Opcode Fuzzy Hash: d5b04e46f8c3dabcc6bd6d664fd41a042d021ad69f6e50dac5754d8f480bbfef
    • Instruction Fuzzy Hash: 1F134D709011289BDB68CF08CD94BDDBBB6BF84349F1482D9D54DAB356D730AA91CF88

    Control-flow Graph (rendered graph with executed/not-executed block legend not reproduced)
    APIs
    • VirtualAlloc.KERNEL32(00000000,0000009E,00001000,00000004), ref: 00E313F2
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: c7e175a4789abd662432b5c4bdbdb6c18da192fe8e8aca6f61815968df8a98c0
    • Instruction ID: 18742f2d39b4717543f9d24ea138cd0ecee3e560c14a4fd70b31262641bff1cd
    • Opcode Fuzzy Hash: c7e175a4789abd662432b5c4bdbdb6c18da192fe8e8aca6f61815968df8a98c0
    • Instruction Fuzzy Hash: 51134B719012289BCB69CF08CD95BDCBBB5BF48348F1481D9E54DAB356D730AA91CF88

    Control-flow Graph (rendered graph with executed/not-executed block legend not reproduced)
    APIs
    • VirtualAlloc.KERNEL32(00000000,000000BE,00001000,00000004), ref: 00E349A2
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 390223123707a8c6a220173b8714950add9c86caaa5dd8e524cfd03f4a4f43b7
    • Instruction ID: 611f5110a62ff6952a3d12904319d5207a715be1c644b05f8898fd5f907a4309
    • Opcode Fuzzy Hash: 390223123707a8c6a220173b8714950add9c86caaa5dd8e524cfd03f4a4f43b7
    • Instruction Fuzzy Hash: 83133D709011289BDB69CF08CD94BDDBBB6BF84349F1482D9D50DAB356D730AA91CF88

    Control-flow Graph (rendered graph with executed/not-executed block legend not reproduced)
    APIs
    • VirtualAlloc.KERNEL32(00000000,0000010C,00001000,00000004), ref: 00E2C2D2
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: c3844a004e6af381e61cd692a6f596314ecf2ebdf8155c99814b052c2f8738d6
    • Instruction ID: 29f180aaeb02cf719824647ae260937c48fc042bceee28fce253dd63a18af1c2
    • Opcode Fuzzy Hash: c3844a004e6af381e61cd692a6f596314ecf2ebdf8155c99814b052c2f8738d6
    • Instruction Fuzzy Hash: 05133C709052299BCB69CF08DD94BDCBBB5BF44348F1481D9E50DAB356D730AA91CF88

    Control-flow Graph (rendered graph with executed/not-executed block legend not reproduced)
    APIs
    • VirtualAlloc.KERNEL32(00000000,000000DD,00001000,00000004), ref: 00E3EEDF
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 12e703f7547d9e04b148f43378600e234aa984f819c1a046880c947d484033e4
    • Instruction ID: d7aa32d92ff806f47c412034cb221ec539fa9e038ec555767d12852965adf073
    • Opcode Fuzzy Hash: 12e703f7547d9e04b148f43378600e234aa984f819c1a046880c947d484033e4
    • Instruction Fuzzy Hash: E3033E709021299BDB68CF08CD94BDDBBB6BF84349F1481D9D50DAB356D730AA91CF88

    Control-flow Graph
    (graph rendering omitted; legend: Executed / Not Executed; basic blocks e1a282-e1bcd3, VirtualAlloc called from block e1a291-e1a29f)
    APIs
    • VirtualAlloc.KERNEL32(00000000,00000098,00001000,00000004), ref: 00E1A29F
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 1c56df7035cfc17368497917aebb0a293042570b9ad2158d8074370880c0e91b
    • Instruction ID: 813018b54ca02fab9b8c08cc4d377c758a55cb539e4f4a76c312f3ac90eb7304
    • Opcode Fuzzy Hash: 1c56df7035cfc17368497917aebb0a293042570b9ad2158d8074370880c0e91b
    • Instruction Fuzzy Hash: 4C032D709011289BDB69CF08CD94BDDBBB6BF84349F1482D9D50DAB356D730AA91CF88
    APIs
    • VirtualAlloc.KERNEL32(00000000,00000088,00001000,00000004), ref: 00E275A2
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 467980cf5679ee37abaf9e0d11f18ad16ada8ee2d46bac81ce3e9cd601e9cf6d
    • Instruction ID: 192fe529ca0c598d840e42650a12b9e73d91e977ceabc71497c12f2b69e7ffc6
    • Opcode Fuzzy Hash: 467980cf5679ee37abaf9e0d11f18ad16ada8ee2d46bac81ce3e9cd601e9cf6d
    • Instruction Fuzzy Hash: 3C0340709021299BCB68CF08DD94BDDBBB6BF84349F1481D9D50DAB356D730AA91CF88
    APIs
    • VirtualAlloc.KERNEL32(00000000,000000DB,00001000,00000004), ref: 00E37DDF
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: a80669fff3f4dcdbc5c73053096faa06d175fab7629864591682ed36776bfb2e
    • Instruction ID: 4a220ae5951b187ec8a9d720f19400e674a951f5d36c2bdc8081e90f1bec07d5
    • Opcode Fuzzy Hash: a80669fff3f4dcdbc5c73053096faa06d175fab7629864591682ed36776bfb2e
    • Instruction Fuzzy Hash: 00033E709012289BDB69CF08CDA4BDDBBB5BF44348F1881D9E54DAB356D730AA91CF48
    APIs
    • VirtualAlloc.KERNEL32(00000000,00000086,00001000,00000004), ref: 00E1BD0F
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 3e38a8bd976a94705cb36f68fc8f9719df62c184c5463d44798cadd2740ae3d8
    • Instruction ID: b8d45d696c31d8036be9b473b82bb14e5a15ca3c5041ee7346fe2d95b1286c8b
    • Opcode Fuzzy Hash: 3e38a8bd976a94705cb36f68fc8f9719df62c184c5463d44798cadd2740ae3d8
    • Instruction Fuzzy Hash: 13F22E709021299BDB65CF08CD94BDCBBB6BF84349F1482D9D50DAB356D730AA91CF88
    APIs
    • VirtualAlloc.KERNEL32(00000000,000000E1,00001000,00000004), ref: 00E28F8F
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: a7f49f6ec565153527147d62f7eacbb9019da682a89dd66a6166f07c4c55b1ef
    • Instruction ID: 26c67e1d52332759545a613125476a17065149069be9f6ad8250c37dfd5fce6f
    • Opcode Fuzzy Hash: a7f49f6ec565153527147d62f7eacbb9019da682a89dd66a6166f07c4c55b1ef
    • Instruction Fuzzy Hash: 8AF23C719012289BDB69CF08DD91BDDBBB5BF44348F1881D9E50DAB346D730AA91CF88
    APIs
    • VirtualAlloc.KERNEL32(00000000,000000BC,00001000,00000004), ref: 00E2098F
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: ef1c82fd14189bc1652f6527e3ed58052d937321f8d85a451114c51cb3294e3e
    • Instruction ID: 017ae8ae4d7e8342739fa62b57a65da6da9986993823b4a0d98ecce990e4d2e8
    • Opcode Fuzzy Hash: ef1c82fd14189bc1652f6527e3ed58052d937321f8d85a451114c51cb3294e3e
    • Instruction Fuzzy Hash: 16F221709021289BDB65CF08DD94BDDBBB6BF84349F1881D9D50DAB346D730AA91CF88
    APIs
    • VirtualAlloc.KERNEL32(00000000,0000009E,00001000,00000004), ref: 00E3664F
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: aacd6582ce22bbd2cb96502fca4bc220b31808fabb8776f6dff6c64e673e68ea
    • Instruction ID: 07e44e238ed47a531cc893953423a408e6e644509c55776d6276ebf69035506f
    • Opcode Fuzzy Hash: aacd6582ce22bbd2cb96502fca4bc220b31808fabb8776f6dff6c64e673e68ea
    • Instruction Fuzzy Hash: 52F230709021289BDB65CF08CD94BDDBBB6BF84349F1482D9D54DAB346D730AA91CF88
    APIs
    • VirtualAlloc.KERNEL32(00000000,00000038,00001000,00000004), ref: 00E2DECC
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: cee99c0551ad3aadf1ae54f9145f9e0b8baa7d900de0ee4e82b3c91bccd61e60
    • Instruction ID: 8cdf4baf348c74d2fa58a2d0d52999923ac0f5d0516d59f2eb916f3d2281b7e7
    • Opcode Fuzzy Hash: cee99c0551ad3aadf1ae54f9145f9e0b8baa7d900de0ee4e82b3c91bccd61e60
    • Instruction Fuzzy Hash: 2EF23E719012289BDB69CF08DD91BDDBBB5BF44348F1881D9E50DAB346D730AA91CF88
    APIs
    • WSAStartup.WS2_32(00000202,?), ref: 00413058
      • Part of subcall function 00404F2C: HeapFree.KERNEL32(00000000,00000000,?,00404F0C,0041A778,?,0040F172,?,00413CC0,00000000,?,?,00413182,?), ref: 00404F40
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: FreeHeapStartup
    • String ID:
    • API String ID: 2645306408-0
    • Opcode ID: 793fe0e23c926e118c317851a62ca9fc2f271c520f6b2796c1a3be0fbcd07ad0
    • Instruction ID: 85eaebae8ecb59086afdba9375555a315fe97a6d3168c9436cec4943f927f23a
    • Opcode Fuzzy Hash: 793fe0e23c926e118c317851a62ca9fc2f271c520f6b2796c1a3be0fbcd07ad0
    • Instruction Fuzzy Hash: 9E4126729002055ADB10BBF59C067DE77B8AF04329F10467FE525F71C2DB7CAAC886A9
    APIs
    • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 004135AB
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: CrackInternet
    • String ID:
    • API String ID: 1381609488-0
    • Opcode ID: 1f30e356890268eec9b8736f66e33cfb54df743040c3992c9484ecbd4371fa2f
    • Instruction ID: e614fb814403e5dece979d69869864768b2494d54fb3b1e4180828ee4861d7d4
    • Opcode Fuzzy Hash: 1f30e356890268eec9b8736f66e33cfb54df743040c3992c9484ecbd4371fa2f
    • Instruction Fuzzy Hash: A6415F71D00209EFCB25DFA9D849AAEB7B8EF48708F04846EE115E7351D734AA91CB18
    APIs
    • LoadLibraryA.KERNEL32(?,?,?,?,?,004072F6,98ED24FB), ref: 0040526D
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 0731132f2c085ddfa4906626f7d310de20feb9acd7983381990d4f9d4327e38d
    • Instruction ID: 67fdade5f613ffbd55c1bcba6ed67b2f355c1f356c8aa0174c7c74f795b6b543
    • Opcode Fuzzy Hash: 0731132f2c085ddfa4906626f7d310de20feb9acd7983381990d4f9d4327e38d
    • Instruction Fuzzy Hash: 8B311931E006099BCB10DFA9C881BAEB7F4EF44315F2444AEE805E7281DB74AA41CF98
    APIs
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000031), ref: 00413C88
      • Part of subcall function 00405552: ShellExecuteW.SHELL32(00000000,?,?,?,00000000,00413CAA), ref: 00405584
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: EnvironmentExecuteExpandShellStrings
    • String ID:
    • API String ID: 3420131149-0
    • Opcode ID: c51505f62ae0d60d765b208fd1d9be1b0dc86cce8ea40458f69f07a3423c06be
    • Instruction ID: 7c1f23a69d59edf966e54b30518460001e067b65124b0e8b2901e75b1d68294f
    • Opcode Fuzzy Hash: c51505f62ae0d60d765b208fd1d9be1b0dc86cce8ea40458f69f07a3423c06be
    • Instruction Fuzzy Hash: 0C016272900219ABEF10B795DC45FCE737DEB44358F044177BA04F3180D678AA098BA4
    APIs
    • ShellExecuteW.SHELL32(00000000,?,?,?,00000000,00413CAA), ref: 00405584
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: ExecuteShell
    • String ID:
    • API String ID: 587946157-0
    • Opcode ID: 008b087240dcf4241beb349bef6002c78aa6b1512e1df1ad9dd9a7f0ddd57d53
    • Instruction ID: d18ec08f8543c4dbb60dbc8c47ccdfc66d3fd6096a5b5cf377363826124ae3c7
    • Opcode Fuzzy Hash: 008b087240dcf4241beb349bef6002c78aa6b1512e1df1ad9dd9a7f0ddd57d53
    • Instruction Fuzzy Hash: 98E04F369001187BEF017BD4DC06BCD7769EB48758F008135FE01B71C1D674A65586A5
    APIs
      • Part of subcall function 00413010: WSAStartup.WS2_32(00000202,?), ref: 00413058
    • CoInitializeEx.COMBASE(00000000,00000002), ref: 00413B7B
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: InitializeStartup
    • String ID:
    • API String ID: 757567358-0
    • Opcode ID: 5fec628b651680302c66f62c61b06849b678b99d9a90760234df615ded1974c9
    • Instruction ID: 6401bba1a63e528685dd402c426a869b913f33cdd7edc6ad85fc1aed2aa27d7e
    • Opcode Fuzzy Hash: 5fec628b651680302c66f62c61b06849b678b99d9a90760234df615ded1974c9
    • Instruction Fuzzy Hash: 92C08C723C830024F1383BB26C0BF4C0680CB04B2AF30042FF201380C39EAEAD90046E
    APIs
      • Part of subcall function 00413CAF: CreateMutexA.KERNEL32(00000000,00000001,?), ref: 00413CD6
      • Part of subcall function 00413CAF: ExitProcess.KERNEL32 ref: 00413CEC
    • ExitProcess.KERNEL32 ref: 00413EB7
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: ExitProcess$CreateMutex
    • String ID:
    • API String ID: 876306376-0
    • Opcode ID: d563ec539f073a063a248b7edb6121168ff304b69d91af3401d83f336c15bb41
    • Instruction ID: f214b6c546d575785904b22b39ee5774269018132e23d6b5c8a454dc11483360
    • Opcode Fuzzy Hash: d563ec539f073a063a248b7edb6121168ff304b69d91af3401d83f336c15bb41
    • Instruction Fuzzy Hash: 39B092A2024A0516E2803BFB9C0F78831481B4072AF54033AFA69641D27E6836A444FF
    APIs
    • VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 00E44E0B
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 719d1ed409448da2ad6b142b06b2317d0f302e47669c53cac2345cbf88c1876d
    • Instruction ID: 818f647d4081203266fb70f0a5e2a88bf0956f9d52db7cda86586ac1992caf0e
    • Opcode Fuzzy Hash: 719d1ed409448da2ad6b142b06b2317d0f302e47669c53cac2345cbf88c1876d
    • Instruction Fuzzy Hash: 3451CAB4A00209EFCB04CF54D495AADBBB1FF88315F249159E949AF381D731EE81CB90
    APIs
      • Part of subcall function 00405E03: wvnsprintfA.SHLWAPI(?,00000040,00000000,?), ref: 00405E21
    • GlobalMemoryStatusEx.KERNEL32(?,80000004,?,?,?,?,?,?,?), ref: 0041486C
    • GetSystemMetrics.USER32(00000000), ref: 004148B2
    • GetSystemMetrics.USER32(00000001), ref: 004148BC
    • GetComputerNameW.KERNEL32(?,?), ref: 00414909
    • GetUserNameW.ADVAPI32(?,00000101), ref: 0041491A
      • Part of subcall function 00405DBA: wvnsprintfW.SHLWAPI(?,00000104,00000000,?), ref: 00405DDC
    • GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041498B
    • EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 00414A79
    • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00414A85
    • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00414AA0
      • Part of subcall function 004060C6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,00413134,00000000), ref: 004060E8
    • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041481A
      • Part of subcall function 00404F2C: HeapFree.KERNEL32(00000000,00000000,?,00404F0C,0041A778,?,0040F172,?,00413CC0,00000000,?,?,00413182,?), ref: 00404F40
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: System$KeyboardLayoutListMetricsNamewvnsprintf$ByteCharComputerDevicesDisplayEnumFreeGlobalHeapInfoLocalMemoryMultiStatusTimeUserWide
    • String ID: $%S x%d$%s(%S)$%s\%s$%s\%s\%s$@$l=A
    • API String ID: 375986244-4245113576
    • Opcode ID: a25fbd5bdde50d55c8110164023be6b82fb393dbc888be728111d552e25622b2
    • Instruction ID: 63ff94530e6feffdfb7e96b5c04adaf04086d6c0553b814bd94c6ab8dbfd29ed
    • Opcode Fuzzy Hash: a25fbd5bdde50d55c8110164023be6b82fb393dbc888be728111d552e25622b2
    • Instruction Fuzzy Hash: DC126472900218ABDF10EBA5DC45BDE7779EB48314F0144BAFA08B7181DB78AF858F94
    APIs
    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040D634
    • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0040D668
    • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0040D6B3
    • SetFilePointer.KERNEL32(?,0000000C,00000000,00000000), ref: 0040D6EB
    • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0040D6FF
    • SetFilePointer.KERNEL32(?,00000038,00000000,00000000), ref: 0040D72E
    • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0040D742
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: File$Read$Pointer$Create
    • String ID:
    • API String ID: 974188869-0
    • Opcode ID: 58d3b6bd0f27f1b602da2a19fe2724778e68bab20d457524611b29731b1cb8b4
    • Instruction ID: 84ebc060d0621895f24b80f2e4f6a002ceadae2b21af062f922643ae4e17e730
    • Opcode Fuzzy Hash: 58d3b6bd0f27f1b602da2a19fe2724778e68bab20d457524611b29731b1cb8b4
    • Instruction Fuzzy Hash: 83C17E72D00119AFDB14DF94D8809EEBBB9FF88300F14847AE955B7290D735AE45CBA4
    APIs
    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,00413DD7,?,?,00414E1F,00413DD7,?,?), ref: 004119AA
    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00413DD7,?,?,00414E1F,00413DD7), ref: 00411A27
    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00413DD7,?,?,00414E1F,00413DD7), ref: 00411A5A
    • FindClose.KERNEL32(00000000,?,?,?), ref: 00411ABF
    • FindNextFileW.KERNEL32(?,?,?,?,?,?,00413DD7,?,?,00414E1F,00413DD7,?,?), ref: 00411B3E
    • FindClose.KERNEL32(?,?,?,?,?,00413DD7,?,?,00414E1F,00413DD7,?,?,?,?,?,00000000), ref: 00411B4F
      • Part of subcall function 00405DBA: wvnsprintfW.SHLWAPI(?,00000104,00000000,?), ref: 00405DDC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: Find$File$CloseFirstNext$wvnsprintf
    • String ID: %s%s$%s%s\$%s\%s\%s$%s\%s\%s\%s
    • API String ID: 943964047-654875542
    • Opcode ID: dd70484e7b8f062de1627af05d2bb0e73b74333fcc5ca2cf95427de7cffbf31e
    • Instruction ID: ea2d4c6f06bba6889578ba78540cc3033c32bd1741134c71fc68db188b5883d4
    • Opcode Fuzzy Hash: dd70484e7b8f062de1627af05d2bb0e73b74333fcc5ca2cf95427de7cffbf31e
    • Instruction Fuzzy Hash: 10614A72900218AADB21EB90DC45EDE777DEB04314F4445B7FA08B3091E738AB898F68
    APIs
    • CoCreateInstance.COMBASE(00401000,00000000,00004401,00401010,?), ref: 00410F3A
    • CoTaskMemFree.COMBASE(?), ref: 00410FEB
    • CoTaskMemFree.COMBASE(?), ref: 00411002
    • CredEnumerateW.ADVAPI32(?,00000000,?,?), ref: 00411145
    • CryptUnprotectData.CRYPT32(004115DF,00000000,0000004A,00000000,00000000,00000000,?), ref: 00411201
    • LocalFree.KERNEL32(?), ref: 004112B1
    • CredFree.ADVAPI32(?), ref: 004112C7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: Free$CredTask$CreateCryptDataEnumerateInstanceLocalUnprotect
    • String ID: %s\%s\%s$J
    • API String ID: 847491909-3392352968
    • Opcode ID: cabbff06b2101c33da73da649a489b026c12fe618483aefe325a352881240ba3
    • Instruction ID: f20f3bdc523f32172019d99ea4a9c5d2acc98d4ba874119d7bf4abe8c2f71e7c
    • Opcode Fuzzy Hash: cabbff06b2101c33da73da649a489b026c12fe618483aefe325a352881240ba3
    • Instruction Fuzzy Hash: 57C16E72D00119AFCF10DFA5D881AEEB7B9EF48314F14406BE604B7291DB79AE85CB58
    APIs
    • RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,?), ref: 00405849
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00000001), ref: 00405869
    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040587E
    • OpenProcess.KERNEL32(00000400,00000000,?,00000000), ref: 00405896
    • OpenProcessToken.ADVAPI32(00000000,0000000A,?), ref: 004058A9
    • CloseHandle.KERNEL32(?), ref: 004058C1
    • CloseHandle.KERNEL32(00000000), ref: 004058C8
    • Process32NextW.KERNEL32(00000000,0000022C), ref: 004058DA
    • CloseHandle.KERNEL32(00000000), ref: 004058E6
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: CloseHandle$NextOpenProcessProcess32$AdjustCreatePrivilegeSnapshotTokenToolhelp32
    • String ID:
    • API String ID: 4144978764-0
    • Opcode ID: 288efba21ccabab0d353f82fcd98234522787933f75711a39f8c2e4291eeda84
    • Instruction ID: 621fd83d4662feb52ae53584e4e942dca7b79aa80e7d553c684b4606091f2438
    • Opcode Fuzzy Hash: 288efba21ccabab0d353f82fcd98234522787933f75711a39f8c2e4291eeda84
    • Instruction Fuzzy Hash: 22118E32A41215BBEB206B60AC4DBEF3BB8EB05B54F048076F901E61D0D7789D59DE68
    APIs
    • FindFirstFileW.KERNEL32(QRA,?,00000000,00000000,00000000), ref: 0041092E
    • FindNextFileW.KERNEL32(?,?), ref: 00410B08
    • FindClose.KERNEL32(?), ref: 00410B19
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: Find$File$CloseFirstNext
    • String ID: %s\%s$%s\%s\%s$QRA$QRA
    • API String ID: 3541575487-3613279923
    • Opcode ID: cdefb29d012c533e5eb7a0f99dc1b8d7dc3370ec5ee0fe1d844c96336cf856d8
    • Instruction ID: bf7924639df49b3f9cf932feb5dce01370ee5a3f54a8194052eeded70ea7b8fc
    • Opcode Fuzzy Hash: cdefb29d012c533e5eb7a0f99dc1b8d7dc3370ec5ee0fe1d844c96336cf856d8
    • Instruction Fuzzy Hash: 6851B37290021AABDF24EF50C8459EEB775EF54354F10406AEA04772D1D778AEC58B98
    APIs
    • GetTokenInformation.ADVAPI32(000000FF,00000003(TokenIntegrityLevel),00000000,00000000,?,00000000), ref: 00405768
    • GetTokenInformation.ADVAPI32(000000FF,00000003(TokenIntegrityLevel),00000000,?,?,00000000), ref: 004057A5
    • DuplicateTokenEx.ADVAPI32(000000FF,00000024,00000000,00000002,00000002,000000FF,00000000), ref: 004057D4
    • AdjustTokenPrivileges.ADVAPI32(000000FF,00000000,00000000,00000000,00000000,00000000), ref: 004057F3
    • NtSetInformationThread.NTDLL(000000FE,00000005,000000FF,00000004), ref: 00405803
    • CloseHandle.KERNEL32(000000FF), ref: 0040580F
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: Token$Information$AdjustCloseDuplicateHandlePrivilegesThread
    • String ID:
    • API String ID: 611535677-0
    • Opcode ID: 06ca594b98fcea6d42740ea5f37fb11c24cdb8a138cb983caa624f97473775bf
    • Instruction ID: 227ccfd11fb12c717d30c07917c2268877481373599fd8ad21870a49e25d02be
    • Opcode Fuzzy Hash: 06ca594b98fcea6d42740ea5f37fb11c24cdb8a138cb983caa624f97473775bf
    • Instruction Fuzzy Hash: C4212C72900609BFEB20AFA1DC89E9B7B7DEB44754F10843AFA05A5190D7349E90DB94
    APIs
    • OpenProcessToken.ADVAPI32(00000000,00000008,0041551C,00000000), ref: 00405903
    • GetTokenInformation.ADVAPI32(0041551C,0000000A(TokenIntegrityLevel),?,00000038,?), ref: 00405920
    • NtCreateToken.NTDLL(0041551C,000F01FF,0041803C,00000002,?,?,?,00418024,?,00000000,?,0041A800,User32 ), ref: 0040599A
    • CloseHandle.KERNEL32(0041551C), ref: 004059A5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: Token$CloseCreateHandleInformationOpenProcess
    • String ID: User32
    • API String ID: 791112728-31512923
    • Opcode ID: 8b4807e47cd7d9c0ab678ae9e597a5b8f2ae17fa3ec1aff7756dee87ef57a2b3
    • Instruction ID: 449fceeca6f02f62c474ee06d4cec9e5ea51b23d83900698e46271b5417625ee
    • Opcode Fuzzy Hash: 8b4807e47cd7d9c0ab678ae9e597a5b8f2ae17fa3ec1aff7756dee87ef57a2b3
    • Instruction Fuzzy Hash: DF212C75D4020DBEEB01CF94DC45AEEBBBDEB48700F10412AFA10F6290D7B45A49CB65
    APIs
    • IsDebuggerPresent.KERNEL32 ref: 00E454D9
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E454EE
    • UnhandledExceptionFilter.KERNEL32(00E4A180), ref: 00E454F9
    • GetCurrentProcess.KERNEL32(C0000409), ref: 00E45515
    • TerminateProcess.KERNEL32(00000000), ref: 00E4551C
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
    • String ID:
    • API String ID: 2579439406-0
    • Opcode ID: 865b75f01b487cc54ac964edd11aff4fd1ec82556d2d5a15696021674fb3582f
    • Instruction ID: 9105f8225ea501461483cfbc7d53c988fec4d82c21caa722c4154ae4f40af99f
    • Opcode Fuzzy Hash: 865b75f01b487cc54ac964edd11aff4fd1ec82556d2d5a15696021674fb3582f
    • Instruction Fuzzy Hash: 1921CEBC9182049FD711DF6AFD84644BBA4FB0A325F01102AE508B7261EBB0598FCF05
    APIs
    • CoCreateInstance.COMBASE(004010C4,00000000,00004401,004010D4,00000000), ref: 00407688
    • SysAllocString.OLEAUT32(?), ref: 004076BD
    • SysAllocString.OLEAUT32(00413DD7), ref: 004076E4
    • VariantClear.OLEAUT32(?), ref: 0040774D
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: AllocString$ClearCreateInstanceVariant
    • String ID:
    • API String ID: 1533990153-0
    • Opcode ID: 21ae9dc6ccabbf0237440588804318c15eb7717ecb859a93fa846122d7a12a7d
    • Instruction ID: d989e8f11c9b4fc0ee7ab9285f716e1cb7648385bfeb727a4384310e233b5fb2
    • Opcode Fuzzy Hash: 21ae9dc6ccabbf0237440588804318c15eb7717ecb859a93fa846122d7a12a7d
    • Instruction Fuzzy Hash: C0313875E00208AFCF00EFE4C8899DEBB79EF49314F1044AAE901FB290DB75AA458B54
    APIs
      • Part of subcall function 004059B0: RegOpenKeyExW.ADVAPI32(80000002,00000001,00000000,00000001,00000000,?,?,?), ref: 004059DB
      • Part of subcall function 004059B0: RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,00000000,?), ref: 004059F4
      • Part of subcall function 004059B0: RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,00000000,?), ref: 00405A1E
      • Part of subcall function 004059B0: RegCloseKey.ADVAPI32(00000000), ref: 00405A33
    • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,00000000,?), ref: 00410DF9
    • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00410EC4
      • Part of subcall function 00404F2C: HeapFree.KERNEL32(00000000,00000000,?,00404F0C,0041A778,?,0040F172,?,00413CC0,00000000,?,?,00413182,?), ref: 00404F40
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: FreeQueryValue$CloseCryptDataHeapLocalOpenUnprotect
    • String ID: %S\%S\%s
    • API String ID: 1170349874-688238448
    • Opcode ID: 23367135cf618639a9a6bbe0c38b83fb558316127c41b7a8f9599740e9569a74
    • Instruction ID: 61974f6221aaa33da51fb8b4332ca456937d8993f373d9cc068e8b2d38f05129
    • Opcode Fuzzy Hash: 23367135cf618639a9a6bbe0c38b83fb558316127c41b7a8f9599740e9569a74
    • Instruction Fuzzy Hash: 4D517D72D00218AFCF10EBA5DC45EEEBBB9EF48314F14446AF905B7251D778AA84CB94
    APIs
    • FindFirstFileW.KERNEL32(00000000,?,00415460,00000000,00000104), ref: 00404D1F
    • FindNextFileW.KERNEL32(00000031,?), ref: 00404DF8
    • FindClose.KERNEL32(00000031), ref: 00404E09
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: Find$File$CloseFirstNext
    • String ID:
    • API String ID: 3541575487-0
    • Opcode ID: a1ae58e16886171732d84ffa5514422ae4debaf7fcbeeaa3ffe23fc2a8f78e40
    • Instruction ID: 3ee7f45571ec2e728f2d45caa32b95f4a36e807a3dbe421b590e3191cc866bd4
    • Opcode Fuzzy Hash: a1ae58e16886171732d84ffa5514422ae4debaf7fcbeeaa3ffe23fc2a8f78e40
    • Instruction Fuzzy Hash: E131A37240015AABDF219F61DD45BEF7778AF80314F14007AFE00B21E1DB389EA58B98
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: db43c8d085c1f94b5784418c359cbdf909740303067dbff6d8f02ae611701fae
    • Instruction ID: f8e789f92e4b7cf39002b8d122e2b9a2772ba2b14ca12a686d6cc296af542319
    • Opcode Fuzzy Hash: db43c8d085c1f94b5784418c359cbdf909740303067dbff6d8f02ae611701fae
    • Instruction Fuzzy Hash: FD5160B4E01209DFDB04CF98D484BADBBB2FF88318F249559D815AB395D734AA81CF94
    APIs
    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00412074
    • LocalFree.KERNEL32(?,?,?,004121DC,00000000,?,?), ref: 00412096
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: CryptDataFreeLocalUnprotect
    • String ID:
    • API String ID: 1561624719-0
    • Opcode ID: 38d28ae3e0e395046ee51ea414fa60c357db4448f3fa60973f9418c10d68782e
    • Instruction ID: d40dfb0f535090772b9fe0eae1febc21ddc0b2eafc90de01a658c335882751cd
    • Opcode Fuzzy Hash: 38d28ae3e0e395046ee51ea414fa60c357db4448f3fa60973f9418c10d68782e
    • Instruction Fuzzy Hash: 1731E775800189AEDF258F7886446DFBFB6EB4E744F00411BDA51E2216C3B99AD3CB1E
    APIs
    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,00411D31), ref: 00404933
    • LocalFree.KERNEL32(00000001,00403AEC,?,?,00411D31,00000001,?,?,?,?,?,?,?,?,00000000,00000104), ref: 00404960
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: CryptDataFreeLocalUnprotect
    • String ID:
    • API String ID: 1561624719-0
    • Opcode ID: daddabe56ba01ab0a22bf5a4db6c56f94cdad8289dcfc64dffa5827e9870c4fd
    • Instruction ID: eff705749294552a49cb4206b8a8151450b07a935f9774916d4ace2d366a322e
    • Opcode Fuzzy Hash: daddabe56ba01ab0a22bf5a4db6c56f94cdad8289dcfc64dffa5827e9870c4fd
    • Instruction Fuzzy Hash: 51F014B1900209BFDF109FA9CC85CEFBBBDEB85344B10447AF941A3250D3719E809B64
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID:
    • String ID: I@$I@
    • API String ID: 0-1008241598
    • Opcode ID: 9cec92ef4e791106ecc81ca5f9fd656491a685019501de78ba6063891f0cc789
    • Instruction ID: aa87177d6922c40db767e09e7f7300f8604da9cde321312a12b3189cf78b8dcd
    • Opcode Fuzzy Hash: 9cec92ef4e791106ecc81ca5f9fd656491a685019501de78ba6063891f0cc789
    • Instruction Fuzzy Hash: D881DF71D081A59FDB1DCF6D84904ADFFF1AE9A240748C29ED8A5AB387C2389514CFB1
    APIs
    • CloseHandle.KERNEL32(00000000), ref: 00E44FB4
    • CloseHandle.KERNEL32(00000000), ref: 00E44FC4
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: 43155015221e9cf424e0a0d239c4a201b45ccaea182c98fb098f5639cc8cf56a
    • Instruction ID: 4597ac75a85def309d1a9f5a6e93f5e78f3f4405598affd1a4ca1c52c4ecf218
    • Opcode Fuzzy Hash: 43155015221e9cf424e0a0d239c4a201b45ccaea182c98fb098f5639cc8cf56a
    • Instruction Fuzzy Hash: 3B21B778A00208DFCB04CF54D498BA9BBB1FB48314F14E599E8096B391C375EE85CF81
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: Version
    • String ID:
    • API String ID: 1889659487-0
    • Opcode ID: 3cf1fedbdff5723513f479be4ed969bcb2ac4b1f9bb60681a2d7a451bed1a486
    • Instruction ID: cc9333183fa8c00dccd2b6004e22b404908c773762507ea227cbcdaa759150bb
    • Opcode Fuzzy Hash: 3cf1fedbdff5723513f479be4ed969bcb2ac4b1f9bb60681a2d7a451bed1a486
    • Instruction Fuzzy Hash: 6521D8709452188ECF38CD60A8463EE7375572230EF2654BFE28596200DA3CEAC78B5B
    APIs
    • GetTimeZoneInformation.KERNEL32(?), ref: 00406428
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: InformationTimeZone
    • String ID:
    • API String ID: 565725191-0
    • Opcode ID: 94fb4f433fb7da04c7912a50c4e658d83ca068ef18c375c02743d519853954a0
    • Instruction ID: 9d2192f2e320e058be2c2fda52b9328630a0c2766cdf8855c04a576f05d35507
    • Opcode Fuzzy Hash: 94fb4f433fb7da04c7912a50c4e658d83ca068ef18c375c02743d519853954a0
    • Instruction Fuzzy Hash: A7D0A776A00314EFDB10AF58EC05F44B7F85B05210F0181AAB5D5C31C0D670A5804F66
    APIs
    • GetLocaleInfoA.KERNEL32(80000004,0000005A,?,00000010,?,00414AE1,?,?,80000004,?), ref: 00416E86
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    • Opcode ID: 492bb2610ae7a41e0d722d4a2fa9f85706a9627eede23f664937886feea1bbda
    • Instruction ID: 012795880ae3241001a3ff6f5d3db474ef08a8b0ec5b54ed7dba30c2656240b6
    • Opcode Fuzzy Hash: 492bb2610ae7a41e0d722d4a2fa9f85706a9627eede23f664937886feea1bbda
    • Instruction Fuzzy Hash: 06D0C93214420CBAEF111A41EC06F893B65EB09721F108025F618180E19AB36960AA88
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_00035AC7), ref: 00E45B0E
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: ca236233721c69f2d01e8d6d0ee4a2055eb94368c28eb6ed1af60e52bf3873d9
    • Instruction ID: 622df4f3cc8054c0486a7746cbe544135371639c595885b8cae3938c15bc8f3d
    • Opcode Fuzzy Hash: ca236233721c69f2d01e8d6d0ee4a2055eb94368c28eb6ed1af60e52bf3873d9
    • Instruction Fuzzy Hash: 139002A56A1B008FC75227716C4940565945B4A71274955646005F4055DA6040096D22
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID:
    • String ID: UUUU
    • API String ID: 0-1798160573
    • Opcode ID: 47e17f6eb2f6ed35542de6a4c203a3b3d24fb82f53f471f5337a6533c5149852
    • Instruction ID: 8ce0b6fa30e06822d17ffbceaa72673f25687c9f49871aa502c7412ad644dc10
    • Opcode Fuzzy Hash: 47e17f6eb2f6ed35542de6a4c203a3b3d24fb82f53f471f5337a6533c5149852
    • Instruction Fuzzy Hash: CB51A333F205240BE75C866D8C2A76D3AD287C4354F1E4279E956E72D2D8BCDE12D394
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID:
    • String ID: FH@
    • API String ID: 0-3307908349
    • Opcode ID: eba58216cf352b7931a6f12906384ae6f21cbea08298cad6a557a78378606dc1
    • Instruction ID: 5d692aa64f1d02948a3fba6f80e0249745d5ed7c23a60299a5f2d1b3268d9ccc
    • Opcode Fuzzy Hash: eba58216cf352b7931a6f12906384ae6f21cbea08298cad6a557a78378606dc1
    • Instruction Fuzzy Hash: 7F617F70E0066A9EDB15CFAEC8906AEFFF1FF89301F14816AD555E3241D678A601CFA0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID:
    • String ID: UUUU
    • API String ID: 0-1798160573
    • Opcode ID: fe74a95da04a3da5957119185af521d6831f355d274b42a1a7b6e0e1e4b16eb0
    • Instruction ID: 1b809dd5407cdfa181b2f36f59f0f85b0af94b7e88463b934ea3cc36f223f438
    • Opcode Fuzzy Hash: fe74a95da04a3da5957119185af521d6831f355d274b42a1a7b6e0e1e4b16eb0
    • Instruction Fuzzy Hash: 21212C323745150BF79CE93D8C0776B62D2DBC8264B18CA3AAA66C72C1DC7CE9138285
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID:
    • String ID: gR@
    • API String ID: 0-1284012785
    • Opcode ID: 1bf41191eea62a3d51b1ebc75e6daf2de291ca19e34a7d679d4947561c48509c
    • Instruction ID: 70ef8581f865f0112264750e87cdc896a5a700d15b24c2966dd795d3664bc740
    • Opcode Fuzzy Hash: 1bf41191eea62a3d51b1ebc75e6daf2de291ca19e34a7d679d4947561c48509c
    • Instruction Fuzzy Hash: 0A119131A10A04EFCB21DF69C880BABB3F5EF44354B14487AD846E7251E734AE40CB84
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 289f2053dfa9c8ca239bfff4ed5d862ef5a3f26f2a123b0f2921e60597c983e9
    • Instruction ID: 6f7324b15eca2b7b96dab9f736eed971c045b4517cab1c08fd2209b19b6e3684
    • Opcode Fuzzy Hash: 289f2053dfa9c8ca239bfff4ed5d862ef5a3f26f2a123b0f2921e60597c983e9
    • Instruction Fuzzy Hash: 1FF18832A146959FD740CFAEDCD0489BBF3EFC920175EC6A8C6545B366C2347A12CBA4
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a7b310c85ba78bd130b6d947e25122e94d9fd7f65a3e45bbfc28b2ae52817406
    • Instruction ID: 806ef46059b39e71137c6a37a0d5405ef7dec956314bec1b2ce83c269c788100
    • Opcode Fuzzy Hash: a7b310c85ba78bd130b6d947e25122e94d9fd7f65a3e45bbfc28b2ae52817406
    • Instruction Fuzzy Hash: 83D172B1E1020A9FDB54DFA9D481ADDBBF0BF0D314F10456AE518FB281E775AA808B54
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 66f8a48aecfb97492cb446f1ed1ed734e4917f1bc2179caba97a06dca3b7bf3e
    • Instruction ID: ec769a8d708e545d2d17ded63e2c92bfaf155a030af962b35be15012192d49a3
    • Opcode Fuzzy Hash: 66f8a48aecfb97492cb446f1ed1ed734e4917f1bc2179caba97a06dca3b7bf3e
    • Instruction Fuzzy Hash: 6A71A276B503019BCB08DFEAF9D291A7361EB58340F49817AEE026B2B1D6747B21CB45
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e6aeb10b79cc9689488747f47cd5120282e3b2ecb0f1b3d475f73ce1d6f941e8
    • Instruction ID: c52894c21cce98a5b3e3be7a8c82c8448c5d44fd66a7b6e0b5206e9568c8f8a0
    • Opcode Fuzzy Hash: e6aeb10b79cc9689488747f47cd5120282e3b2ecb0f1b3d475f73ce1d6f941e8
    • Instruction Fuzzy Hash: 2C61643160C5A04ED71CCF2A84BD475FBE2AFC920134E82EFD49B4F2A2C6389565DB65
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5ceb65251ef5f374cc1676978594b672cbf917856a3a8c51848abcda614c3d36
    • Instruction ID: 99e0d7b0a9de723bba338dea900c8a8687d99cdd99ccb4afe0071543674cb564
    • Opcode Fuzzy Hash: 5ceb65251ef5f374cc1676978594b672cbf917856a3a8c51848abcda614c3d36
    • Instruction Fuzzy Hash: 2F61BC71E0464A9BD715CFA9C0C06EEFBF1EF99300F54C1ADC989A7346C274A959CBA0
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: fb87ecb3a1000084d9293c3e741e807016fcaee7161e8a27ba20a818466f514b
    • Instruction ID: 777ffbebf7581f0ae84988816b3b3784bbe2ec13b3104a3b9d140de91e986b4e
    • Opcode Fuzzy Hash: fb87ecb3a1000084d9293c3e741e807016fcaee7161e8a27ba20a818466f514b
    • Instruction Fuzzy Hash: A6419522F051895FDB098AAD98516EEBF719F96310F4940AEE481FB383C974DA09C7E1
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 660f38a9e7a8f2821e6550479c5de09e585330eaaeef16a5887133e29895604e
    • Instruction ID: d8afc9364d1788d87b36511f3b298ec2c8d48509b9e0938bb4da120c49f6a260
    • Opcode Fuzzy Hash: 660f38a9e7a8f2821e6550479c5de09e585330eaaeef16a5887133e29895604e
    • Instruction Fuzzy Hash: 6F31D4B37605201BE70C9E7DDCA23EA66C1E789318F46463DC997D72D0D26C994686C8
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 49da9b4152dcc3c3c9f53b880ea02307f24100b3f3ace170fc16e5d65d613d31
    • Instruction ID: e4598f198c1ebe2c8d5ed442411fc326abb90028f457679b4f86855f8050cae0
    • Opcode Fuzzy Hash: 49da9b4152dcc3c3c9f53b880ea02307f24100b3f3ace170fc16e5d65d613d31
    • Instruction Fuzzy Hash: 262181322314109BC748DF3DEC9968A37E2E38935871AC63DD51AD72A0EF38E402CB48
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f8a0c9c23e36e7928c497b593758381672b939dfc3bcbd3f81601b2ea83f3f8c
    • Instruction ID: 8a4452ef7110f5f205f0f63f16211c95a03bb306aef0532b39cacefe1c6f7b48
    • Opcode Fuzzy Hash: f8a0c9c23e36e7928c497b593758381672b939dfc3bcbd3f81601b2ea83f3f8c
    • Instruction Fuzzy Hash: E201A477F2052416F74C98BACC5136AA1479BC4261F1EC6399E69D72C9CCB4CC1142D0
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
    • Instruction ID: 58c6f5837427d6eca2c2deaad74ce6c6656098581891570576efec04afcca601
    • Opcode Fuzzy Hash: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
    • Instruction Fuzzy Hash: 42D001392A1A48CFC241CF4CD084E40B3F8FB0DA20B068092FA0A8BB32C334FC00DA80
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
    • Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
    • Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
    • Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c92737c4d31cfb72025dec89eae0fb42358f12c3dfe317aacb3237dbb5ec58c0
    • Instruction ID: d8bc9acd7da5fb0c73b53ea44bd5ea9bf3d426c042c7258b91cd9e99573d7f24
    • Opcode Fuzzy Hash: c92737c4d31cfb72025dec89eae0fb42358f12c3dfe317aacb3237dbb5ec58c0
    • Instruction Fuzzy Hash: E9C00839661940CFCA55CF08C194E00B3F4FB59760B068491E905CB732C234ED40DA40
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: fb1dcb45eca10bbd415de50d8dac458e7e42156cf4c282332bc7bc400f2a61b4
    • Instruction ID: 09a661d3bcde169e3a68bda8983e2d082d1c510c2daa6ab026a58b72df35bac7
    • Opcode Fuzzy Hash: fb1dcb45eca10bbd415de50d8dac458e7e42156cf4c282332bc7bc400f2a61b4
    • Instruction Fuzzy Hash: 3AA00235692980CFCE16CF08C290F0073B4F754B40F010490E401C7A21C228ED40C940
    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00E45331), ref: 00E4661D
    • __mtterm.LIBCMT ref: 00E46629
      • Part of subcall function 00E46362: DecodePointer.KERNEL32(00000004,00E4678B,?,00E45331), ref: 00E46373
      • Part of subcall function 00E46362: TlsFree.KERNEL32(00000002,00E4678B,?,00E45331), ref: 00E4638D
      • Part of subcall function 00E46362: DeleteCriticalSection.KERNEL32(00000000,00000000,77375810,?,00E4678B,?,00E45331), ref: 00E46C23
      • Part of subcall function 00E46362: _free.LIBCMT ref: 00E46C26
      • Part of subcall function 00E46362: DeleteCriticalSection.KERNEL32(00000002,77375810,?,00E4678B,?,00E45331), ref: 00E46C4D
    • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00E4663F
    • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00E4664C
    • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00E46659
    • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00E46666
    • TlsAlloc.KERNEL32(?,00E45331), ref: 00E466B6
    • TlsSetValue.KERNEL32(00000000,?,00E45331), ref: 00E466D1
    • __init_pointers.LIBCMT ref: 00E466DB
    • EncodePointer.KERNEL32(?,00E45331), ref: 00E466EC
    • EncodePointer.KERNEL32(?,00E45331), ref: 00E466F9
    • EncodePointer.KERNEL32(?,00E45331), ref: 00E46706
    • EncodePointer.KERNEL32(?,00E45331), ref: 00E46713
    • DecodePointer.KERNEL32(00E464E6,?,00E45331), ref: 00E46734
    • __calloc_crt.LIBCMT ref: 00E46749
    • DecodePointer.KERNEL32(00000000,?,00E45331), ref: 00E46763
    • GetCurrentThreadId.KERNEL32 ref: 00E46775
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
    • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
    • API String ID: 3698121176-3819984048
    • Opcode ID: 97b078525d07077a8388abe92bbf46b12dd3ee4c6a9bb635f6167ed339bbed11
    • Instruction ID: d873b922d0e7a543541bd3ec0e3a9858c7deb26f19d30551d2a50c48faed9857
    • Opcode Fuzzy Hash: 97b078525d07077a8388abe92bbf46b12dd3ee4c6a9bb635f6167ed339bbed11
    • Instruction Fuzzy Hash: 13319E78941320DFDB21EF76BD486157BA4BB53724F0659AAE410B33A0DB74980ACF92
    APIs
    • LoadIconW.USER32(00000000,00007F00), ref: 00E1103B
    • LoadCursorW.USER32(00000000,00007F00), ref: 00E1104B
    • GetStockObject.GDI32(00000000), ref: 00E11056
    • RegisterClassW.USER32(00000003), ref: 00E11071
    • MessageBoxW.USER32(00000000,ghfgfngfnfgng4356345,ghk445fdg,00000010), ref: 00E1108C
    • CreateWindowExW.USER32(00000000,ghk445fdg,hjgk,hgj456,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00E110C5
    • ShowWindow.USER32(?,00000000), ref: 00E110D4
    • UpdateWindow.USER32(?), ref: 00E110DE
    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E110EE
    • TranslateMessage.USER32(?), ref: 00E110FC
    • DispatchMessageW.USER32(?), ref: 00E11106
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: Message$Window$Load$ClassCreateCursorDispatchIconObjectRegisterShowStockTranslateUpdate
    • String ID: ghfgfngfnfgng4356345$ghk445fdg$hjgk,hgj456
    • API String ID: 2734574773-3954598336
    • Opcode ID: 7c9fa4e9b662763e8038c02fca217a52bb3425bd72d1ad13b2ae4406628ff3cf
    • Instruction ID: 81399b8f90ef0075997d156d8d9ce133b7ee47854d877a7ab7023935e609406c
    • Opcode Fuzzy Hash: 7c9fa4e9b662763e8038c02fca217a52bb3425bd72d1ad13b2ae4406628ff3cf
    • Instruction Fuzzy Hash: 77213EB9A85308AFEB14CFA1DC59FEDBBB4EB09711F244018F601BA2C0C7B5A545CB55
    APIs
    • MonitorFromPoint.USER32(?,?,00000001), ref: 00415918
    • GetMonitorInfoW.USER32(?,?), ref: 0041597F
    • CreateCompatibleDC.GDI32(?), ref: 0041599C
    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 004159AA
    • SelectObject.GDI32(?,00000000), ref: 004159B7
    • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,40CC0020), ref: 004159D4
    • GetCursorInfo.USER32(?), ref: 004159E5
    • GetIconInfo.USER32(?,?), ref: 004159F2
    • DrawIcon.USER32(?,?,?,?), ref: 00415A0C
      • Part of subcall function 00404F2C: HeapFree.KERNEL32(00000000,00000000,?,00404F0C,0041A778,?,0040F172,?,00413CC0,00000000,?,?,00413182,?), ref: 00404F40
    • DeleteObject.GDI32(?), ref: 00415ABD
    • DeleteDC.GDI32(?), ref: 00415AC6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: Info$CompatibleCreateDeleteIconMonitorObject$BitmapCursorDrawFreeFromHeapPointSelect
    • String ID: (
    • API String ID: 265149036-3887548279
    • Opcode ID: 960edca231de8e156615f46315c9ec6b5a0806d22cdf4613aaf9fa20cff76dd2
    • Instruction ID: 977c3bf0a044a8a20248cdf5c9f61e8bce22bd1014bcf420fbffb512a4ba3380
    • Opcode Fuzzy Hash: 960edca231de8e156615f46315c9ec6b5a0806d22cdf4613aaf9fa20cff76dd2
    • Instruction Fuzzy Hash: 19510472900109EFDF10AFA4DD48ADEBB79FF48354F10806AF905B6160DB35AE45DBA8
    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,00E4BBF0,00000008,00E464A7,00000000,00000000,?,?,00E4556B,00E45196,?,?,00E4445D,?), ref: 00E463B0
    • __lock.LIBCMT ref: 00E463E4
      • Part of subcall function 00E46D36: __mtinitlocknum.LIBCMT ref: 00E46D4C
      • Part of subcall function 00E46D36: __amsg_exit.LIBCMT ref: 00E46D58
      • Part of subcall function 00E46D36: EnterCriticalSection.KERNEL32(]D,]D,?,00E463E9,0000000D), ref: 00E46D60
    • InterlockedIncrement.KERNEL32(00E4D320), ref: 00E463F1
    • __lock.LIBCMT ref: 00E46405
    • ___addlocaleref.LIBCMT ref: 00E46423
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
    • String ID: KERNEL32.DLL$]D
    • API String ID: 637971194-63745277
    • Opcode ID: f698bfaf61328bb4b5e6c960caf2f5797bdfd3a2b5df33b4bbf088715c62fb2f
    • Instruction ID: 6bba49a3b7229918f1519975a8662fea31087958535af1529195748d783bdf4f
    • Opcode Fuzzy Hash: f698bfaf61328bb4b5e6c960caf2f5797bdfd3a2b5df33b4bbf088715c62fb2f
    • Instruction Fuzzy Hash: 2F018471944B00DFE720AF66E806709FBE0BF41324F10590EE495B77A1CBB4A944CB13
    APIs
    • GetUserNameW.ADVAPI32(?,?), ref: 004153C6
      • Part of subcall function 00405721: SHGetFolderPathW.SHELL32(00000000,004153DA,00000000,00000000,?,?,004153DA,?,0000001A), ref: 00405748
    • RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,000F003F,00413DD7), ref: 00415417
      • Part of subcall function 00405662: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000031,00000000), ref: 0040568B
      • Part of subcall function 00405662: Process32NextW.KERNEL32(00000000,0000022C), ref: 004056B7
    • RegCloseKey.ADVAPI32(00413DD7), ref: 0041546A
    • SHGetFolderPathW.SHELL32(00000000,0000001A,?,00000000,?), ref: 00415533
    • SHGetFolderPathW.SHELL32(00000000,0000001C,?,00000000,?), ref: 00415547
    • SHGetFolderPathW.SHELL32(00000000,00000021,?,00000000,?), ref: 0041555B
    • SHGetFolderPathW.SHELL32(00000000,00000005,?,00000000,?), ref: 0041556F
    • CloseHandle.KERNEL32(?), ref: 0041564C
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: FolderPath$Close$CreateHandleNameNextOpenProcess32SnapshotToolhelp32User
    • String ID:
    • API String ID: 3969033429-0
    • Opcode ID: e480d276afcbd6b7966cb33b1bb95b6df81704ed68652d6a28c1e2cad8850a6d
    • Instruction ID: 7a52210d9c567d5fd2296ea13022ca8b3bd9af4c8aad6b8387a35ee1e3cfdfc0
    • Opcode Fuzzy Hash: e480d276afcbd6b7966cb33b1bb95b6df81704ed68652d6a28c1e2cad8850a6d
    • Instruction Fuzzy Hash: 66914872900519EBDF21DFD0CC85EEEBBB8FB89304F1041AAE605A2190DB759A858F58
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000031,00000000), ref: 0040568B
    • Process32NextW.KERNEL32(00000000,0000022C), ref: 004056B7
    • OpenProcess.KERNEL32(00000400,00000000,?,00000000), ref: 004056D0
    • OpenProcessToken.ADVAPI32(00000000,?,0000001A), ref: 004056E4
    • DuplicateTokenEx.ADVAPI32(0000001A,?,00000000,00000002,00000001,0041A7F8), ref: 004056FA
    • CloseHandle.KERNEL32(0000001A), ref: 00405703
    • CloseHandle.KERNEL32(00000000), ref: 0040570A
    • CloseHandle.KERNEL32(00000000), ref: 00405711
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: CloseHandle$OpenProcessToken$CreateDuplicateNextProcess32SnapshotToolhelp32
    • String ID:
    • API String ID: 3292448913-0
    • Opcode ID: a2706c85aca0541312226067f5d2733b4dfed527a6ba5c4ceb9f6ef4114542b9
    • Instruction ID: d1fd8e19b9ea3247be9f77e8ce275ec634d9c5db201f2df05c7f63bf9e51eaf8
    • Opcode Fuzzy Hash: a2706c85aca0541312226067f5d2733b4dfed527a6ba5c4ceb9f6ef4114542b9
    • Instruction Fuzzy Hash: 99119032900515FBDB116BA4DC8DEDB7BB8EB48351F104176F621A20A1D7354A81DF6D
    APIs
      • Part of subcall function 00405DBA: wvnsprintfW.SHLWAPI(?,00000104,00000000,?), ref: 00405DDC
    • gethostbyname.WS2_32(?), ref: 004133C6
    • DnsQuery_A.DNSAPI(?,00000001,00000002,?,00000000,00000000), ref: 004133F0
    • inet_ntoa.WS2_32(?), ref: 0041342E
    • DnsFree.DNSAPI(00000000,00000001), ref: 00413449
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: FreeQuery_gethostbynameinet_ntoawvnsprintf
    • String ID: link$pro
    • API String ID: 3295049255-2616294489
    • Opcode ID: 045e133d47ac88580c665aacfaf8e3db3c41d6694abbf577b760372e7ea348a6
    • Instruction ID: 7d109828660f677fbe1903f41f5432d556e214821793483ce54f1a277a5bc00b
    • Opcode Fuzzy Hash: 045e133d47ac88580c665aacfaf8e3db3c41d6694abbf577b760372e7ea348a6
    • Instruction Fuzzy Hash: 5C717272D00118ABDB21EFA5CC45ADFBBB9EF44305F0081B6EA05B7141D7786B498F98
    APIs
    • GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 0040FE20
    • GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 0040FE49
    • GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 0040FE6E
    • GetPrivateProfileStringW.KERNEL32(?,00000000,00000000,?,0000FFFF,?), ref: 0040FEEB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: PrivateProfileString
    • String ID: $
    • API String ID: 1096422788-227171996
    • Opcode ID: 96352c368fbae6d2e604c92080f5f374570bf7a16415aa76f73c6bb17155fea8
    • Instruction ID: 4bcdd06559af57f3a18aa75212f78c00efbe9c848d9a626a581925e0767f4e7f
    • Opcode Fuzzy Hash: 96352c368fbae6d2e604c92080f5f374570bf7a16415aa76f73c6bb17155fea8
    • Instruction Fuzzy Hash: 1E512D72901119AAEF20EBE0DC45EEEB37DEF04314F14447BBA05F3591E778AA498B54
    APIs
    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0040B7FC
    • CopyFileW.KERNEL32(?,?,00000000), ref: 0040B82C
    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0040B849
    • GetFileSize.KERNEL32(?,00000000), ref: 0040B85B
    • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 0040B885
    • CloseHandle.KERNEL32(?), ref: 0040B8B9
    • DeleteFileW.KERNEL32(?), ref: 0040B8DA
      • Part of subcall function 00404C33: GetTempPathW.KERNEL32(000000F6,?,00000000), ref: 00404C4A
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: File$Create$CloseCopyDeleteHandlePathReadSizeTemp
    • String ID:
    • API String ID: 2441216986-0
    • Opcode ID: 5cde616fb5c3efed58da4bb7fb09baae2c060ff0f539486901b99e14cd691bdc
    • Instruction ID: 7c42100144d45914e9297fa56b25ebb1347f1c04ecc592c3643096512dc84bbf
    • Opcode Fuzzy Hash: 5cde616fb5c3efed58da4bb7fb09baae2c060ff0f539486901b99e14cd691bdc
    • Instruction Fuzzy Hash: 9231707294421D7EEB10AFA59C88EDE7B7CEB54314F0080B6F914A72E0D7359E458B68
    APIs
    • OpenProcessToken.ADVAPI32(000000FF,00000008,00000035,?,?,?,?,00413A65,?,00000035,?), ref: 004055A5
    • GetTokenInformation.ADVAPI32(00000035,00000019(TokenIntegrityLevel),00000000,00000000,?,?,?,?,?,00413A65,?,00000035,?), ref: 004055BE
    • GetTokenInformation.ADVAPI32(00000035,00000019(TokenIntegrityLevel),00000000,?,?,00000035,?,?,?,?,00413A65,?,00000035,?), ref: 004055F3
    • GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,?,00413A65,?,00000035,?), ref: 004055FF
    • GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,?,00413A65,?,00000035,?), ref: 0040560C
    • CloseHandle.KERNEL32(00000035,?,?,?,?,00413A65,?,00000035,?), ref: 00405657
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: Token$AuthorityInformation$CloseCountHandleOpenProcess
    • String ID:
    • API String ID: 2447973151-0
    • Opcode ID: 14185f4045bd5707be1be35bb3c8f12b709cd81c172b0229a44baae18f5408b9
    • Instruction ID: efd7c50f993448333591d6de82e587b9959ddcf8b0942f83b87ffec69861eda7
    • Opcode Fuzzy Hash: 14185f4045bd5707be1be35bb3c8f12b709cd81c172b0229a44baae18f5408b9
    • Instruction Fuzzy Hash: BA219D70541504BEFF216B90DC88AEF7B6AEB12350F640877F505F22E0D63A9E819E1D
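The call sequence listed for this function (OpenProcessToken, then GetTokenInformation with class 00000019 = TokenIntegrityLevel, then GetSidSubAuthorityCount and GetSidSubAuthority) is the standard way a process reads its own integrity level: the returned TOKEN_MANDATORY_LABEL holds a SID of the form S-1-16-<RID>, and the last sub-authority is the RID that encodes the level. The following is an added example, not code from the report or from the sample: it reconstructs what that sequence computes, replacing the Win32 calls with a constructed label SID so it runs off-box. The RID constants and the authority value 16 are taken from winnt.h and are assumptions about what the sample compares against; the report shows only the API sequence, not the branch that follows it.

```python
import struct

# winnt.h values, assumed: the report lists the API calls, not the constants the sample uses.
SECURITY_MANDATORY_LABEL_AUTHORITY = 16
MANDATORY_RIDS = {
    0x0000: "untrusted",
    0x1000: "low",
    0x2000: "medium",
    0x3000: "high",
    0x4000: "system",
}


def build_label_sid(rid):
    """Constructed stand-in for TOKEN_MANDATORY_LABEL.Label.Sid as returned by
    GetTokenInformation(hToken, 25 /* TokenIntegrityLevel */, ...):
    S-1-16-<rid>, i.e. revision 1, one sub-authority, identifier authority 16 (big-endian, 6 bytes)."""
    authority = (0).to_bytes(5, "big") + bytes([SECURITY_MANDATORY_LABEL_AUTHORITY])
    return struct.pack("<BB", 1, 1) + authority + struct.pack("<I", rid)


def last_subauthority(sid):
    """What GetSidSubAuthorityCount(sid) followed by GetSidSubAuthority(sid, count - 1)
    yields: the last sub-authority, which for a label SID is the integrity RID."""
    if len(sid) < 8:
        raise ValueError("SID too short")
    revision, count = sid[0], sid[1]
    if revision != 1 or count == 0 or len(sid) < 8 + 4 * count:
        raise ValueError("malformed SID")
    return struct.unpack_from("<I", sid, 8 + 4 * (count - 1))[0]


def integrity_level(sid):
    """Coarse level name. Intermediate RIDs (e.g. 0x2100, 'medium plus') fall to the
    lower named level, since the comparison is numeric."""
    rid = last_subauthority(sid)
    level = "untrusted"
    for known, name in sorted(MANDATORY_RIDS.items()):
        if rid >= known:
            level = name
    return level


def is_elevated(sid):
    """The kind of decision a sample makes after this call sequence: high or system integrity."""
    return last_subauthority(sid) >= 0x3000


if __name__ == "__main__":
    for rid in (0x1000, 0x2000, 0x2100, 0x3000, 0x4000):
        sid = build_label_sid(rid)
        print("S-1-16-%d -> %s, elevated=%s" % (rid, integrity_level(sid), is_elevated(sid)))
```

The two-call pattern in the listing (a first GetTokenInformation with a NULL buffer, then a second with the allocated size) is the usual size-query idiom and not itself suspicious; what makes this function worth a second look is its neighbour in the report, which walks processes with CreateToolhelp32Snapshot and calls DuplicateTokenEx.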
    APIs
    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,0040EE99,?), ref: 00404B27
    • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040EE99,?), ref: 00404B3A
    • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,?,?,?,?,0040EE99,?), ref: 00404B65
    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,?,?,?,0040EE99,?), ref: 00404B78
    • CloseHandle.KERNEL32(?,?,?,?,?,0040EE99,?), ref: 00404B87
    • CloseHandle.KERNEL32(?,?,?,?,?,0040EE99,?), ref: 00404B90
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: File$CloseCreateHandle$MappingSizeView
    • String ID:
    • API String ID: 2246244431-0
    • Opcode ID: 5f155232a6646b183a63d33a187dcf7d7451c11ffa5c6e8337a98a603e46b336
    • Instruction ID: a5cce8ab798561b9d34a8d8371e3b839bcf71193e68395df42d84d91d4c577ad
    • Opcode Fuzzy Hash: 5f155232a6646b183a63d33a187dcf7d7451c11ffa5c6e8337a98a603e46b336
    • Instruction Fuzzy Hash: 4F115EB0140645BEDB315F62CC4DE5BBFBDEBD5B20B10892EF556A22E0D270A880CA24
    APIs
    • __getptd.LIBCMT ref: 00E479A7
      • Part of subcall function 00E464CC: __getptd_noexit.LIBCMT ref: 00E464CF
      • Part of subcall function 00E464CC: __amsg_exit.LIBCMT ref: 00E464DC
    • __amsg_exit.LIBCMT ref: 00E479C7
    • __lock.LIBCMT ref: 00E479D7
    • InterlockedDecrement.KERNEL32(?), ref: 00E479F4
    • _free.LIBCMT ref: 00E47A07
    • InterlockedIncrement.KERNEL32(02C41688), ref: 00E47A1F
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
    • String ID:
    • API String ID: 3470314060-0
    • Opcode ID: 94e29ed8f9e0c61b31f4f27ffd71215a09962faabe7a0401dd737568d76b840b
    • Instruction ID: 0029a1781f894a99a62bafc501f31c413f83b716f928c3fd1273d6d746a326da
    • Opcode Fuzzy Hash: 94e29ed8f9e0c61b31f4f27ffd71215a09962faabe7a0401dd737568d76b840b
    • Instruction Fuzzy Hash: 6B01F936E087119FDB22AF26B80574D73E0BF42724F052016F440B7691DB345D45DBD2
    APIs
    • GetPrivateProfileSectionNamesW.KERNEL32(?,0000FFFF,?), ref: 0041048E
    • GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 004104CE
    • GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 004104F1
    • GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 00410514
      • Part of subcall function 00404F2C: HeapFree.KERNEL32(00000000,00000000,?,00404F0C,0041A778,?,0040F172,?,00413CC0,00000000,?,?,00413182,?), ref: 00404F40
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: PrivateProfile$String$FreeHeapNamesSection
    • String ID: ;MA
    • API String ID: 2696703033-2473825069
    • Opcode ID: d62af84dadb8aeb0cd767306cd763f2b7af0cc5cd4c31ce0c62e74ab7763d04b
    • Instruction ID: ca2be330a2425339e36bd4ad192777fe90c5f7ef25b94e226df5f8c55297d755
    • Opcode Fuzzy Hash: d62af84dadb8aeb0cd767306cd763f2b7af0cc5cd4c31ce0c62e74ab7763d04b
    • Instruction Fuzzy Hash: F9512C72900119ABDF20EBA0DC45AFEB379EF44314F44447BFA05B7181EB78AE858B59
    APIs
    • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,00000031), ref: 00416932
      • Part of subcall function 0040B4B3: CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0040B4BD
    • CredFree.ADVAPI32(?,?), ref: 00416B33
      • Part of subcall function 00404F2C: HeapFree.KERNEL32(00000000,00000000,?,00404F0C,0041A778,?,0040F172,?,00413CC0,00000000,?,?,00413182,?), ref: 00404F40
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: CredFree$CreateEnumerateGlobalHeapStream
    • String ID: %-50s %s$%2.2X $Name:%lsComment: %lsUser:%lsData:
    • API String ID: 1001871379-3138396605
    • Opcode ID: 2401751eb88739c885c15fd53acb714d68e7c2f50a4fcf00982f6b5b26fd4f3d
    • Instruction ID: 6ab3aa2b8b6f7ef3ca89290d3b3c0aa47683973965a1ba494867f240cd4163d2
    • Opcode Fuzzy Hash: 2401751eb88739c885c15fd53acb714d68e7c2f50a4fcf00982f6b5b26fd4f3d
    • Instruction Fuzzy Hash: 69616172D10119ABCF10EFA5C8819EEB7B9EF04314F15447BE505B7251DB38AE868BA8
    APIs
    • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,?,?,?,00414138,?,00000000,?), ref: 00404BE8
    • WriteFile.KERNEL32(00000000,?,8AA,00000000,00000000,?,00414138,?,00000000,?), ref: 00404C0B
    • CloseHandle.KERNEL32(00000000,?,00414138,?,00000000,?), ref: 00404C18
    • DeleteFileW.KERNEL32(00000000,?,00414138,?,00000000,?), ref: 00404C26
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: File$CloseCreateDeleteHandleWrite
    • String ID: 8AA
    • API String ID: 656945655-1031823992
    • Opcode ID: a0ec578e906b5ba35e8b491669ca7ef15f49042a5f37ecc34628d32a2ccd2aa2
    • Instruction ID: e312bcca5666c2f4f790f24bab3cad1eb1922108b339b2b114f4ebf39fa5c7da
    • Opcode Fuzzy Hash: a0ec578e906b5ba35e8b491669ca7ef15f49042a5f37ecc34628d32a2ccd2aa2
    • Instruction Fuzzy Hash: 6D01AD71409248BFEF111FA08C48FEE3B68EB45360F048179FA50621E0D3754E458B64
    APIs
    • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00413E64,?), ref: 0040648D
    • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00413E64,?), ref: 004064A1
    • FileTimeToSystemTime.KERNEL32(?,d>A,?,?,?,00413E64,?), ref: 004064BA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: Time$FileSystem
    • String ID: d>A$d>A
    • API String ID: 2086374402-2582024514
    • Opcode ID: adc8e36154be0d079bfb275c6732458b9ef8cff690ff206a2f1399756dcc4060
    • Instruction ID: 62224ee6774ae8b78034f3a60de505545d6ba04fca9e53ab2c9371a3c230174a
    • Opcode Fuzzy Hash: adc8e36154be0d079bfb275c6732458b9ef8cff690ff206a2f1399756dcc4060
    • Instruction Fuzzy Hash: 1CF0FF7AD0011DFBCF019FA9D8489CEBBBCEA48655B0181A6EA19A3114D634A6498BA4
    APIs
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,00000000,00000000,00000000,?,00000000,00000031), ref: 00413EE3
    • LoadLibraryA.KERNEL32(?), ref: 00413F58
    • VirtualProtect.KERNEL32(00000000,?,00000002,?), ref: 00413FCD
    • VirtualFree.KERNEL32(?,?,00004000), ref: 00413FFE
    • VirtualProtect.KERNEL32(?,?,?,?), ref: 0041403F
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: Virtual$Protect$AllocFreeLibraryLoad
    • String ID:
    • API String ID: 90962928-0
    • Opcode ID: f791cf7a9550d6329176ee1bda85158125c2f50f71a086ac02e9e1274acc6c29
    • Instruction ID: 19d78efe76cc26541039a5d7913da310be6636b7ff9dc4ba670cb481fcde2d22
    • Opcode Fuzzy Hash: f791cf7a9550d6329176ee1bda85158125c2f50f71a086ac02e9e1274acc6c29
    • Instruction Fuzzy Hash: 6751A175A00705AFDB20CF55CC84FE67BB5FF88315F14846AEA059B251D738EA82CB58
    APIs
    • PathFindExtensionA.SHLWAPI(?,?,00000000,00000031), ref: 00414102
      • Part of subcall function 00413EC6: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,00000000,00000000,00000000,?,00000000,00000031), ref: 00413EE3
      • Part of subcall function 00413EC6: VirtualProtect.KERNEL32(00000000,?,00000002,?), ref: 00413FCD
    • CreateThread.KERNEL32(00000000,00000000,004050F0,00000000,00000000,00000000), ref: 004140D1
    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004140E1
    • CloseHandle.KERNEL32(00000000), ref: 004140E8
    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004140F5
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: Virtual$AllocCloseCreateExtensionFindFreeHandleObjectPathProtectSingleThreadWait
    • String ID:
    • API String ID: 248983594-0
    • Opcode ID: ea3605a9d323946bc61b7faccc9b8e1bfbca0fb761fb71cf2cad8dcc6b35fc97
    • Instruction ID: 1fd631035d38c11dd4dca8261721d85a0394e2d27002a17067acf375899f0d5c
    • Opcode Fuzzy Hash: ea3605a9d323946bc61b7faccc9b8e1bfbca0fb761fb71cf2cad8dcc6b35fc97
    • Instruction Fuzzy Hash: 642125728001187ADB106B649C89DEF376DDB81368F14013FFA10B62C1DA388EC586AC
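Several of the per-function listings above describe recognisable capabilities purely through their API sets: the screen capture routine (MonitorFromPoint, CreateCompatibleBitmap, BitBlt, GetCursorInfo, DrawIcon at 00415918 to 00415AC6), the process walk that ends in DuplicateTokenEx (0040568B to 00405711), the integrity-level check (004055A5 to 00405657), the Credential Manager enumeration with CredEnumerateW and its "Name:%ls Comment: %ls User:%ls Data:" format string (00416932 to 00416B33), and the RWX VirtualAlloc followed by LoadLibraryA and VirtualProtect that precedes CreateThread (00413EE3 to 004140F5). The following is an added example, not part of the report or of the Joe Sandbox tooling: a small triage script that parses listing lines in exactly the form printed above, groups them by function, and tags each function with a capability label when its required APIs (including subcalls) are present, with an argument check where the API name alone is not enough (VirtualAlloc with flProtect 0x40, GetTokenInformation with class 0x19). The sample input is copied from the listings on this page; the label names and signature sets are my own and are only as good as the report's decompilation.

```python
import re

# One "• Api.MODULE(args), ref: ADDR" line of a Joe Sandbox function listing. LIBCMT
# entries and GetLogicalDrives carry no argument list; subcall lines carry a prefix.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-F]{8})\s*$"
)


def parse_listing(text):
    """Split a listing into per-function blocks; each block starts at an 'APIs' header."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            args = m.group("args")
            current.append({
                "api": m.group("api"),
                "module": m.group("mod"),
                "args": args.split(",") if args else [],
                "ref": int(m.group("ref"), 16),
                "subcall": m.group("sub"),
            })
    return blocks


def _arg(call, index):
    """Argument as the report prints it, minus annotations such as '(TokenIntegrityLevel)'."""
    args = call["args"]
    return re.sub(r"\(.*\)", "", args[index]) if index < len(args) else None


def _rwx_alloc(block):
    # VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect); 0x40 is PAGE_EXECUTE_READWRITE
    return any(c["api"] == "VirtualAlloc" and _arg(c, 3) == "00000040" for c in block)


def _queries_integrity(block):
    # GetTokenInformation(hToken, TokenInformationClass, ...); class 25 is TokenIntegrityLevel
    return any(c["api"] == "GetTokenInformation" and _arg(c, 1) == "00000019" for c in block)


# label -> (API names that must all appear in the block, optional argument check); my own naming
SIGNATURES = {
    "screen-capture": ({"CreateCompatibleBitmap", "BitBlt", "GetCursorInfo", "DrawIcon"}, None),
    "credential-manager-dump": ({"CredEnumerateW", "CredFree"}, None),
    "manual-pe-mapping": ({"VirtualAlloc", "LoadLibraryA", "VirtualProtect"}, _rwx_alloc),
    "integrity-level-check": ({"OpenProcessToken", "GetTokenInformation", "GetSidSubAuthority"}, _queries_integrity),
    "token-duplication-via-process-walk": ({"CreateToolhelp32Snapshot", "Process32NextW",
                                            "OpenProcessToken", "DuplicateTokenEx"}, None),
}


def capabilities(block):
    """Labels whose required APIs (subcalls included) all occur in the block."""
    apis = {c["api"] for c in block}
    return [label for label, (required, check) in SIGNATURES.items()
            if required <= apis and (check is None or check(block))]


def triage(text):
    """(address of the first listed call, labels) for every non-empty block."""
    return [("%08X" % block[0]["ref"], capabilities(block))
            for block in parse_listing(text) if block]


# Constructed sample: lines copied from the listings on this page, trimmed to what the
# signatures need, plus one CRT block that should not match anything.
SAMPLE_LISTING = """\
    APIs
    • MonitorFromPoint.USER32(?,?,00000001), ref: 00415918
    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 004159AA
    • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,40CC0020), ref: 004159D4
    • GetCursorInfo.USER32(?), ref: 004159E5
    • DrawIcon.USER32(?,?,?,?), ref: 00415A0C
      • Part of subcall function 00404F2C: HeapFree.KERNEL32(00000000,00000000,?), ref: 00404F40
    APIs
    • OpenProcessToken.ADVAPI32(000000FF,00000008,00000035,?), ref: 004055A5
    • GetTokenInformation.ADVAPI32(00000035,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 004055BE
    • GetSidSubAuthorityCount.ADVAPI32(00000000,?), ref: 004055FF
    • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 0040560C
    APIs
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000), ref: 00413EE3
    • LoadLibraryA.KERNEL32(?), ref: 00413F58
    • VirtualProtect.KERNEL32(00000000,?,00000002,?), ref: 00413FCD
    APIs
    • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,00000031), ref: 00416932
    • CredFree.ADVAPI32(?,?), ref: 00416B33
    APIs
    • __getptd.LIBCMT ref: 00E479A7
    • InterlockedDecrement.KERNEL32(?), ref: 00E479F4
"""

if __name__ == "__main__":
    for ref, labels in triage(SAMPLE_LISTING):
        print(ref, ", ".join(labels) or "-")
```

Matching on API sets is deliberately coarse: it will flag a legitimate screenshot utility as "screen-capture" just as readily. Its value in a report like this one is ranking which of the hundred-odd listed functions to open first, not a verdict; the verdict comes from the combination (screen capture plus credential enumeration plus an RWX mapper in one binary) and from the strings shown in the Similarity sections.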
    APIs
    • _malloc.LIBCMT ref: 00E48C91
      • Part of subcall function 00E4510D: __FF_MSGBANNER.LIBCMT ref: 00E45126
      • Part of subcall function 00E4510D: __NMSG_WRITE.LIBCMT ref: 00E4512D
      • Part of subcall function 00E4510D: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,00E4445D,?), ref: 00E45152
    • _free.LIBCMT ref: 00E48CA4
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: AllocateHeap_free_malloc
    • String ID:
    • API String ID: 1020059152-0
    • Opcode ID: 0df40ace526c24251e6aa395a06155b5ba49e6b0d412464aa1ceed27ef2ab985
    • Instruction ID: e022eb81bb21fd73af0d6c65903f3b0b1a48d99f48ea564a6abcf4f3e9a3bb74
    • Opcode Fuzzy Hash: 0df40ace526c24251e6aa395a06155b5ba49e6b0d412464aa1ceed27ef2ab985
    • Instruction Fuzzy Hash: E9112333802A11ABCB312F70FE047AD77D5AF813B0F242426F909BA192DE35CC4097A6
    APIs
    • __getptd.LIBCMT ref: 00E48266
      • Part of subcall function 00E464CC: __getptd_noexit.LIBCMT ref: 00E464CF
      • Part of subcall function 00E464CC: __amsg_exit.LIBCMT ref: 00E464DC
    • __getptd.LIBCMT ref: 00E4827D
    • __amsg_exit.LIBCMT ref: 00E4828B
    • __lock.LIBCMT ref: 00E4829B
    • __updatetlocinfoEx_nolock.LIBCMT ref: 00E482AF
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
    • String ID:
    • API String ID: 938513278-0
    • Opcode ID: 7afee22ef5737b87e924ab5b8c0867c7bdc55b1bca3fb462ce951859527a1ba3
    • Instruction ID: f01fb519703fa9235c16fa9010f4d2b9da297aec1ba4803003317f24eae11fbf
    • Opcode Fuzzy Hash: 7afee22ef5737b87e924ab5b8c0867c7bdc55b1bca3fb462ce951859527a1ba3
    • Instruction Fuzzy Hash: 42F09032E04B109BDB21BB74B906B5D33D06F02724F156A09F514772E2CFA45840DA5A
    APIs
    • LoadLibraryA.KERNEL32(?,00000000,?,00000031), ref: 0041131F
      • Part of subcall function 00405192: LoadLibraryA.KERNEL32(?,?,?,?,?,004072F6,98ED24FB), ref: 0040526D
    • FreeLibrary.KERNEL32(00000000), ref: 004115AB
      • Part of subcall function 00416E8E: RtlGetVersion.NTDLL(?), ref: 00416EAB
      • Part of subcall function 00404F2C: HeapFree.KERNEL32(00000000,00000000,?,00404F0C,0041A778,?,0040F172,?,00413CC0,00000000,?,?,00413182,?), ref: 00404F40
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: Library$FreeLoad$HeapVersion
    • String ID: 4$8
    • API String ID: 2294480396-97111398
    • Opcode ID: e96ea99d3d67079c3c40f3da4a3396d77189df7c1f4810a95be94a213226a20b
    • Instruction ID: da08ae2bdbddc67e45404d6be35d999ed2b863f5bf8dbd1cc8a5796a08cd29d6
    • Opcode Fuzzy Hash: e96ea99d3d67079c3c40f3da4a3396d77189df7c1f4810a95be94a213226a20b
    • Instruction Fuzzy Hash: 97918F71D00618ABCF21DB95CC45AEFBBBAEF84700F14456BE505B7261D7399E80CBA8
    APIs
    • SHGetFolderPathW.SHELL32(00000000,0000001A,?,00000000,?,?,00415240,00000000,?,?,00000000,00000000,?,00000000,?), ref: 00414F48
    • CloseHandle.KERNEL32(?,?,00415240,00000000,?,?,00000000,00000000,?,00000000,?), ref: 00414FE2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: CloseFolderHandlePath
    • String ID: @RA$@RA
    • API String ID: 1943059022-724470139
    • Opcode ID: 496a76d073542a93643ca7f9bf6e6ef4fa0431f7ef08fa4bcb7482e732bc5d0d
    • Instruction ID: 7d3bd842f0370e2a21f54626ff5449ef890e8a7442342d7b05add279836dd212
    • Opcode Fuzzy Hash: 496a76d073542a93643ca7f9bf6e6ef4fa0431f7ef08fa4bcb7482e732bc5d0d
    • Instruction Fuzzy Hash: 23413A7290011AAFCF10DF95CC949EFBBB9FF48304F10446AE611B6290DB399E91CBA4
    APIs
    • GetLogicalDrives.KERNEL32 ref: 00410C17
      • Part of subcall function 00405DBA: wvnsprintfW.SHLWAPI(?,00000104,00000000,?), ref: 00405DDC
      • Part of subcall function 004108E4: FindFirstFileW.KERNEL32(QRA,?,00000000,00000000,00000000), ref: 0041092E
      • Part of subcall function 004108E4: FindNextFileW.KERNEL32(?,?), ref: 00410B08
      • Part of subcall function 00404F2C: HeapFree.KERNEL32(00000000,00000000,?,00404F0C,0041A778,?,0040F172,?,00413CC0,00000000,?,?,00413182,?), ref: 00404F40
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: FileFind$DrivesFirstFreeHeapLogicalNextwvnsprintf
    • String ID: %s\%c$A$\\?\%c:
    • API String ID: 1843991470-1503768234
    • Opcode ID: a1edfc6e9cabf554445d2a185e10a61f255003450b096631e2ac9218a3463a49
    • Instruction ID: 2679cea3a276ca4328893308c8c2b4d0c4727979c0711d4b4784de73a077c24f
    • Opcode Fuzzy Hash: a1edfc6e9cabf554445d2a185e10a61f255003450b096631e2ac9218a3463a49
    • Instruction Fuzzy Hash: 4801B172A00608BBEB15AB94D9466DEBBB5DF00318F10406BE900762C2D7B95EC19FE9
    APIs
    • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00020019,?,00000000,00000000,%s\%s\%s,?,?,?), ref: 00405BC5
    • RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00405BED
    • RegCloseKey.ADVAPI32(?), ref: 00405C4E
      • Part of subcall function 00404EAB: RtlAllocateHeap.NTDLL(00000008,-00000004), ref: 00404EC3
    • RegEnumValueW.ADVAPI32(00000064,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000064,?), ref: 00405C33
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: AllocateCloseEnumHeapInfoOpenQueryValue
    • String ID:
    • API String ID: 691525546-0
    • Opcode ID: 1af06fff00a42e6c23fd90166e846bd0a02083d29debb43d33bb3cebfcd94c35
    • Instruction ID: 559e2e5736a9b18d769bac7e7b774088cfa7331c56084f597a9c19479372ca08
    • Opcode Fuzzy Hash: 1af06fff00a42e6c23fd90166e846bd0a02083d29debb43d33bb3cebfcd94c35
    • Instruction Fuzzy Hash: 7D2107B1A01228BFDB119F95DD88DEFBFBCEF49754B104066F509E2240D7349A41CBA4
    APIs
    • RegOpenKeyExW.ADVAPI32(?,80000002,00000000,00000000,?,0000000C,00414BA8,80000002,?,00000000,80000004,?,80000004,00000101), ref: 00405B02
    • RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00405B2A
    • RegCloseKey.ADVAPI32(?), ref: 00405B8B
      • Part of subcall function 00404EAB: RtlAllocateHeap.NTDLL(00000008,-00000004), ref: 00404EC3
    • RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000104,?), ref: 00405B70
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: AllocateCloseEnumHeapInfoOpenQuery
    • String ID:
    • API String ID: 79905894-0
    • Opcode ID: be0503fc610a1232bba7b3f51c326396fcb25e7b7365803ef55820ad0cf49b2c
    • Instruction ID: 4659c6dd2db164814af5c74531739fe8379935b17861b01e63ab91215f33c974
    • Opcode Fuzzy Hash: be0503fc610a1232bba7b3f51c326396fcb25e7b7365803ef55820ad0cf49b2c
    • Instruction Fuzzy Hash: 6D212A71901118BFDB219F96DD48DEFBFBCEF49754B004066F809E2250D734AA41CBA4
    APIs
    • RegOpenKeyExW.ADVAPI32(80000002,00000001,00000000,00000001,00000000,?,?,?), ref: 004059DB
    • RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,00000000,?), ref: 004059F4
    • RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,00000000,?), ref: 00405A1E
    • RegCloseKey.ADVAPI32(00000000), ref: 00405A33
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: QueryValue$CloseOpen
    • String ID:
    • API String ID: 1586453840-0
    • Opcode ID: b2acf11043bdeaf5bf44ffaf8680ff15d35fadd98104504da247060025c6e236
    • Instruction ID: 181d92b4c8150ffe79d116bba498cf6b0d4d091711c9081e6bb2855d3830407c
    • Opcode Fuzzy Hash: b2acf11043bdeaf5bf44ffaf8680ff15d35fadd98104504da247060025c6e236
    • Instruction Fuzzy Hash: E4112671A00508BFDB219F95CC88DEFBF7AFB84754B508166F901A2260E3349E50DF64
    APIs
    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,?,?,?,0040F3AD,?,?,00000000), ref: 00404A98
    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F3AD,?,?,00000000,00000104,?,0040F5FC,?,?,?), ref: 00404AA7
    • ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,0040F3AD,?,?,00000000,00000104,?,0040F5FC,?), ref: 00404AC8
    • CloseHandle.KERNEL32(00000000,?,?,?,0040F3AD,?,?,00000000,00000104,?,0040F5FC,?,?,?), ref: 00404ADB
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: File$CloseCreateHandleReadSize
    • String ID:
    • API String ID: 3919263394-0
    • Opcode ID: a6ace4e46373c68616f4d3917e97a3d80d1ead997916e22ad0b2fc47a606376d
    • Instruction ID: 35ced7b7e6b8fcb80760e5361844cac7ae60d847a3c82796c2aff2ab1ebf9c76
    • Opcode Fuzzy Hash: a6ace4e46373c68616f4d3917e97a3d80d1ead997916e22ad0b2fc47a606376d
    • Instruction Fuzzy Hash: C2F081B1640218BFFB119FA4DC89FEB366CEB04354F004179FA01A62D0D7B49E018B68
    APIs
    • GetDesktopWindow.USER32 ref: 00415B18
    • GetWindowDC.USER32(00000000,?,?,?,00413DC6,?), ref: 00415B21
    • EnumDisplayMonitors.USER32(00000000,00000000,004158F7,?,?,?,?,00413DC6,?), ref: 00415B34
    • ReleaseDC.USER32(00000000,00000000), ref: 00415B3C
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: Window$DesktopDisplayEnumMonitorsRelease
    • String ID:
    • API String ID: 3138938612-0
    • Opcode ID: 09942aec3327468421f9ad7013ce1eabb26cd18543247e64c5682214829e7bf5
    • Instruction ID: 79ebf71b1ab3dc720c427369539a26d712b4a8fa409b07612e71690da23c6d59
    • Opcode Fuzzy Hash: 09942aec3327468421f9ad7013ce1eabb26cd18543247e64c5682214829e7bf5
    • Instruction Fuzzy Hash: 670121B2900118AF9B10DFA5DC889EFBFBCFF89751B004126F902E2110D7345A41CBA4
    APIs
    • GetTempPathW.KERNEL32(000000F6,?,00000000), ref: 00404C4A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NLRpif3sEB.jbxd
    Similarity
    • API ID: PathTemp
    • String ID: "AA$%08x.%s
    • API String ID: 2920410445-3318964645
    • Opcode ID: c89cc8e68427bbb63d604f05537d755ce9629acc9bc5e5b3f558cfa4640d61b0
    • Instruction ID: a8c78cdc698b28e01514b2981d1d0c4832bbd0bd718657f1769f43814eb44599
    • Opcode Fuzzy Hash: c89cc8e68427bbb63d604f05537d755ce9629acc9bc5e5b3f558cfa4640d61b0
    • Instruction Fuzzy Hash: F7F08CF160512867EF206A258C45AEB231CDBC1308F0580B7BB04B62C1C67D9E9686A8
    APIs
    • DecodePointer.KERNEL32(?,00E46BB8,00000000,00000000,00000000,00000000,00000000,00E47681,?,00E45A5E,00000003,00E46C95,00E4BC40,0000000C,00E46D51,]D), ref: 00E46B8A
    • __invoke_watson.LIBCMT ref: 00E46BA6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: DecodePointer__invoke_watson
    • String ID: kU
    • API String ID: 4034010525-2686493706
    • Opcode ID: 7e8ee56fe87271a11e811f22244d421ccd2771c2089c69b3520779dc66863ca8
    • Instruction ID: 36fa92007f0e0fbcce3e132fc75001ca920c9ba5494074fd213efdb13282b13f
    • Opcode Fuzzy Hash: 7e8ee56fe87271a11e811f22244d421ccd2771c2089c69b3520779dc66863ca8
    • Instruction Fuzzy Hash: 6CE0EC76000109BFDF022FA2EC05CAA3FAAFB56354B454460FD14E5131D732D875DB96
    APIs
    • ___crtCorExitProcess.LIBCMT ref: 00E455CA
      • Part of subcall function 00E45597: GetModuleHandleW.KERNEL32(mscoree.dll,]D,00E455CF,]D,?,00E46CA6,000000FF,0000001E,00E4BC40,0000000C,00E46D51,]D,]D,?,00E463E9,0000000D), ref: 00E455A1
      • Part of subcall function 00E45597: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E455B1
    • ExitProcess.KERNEL32 ref: 00E455D3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2634716105.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.2634701930.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634744649.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634760124.0000000000E4D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2634775163.0000000000E4F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_NLRpif3sEB.jbxd
    Similarity
    • API ID: ExitProcess$AddressHandleModuleProc___crt
    • String ID: ]D
    • API String ID: 2427264223-1726274006
    • Opcode ID: 8f535237a4e91937bd4e11a6bae25b464be4b09c9c58d3db031272e828689fc7
    • Instruction ID: 75ec57af4db994bcf19e711ce40c161fbd77326075bd351093f97ae2a5798fee
    • Opcode Fuzzy Hash: 8f535237a4e91937bd4e11a6bae25b464be4b09c9c58d3db031272e828689fc7
    • Instruction Fuzzy Hash: 78B09232000248BFCB112F12EC0A85D3F6AEB823A0B144021F81819072DF76AE9A9A81